Implement browser cookie auth client mode #58

Merged
TheSilkky merged 1 commit into develop from issue-55-browser-cookie-auth-client-mode
Jun 5, 2026

@TheSilkky

Member

Summary

  • Add explicit bearer/cookie API client auth mode selection with VITE_PROOFLINE_AUTH_MODE.
  • Route cookie-mode login/logout through the browser-session endpoints and keep CSRF tokens in memory only.
  • Reject mixed cookie and bearer credential usage before requests are sent.
  • Keep bearer mode on Authorization headers with credentials: omit, and use credentials: include only for cookie-mode browser-session requests.
  • Update session parsing, docs, and tests for the implemented browser cookie auth mode.

Validation

  • npm run typecheck
  • npm run lint
  • npm run test
  • npm run build
  • npm run test:e2e
  • git diff --check

Security and Scope

  • Frontend-only change; no backend, CORS, or deployment configuration changes.
  • No browser decryption, key unwrapping, recording, notification, emergency-response, or admin-route behavior added.
  • Raw browser session cookies, CSRF token values, Authorization headers, and request bodies are not logged or displayed.
  • Cookie sessions do not persist bearer tokens in browser storage.

Closes #55
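
The request-shaping rules listed in the summary above, as an added TypeScript example that is not code from this PR or from the project. The function and type names, the `X-CSRF-Token` header name, the strict failure on an unknown mode value, and the rule that only methods other than GET/HEAD/OPTIONS carry the CSRF token are assumptions made for the example.

```typescript
// Added illustration; all names here are hypothetical, not the project's own.
type AuthMode = "bearer" | "cookie";

interface ClientCredentials {
  bearerToken?: string; // bearer mode only
  csrfToken?: string;   // cookie mode only; held in memory, never in browser storage
}

interface PlannedRequest {
  method: string;
  credentials: "omit" | "include";
  headers: Record<string, string>;
}

const CSRF_HEADER = "X-CSRF-Token"; // assumed header name
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];

// Parse the configured mode (e.g. the VITE_PROOFLINE_AUTH_MODE value) strictly.
// Failing on anything unexpected is a choice made for this example.
function parseAuthMode(raw: string | undefined): AuthMode {
  if (raw === "bearer" || raw === "cookie") return raw;
  throw new Error("auth mode must be 'bearer' or 'cookie'");
}

// Build fetch options for one request. Mixed credentials are rejected before
// anything is sent, and error messages never contain token values.
function planRequest(mode: AuthMode, method: string, creds: ClientCredentials): PlannedRequest {
  const verb = method.toUpperCase();
  if (mode === "bearer") {
    if (creds.csrfToken !== undefined) throw new Error("CSRF token supplied in bearer mode");
    if (!creds.bearerToken) throw new Error("bearer mode requires a token");
    // Bearer mode: Authorization header only, cookies never attached.
    return { method: verb, credentials: "omit", headers: { Authorization: `Bearer ${creds.bearerToken}` } };
  }
  if (creds.bearerToken !== undefined) throw new Error("bearer token supplied in cookie mode");
  const headers: Record<string, string> = {};
  if (SAFE_METHODS.indexOf(verb) === -1) {
    // State-changing request under a cookie session: the CSRF token is required.
    if (!creds.csrfToken) throw new Error("state-changing cookie request needs a CSRF token");
    headers[CSRF_HEADER] = creds.csrfToken;
  }
  // Cookie mode: the browser attaches the session cookie; no Authorization header.
  return { method: verb, credentials: "include", headers };
}
```

The returned object can be spread into a `fetch` call's options, so the mode check runs on every request rather than once at login.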

@TheSilkky

Member Author

@codex review

Please review this PR for correctness, security, scope control, tests, and
consistency with README.md, AGENTS.md, SECURITY.md, and relevant docs.

Focus on frontend route behavior, API client assumptions against
open-proofline/server, token handling, no secret logging, no browser decryption
or key unwrapping, Catalyst licensing boundaries, and validation results.

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Nice work!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@TheSilkky TheSilkky marked this pull request as ready for review June 5, 2026 13:46
@TheSilkky TheSilkky merged commit 4789d07 into develop Jun 5, 2026
1 check passed
@TheSilkky TheSilkky deleted the issue-55-browser-cookie-auth-client-mode branch June 5, 2026 13:47