Remove cross-subdomain cookie sharing, use lax SameSite

L1 servers now verify tokens by calling L2's /auth/verify endpoint,
so L2 no longer needs to share cookies across subdomains. Each L1
sets its own first-party cookie via its /auth endpoint.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Author: gilesb
Date: 2026-01-09 17:40:14 +00:00
parent accb315623
commit e5d1c93034


@@ -433,15 +433,14 @@ async def ui_login_submit(request: Request):
<script>window.location.href = "/";</script>
''')
# Always set cookie on L2 as well
# Set cookie for L2 only (L1 servers set their own cookies via /auth endpoint)
response.set_cookie(
key="auth_token",
value=token.access_token,
httponly=True,
max_age=60 * 60 * 24 * 30, # 30 days
samesite="none",
domain=COOKIE_DOMAIN, # Share across subdomains
secure=True # Required for cross-subdomain cookies
samesite="lax",
secure=True
)
return response
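Review bot: dropping `domain=COOKIE_DOMAIN` and switching to `samesite="lax"` makes auth_token a host-only cookie for the L2 origin, which matches the L1-verifies-via-/auth/verify design in the commit message, but Lax still attaches the cookie to cross-site top-level GET navigations, so confirm that no GET handler in this app performs a state-changing action on the strength of auth_token alone; if any does, `samesite="strict"` is the safer choice here since L1 servers no longer depend on this cookie. Two smaller points on the same block: `max_age=60 * 60 * 24 * 30` keeps the cookie for 30 days independent of the access token's own lifetime, so check the two agree (a cookie that outlives the token only produces confusing 401s, while a 30-day bearer token in a cookie is a long revocation window); and with COOKIE_DOMAIN no longer referenced here, consider removing the setting and its documentation so nobody reintroduces the cross-subdomain cookie from stale config.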
@@ -525,9 +524,8 @@ async def ui_register_submit(request: Request):
value=token.access_token,
httponly=True,
max_age=60 * 60 * 24 * 30, # 30 days
samesite="none",
domain=COOKIE_DOMAIN, # Share across subdomains
secure=True # Required for cross-subdomain cookies
samesite="lax",
secure=True
)
return response
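Review bot: this set_cookie block in ui_register_submit is now byte-for-byte the same as the one in ui_login_submit (key, httponly, max_age, samesite, secure), and the present change had to be applied twice in lockstep; factor the attributes into a single helper, for example `def set_auth_cookie(response, access_token): ...`, and call it from both handlers so the next attribute change (tightening to `samesite="strict"`, or aligning `max_age` with the token lifetime) cannot drift between login and register if one site is missed.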