security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach)

Backend:
- CookieBearerToken middleware reads httpOnly cookie and injects Authorization
  header before Sanctum validates (prepended to API middleware group)
- SetAuthCookie trait provides cookie creation/expiry helpers with per-app
  cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token)
- LoginController sets token via Set-Cookie, removes it from JSON body
- LogoutController expires the auth cookie on logout
- AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie
- InvitationController accept also sets token via cookie, not JSON body
- All cookies: httpOnly, SameSite=Strict, Secure (in production)

Frontend (all three SPAs):
- Removed all localStorage token storage (apps/app, apps/portal)
- Removed all JS-readable cookie token storage (apps/admin)
- Removed Authorization: Bearer header interceptors from axios
- Auth stores now rely on GET /auth/me to validate httpOnly cookie
- Admin app: new Pinia auth store replaces useCookie-based auth pattern
- withCredentials: true ensures browser sends cookies automatically

Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin
cookie flags). Tokens are now invisible to JavaScript.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/admin/src/stores/useAuthStore.ts

@@ -0,0 +1,112 @@
+import { defineStore } from 'pinia'
+import { computed, ref } from 'vue'
+import { apiClient } from '@/lib/axios'
+import { getUserAbilityRules } from '@/utils/auth-ability'
+import type { Rule } from '@/plugins/casl/ability'
+import type { AuthUserCookie } from '@/composables/useOrganisationContext'
+
+interface MeResponse {
+  id: string
+  first_name: string
+  last_name: string
+  full_name: string
+  email: string
+  timezone: string
+  locale: string
+  avatar: string | null
+  organisations: Array<{
+    id: string
+    name: string
+    slug: string
+    role: string
+  }>
+  app_roles: string[]
+  permissions: string[]
+}
+
+export const useAuthStore = defineStore('auth', () => {
+  const user = ref<AuthUserCookie | null>(null)
+  const abilityRules = ref<Rule[]>([])
+  const isInitialized = ref(false)
+
+  const isAuthenticated = computed(() => !!user.value)
+
+  function setUser(userData: AuthUserCookie, roles: string[]) {
+    user.value = userData
+    abilityRules.value = getUserAbilityRules(roles)
+  }
+
+  function clearState() {
+    user.value = null
+    abilityRules.value = []
+  }
+
+  function handleUnauthorized() {
+    clearState()
+    isInitialized.value = false
+
+    if (typeof window !== 'undefined') {
+      const publicPaths = ['/login', '/forgot-password', '/reset-password', '/verify-email-change']
+      if (!publicPaths.some(p => window.location.pathname.startsWith(p))) {
+        window.location.href = '/login'
+      }
+    }
+  }
+
+  async function logout() {
+    try {
+      await apiClient.post('/auth/logout')
+    }
+    catch {
+      // Continue with logout even if API call fails
+    }
+    clearState()
+  }
+
+  let initializePromise: Promise<void> | null = null
+
+  function initialize(): Promise<void> {
+    if (isInitialized.value) return Promise.resolve()
+    if (!initializePromise) {
+      initializePromise = doInitialize()
+    }
+    return initializePromise
+  }
+
+  async function doInitialize(): Promise<void> {
+    try {
+      const { data } = await apiClient.get<{ success: boolean; data: MeResponse }>('/auth/me')
+      const me = data.data
+      const roles = me.app_roles ?? []
+
+      setUser(
+        {
+          id: me.id,
+          name: me.full_name,
+          email: me.email,
+          roles,
+          organisations: me.organisations,
+        },
+        roles,
+      )
+    }
+    catch {
+      clearState()
+    }
+    finally {
+      isInitialized.value = true
+    }
+  }
+
+  return {
+    user,
+    abilityRules,
+    isAuthenticated,
+    isInitialized,
+    setUser,
+    clearState,
+    logout,
+    handleUnauthorized,
+    initialize,
+  }
+})