fix(auth): scope Auth.js session cookie via AUTH_COOKIE_PREFIX

[tvi]

Cookies are scoped by host+path+name, not port, so multiple local dashboards on different localhost ports shared the default authjs.session-token cookie and clobbered each other's sessions. AUTH_COOKIE_PREFIX lets each instance use a distinct cookie name; unset in prod/preview keeps the standard name.

[cursor]

PR Summary

Low Risk
Optional env-only change for local dev; production and preview are unchanged when the variable is unset.

Overview
Adds optional AUTH_COOKIE_PREFIX to server env validation so each local dashboard on a different localhost port can use a distinct Auth.js session cookie name. Multiple instances on the same host were sharing authjs.session-token and overwriting each other’s sessions because cookies are not scoped by port. When unset, behavior stays the same for prod and preview.

^{Reviewed by Cursor Bugbot for commit 7b664db. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web	Ready	Preview, Comment	Jun 9, 2026 8:23pm
web-juliett	Ready	Preview, Comment	Jun 9, 2026 8:23pm