fix: auth cookies cross-origin, async params, CSRF/web-vitals errors

- Set SameSite=lax for auth & CSRF cookies in development (cross-port)
- Set refresh_token cookie path to / (was /auth, preventing cross-port send)
- Await params in Next.js 15 async server components (layout, listings, agents)
- Add CSRF token to web-vitals POST requests
- Fix: 401 Unauthorized on all authenticated API calls from web app
- Fix: CSRF token missing on POST requests from different port
- Fix: params.locale sync access warning in generateMetadata

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>

apps/api/src/modules/auth/presentation/controllers/auth.controller.ts

@@ -41,19 +41,21 @@ const ACCESS_TOKEN_MAX_AGE = 15 * 60 * 1000; // 15 minutes
 const REFRESH_TOKEN_MAX_AGE = 30 * 24 * 60 * 60 * 1000; // 30 days
 const AUTH_COOKIE_MAX_AGE = 30 * 24 * 60 * 60 * 1000; // 30 days
 
+const SAME_SITE = IS_PRODUCTION ? 'strict' : 'lax';
+
 function setAuthCookies(res: Response, tokens: TokenPair): void {
   res.cookie('access_token', tokens.accessToken, {
     httpOnly: true,
     secure: IS_PRODUCTION,
-    sameSite: 'strict',
+    sameSite: SAME_SITE,
     path: '/',
     maxAge: ACCESS_TOKEN_MAX_AGE,
   });
   res.cookie('refresh_token', tokens.refreshToken, {
     httpOnly: true,
     secure: IS_PRODUCTION,
-    sameSite: 'strict',
-    path: '/auth', // Only sent to auth endpoints
+    sameSite: SAME_SITE,
+    path: '/',
     maxAge: REFRESH_TOKEN_MAX_AGE,
   });
   res.cookie('goodgo_authenticated', '1', {
@@ -67,7 +69,7 @@ function setAuthCookies(res: Response, tokens: TokenPair): void {
 
 function clearAuthCookies(res: Response): void {
   res.clearCookie('access_token', { path: '/' });
-  res.clearCookie('refresh_token', { path: '/auth' });
+  res.clearCookie('refresh_token', { path: '/' });
   res.clearCookie('goodgo_authenticated', { path: '/' });
 }