fix: auth cookies cross-origin, async params, CSRF/web-vitals errors

- Set SameSite=lax for auth & CSRF cookies in development (cross-port)
- Set refresh_token cookie path to / (was /auth, preventing cross-port send)
- Await params in Next.js 15 async server components (layout, listings, agents)
- Add CSRF token to web-vitals POST requests
- Fix: 401 Unauthorized on all authenticated API calls from web app
- Fix: CSRF token missing on POST requests from different port
- Fix: params.locale sync access warning in generateMetadata

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>

apps/web/app/[locale]/(public)/agents/[id]/page.tsx

@@ -19,10 +19,11 @@ const siteUrl = process.env['NEXT_PUBLIC_SITE_URL'] || 'https://goodgo.vn';
 // ---------------------------------------------------------------------------
 
 interface PageProps {
-  params: { locale: string; id: string };
+  params: Promise<{ locale: string; id: string }>;
 }
 
-export async function generateMetadata({ params }: PageProps): Promise<Metadata> {
+export async function generateMetadata({ params: paramsPromise }: PageProps): Promise<Metadata> {
+  const params = await paramsPromise;
   const agent = await fetchAgentProfile(params.id);
   if (!agent) {
     return { title: 'Không tìm thấy môi giới' };
@@ -82,7 +83,8 @@ export async function generateMetadata({ params }: PageProps): Promise<Metadata>
 // Page (Server Component)
 // ---------------------------------------------------------------------------
 
-export default async function AgentProfilePage({ params }: PageProps) {
+export default async function AgentProfilePage({ params: paramsPromise }: PageProps) {
+  const params = await paramsPromise;
   const [agent, reviewsResult] = await Promise.all([
     fetchAgentProfile(params.id),
     fetchAgentReviews(params.id, 1, 10),