fix: auth cookies cross-origin, async params, CSRF/web-vitals errors

- Set SameSite=lax for auth & CSRF cookies in development (cross-port)
- Set refresh_token cookie path to / (was /auth, preventing cross-port send)
- Await params in Next.js 15 async server components (layout, listings, agents)
- Add CSRF token to web-vitals POST requests
- Fix: 401 Unauthorized on all authenticated API calls from web app
- Fix: CSRF token missing on POST requests from different port
- Fix: params.locale sync access warning in generateMetadata

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>

apps/web/app/[locale]/(public)/listings/[id]/page.tsx

@@ -26,10 +26,11 @@ function getLabel(list: readonly { value: string; label: string }[], value: stri
 // ---------------------------------------------------------------------------
 
 interface PageProps {
-  params: { locale: string; id: string };
+  params: Promise<{ locale: string; id: string }>;
 }
 
-export async function generateMetadata({ params }: PageProps): Promise<Metadata> {
+export async function generateMetadata({ params: paramsPromise }: PageProps): Promise<Metadata> {
+  const params = await paramsPromise;
   const listing = await fetchListingById(params.id);
   if (!listing) {
     return { title: 'Kh\u00f4ng t\u00ecm th\u1ea5y tin \u0111\u0103ng' };
@@ -92,7 +93,8 @@ export async function generateMetadata({ params }: PageProps): Promise<Metadata>
 // Page (Server Component)
 // ---------------------------------------------------------------------------
 
-export default async function PublicListingDetailPage({ params }: PageProps) {
+export default async function PublicListingDetailPage({ params: paramsPromise }: PageProps) {
+  const params = await paramsPromise;
   const listing = await fetchListingById(params.id);
 
   if (!listing) {