Flow notes

Simple browser auth, no SSR required.

1. Browser posts credentials to `POST /api/web-auth/login`.

2. API returns an access token and sets the refresh cookie.

3. Frontend keeps the access token in memory and uses it for protected API calls.

4. After reload, the auth provider calls `POST /api/web-auth/refresh` to silently rebuild the session.
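
The four steps above as a minimal browser client, added here as an illustration and not taken from the project's own code. The two endpoints are the ones named in the notes; the `accessToken` response field, the `username`/`password` body fields and the injected `fetchImpl` parameter are assumptions.

```javascript
// Added example, not the project's code. Endpoints come from the flow notes;
// the `accessToken` field, body field names and `fetchImpl` are assumptions.
function createAuthClient(fetchImpl, base = '') {
  let accessToken = null;   // memory only: never localStorage/sessionStorage
  let refreshing = null;    // single-flight guard for concurrent refreshes

  async function postJson(path, body) {
    const res = await fetchImpl(base + path, {
      method: 'POST',
      credentials: 'include', // browser stores/sends the HTTP-only refresh cookie
      headers: { 'Content-Type': 'application/json' },
      body: body ? JSON.stringify(body) : undefined,
    });
    if (!res.ok) throw new Error(`${path} failed: ${res.status}`);
    return res.json();
  }

  // Steps 1-2: post credentials, keep the returned access token in the closure.
  async function login(username, password) {
    ({ accessToken } = await postJson('/api/web-auth/login', { username, password }));
  }

  // Step 4: called by the auth provider after reload, and on a 401 from the API.
  function refresh() {
    if (!refreshing) {
      refreshing = postJson('/api/web-auth/refresh')
        .then((data) => { accessToken = data.accessToken; })
        .catch((err) => { accessToken = null; throw err; })
        .finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  // Step 3: protected call with the in-memory token.
  async function apiFetch(path, init = {}, retried = false) {
    if (!accessToken) await refresh();
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${accessToken}` };
    const res = await fetchImpl(base + path, { ...init, headers });
    if (res.status === 401 && !retried) {   // token rejected: refresh once, retry once
      accessToken = null;
      return apiFetch(path, init, true);
    }
    return res;
  }

  return { login, refresh, apiFetch, isAuthenticated: () => accessToken !== null };
}
```

Pass the browser's `fetch` as `fetchImpl` and call `refresh()` once when the auth provider mounts; a rejected refresh means there is no valid refresh cookie and the sign-in form should be shown.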

JWT sign-in

Access your account desk.

Access tokens stay client-side in memory. Refresh tokens stay in an HTTP-only cookie and silently restore the session after reload.