- Replace httpOnly cookies with localStorage + Authorization headers
- SSOClient: Add token storage methods, update all auth endpoints
- Auth controller: Return sessionId in response, read from headers
- Remove CookieConfig (no longer needed)
- Update privacy policy: "no cookies" messaging

Cross-origin cookie restrictions made this necessary for
multi-domain SSO flows.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>