feat(auth): auto-login after onboarding, consolidate session cookies

- Extract session cookie issuance into sessionCookies.ts helper; remove
  duplicated COOKIE_BASE blocks from login, register, oauth callback/authorize,
  refresh handler, hooks.server.ts, and onboarding.
- Derive cookie secure flag from ORIGIN (https://...) instead of NODE_ENV so
  plain-HTTP production deploys don't silently drop cookies.
- Auto-login admin after onboarding completes; UI does a full reload so
  hooks.server.ts picks up the new session.
- Harden onboarding: reject duplicate admin creation, flip onboardingComplete
  atomically to prevent concurrent completions, error out if no admin found.
- Fix Dockerfile CMD operator precedence: node build now always runs after
  migrate deploy || db push.
- Wire ORIGIN env through docker-compose.

src/lib/components/onboarding/OnboardingWizard.svelte

@@ -157,8 +157,9 @@
 						break;
 					}
 
-					// Redirect to login page
-					goto('/login');
+					// Auto-logged in via cookies. Use a full navigation (not goto) so
+					// hooks.server.ts re-runs and populates locals.user from the new cookies.
+					window.location.href = '/';
 					break;
 				}
 			}