Replace IDP token passthrough with backend-issued JWT for iOS auth

iOS clients now exchange the OIDC authorization code for a backend-signed
HS256 JWT via POST /auth/token. All subsequent API requests authenticate
using this JWT as a Bearer token, verified locally — no per-request IDP
call is needed. Web frontend session-cookie auth is unchanged.
2026-02-19 18:45:03 +01:00
parent 1ca76b0fec
commit 946cd35832
10 changed files with 662 additions and 85 deletions


@@ -15,6 +15,7 @@
"dotenv": "^17.3.1",
"express": "^4.18.2",
"express-session": "^1.17.3",
"jsonwebtoken": "^9.0.3",
"openid-client": "^5.6.1",
"zod": "^3.22.4"
},
@@ -22,6 +23,7 @@
"@types/cors": "^2.8.17",
"@types/express": "^4.17.21",
"@types/express-session": "^1.17.10",
"@types/jsonwebtoken": "^9.0.10",
"@types/node": "^25.2.3",
"prisma": "^6.19.2",
"tsx": "^4.7.0",