feat: PKCE auth + CI/CD deploy

- Frontend: PKCE flow (oauth.js, api.js centralized, cookie-based AuthContext)
- Backend: token introspection, cookies httpOnly, refresh endpoint
- Replaced localStorage JWT with httpOnly session cookies
- useSaveSync migrated to cookie auth
- cookie-parser added
- Gitea CI workflow (vps-runner pattern)

Backend/.env.sample

@@ -3,6 +3,7 @@
 # Application Configuration
 APP_PORT=3310
 APP_SECRET=YOUR_APP_SECRET_KEY
+NODE_ENV=development
 
 # Database Configuration
 DB_HOST=localhost
@@ -13,3 +14,9 @@ DB_NAME=YOUR_DATABASE_NAME
 
 # Frontend URL (for CORS configuration)
 FRONTEND_URL=http://localhost:3000
+
+# SuperOAuth — service externe d'authentification (introspection, pas de secret JWT)
+SUPER_OAUTH_URL=https://superoauth.tetardtek.com
+
+# Cookie signing secret
+COOKIE_SECRET=