Harden auth and outbound admin surfaces

frontend/app/signup/page.tsx

@@ -106,6 +106,7 @@ function SignupPageContent() {
       const response = await fetch(`${baseUrl}/auth/signup`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
+        credentials: 'include',
         body: JSON.stringify({
           invite_code: inviteCode,
           username: username.trim(),
@@ -117,12 +118,12 @@ function SignupPageContent() {
         throw new Error(text || 'Sign-up failed')
       }
       const data = await response.json()
-      if (data?.access_token) {
-        setToken(data.access_token)
+      if (data?.authenticated) {
+        setToken('cookie')
         window.location.href = '/'
         return
       }
-      throw new Error('Sign-up did not return a token')
+      throw new Error('Sign-up did not complete')
     } catch (err) {
       console.error(err)
       setError(err instanceof Error ? err.message : 'Unable to create account.')