MVP ready to test

src/lib/cookieConfig.ts

@@ -19,14 +19,15 @@ export function getAuthCookieOptions() {
 
 /**
  * Get cookie options for CSRF tokens
- * Note: httpOnly is false so client-side JavaScript can read the token
+ * Note: httpOnly is false so the client can read it, but we verify via double-submit pattern
  */
 export function getCsrfCookieOptions() {
   return {
-    httpOnly: false, // Client needs to read this token
+    httpOnly: false, // Client needs to read this token for the header
     secure: isProduction, // HTTPS only in production
     sameSite: 'lax' as const,
     maxAge: 60 * 60 * 24, // 24 hours
+    path: '/', // Available on all paths
   };
 }