fix(auth): use token.sid to avoid Auth.js jti claim conflict

Auth.js v5 manages token.jti internally and overwrites it after the jwt
callback. Storing our session UUID in token.sid ensures the value we
persist in active_sessions matches what the signed cookie carries.

- jwt callback: token.sid = jti (was token.jti)
- session callback: read from token.sid
- signOut event: falls back to token.jti for backward compat with any
  sessions created before this change

Also adds Playwright dev-system test suite (playwright.dev.config.ts +
e2e/dev-system/) that validates login, session registry health, and
RBAC enforcement against the running localhost:3100 dev server.

Co-Authored-By: claude-flow <ruv@ruv.net>

apps/web/playwright.dev.config.ts

@@ -0,0 +1,36 @@
+/**
+ * Playwright configuration for running E2E tests against the LIVE dev server.
+ *
+ * Unlike the default playwright.config.ts (which spins up a dedicated test
+ * server with isolated test data), this config targets the already-running
+ * dev server at localhost:3100 and exercises real dev-DB data.
+ *
+ * Usage:
+ *   pnpm --filter @capakraken/web exec playwright test --config playwright.dev.config.ts
+ *
+ * Prerequisites:
+ *   - Dev server running: pnpm run dev  (or docker compose up)
+ *   - Dev DB seeded with planarchy.dev seed users
+ */
+import { defineConfig, devices } from "@playwright/test";
+
+export default defineConfig({
+  testDir: "./e2e/dev-system",
+  fullyParallel: false,
+  forbidOnly: !!process.env["CI"],
+  retries: 0,
+  workers: 1,
+  reporter: "list",
+  use: {
+    baseURL: "http://localhost:3100",
+    trace: "on-first-retry",
+    screenshot: "only-on-failure",
+  },
+  projects: [
+    {
+      name: "chromium",
+      use: { ...devices["Desktop Chrome"] },
+    },
+  ],
+  // No webServer block — the dev server must already be running
+});