fix: set refresh token (not access token) in HttpOnly cookie

The login endpoint was incorrectly storing the access token in the
refresh_token cookie. This caused silent refresh to fail after page
reload since the short-lived access token couldn't be used for refresh.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/core-service/src/core/auth/auth.controller.ts

@@ -45,7 +45,7 @@ export class AuthController {
 
     // Refresh-Token als HttpOnly Cookie setzen (NICHT im localStorage!)
     // Regel: Kein localStorage fuer Tokens
-    this.setRefreshTokenCookie(res, result.accessToken);
+    this.setRefreshTokenCookie(res, result.refreshToken);
 
     return {
       accessToken: result.accessToken,

packages/core-service/src/core/auth/auth.service.ts

@@ -21,6 +21,7 @@ interface TokenPair {
 
 interface LoginResponse {
   accessToken: string;
+  refreshToken: string;
   user: {
     id: string;
     email: string;
@@ -151,6 +152,7 @@ export class AuthService {
 
     return {
       accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
       user: {
         id: user.id,
         email: user.email,