fix(auth): widen swagger cookie path to /api
The os_swagger session cookie was scoped to /api/admin/docs, but the
admin Tools panel opens Swagger UI at /api/v1/admin/docs/index.html.
The browser refused to send the cookie for that path so the docs
middleware rejected the request with 'swagger session required'.

Widen the cookie path to /api so it's delivered on both the legacy
/api/admin/docs/* and v1 /api/v1/admin/docs/* routes.
revtex committed Apr 28, 2026
commit f5aad222738bf1ce619fcafa7d314785ee87c183
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -119,6 +119,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Fixed

- Swagger UI now opens correctly from the admin Tools panel. The short-lived `os_swagger` session cookie was scoped to `/api/admin/docs`, so the browser refused to send it on the v1 docs URL (`/api/v1/admin/docs/index.html`) and the docs route returned `swagger session required`. The cookie path is now `/api`, covering both legacy and v1 docs routes.
- Lock the primary admin's Allowed Systems selector in the user editor; the first user always has access to every system and the badges are now read-only with all systems shown as allowed.
- Default `audioEncodingPreset` seeded into the settings table is now
`mp3_32k` (matching the dropdown's "(default)" label and the Go
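Review bot: The last sentence of the new `os_swagger` entry ("The cookie path is now `/api`, covering both legacy and v1 docs routes") understates the scope of the change: a cookie with path `/api` is sent on every request under `/api`, not only on the two docs routes. Suggest wording such as "The cookie path is now `/api`, so it is sent with all requests under `/api`, including the legacy and v1 docs routes", so operators reading the changelog see the wider delivery scope.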
4 changes: 3 additions & 1 deletion backend/internal/auth/auth.go
Expand Up @@ -411,7 +411,9 @@ func SetSwaggerCookie(c interface {
value := fmt.Sprintf("%d.%s", expiry, sig)

c.SetSameSite(http.SameSiteStrictMode)
c.SetCookie(SwaggerCookieName, value, maxAge, "/api/admin/docs", "", secure, true)
// Path "/api" so the cookie is sent on both the legacy
// /api/admin/docs/* route and the v1 /api/v1/admin/docs/* route.
c.SetCookie(SwaggerCookieName, value, maxAge, "/api", "", secure, true)
}

// ValidateSwaggerCookie checks that the swagger cookie value is valid and
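Review bot: Path `"/api"` in the new `c.SetCookie(SwaggerCookieName, value, maxAge, "/api", "", secure, true)` call delivers the signed `os_swagger` value to every route under `/api`, which is broader than the two docs prefixes the added comment names. `SetSameSite(http.SameSiteStrictMode)` and the trailing `secure, true` arguments are unchanged, so this is a least-privilege point rather than a change to those flags. Consider setting the cookie twice, once with path `/api/admin/docs` and once with `/api/v1/admin/docs`, so only the docs routes receive it. Whichever path is kept, any code that clears this cookie has to use the same path, and a browser still holding a cookie set with the old `/api/admin/docs` path will keep sending it on the legacy route until it expires.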