Refactor authentication handling and improve API client security

- Updated OAuth endpoints for Challonge and Discord in platforms configuration.
- Implemented session and CSRF cookie initialization in main application entry.
- Enhanced Challonge API client to avoid sending sensitive API keys from the browser.
- Modified tournament querying to handle new state definitions and improved error handling.
- Updated UI components to reflect server-side storage of authentication tokens.
- Improved user experience in API Key Manager and Authentication Hub with clearer messaging.
- Refactored client credentials management to support asynchronous operations.
- Adjusted API client tests to validate new request configurations.
- Updated Vite configuration to support session and CSRF handling through proxies.

code/websites/pokedex.online/src/components/DeveloperTools.vue

@@ -139,7 +139,9 @@ const isOpen = ref(false);
 // 2. JWT authenticated users with developer_tools.view permission
 // 3. Discord authenticated users with developer_tools.view permission
 const isAvailable = computed(() => {
-  const isDev = process.env.NODE_ENV === 'development';
+  // Vite-native dev detection (reliable in the browser).
+  // In production builds, this is always false.
+  const isDev = import.meta.env.DEV === true;
 
   // Check JWT auth permissions
   const hasJwtPermission = user.value?.permissions?.includes(
@@ -154,7 +156,7 @@ const isAvailable = computed(() => {
   return isDev || hasPermission;
 });
 
-const nodeEnv = computed(() => process.env.NODE_ENV || 'unknown');
+const nodeEnv = computed(() => import.meta.env.MODE || 'unknown');
 const appVersion = computed(
   () => import.meta.env.VITE_APP_VERSION || '1.0.0-dev'
 );