Remove deprecated FirestoreAuthStrategy and POST /session endpoint #382

@bpowers

Description

The FirestoreAuthStrategy class and POST /session endpoint in src/server/authn.ts are preserved with a DEPRECATED comment after the server-side auth migration. The comment at line 296 reads:

DEPRECATED: Use /auth/login instead. This endpoint exists for backward compatibility with existing mobile apps and will be removed in a future release.

This legacy code should be removed once all clients have migrated to the new auth endpoints (/auth/login, etc.).

Why it matters

  • Maintainability: Keeping deprecated auth code increases the surface area for security-sensitive logic that must be reviewed and maintained.
  • Developer experience: New contributors may be confused about which auth path is canonical.
  • Code hygiene: Dead code paths accumulate risk and obscure the intended architecture.

Component(s) affected

  • src/server/authn.ts -- FirestoreAuthStrategy class (line 63) and POST /session route setup (line 296)

Possible approach

  1. Confirm all clients (web app, any mobile apps) use the new /auth/login endpoint.
  2. Remove FirestoreAuthStrategy class and the POST /session passport route registration.
  3. Remove any associated test code or middleware that only serves the legacy endpoint.

Context

Identified during review of the server-side-auth branch migration work.
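
For step 1 of the approach above, one way to confirm that no client still calls the legacy route is to audit access logs before deleting it. The following is an added example, not code from the repository; the combined log format, the names `auditAuthTraffic` and `safeToRemove`, and the sample log lines are assumptions.

```typescript
// Added example, not repository code. Assumptions: access logs use the
// "combined" format and the routes are logged as /session and /auth/login.
const LINE_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

interface AuthTrafficReport {
  legacyHits: number;                 // POST /session requests seen
  newHits: number;                    // POST /auth/login requests seen
  legacyByAgent: Map<string, number>; // which clients still call the old route
  lastLegacySeen: string | null;      // timestamp of the latest legacy call
  unparsed: number;                   // lines that did not match the format
}

function auditAuthTraffic(lines: string[]): AuthTrafficReport {
  const report: AuthTrafficReport =
    { legacyHits: 0, newHits: 0, legacyByAgent: new Map(), lastLegacySeen: null, unparsed: 0 };
  for (const raw of lines) {
    const line = raw.trim();
    if (line === "") continue;
    const m = LINE_RE.exec(line);
    if (m === null) { report.unparsed++; continue; } // count, never drop silently
    const when = m[2] ?? "", method = m[3] ?? "", url = m[4] ?? "", agent = m[6] ?? "";
    // Match on the path only, so "/session?x=1" and "/session/" still count.
    const path = (url.split("?")[0] ?? "").replace(/\/+$/, "") || "/";
    if (method.toUpperCase() !== "POST") continue;
    if (path === "/session") {
      report.legacyHits++;
      report.legacyByAgent.set(agent, (report.legacyByAgent.get(agent) ?? 0) + 1);
      report.lastLegacySeen = when; // input is assumed to be chronological
    } else if (path === "/auth/login") {
      report.newHits++;
    }
  }
  return report;
}

// Removal is justified only if no legacy call was seen and no line was skipped.
function safeToRemove(r: AuthTrafficReport): boolean {
  return r.legacyHits === 0 && r.unparsed === 0;
}

// Constructed sample lines (documentation IP range, invented client names).
const SAMPLE_LOG: string[] = [
  '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /auth/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Jan/2025:10:02:13 +0000] "POST /session HTTP/1.1" 200 480 "-" "ExampleMobileApp/1.4"',
  '203.0.113.9 - - [10/Jan/2025:10:05:40 +0000] "POST /session?next=%2F HTTP/1.1" 401 90 "-" "ExampleMobileApp/1.4"',
  '203.0.113.7 - - [10/Jan/2025:10:06:00 +0000] "GET /session HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  'truncated line',
];
```

Run `auditAuthTraffic` over a log window long enough to cover infrequently used clients; the per-agent counts identify which client builds still need migrating.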
