fix: proxy API through nginx to fix cross-domain cookie issues

Brave and other privacy-focused browsers block third-party cookies.
Instead of cross-domain requests from app.thenetwork to api.thenetwork,
nginx now proxies /api/* to the backend, making everything same-origin.

nginx.conf

@@ -4,6 +4,16 @@ server {
     root /usr/share/nginx/html;
     index index.html;
 
+    # Proxy API requests to backend (same-origin = no cookie issues in Brave etc.)
+    location /api/ {
+        proxy_pass https://api.thenetwork.donovankelly.xyz/api/;
+        proxy_set_header Host api.thenetwork.donovankelly.xyz;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_ssl_server_name on;
+    }
+
     location / {
         try_files $uri $uri/ /index.html;
     }

src/lib/api.ts

@@ -1,12 +1,10 @@
 import type { Profile, Client, ClientCreate, ClientNote, Event, EventCreate, Email, EmailGenerate, User, Invite, ActivityItem, InsightsData, ImportPreview, ImportResult, NetworkMatch, NetworkStats, Notification, Interaction, BulkEmailResult, EmailTemplate, EmailTemplateCreate, ClientSegment, SegmentFilters, FilterOptions, AuditLogsResponse, MeetingPrep, CommunicationStyle } from '@/types';
 
-const API_BASE = import.meta.env.PROD
-  ? 'https://api.thenetwork.donovankelly.xyz/api'
-  : '/api';
+// Always use same-origin paths — nginx proxies /api/* to the backend
+// This avoids cross-domain cookie issues in Brave and other privacy browsers
+const API_BASE = '/api';
 
-const AUTH_BASE = import.meta.env.PROD
-  ? 'https://api.thenetwork.donovankelly.xyz'
-  : '';
+const AUTH_BASE = '';
 
 const TOKEN_KEY = 'network-auth-token';