Phase 13 follow-up demo: a username (any non-empty string, 1-64
chars, no :) mints an HMAC-SHA256 signed cookie
(base64url username:exp payload + hex signature,
joined by .) and stashes it in an
HttpOnly cookie named homura_session.
/chat is gated on that cookie.
No password (yet) — this is a demo of the signed-cookie session flow, not an identity provider. Logout at /logout.