docs(auth): add SSO documentation and test credentials

- Document cross-domain SSO with COOKIE_DOMAIN configuration
- Add production test credentials for automated testing
- Explain cookie-based SSO flow across *.mana.how subdomains

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/matrix/CLAUDE.md

@@ -2,6 +2,8 @@
 
 Secure Matrix messaging client - a bridge to decentralized communication.
 
+**Production URL:** https://link.mana.how
+
 ## Project Overview
 
 Manalink is a privacy-focused Matrix client built with SvelteKit. It connects to Matrix homeservers (default: matrix.mana.how) and supports PWA installation for mobile devices.
@@ -159,6 +161,15 @@ No environment variables required for basic usage. The client stores credentials
 
 The login page defaults to `matrix.mana.how` but any Matrix homeserver can be used.
 
+### Test Account
+
+For testing the SSO login flow:
+- **Email:** t@t.de
+- **Password:** test1234
+- **Auth URL:** https://auth.mana.how
+- **Matrix Homeserver:** matrix.mana.how
+- **Web Client:** https://link.mana.how
+
 ## Matrix SDK Notes
 
 ### Browser Polyfills
@@ -205,6 +216,20 @@ if (browser) {
 
 ## Troubleshooting
 
+### Can't see the login page / stuck on loading
+
+The app auto-logs in if credentials are stored in localStorage. To reset:
+
+1. **Browser console method:**
+   ```javascript
+   localStorage.removeItem('matrix_credentials');
+   location.reload();
+   ```
+
+2. **Direct URL:** Navigate to `https://link.mana.how/login` directly
+
+3. **If logged in:** Use the logout button in settings or navigation
+
 ### "super.off is not a function"
 
 This is a known issue with typed-event-emitter. Make sure polyfills are loaded before any matrix-js-sdk imports.

apps/matrix/apps/web/src/routes/(app)/+layout.svelte

@@ -16,7 +16,7 @@
 	import {
 		isSidebarMode as sidebarModeStore,
 		isNavCollapsed as collapsedStore,
-	} from '$lib/stores/navigation';
+	} from '$lib/stores/navigation.svelte';
 	import { PillNavigation } from '@manacore/shared-ui';
 	import type { PillNavItem, PillDropdownItem } from '@manacore/shared-ui';
 	import { getPillAppItems } from '@manacore/shared-branding';

services/mana-core-auth/CLAUDE.md

@@ -172,7 +172,58 @@ For dynamic data (credits, org info), create API endpoints instead.
 2. Check `auth.users` table exists
 3. Check `auth.accounts` table for credential record
 
-## Testing Auth Flow
+## Cross-Domain SSO
+
+Session cookies are shared across all `*.mana.how` subdomains via `COOKIE_DOMAIN=.mana.how`.
+
+**How it works:**
+1. User logs in on any app (e.g., `calendar.mana.how`)
+2. Session cookie set with `Domain=.mana.how`
+3. User navigates to another app (e.g., `todo.mana.how`)
+4. Browser sends the same cookie → User is already authenticated
+
+**Configuration** (`better-auth.config.ts`):
+```typescript
+advanced: {
+  cookiePrefix: 'mana',
+  crossSubDomainCookies: {
+    enabled: !!process.env.COOKIE_DOMAIN,
+    domain: process.env.COOKIE_DOMAIN,  // '.mana.how' in production
+  },
+}
+```
+
+**Environment Variable:**
+- Production: `COOKIE_DOMAIN=.mana.how`
+- Development: Leave empty (cookies domain-specific)
+
+## Test Credentials (Production)
+
+For automated testing against `auth.mana.how`:
+
+| Field    | Value                      |
+| -------- | -------------------------- |
+| Email    | `claude-test@mana.how`     |
+| Password | `ClaudeTest2024`           |
+| User ID  | `kxMeQZSM1HhdiM1ed5EOQ9z0o0aCiXux` |
+
+**Usage:**
+```bash
+# Login (returns JWT tokens)
+curl -X POST https://auth.mana.how/api/v1/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"email":"claude-test@mana.how","password":"ClaudeTest2024"}'
+
+# Login with cookies (Better Auth native - for SSO testing)
+curl -c cookies.txt -X POST https://auth.mana.how/api/auth/sign-in/email \
+  -H "Content-Type: application/json" \
+  -d '{"email":"claude-test@mana.how","password":"ClaudeTest2024"}'
+
+# Verify cookie has Domain=.mana.how
+cat cookies.txt | grep mana.how
+```
+
+## Testing Auth Flow (Local Development)
 
 ```bash
 # Register