Add a SvelteKit param matcher that rejects reserved route names ("admin",
"login") so direct navigation to /admin works correctly instead of being
captured by the dynamic [cohort_name] route and redirected to /market.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

On full page refresh, kinde.isAuthenticated() returns false, triggering
a login redirect through Kinde. After auth completes, Kinde returns to /
which auto-redirects to /{cohort}/market, losing the original URL. Save
the intended path in sessionStorage before the login redirect and restore
it when landing back on /.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace the manual sessionStorage workaround with Kinde's built-in
mechanism. The PKCE library already saves window.location.href as
appState.kindeOriginUrl when login() is called. By providing an
on_redirect_callback, we can redirect back to the original page
(e.g. /admin) after the OAuth round-trip instead of staying on /
and getting auto-redirected to /{cohort}/market.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

window.location.replace() causes a full page reload which wipes the
Kinde PKCE in-memory token store, restarting the auth flow in a loop.
Instead, save the pre-login path to sessionStorage in the Kinde
on_redirect_callback and let the root +page.svelte restore it via
goto() (client-side navigation that preserves the token store).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Enable is_dangerously_use_local_storage so the refresh token persists
across page reloads. Without this, the Kinde PKCE library stores tokens
only in memory, forcing a full OAuth redirect round-trip on every
refresh. With persistent storage, the library silently refreshes tokens
via a background API call — no redirect, no URL loss.

This replaces the on_redirect_callback + sessionStorage workaround.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>