
fix: fix session JWT validation for local email/password users

- createSessionToken: use fallback values so appId/name are never empty
  (VITE_APP_ID is not set in production for local deployments)
- verifySession: only require openId; appId and name are optional for
  local users — previously empty appId caused every auth check to fail

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Tony T 1 semana atrás
pai
commit
99cad630f0
1 arquivos alterados com 7 adições e 10 exclusões
  1. 7 10
      server/_core/sdk.ts

+ 7 - 10
server/_core/sdk.ts

@@ -171,8 +171,8 @@ class SDKServer {
     return this.signSession(
       {
         openId,
-        appId: ENV.appId,
-        name: options.name || "",
+        appId: ENV.appId || "local",  // fallback so JWT payload is never empty
+        name: options.name || openId,  // fallback so name is never empty
       },
       options
     );
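Review bot: The `"local"` fallback on the `appId` line means every deployment running without `ENV.appId` signs tokens with the same constant claim, so the claim no longer tells one installation from another. If the signing secret is ever shared or left at a default across such deployments (not visible here), a session minted on one would look identical on another; consider failing at startup when no app id is configured, or taking the fallback from a per-deployment setting instead of a literal. Separately, `name: options.name || openId` copies the subject identifier into the display name, so it is worth confirming what `openId` holds for local email/password users before it reaches any UI or log. The enclosing method starts and ends outside the hunk.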
@@ -212,19 +212,16 @@ class SDKServer {
       });
       const { openId, appId, name } = payload as Record<string, unknown>;
 
-      if (
-        !isNonEmptyString(openId) ||
-        !isNonEmptyString(appId) ||
-        !isNonEmptyString(name)
-      ) {
-        console.warn("[Auth] Session payload missing required fields");
+      // Only openId is required; appId/name may be empty for local users
+      if (!isNonEmptyString(openId)) {
+        console.warn("[Auth] Session payload missing openId");
         return null;
       }
 
       return {
         openId,
-        appId,
-        name,
+        appId: typeof appId === "string" ? appId : "",
+        name: typeof name === "string" ? name : "",
       };
     } catch (error) {
       console.warn("[Auth] Session verification failed", String(error));
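Review bot: With the new `if (!isNonEmptyString(openId))` guard, a validly signed token is accepted whatever its `appId` is, or with none at all, and nothing visible compares the claim with the configured value. Because the signing side now always writes a non-empty `appId`, the relaxation is only needed for tokens issued before this commit, so I would keep the claim bound wherever an app id is configured, e.g. `if (ENV.appId && appId !== ENV.appId) { console.warn("[Auth] Session appId mismatch"); return null; }`. The added comment `appId/name may be empty for local users` no longer matches what the first hunk signs, and callers can now receive `""` for both fields, which should be stated on the return type. The function body starts and ends outside the hunk.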