perf: reuse locals.session from hook in all remaining routes

Extends the previous loader-only sweep across the full tree: every
remaining `await locals.auth()` now falls back through
`locals.session ?? await locals.auth()`, so the hook's cached result
is reused.

68 files, 107 sites touched — loaders, form actions, and API
endpoints across cospend / tasks / fitness / faith / recipe / admin.
hooks.server.ts is intentionally left alone since it's the originating
call that populates locals.session in the first place.

src/lib/server/middleware/auth.ts

@@ -31,7 +31,7 @@ export interface AuthenticatedUser {
 export async function requireAuth(
 	locals: RequestEvent['locals']
 ): Promise<AuthenticatedUser> {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	if (!session || !session.user?.nickname) {
 		throw json({ error: 'Unauthorized' }, { status: 401 });
@@ -53,7 +53,7 @@ export async function requireGroup(
 	locals: RequestEvent['locals'],
 	group: string
 ): Promise<AuthenticatedUser> {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	if (!session || !session.user?.nickname) {
 		throw json({ error: 'Unauthorized' }, { status: 401 });
@@ -92,7 +92,7 @@ export async function requireGroup(
 export async function optionalAuth(
 	locals: RequestEvent['locals']
 ): Promise<AuthenticatedUser | null> {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	if (!session || !session.user?.nickname) {
 		return null;

src/lib/server/shoppingAuth.ts

@@ -12,7 +12,7 @@ export async function getShoppingUser(
   url: URL
 ): Promise<string | null> {
   // Check session first
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (auth?.user?.nickname) return auth.user.nickname;
 
   // Check share token