feat(clerk-js): Send previous token and force_origin on /tokens requests

Two changes to Session.#createTokenResolver():

1. Send the current session JWT as `token` in the POST body on
   non-template /tokens requests. This lets the FAPI Proxy forward it
   to Session Minter for claim cloning without a DB read.

2. Send `force_origin=true` in the query string when skipCache is true.
   This tells the FAPI Proxy to route directly to origin instead of
   Session Minter, preserving the skipCache contract of always returning
   authoritative DB-minted tokens.

Author: nikosdouvlis

packages/clerk-js/src/core/resources/Session.ts

@@ -480,10 +480,19 @@ export class Session extends BaseResource implements SessionResource {
   ): Promise<TokenResource> {
     const path = template ? `${this.path()}/tokens/${template}` : `${this.path()}/tokens`;
     // TODO: update template endpoint to accept organizationId
-    const params: Record<string, string | null> = template ? {} : { organizationId: organizationId ?? null };
+    const params: Record<string, string | null> = template
+      ? {}
+      : {
+          organizationId: organizationId ?? null,
+          ...(this.lastActiveToken ? { token: this.lastActiveToken.getRawString() } : {}),
+        };
     const lastActiveToken = this.lastActiveToken?.getRawString();
 
-    const tokenResolver = Token.create(path, params, skipCache ? { debug: 'skip_cache' } : undefined).catch(e => {
+    const tokenResolver = Token.create(
+      path,
+      params,
+      skipCache ? { debug: 'skip_cache', force_origin: 'true' } : undefined,
+    ).catch(e => {
       if (MissingExpiredTokenError.is(e) && lastActiveToken) {
         return Token.create(path, { ...params }, { expired_token: lastActiveToken });
       }