revert(clerk-js): remove cookie write monotonic guard

The cookie write guard at AuthCookieService.updateSessionCookie was
causing integration test failures across handshake, sessions, and
multiple framework matrices. The guard would reject token writes when
oiat+iat matched, but two tokens with identical timestamps can still
differ in OTHER claims (azp added in a recent token-format rollout,
org_id, etc.). Backend then logged 'Session token from cookie is
missing the azp claim' and treated the session as invalid, redirecting
to /sign-in.

The broadcast handler (tokenCache.ts:292) and Session resource
(Session.ts:463, :526) keep the monotonic enforcement at the layers
where it works correctly. The cookie chokepoint was too aggressive.

The cookie path
deserves a guard but with a different shape (e.g., raw-string equality
or signature compare), not the claim-timestamp shape.

Author: nikosdouvlis

packages/clerk-js/src/core/auth/AuthCookieService.ts

@@ -13,13 +13,11 @@ import type { Clerk, InstanceType } from '@clerk/shared/types';
 import { noop } from '@clerk/shared/utils';
 
 import { debugLogger } from '@/utils/debug';
-import { decode } from '@/utils/jwt';
 
 import { clerkMissingDevBrowser } from '../errors';
 import { eventBus, events } from '../events';
 import type { FapiClient } from '../fapiClient';
 import { Environment } from '../resources/Environment';
-import { pickFreshestJwt } from '../tokenFreshness';
 import { createActiveContextCookie } from './cookies/activeContext';
 import type { ClientUatCookieHandler } from './cookies/clientUat';
 import { createClientUatCookie } from './cookies/clientUat';
@@ -196,27 +194,6 @@ export class AuthCookieService {
       return;
     }
 
-    // Monotonic freshness guard: don't regress the cookie within the same session.
-    if (token) {
-      const currentRaw = this.sessionCookie.get();
-      if (currentRaw) {
-        try {
-          const current = decode(currentRaw);
-          const incoming = decode(token);
-          const currentSid = current.claims.sid;
-          const incomingSid = incoming.claims.sid;
-          // Only apply within the same session. Different sessions always allowed.
-          if (currentSid && incomingSid && currentSid === incomingSid) {
-            if (pickFreshestJwt(current, incoming) === current) {
-              return;
-            }
-          }
-        } catch {
-          // If decode fails, allow the write (don't block on malformed tokens)
-        }
-      }
-    }
-
     if (!token && !isValidBrowserOnline()) {
       debugLogger.warn('Removing session cookie (offline)', { sessionId: this.clerk.session?.id }, 'authCookieService');
     }