fix: resolve Starlette cookie deprecation warnings

Set cookies on client instance instead of passing per-request to avoid
the deprecation warning about ambiguous cookie persistence behavior.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

tests/test_web_app.py

@@ -127,6 +127,7 @@ class TestAppWithTestClient:
     def test_csrf_with_valid_tokens_succeeds(self, client):
         """POST with matching CSRF tokens proceeds."""
         csrf_token = "test-csrf-token-123"
+        client.cookies.set("csrf_token", csrf_token)
         resp = client.post(
             "/",
             headers={
@@ -134,7 +135,6 @@ class TestAppWithTestClient:
                 "X-CSRF-Token": csrf_token,
                 "Origin": "http://testserver",
             },
-            cookies={"csrf_token": csrf_token},
         )
         # Should get through CSRF check (200 or 405 if method not allowed)
         # The key is it shouldn't be 403 CSRF error