fix: get all Set-Cookie headers and strip attributes

ClassCharts returns two cookies on login:
- cc-session
- parent_session_credentials

Two bugs were fixed:

1. response.headers.get('set-cookie') only returns the first cookie
   Fix: use getSetCookie() to get ALL Set-Cookie headers

2. authCookies was storing full Set-Cookie header values (with path,
   HttpOnly, Secure attributes) which breaks the Cookie header
   Fix: extract only name=value portion: h.split(';')[0].trim()

3. Cookie header join used ';' instead of '; ' (missing space)
   Fix: use '; ' as per RFC 7230

src/core/parentClient.ts

@@ -61,11 +61,23 @@ export class ParentClient extends BaseClient {
 			);
 		}
 
-		const cookies = String(response.headers.get("set-cookie"));
+		// Get ALL Set-Cookie headers (get() only returns the first one!)
-		// this.authCookies = cookies.split(";");
+		const setCookieHeaders = response.headers.getSetCookie();
-		const sessionCookies = parseCookies(cookies);
+		if (!setCookieHeaders || setCookieHeaders.length < 2) {
+			await response.body?.cancel();
+			throw new Error("Unauthenticated: Missing Set-Cookie headers");
+		}
+
+		// Parse both cookies
+		const cookie1 = parseCookies(setCookieHeaders[0]);
+		const cookie2 = parseCookies(setCookieHeaders[1]);
+
+		// Store only the name=value portion of each Set-Cookie header
+		this.authCookies = setCookieHeaders.map((h) => h.split(";")[0].trim());
+
+		// Get session ID from parent_session_credentials cookie
 		const sessionID = JSON.parse(
-			String(sessionCookies.parent_session_credentials),
+			String(cookie1.parent_session_credentials || cookie2.parent_session_credentials),
 		);
 		this.sessionId = sessionID.session_id;
 		this.pupils = await this.getPupils();