30c661a364
Cookies were set with secure flag based solely on NODE_ENV, causing 401 errors when accessing over HTTP with NODE_ENV=production. - Add COOKIE_SECURE env var for explicit control - Auto-detect HTTPS via X-Forwarded-Proto header in production - Extract isSecureCookie() utility to lib/auth/utils.ts - Document COOKIE_SECURE in README and .env.example Fixes #39