fix(security): mark auth cookies Secure outside localhost

The user and logout cookies were set with secure:false, so the AniList
tokens the user cookie carries could traverse plaintext HTTP. Drop the
override and let SvelteKit's default apply (Secure everywhere except
http://localhost), giving Secure in production and on https://due.localhost
while keeping plain-http local dev working. httpOnly is unchanged (the
client reads the token from layout data; tightening that is tracked
separately as the architectural part of C2).

0 files changed, 0 insertions, 0 deletions