- Cookie Secure flag now uses req.secure (respects trust proxy +
X-Forwarded-Proto) instead of NODE_ENV. Works correctly over both
HTTP (local dev) and HTTPS (production tunnel).
- SameSite=Strict over HTTPS, SameSite=Lax over HTTP (browsers reject
Strict cookies over plain HTTP).
- Un-track generated nginx/conf.d/api.conf and services.conf (gitignored,
regenerated from templates at startup).
- Update CLAUDE.md: ENCRYPTION_KEY now required in all environments.
Bunker Admin
bunker-admin
0fc9ea80bf