fix(security): make auth-cookie SecurePolicy configurable for HTTP-only deployments

The cookie SecurePolicy was hard-coded to Always, so the auth cookie was always
marked Secure and the browser never sent it over plain HTTP — making login
impossible on the HTTP-only Docker dev cluster (login succeeded server-side but
every following request was unauthenticated). Add SecurityOptions.RequireHttps-
Cookie (default true — production stays HTTPS-only); when false the cookie uses
SameAsRequest. The docker/ central nodes set it false.

src/ScadaLink.Security/SecurityOptions.cs

@@ -92,4 +92,14 @@ public class SecurityOptions
     /// Minutes before token expiry to trigger refresh.
     /// </summary>
     public int JwtRefreshThresholdMinutes { get; set; } = 5;
+
+    /// <summary>
+    /// When true (default) the authentication cookie is always marked
+    /// <c>Secure</c> (sent only over HTTPS) — the correct production setting,
+    /// since the cookie carries the embedded JWT bearer credential. Set false
+    /// for an HTTP-only deployment such as the local Docker dev cluster: the
+    /// cookie then uses <c>SameAsRequest</c>, so it is still <c>Secure</c> on
+    /// any HTTPS request but is usable over plain HTTP.
+    /// </summary>
+    public bool RequireHttpsCookie { get; set; } = true;
 }