fix(security): resolve Security-001/002/003 — reachable StartTLS path, Secure cookie, JWT signing key validation

src/ScadaLink.Security/ServiceCollectionExtensions.cs

@@ -20,6 +20,9 @@ public static class ServiceCollectionExtensions
                 options.Cookie.Name = "ScadaLink.Auth";
                 options.Cookie.HttpOnly = true;
                 options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
+                // The cookie carries the embedded JWT (a bearer credential); never
+                // transmit it over plain HTTP. Design: "HttpOnly and Secure (requires HTTPS)".
+                options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
             });
 
         services.AddScadaLinkAuthorization();