fix: TLS verification, cookie hardening, and proxy transport (#7)

- Renamed _ssl_ctx to _internal_ssl_ctx (explicitly scoped to internal services)
- Image proxy now uses default SSL context (TLS verification enabled for external URLs)
- Logout cookie clearing now includes HttpOnly, Secure, SameSite=Lax
- proxy.py still uses internal context (Docker services have no valid certs)

Closes #7

gateway/config.py

@@ -62,7 +62,11 @@ SESSION_MAX_AGE = int(os.environ.get("SESSION_MAX_AGE", 30 * 86400))  # 30 days
 # ── Ensure data dir exists ──
 DATA_DIR.mkdir(parents=True, exist_ok=True)
 
-# ── Shared SSL context (skip verification for internal services) ──
-_ssl_ctx = ssl.create_default_context()
-_ssl_ctx.check_hostname = False
-_ssl_ctx.verify_mode = ssl.CERT_NONE
+# ── SSL contexts ──
+# Internal: skip verification for Docker-internal services (no valid certs)
+_internal_ssl_ctx = ssl.create_default_context()
+_internal_ssl_ctx.check_hostname = False
+_internal_ssl_ctx.verify_mode = ssl.CERT_NONE
+
+# Legacy alias — to be removed once all callers are updated
+_ssl_ctx = _internal_ssl_ctx