fix: TLS verification, cookie hardening, and proxy transport (#7)

- Renamed _ssl_ctx to _internal_ssl_ctx (explicitly scoped to internal services)
- Image proxy now uses default SSL context (TLS verification enabled for external URLs)
- Logout cookie clearing now includes HttpOnly, Secure, SameSite=Lax
- proxy.py still uses internal context (Docker services have no valid certs)

Closes #7

gateway/integrations/image_proxy.py

@@ -5,7 +5,7 @@ Platform Gateway — Image proxy with domain allowlist.
 import urllib.request
 import urllib.parse
 
-from config import _ssl_ctx
+# No custom SSL context — external URLs use default TLS verification
 
 ALLOWED_IMAGE_DOMAINS = {
     "i.redd.it",
@@ -59,7 +59,7 @@ def handle_image_proxy(handler):
             "Accept": "image/*,*/*",
             "Referer": parsed.scheme + "://" + parsed.netloc + "/",
         })
-        resp = urllib.request.urlopen(req, timeout=10, context=_ssl_ctx)
+        resp = urllib.request.urlopen(req, timeout=10)
         body = resp.read()
         ct = resp.headers.get("Content-Type", "image/jpeg")
         # Only serve actual image content types