fix: evita refrescar cookie durante /api/logout y limpia cookie

Co-authored-by: aider (openrouter/openai/gpt-5) <aider@aider.chat>

apps/web/src/hooks.server.ts

@@ -9,6 +9,7 @@ function toIsoSql(d: Date): string {
 
 export const handle: Handle = async ({ event, resolve }) => {
 	// Sesión por cookie 'sid'
+	const isLogout = event.url.pathname === '/api/logout' || event.url.pathname.startsWith('/api/logout/');
 	const sid = event.cookies.get('sid');
 	if (sid) {
 		try {
@@ -48,17 +49,19 @@ export const handle: Handle = async ({ event, resolve }) => {
 					} catch {}
 				}
 
-				// Refrescar cookie (idle)
-				event.cookies.set('sid', sid, {
-					path: '/',
-					httpOnly: true,
-					sameSite: 'lax',
-					secure: isProd(),
-					maxAge: Math.floor(sessionIdleTtlMs / 1000)
-				});
+				// Refrescar cookie (idle) excepto durante /api/logout
+				if (!isLogout) {
+					event.cookies.set('sid', sid, {
+						path: '/',
+						httpOnly: true,
+						sameSite: 'lax',
+						secure: isProd(),
+						maxAge: Math.floor(sessionIdleTtlMs / 1000)
+					});
+				}
 			} else {
 				// Sesión inválida/expirada
-				event.cookies.delete('sid', { path: '/' });
+				event.cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax', secure: isProd() });
 			}
 		} catch {
 			// En caso de error de DB, no romper la request; continuar sin sesión

apps/web/src/routes/api/logout/+server.ts

@@ -1,6 +1,7 @@
 import type { RequestHandler } from './$types';
 import { getDb } from '$lib/server/db';
 import { sha256Hex } from '$lib/server/crypto';
+import { isProd } from '$lib/server/env';
 
 export const POST: RequestHandler = async (event) => {
 	const sid = event.cookies.get('sid');
@@ -22,7 +23,7 @@ export const POST: RequestHandler = async (event) => {
 			// Ignorar errores de DB en logout
 		}
 	}
-	// Limpiar cookie
-	event.cookies.delete('sid', { path: '/' });
+	// Limpiar cookie (asegurar mismos atributos que al crearla)
+	event.cookies.delete('sid', { path: '/', httpOnly: true, sameSite: 'lax', secure: isProd() });
 	return new Response(null, { status: 204 });
 };