[fix](trx-frontend-http): warn when auth enabled but cookie_secure is false

Log a startup warning when HTTP auth is active but cookie_secure remains
false, alerting operators that session cookies will be sent unencrypted.

https://claude.ai/code/session_01XzurkeuUmamBuhQwxVy7T4
Signed-off-by: Claude <noreply@anthropic.com>

src/trx-client/trx-frontend/trx-frontend-http/src/server.rs

@@ -32,7 +32,7 @@ use actix_web::{
 use tokio::signal;
 use tokio::sync::{broadcast, mpsc, watch};
 use tokio::task::JoinHandle;
-use tracing::{error, info};
+use tracing::{error, info, warn};
 
 use trx_core::RigRequest;
 use trx_core::RigState;
@@ -208,6 +208,16 @@ fn build_server(
         same_site,
     );
 
+    // Warn operators if auth is enabled but cookie_secure is false,
+    // which means session cookies will be sent over plain HTTP.
+    if auth_config.enabled && !auth_config.cookie_secure {
+        warn!(
+            "HTTP auth is enabled but cookie_secure is false — \
+             session cookies will be sent over unencrypted connections. \
+             Set cookie_secure = true when behind a TLS-terminating proxy."
+        );
+    }
+
     let context_data = web::Data::new(context);
     let auth_state = web::Data::new(AuthState::new(auth_config.clone()));