fix(admin): fresh SSR reads, atomic user delete + sanitized errors, cookie-rotation in middleware, no-store on admin APIs

app/api/admin/tunnels/[id]/regenerate-token/route.ts

@@ -1,9 +1,10 @@
-import { NextResponse, type NextRequest } from 'next/server';
+import { type NextRequest } from 'next/server';
 import { randomBytes } from 'node:crypto';
 import { requireAdminApi } from '@/lib/auth/admin-guard';
 import { getSupabaseAdmin } from '@/lib/supabase/admin';
 import { logAdminAction } from '@/lib/auth/audit';
 import { isUuid } from '@/lib/admin/validators';
+import { jsonNoStore } from '@/lib/admin/response';
 
 export const runtime = 'nodejs';
 export const dynamic = 'force-dynamic';
@@ -17,7 +18,7 @@ export async function POST(
 
   const { id } = params;
   if (!isUuid(id)) {
-    return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 });
+    return jsonNoStore({ error: 'invalid tunnel id' }, { status: 400 });
   }
 
   const token = randomBytes(32).toString('hex');
@@ -30,10 +31,11 @@ export async function POST(
     .select('subdomain, token')
     .maybeSingle<{ subdomain: string; token: string }>();
   if (error) {
-    return NextResponse.json({ error: error.message }, { status: 500 });
+    console.error('admin tunnel.regenerate_token failed', error);
+    return jsonNoStore({ error: 'internal error' }, { status: 500 });
   }
   if (!data) {
-    return NextResponse.json({ error: 'tunnel not found' }, { status: 404 });
+    return jsonNoStore({ error: 'tunnel not found' }, { status: 404 });
   }
 
   await logAdminAction(auth.user, {
@@ -43,5 +45,5 @@ export async function POST(
     details: { subdomain: data.subdomain },
   });
 
-  return NextResponse.json({ ok: true, token: data.token });
+  return jsonNoStore({ ok: true, token: data.token });
 }