fix(admin): fresh SSR reads, atomic user delete + sanitized errors, cookie-rotation in middleware, no-store on admin APIs

app/api/admin/tunnels/[id]/route.ts

@@ -1,9 +1,10 @@
-import { NextResponse, type NextRequest } from 'next/server';
+import { type NextRequest } from 'next/server';
 import { requireAdminApi } from '@/lib/auth/admin-guard';
 import { getSupabaseAdmin } from '@/lib/supabase/admin';
 import { logAdminAction } from '@/lib/auth/audit';
 import { isUuid } from '@/lib/admin/validators';
 import { redisSet } from '@/lib/redis';
+import { jsonNoStore } from '@/lib/admin/response';
 
 export const runtime = 'nodejs';
 export const dynamic = 'force-dynamic';
@@ -17,7 +18,7 @@ export async function DELETE(
 
   const { id } = params;
   if (!isUuid(id)) {
-    return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 });
+    return jsonNoStore({ error: 'invalid tunnel id' }, { status: 400 });
   }
 
   const admin = getSupabaseAdmin();
@@ -28,10 +29,11 @@ export async function DELETE(
     .select('subdomain')
     .maybeSingle<{ subdomain: string }>();
   if (error) {
-    return NextResponse.json({ error: error.message }, { status: 500 });
+    console.error('admin tunnel.delete failed', error);
+    return jsonNoStore({ error: 'internal error' }, { status: 500 });
   }
   if (!data) {
-    return NextResponse.json({ error: 'tunnel not found' }, { status: 404 });
+    return jsonNoStore({ error: 'tunnel not found' }, { status: 404 });
   }
 
   // Best-effort live kill-switch.
@@ -44,5 +46,5 @@ export async function DELETE(
     details: { subdomain: data.subdomain },
   });
 
-  return NextResponse.json({ ok: true });
+  return jsonNoStore({ ok: true });
 }