fix(admin): fresh SSR reads, atomic user delete + sanitized errors, cookie-rotation in middleware, no-store on admin APIs

app/api/admin/users/route.ts

@@ -1,7 +1,8 @@
-import { NextResponse, type NextRequest } from 'next/server';
+import { type NextRequest } from 'next/server';
 import { requireAdminApi } from '@/lib/auth/admin-guard';
 import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators';
 import { getUsersList } from '@/lib/admin/list';
+import { jsonNoStore } from '@/lib/admin/response';
 
 export const runtime = 'nodejs';
 export const dynamic = 'force-dynamic';
@@ -17,8 +18,9 @@ export async function GET(req: NextRequest) {
 
   try {
     const { users, total } = await getUsersList({ page, perPage, search });
-    return NextResponse.json({ users, total, page, perPage });
+    return jsonNoStore({ users, total, page, perPage });
   } catch (e) {
-    return NextResponse.json({ error: (e as Error).message }, { status: 500 });
+    console.error('admin users list failed', e);
+    return jsonNoStore({ error: 'internal error' }, { status: 500 });
   }
 }