fix(join): use secure: !dev for JSESSIONID cookie to work in local dev

Hardcoded secure: true silently drops the cookie on HTTP (localhost),
causing the post-join redirect to bounce back to /login. Use $app/environment
dev flag so the cookie works in development while remaining Secure in production.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 22:25:48 +02:00
parent 0b182a33fd
commit 230ee5a067
2 changed files with 4 additions and 1 deletions


@@ -1,4 +1,5 @@
import { fail, redirect } from '@sveltejs/kit';
import { dev } from '$app/environment';
import { apiClient } from '$lib/server/api';
import type { Actions, PageServerLoad } from './$types';
@@ -74,7 +75,7 @@ export const actions = {
path: '/',
httpOnly: true,
sameSite: 'lax',
secure: true
secure: !dev
});
}
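Review bot: `secure: !dev` ties the cookie's Secure attribute to the build mode rather than to the transport, so any host served by the dev server, not just localhost, would issue the JSESSIONID cookie without Secure. As far as I know, SvelteKit's `cookies.set` already defaults `secure` to true except on `http://localhost`, so removing the `secure` line altogether should fix local development with a narrower exception; this is worth confirming against the SvelteKit version in use. If the explicit flag stays, a comment such as `// Secure is dropped only under the dev server; production builds always set it` would record the intent. The enclosing `actions` handler starts and ends outside this hunk, so the rest of the cookie handling is not visible here.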


@@ -4,6 +4,8 @@ vi.mock('$env/dynamic/private', () => ({
env: { BACKEND_URL: 'http://localhost:8080' }
}));
vi.mock('$app/environment', () => ({ dev: false }));
const mockGet = vi.fn();
const mockPost = vi.fn();
vi.mock('$lib/server/api', () => ({
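Review bot: The mock pins `dev` to `false`, so this setup only exercises the production branch of `secure: !dev`, and no assertion on the cookie options is visible in this hunk. If one does not already exist further down, an expectation that the options passed to `cookies.set` match `expect.objectContaining({ secure: true, httpOnly: true })` would guard against the flag regressing in production builds. The test file continues outside the hunk, so this may already be covered.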