Fix CSRF cookie Secure flag for localhost development

- Changed hardcoded secure:true to req.secure || req.protocol === 'https'
- Allows CSRF cookies to work over HTTP on localhost
- Still enforces secure flag for HTTPS connections
- Enables OpenClaw programmatic API access

dashcaddy-api/csrf-protection.js

@@ -65,7 +65,7 @@ function csrfCookieMiddleware(req, res, next) {
   // Set cookie with the nonce (SameSite=Strict for additional protection)
   res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
     httpOnly: false, // Must be readable by JavaScript for signing
-    secure: true,
+    secure: req.secure || req.protocol === 'https', // Only secure in HTTPS
     sameSite: 'strict',
     path: '/',
     maxAge: 24 * 60 * 60 * 1000 // 24 hours