fix: warn when session cookie secret is not configured

[stevenle]

Motivation

• Warn developers when a session cookie is about to be written but server.sessionCookieSecret is not configured so they know sessions may be invalidated across server restarts.

Description

• Added a one-time process-level flag hasWarnedMissingSessionCookieSecret and a check in res.saveSession() that logs a console.warn when req.rootConfig?.server?.sessionCookieSecret is not set; change is in packages/root/src/middleware/session.ts.

Testing

• No automated tests were run for this change.

---

Codex Task

[stevenle]

@jeremydw here's a PR for that issue you were debugging earlier today.

[jeremydw]

LGTM but i think this will appear in the deployed app logs (and not locally in dev mode due to https://github.com/blinkk/rootjs/pull/895/changes) - is that right?

if so maybe we need to log something more prominently since, at least in cloud console's logs viewer, it might be hard to spot that

[stevenle]

it checks the root.config.ts setting explicitly so it should appear in dev afaict

[jeremydw]

ah right - of course. sounds good. this is a good temp fix - we may still want to show a "setup error" on the CMS login page though if it's not configured (to prevent the eng from having to check the logs on first setup)

[stevenle]

agreed, let me work on a warning box for that in a follow-up.