
fix: correct session DELETE tautology and HTTP cookie domain interpolation#2535

Merged
oschwartz10612 merged 1 commit into fosrl:dev from Abhinav-kodes:fix-resource-session-delete-cookie
Feb 25, 2026

Conversation

@Abhinav-kodes
Contributor

@Abhinav-kodes Abhinav-kodes commented Feb 25, 2026

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

Two bugs in server/auth/sessions/resource.ts with minimal, surgical fixes.
Changes are limited to two single-line corrections — no architecture changes, no new abstractions.

Closes #2534

Fix 1 — Session DELETE tautology

validateResourceSessionToken was deleting all rows in resourceSessions on any expiry because the WHERE clause compared the column to itself:

// Before — tautology, deletes everything
.where(eq(resourceSessions.sessionId, resourceSessions.sessionId))

// After — targets only the expired session
.where(eq(resourceSessions.sessionId, sessionId))

Fix 2 — HTTP cookie Domain broken template literal

serializeResourceSessionCookie had a missing { in the HTTP path:

// Before — sends literal string "$domain}" to browser
`... Domain=$domain}`

// After — correctly interpolates the domain variable
`... Domain=${domain}`

Testing

  • Verified expired session only deletes itself, not others
  • Verified HTTP resource cookie is correctly scoped to domain

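The following regression check is an added example, not code from the fosrl repository this PR targets. It models the two fixed paths in memory: a session store where the `where` predicate is simulated by a plain `eq` comparison, so the pre-fix tautology (`eq(col, col)`) can be run side by side with the corrected predicate, and a Set-Cookie serializer whose `Domain` attribute is parsed back out and checked for leftover template text. All names (`ResourceSession`, `validateResourceSessionToken`, `serializeResourceSessionCookie`, `cookieDomain`, `domainIsInterpolated`) and the sample sessions are assumptions constructed for this example.

```typescript
// Added example; not the project's code. Names and sample data are constructed.

interface ResourceSession {
  sessionId: string;
  expiresAt: number; // epoch milliseconds
}

// Stand-in for Drizzle's `eq(column, value)`: a row matches when the column
// value equals the supplied value. Passing the column on both sides is always true.
function eq<T>(columnValue: T, value: T): boolean {
  return columnValue === value;
}

// Looks up a session; if it has expired, deletes it from the store and returns null.
// `buggyTautology = true` reproduces the pre-fix predicate that compared the
// sessionId column to itself, so every row matched the DELETE.
function validateResourceSessionToken(
  store: ResourceSession[],
  sessionId: string,
  now: number,
  buggyTautology = false
): { session: ResourceSession | null; remaining: ResourceSession[] } {
  const session = store.find((s) => s.sessionId === sessionId) ?? null;
  if (!session) {
    return { session: null, remaining: store };
  }
  if (now >= session.expiresAt) {
    // DELETE FROM resourceSessions WHERE <predicate>
    const matchesDelete = (row: ResourceSession): boolean =>
      buggyTautology ? eq(row.sessionId, row.sessionId) : eq(row.sessionId, sessionId);
    return { session: null, remaining: store.filter((row) => !matchesDelete(row)) };
  }
  return { session, remaining: store };
}

// Builds the Set-Cookie value. The HTTP branch omits `Secure`; both branches
// interpolate `domain` with the full `${domain}` syntax (the fixed form).
function serializeResourceSessionCookie(
  name: string,
  domain: string,
  token: string,
  isHttp: boolean,
  expiresAt: Date
): string {
  const common = `${name}=${token}; HttpOnly; SameSite=Lax; Path=/; Expires=${expiresAt.toUTCString()}`;
  if (isHttp) {
    return `${common}; Domain=${domain}`;
  }
  return `${common}; Secure; Domain=${domain}`;
}

// Extracts the Domain attribute from a Set-Cookie string (undefined if absent).
function cookieDomain(setCookie: string): string | undefined {
  const m = /(?:^|;\s*)Domain=([^;]*)/i.exec(setCookie);
  return m?.[1];
}

// A Domain value that still contains template characters was never interpolated;
// the browser would scope the cookie to a literal string such as "$domain}".
function domainIsInterpolated(domain: string | undefined): boolean {
  return domain !== undefined && domain.length > 0 && !/[${}]/.test(domain);
}
```

Running the fixed predicate against a store holding one expired and one live session leaves the live session in place, while the tautology variant empties the store; the cookie helpers flag a `Domain=$domain}` header as uninterpolated and accept the fixed output.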
@Abhinav-kodes Abhinav-kodes changed the base branch from main to dev February 25, 2026 11:51
@Abhinav-kodes Abhinav-kodes force-pushed the fix-resource-session-delete-cookie branch from a15cbde to c64dd14 on February 25, 2026 11:55
@oschwartz10612
Member

Thanks!

@oschwartz10612 oschwartz10612 merged commit 0ea38ea into fosrl:dev Feb 25, 2026
2 of 4 checks passed


Development

Successfully merging this pull request may close these issues.

Session expiry deletes all resource sessions & HTTP cookie domain broken for non-SSL resources

2 participants