fix(pitch-deck): use explicit PITCH_SECURE_COOKIE flag for cookie security

HTTP access on local network was blocked by secure cookie flag when
NODE_ENV=production. Now requires explicit opt-in via env var.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Benjamin Admin
2026-04-13 17:11:36 +02:00
parent 9354cbf775
commit 32b5e0223d


@@ -112,7 +112,7 @@ export async function setAdminCookie(jwt: string): Promise<void> {
const cookieStore = await cookies()
cookieStore.set(ADMIN_COOKIE_NAME, jwt, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
secure: process.env.PITCH_SECURE_COOKIE === 'true',
sameSite: 'lax',
path: '/',
maxAge: ADMIN_SESSION_EXPIRY_HOURS * 60 * 60,
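Review bot: The new `secure` expression in `setAdminCookie` fails open: unless `PITCH_SECURE_COOKIE` is exactly the string `'true'`, the admin JWT cookie is issued without the Secure attribute, and that includes an HTTPS production deployment where the variable was forgotten or written as `TRUE` or `1`. Because this cookie carries the admin session, the safer default is Secure on, with an explicit opt-out for plain-HTTP LAN use, e.g. `secure: process.env.PITCH_SECURE_COOKIE !== 'false',`. If opt-in is kept, add a comment on the line such as `// Secure is OFF unless PITCH_SECURE_COOKIE === 'true'; set it for every HTTPS deployment`, and consider logging a warning when `NODE_ENV` is production and the flag is unset. The options object and the rest of the function close outside the hunk.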