Calmstorm-decks auth gate fixed — prerendered Play routes were silently bypassing the middleware
Mid-afternoon detour from the dididecks TOC redesign: the calmstorm-decks fundraise deck was stuck in an auth loop — submit `staycalm`, land on a page once, then every subsequent navigation bounced back to `/access`. Server logs said `[middleware] /play/variant/v2: no cookie → /access` even though DevTools showed `cs_session` sitting in the browser cookie jar with all the right attributes. The HAR export looked like the browser wasn't sending cookies at all.

The real culprit, after three rounds of red herrings: `/play/variant/[variant].astro` and `/play/section/[slot].astro` both had `export const prerender = true`. In Astro 6 with `output: "server"`, prerendered routes serve through a code path where the middleware's request context doesn't surface the inbound `Cookie` header — so the cookie was being set correctly and sent correctly, but the middleware was structurally blind to it. Worse, in production those routes would be static HTML files served directly by the Vercel CDN, **bypassing the auth gate entirely**.

Flipping both to `prerender = false` makes every request to a gated route flow through the middleware properly, in dev and prod. The auth hardening done before discovering the prerender issue (explicit `Set-Cookie` headers on manually-constructed redirect Responses in verify / logout / link redemption) stays — it removes ambiguity from a part of the stack that has bitten this codebase before.
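A regression guard for this class of bug, as an added example that is not code from the calmstorm-decks repo: it flags any page under a gated prefix whose frontmatter opts into `prerender = true`. The `/play/` prefix list, the `src/pages` layout, the function names and the sample file map are assumptions for illustration.

```javascript
// Added example: flag gated Astro routes that opt into prerendering.
// GATED_PREFIXES and SAMPLE are assumptions, not taken from the real repo.
const GATED_PREFIXES = ["/play/"];

// Return the frontmatter (text between the leading --- fences) of an .astro file.
function frontmatter(source) {
  const m = /^\s*---\r?\n([\s\S]*?)\r?\n---/.exec(source);
  return m ? m[1] : "";
}

// True when the frontmatter statically exports prerender = true.
function isPrerendered(source) {
  const code = frontmatter(source)
    .replace(/\/\*[\s\S]*?\*\//g, "") // drop block comments
    .replace(/^\s*\/\/.*$/gm, ""); // drop whole-line comments
  return /^\s*export\s+const\s+prerender\s*=\s*true\b/m.test(code);
}

// Map "src/pages/play/variant/[variant].astro" to "/play/variant/[variant]".
function routeOf(file) {
  return file
    .replace(/^src\/pages/, "")
    .replace(/\.astro$/, "")
    .replace(/\/index$/, "/");
}

// files: { path: source }. Returns gated routes that would be served prerendered.
function findPrerenderedGatedRoutes(files, prefixes = GATED_PREFIXES) {
  return Object.entries(files)
    .filter(([file]) => file.endsWith(".astro"))
    .filter(([file]) => prefixes.some((p) => routeOf(file).startsWith(p)))
    .filter(([, source]) => isPrerendered(source))
    .map(([file]) => routeOf(file))
    .sort();
}

// Constructed sample tree: one gated page still prerendered, one fixed,
// one with the export commented out, and the ungated /access page.
const SAMPLE = {
  "src/pages/play/variant/[variant].astro": "---\nexport const prerender = true;\n---\n<h1>v</h1>",
  "src/pages/play/section/[slot].astro": "---\nexport const prerender = false;\n---\n<h1>s</h1>",
  "src/pages/play/index.astro": "---\n// export const prerender = true\n---\n<h1>p</h1>",
  "src/pages/access.astro": "---\nexport const prerender = true;\n---\n<form></form>",
};

console.log(findPrerenderedGatedRoutes(SAMPLE));
```

In CI, build the file map from the pages directory and fail the job when the returned list is non-empty.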