fix splitting layout bug - was not splitting visually original shell

internals/handlers.go

@@ -210,6 +210,47 @@ func handleAuth(w http.ResponseWriter, r *http.Request) {
 	w.Write([]byte(`{"ok":true}`)) //nolint:errcheck
 }
 
+// handleLogout clears the auth cookie without destroying the workspace.
+// The terminal URL remains valid — user re-authenticates to resume.
+func handleLogout(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     authCookieName,
+		Value:    "",
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   -1,
+	})
+	next := r.FormValue("next")
+	if !isValidNext(next) {
+		next = "/"
+	}
+	http.Redirect(w, r, "/login?next="+next, http.StatusSeeOther)
+}
+
+// handleRefresh extends the auth cookie TTL for an active authenticated session.
+// Called by the frontend heartbeat every 5 minutes.
+func handleRefresh(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		w.Write([]byte(`{"error":"POST only"}`)) //nolint:errcheck
+		return
+	}
+	if !isAuthed(r) {
+		w.WriteHeader(http.StatusUnauthorized)
+		w.Write([]byte(`{"error":"unauthorized"}`)) //nolint:errcheck
+		return
+	}
+	refreshAuthCookie(w, r)
+	w.Write([]byte(`{"ok":true}`)) //nolint:errcheck
+}
+
 func handleWS(w http.ResponseWriter, r *http.Request) {
 	if !isAuthed(r) {
 		http.Error(w, "unauthorized", http.StatusUnauthorized)