fix(dev): inject Authorization header from cookie in Vite dev proxy

Browser-side fetch('/api/...') calls bypass SvelteKit's handleFetch hook
(which adds the Authorization header from the auth_token cookie for SSR).
As a result, client-side API calls in the dev server always got a 401.

Add a proxy configure hook that extracts the auth_token cookie from incoming
requests and sets it as the Authorization header before forwarding to the
backend. This makes browser-side fetches (history panel, file preview, etc.)
work correctly in dev mode.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/vite.config.ts

@@ -13,7 +13,19 @@ export default defineConfig({
 		proxy: {
 			'/api': {
 				target: process.env.API_PROXY_TARGET || 'http://localhost:8080',
-				changeOrigin: true
+				changeOrigin: true,
+				// Inject Authorization header from the auth_token cookie so that
+				// browser-side fetch('/api/...') calls work the same as SSR fetches
+				// (which go through handleFetch in hooks.server.ts).
+				configure: (proxy) => {
+					proxy.on('proxyReq', (proxyReq, req) => {
+						const cookies = req.headers.cookie ?? '';
+						const match = cookies.match(/auth_token=([^;]+)/);
+						if (match) {
+							proxyReq.setHeader('Authorization', decodeURIComponent(match[1]));
+						}
+					});
+				}
 			}
 		}
 	},