diff --git a/frontend/src/lib/shared/cookies.ts b/frontend/src/lib/shared/cookies.ts
index e507ea81..4b029dbf 100644
--- a/frontend/src/lib/shared/cookies.ts
+++ b/frontend/src/lib/shared/cookies.ts
@@ -45,8 +45,18 @@ export function makeCsrfFetch(inner: typeof fetch): typeof fetch {
 * Drop-in replacement for fetch that automatically injects X-XSRF-TOKEN on
 * all mutating requests (POST, PUT, PATCH, DELETE). Use this everywhere in
 * client-side code instead of bare fetch + withCsrf().
+ *
+ * Implemented as a function (not a module-level const) so that test stubs
+ * applied via vi.stubGlobal('fetch', mock) are picked up at call time rather
+ * than being silently bypassed by a pre-captured reference.
 */
-export const csrfFetch = makeCsrfFetch(fetch);
+export function csrfFetch(input: RequestInfo | URL, init?: RequestInit): Promise {
+ const method = (init?.method ?? 'GET').toUpperCase();
+ if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
+ return fetch(input, withCsrf(init));
+ }
+ return fetch(input, init);
+}
 
 /**
 * Extracts the fa_session cookie value from a list of Set-Cookie response headers.
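Review bot: The method check in the new `csrfFetch` reads only `init?.method`, so a call that passes a `Request` object carrying its own POST/PUT/PATCH/DELETE method and no `init` is treated as GET and sent without X-XSRF-TOKEN. Since the signature accepts `RequestInfo`, consider `const method = (init?.method ?? (input instanceof Request ? input.method : 'GET')).toUpperCase();`. The token is also attached without regard to where `input` points, because `withCsrf(init)` never sees the URL, so a mutating call to another origin could carry the token there. A same-origin check before the `withCsrf` branch would close that, or at least a doc line such as `* Only for same-origin API calls; do not pass third-party URLs.` The body looks like a copy of what `makeCsrfFetch` does (its body is outside the hunk, so this is inferred); `return makeCsrfFetch(fetch)(input, init);` would still resolve `fetch` at call time and keep the mutating-method list in one place.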