Live e2e test caught a paste-inserted whitespace in URL token param —
copy-paste from terminal had inserted %20%20%20 into middle of the
64-char hex token, which passed URL parsing but failed byte-level
auth::tokens_match on the daemon → 403.

Two fixes:
1. `sanitize_token()` strips ALL whitespace (spaces, tabs, newlines,
zero-width) from token before use, applied on both URL-param and
localStorage read paths. Defensive even against future Setup-form
paste mishaps — Setup input itself could also be whitespace-dirty.
2. `credentials: 'include'` → `credentials: 'omit'`. Bearer auth rides
on an explicit header; we don't need cookies. `include` triggers
browser quirks (Safari especially) around credentialed cross-origin
fetches that can strip or mismangle Authorization on redirects.
3. Error message now includes response body preview — `"403 Forbidden
— {\"error\":{\"code\":\"forbidden\",\"message\":\"bearer token
rejected\"}}"` — so the next failing setup surfaces root-cause.

Tests unchanged (10 passing). Rebuild hash: index-7ZqAoBoM.js.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
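
The client-side changes described in the commit message above, sketched in JavaScript as an added example; this is not the project's code. The `token` query-parameter name, the localhost URL and every function name here are assumptions, and the sample token is constructed.

```javascript
// Added example, not the project's code; all names here are hypothetical.
// Whitespace plus zero-width/BOM code points that copy-paste can inject.
const INVISIBLE = /[\s\u200B-\u200D\u2060\uFEFF]/g;
const TOKEN_SHAPE = /^[0-9a-f]{64}$/i; // the 64-char hex token from the commit

function sanitizeToken(raw) {
  return String(raw ?? "").replace(INVISIBLE, "");
}

// Read ?token= from a setup URL, clean it, and reject anything that is
// still not a 64-char hex string instead of sending it to the daemon.
function tokenFromUrl(href) {
  const raw = new URL(href).searchParams.get("token"); // %20 decodes to " "
  if (raw === null) return { ok: false, reason: "missing" };
  const token = sanitizeToken(raw);
  if (!TOKEN_SHAPE.test(token)) return { ok: false, reason: "malformed" };
  return { ok: true, token, wasDirty: token !== raw };
}

// Bearer auth rides on an explicit header, so cookies are left out.
function authInit(token) {
  return {
    credentials: "omit",
    headers: { Authorization: `Bearer ${token}` },
  };
}

// Status line plus a bounded preview of the response body.
function describeFailure(status, statusText, body, max = 200) {
  const preview = body.length > max ? body.slice(0, max) + "..." : body;
  return `${status} ${statusText} - ${preview}`;
}

// Constructed sample: a token with %20%20%20 pasted into its middle.
const CLEAN = "ab".repeat(32);
const DIRTY_URL =
  "http://localhost:8080/setup?token=" +
  CLEAN.slice(0, 30) + "%20%20%20" + CLEAN.slice(30);
```

The shape check after sanitizing keeps a token that is damaged in some other way (truncated, non-hex) from reaching the daemon and coming back as an opaque 403.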