Fix CSRF token missing from refresh fetch requests

Manual JavaScript fetch() calls weren't including the CSRF token,
causing 403 Forbidden on /api/refresh. Extract token from
hx-headers body attribute and include in all POST requests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

0 files changed, 0 insertions, 0 deletions