Auth clients now use localStorage-based token headers instead of cookie
credentials. This provides cross-origin compatibility and clearer auth flow.

- analytics-client: Remove `credentials: include` from fetch calls
- sso-client: Add getAuthHeaders() helper for MFA components
- SSOClient core: Remove redundant credentials, keep Authorization headers
- Updated tests to match new header-based auth expectations

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Analytics was causing CORS errors in dev when no analytics server was
running. Now analytics is disabled by default in dev mode and enabled
in production. Can be overridden via VITE_ANALYTICS_ENABLED env var.

- Add `enabled` config option to AnalyticsConfig type
- AnalyticsClient no-ops all methods when disabled
- Dev: disabled by default, enable with VITE_ANALYTICS_ENABLED=true
- Prod: enabled by default, disable with VITE_ANALYTICS_ENABLED=false

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>