// Tiny API client with optional bearer-token auth (hosted deployments set // APP_PASSWORD on the server; local dev runs open and all of this no-ops). let token = localStorage.getItem('core_token') || '' export function setToken(t) { token = t || '' if (token) localStorage.setItem('core_token', token) else localStorage.removeItem('core_token') } // For URLs the browser fetches itself (PDF viewer, download links) where we // can't set an Authorization header. export function authUrl(path) { if (!token) return path return path + (path.includes('?') ? '&' : '?') + 'token=' + encodeURIComponent(token) } export async function api(path, opts = {}) { const headers = { ...(opts.headers || {}) } if (token) headers['Authorization'] = `Bearer ${token}` return fetch(path, { ...opts, headers }) }