
frontend bug hunt fixes + stream-ticket auth#259

Merged
Polliog merged 12 commits into
developfrom
fix/frontend-bug-hunt
Jun 21, 2026

Conversation

Polliog (Collaborator) commented Jun 21, 2026

Multi-agent frontend bug hunt followed by fixes. Findings report lives in the gitignored FRONTEND-BUGS.md (48 confirmed, 13 disputed, 40 rejected; no confirmed criticals).

What changed

Bug fixes (60 confirmed/disputed findings across 43 frontend files)

  • API client error handling: guard response.json() in error branches so non-JSON bodies (proxy 502/HTML, empty 204) no longer mask the real HTTP error (auth, admin, exceptions clients).
  • Stale-response races: added local request-sequence guards so an older in-flight load can no longer overwrite fresher results (search, traces, errors, incidents, monitoring, custom-dashboards, alert-preview).
  • Admin client-side authorization: pages that loaded/mutated data without an admin guard now redirect non-admins.
  • Secret exposure: webhook auth secrets are no longer rehydrated into the DOM on channel edit; OIDC callback strips the token from the URL; removed a debug console.log leaking log content and api key metadata.
  • Locale: user-facing dates/numbers use en-US formatting; alert history timestamps no longer mislabel UTC as local.
  • Lifecycle/memory: cleared timers, unsubscribed stores, disposed charts on destroy.
  • Svelte 5 reactivity fixes and assorted UI/validation bugs.

Single-use stream tickets (closes the 3 high "token in URL" findings)

WebSocket/EventSource cannot send an Authorization header, so the session token used to be placed in the stream URL query string (logged by proxies). Now:

  • New migration 049_stream_tickets.sql (ticket stored in the relational DB, not Redis, to stay portable across BullMQ/graphile).
  • POST /api/v1/stream-tickets mints a short-lived, single-use ticket for the authenticated user.
  • The auth plugin (WebSocket + traces SSE) and the SIEM SSE handler accept ?ticket= and consume it once. Legacy ?token= still works for backward compat.
  • Frontend live-tail clients (logs WS, traces SSE, SIEM SSE) mint a ticket and pass it instead of the token.

Global 401 handler

A single fetch interceptor installed at app startup clears auth and redirects to /login (preserving the current path) on any authenticated /api/v1 401 that is not an auth endpoint. Avoids refactoring all 32 API clients.

Tests

  • New stream-tickets.test.ts: 8 tests covering the service (single-use, expiry) and the end-to-end ticket auth chain.
  • Existing WebSocket/SSE/traces/auth suites: 97 tests still green.
  • svelte-check: no new errors (only the pre-existing baseline). Backend tsc --noEmit: clean.

Not done (intentional)

  • Session token in localStorage -> httpOnly cookie: disputed/low finding, left as-is (standard SPA pattern; the cookie move trades XSS token-theft for CSRF surface and a full auth overhaul without a clear net win).

Note: this branch was cut from main, so it also carries a few main-only commits (release 1.0.1, dependency bumps, clickhouse backfill) that are not yet on develop.
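The single-use stream-ticket flow described above, as an added TypeScript example that is not code from this PR or the project: an in-memory stand-in for the 049_stream_tickets.sql table, a mint/consume service, and a query-string resolver that honours ?ticket= once and falls back to the legacy ?token= only when no ticket is presented. Storing only a hash of the ticket, the 30-second TTL and the injectable clock are assumptions, not details taken from the PR.

```typescript
import { randomBytes, createHash } from "crypto";
import { URL } from "url";

// Constructed in-memory stand-in for the stream_tickets table from
// migration 049_stream_tickets.sql (the PR stores rows in the relational DB).
interface TicketRow { userId: string; expiresAt: number; consumedAt: number | null; }

// Only a SHA-256 hash of the ticket is stored (assumption), so a leaked DB row
// cannot be replayed against the stream endpoints.
function hashTicket(ticket: string): string {
  return createHash("sha256").update(ticket).digest("hex");
}

class StreamTicketService {
  private rows = new Map<string, TicketRow>();
  private ttlMs: number;
  private now: () => number;

  constructor(ttlMs = 30_000, now: () => number = Date.now) {
    this.ttlMs = ttlMs;   // short-lived: assumed 30 s
    this.now = now;       // injectable clock so expiry is testable
  }

  // POST /api/v1/stream-tickets: mint a ticket bound to the authenticated user.
  mint(userId: string): string {
    const ticket = randomBytes(32).toString("hex");
    this.rows.set(hashTicket(ticket), { userId, expiresAt: this.now() + this.ttlMs, consumedAt: null });
    return ticket;
  }

  // Consume exactly once, and only before expiry; returns the bound user or null.
  consume(ticket: string): string | null {
    const row = this.rows.get(hashTicket(ticket));
    if (!row || row.consumedAt !== null || row.expiresAt <= this.now()) return null;
    row.consumedAt = this.now();
    return row.userId;
  }
}

// What the auth plugin does for a WS/SSE upgrade URL: a presented ?ticket= is
// consumed once and, if invalid, the request is rejected without falling back;
// the legacy ?token= path is kept only for clients not yet migrated.
function authenticateStream(
  url: string, tickets: StreamTicketService, verifySession: (token: string) => string | null,
): string | null {
  const query = new URL(url, "http://localhost").searchParams;
  const ticket = query.get("ticket");
  if (ticket !== null) return tickets.consume(ticket);
  const token = query.get("token");
  return token !== null ? verifySession(token) : null;
}
```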

codecov Bot commented Jun 21, 2026

@Polliog Polliog merged commit 8249c24 into develop Jun 21, 2026
7 checks passed
