Fixed
- iOS: persistent "forbidden" (403) errors caused by iOS Safari/PWA not reliably exposing the CSRF cookie via `document.cookie`. The CSRF token is now returned in the response body of `/auth/login` and `/auth/me` and stored in memory, bypassing cookie read issues entirely. The cookie is still set as a fallback.
- CSRF retry: `/auth/me` refresh now reads the token from the response body instead of relying on the cookie being available. Also handles expired sessions (401) during retry instead of silently failing.
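
The client-side flow these two entries describe, sketched as an added example (not the project's own code): the token is taken from the `/auth/login` and `/auth/me` response bodies, kept in memory, and a 403 triggers one `/auth/me` refresh and retry, with a 401 during that refresh reported instead of swallowed. The header name `X-CSRF-Token`, the body field `csrfToken`, the `createApiClient` and `onSessionExpired` names, and the `fakeServer` stand-in are assumptions.

```javascript
// Added example. CSRF_HEADER and TOKEN_FIELD are assumed names, not from the changelog.
const CSRF_HEADER = "X-CSRF-Token";
const TOKEN_FIELD = "csrfToken";

function createApiClient(fetchImpl, onSessionExpired) {
  let csrfToken = null; // held in memory only; document.cookie is never read

  async function send(path, init = {}) {
    const headers = { ...(init.headers || {}) };
    if (csrfToken) headers[CSRF_HEADER] = csrfToken;
    const res = await fetchImpl(path, { credentials: "include", ...init, headers });
    if (res.ok && (path === "/auth/login" || path === "/auth/me")) {
      // Read from a clone so the caller can still consume the body.
      const body = await res.clone().json().catch(() => null);
      if (body && typeof body[TOKEN_FIELD] === "string") csrfToken = body[TOKEN_FIELD];
    }
    return res;
  }

  async function request(path, init = {}) {
    const first = await send(path, init);
    if (first.status !== 403) return first;
    const me = await send("/auth/me"); // 403: refresh the token from the body
    if (me.status === 401) {           // session expired during the retry
      csrfToken = null;
      onSessionExpired();
      return me;
    }
    return me.ok ? send(path, init) : first; // retry once, never loop
  }
  return { request, getToken: () => csrfToken };
}

// Constructed stand-in for the server so the example runs offline.
function fakeServer(state) {
  const reply = (status, body = {}) => ({
    status, ok: status >= 200 && status < 300,
    clone() { return this; }, json: async () => body,
  });
  return async (path, init) => {
    if (path === "/auth/me") {
      return state.session ? reply(200, { [TOKEN_FIELD]: state.token }) : reply(401);
    }
    return init.headers[CSRF_HEADER] === state.token ? reply(200) : reply(403);
  };
}
```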