Fixed
- iOS PWA: recurring "forbidden" (403) errors caused by CSRF token desync after app resume. The server now sends the correct CSRF token as an X-CSRF-Token response header on every API response (not just /auth/me and /auth/login). The client reads the header from every response - including 403 errors - enabling instant self-healing without an extra /auth/me round-trip. SW cache bumped to v33 to ensure iOS PWA users pick up the fix.
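
A sketch of the client-side self-healing described in this entry, as an added example that is not the project's own code. The names `createApiClient`, `fetchImpl` and `makeFakeServer`, sending the token back in an X-CSRF-Token request header, and the retry-once policy are assumptions for illustration.

```javascript
// Added example: adopt the CSRF token from every response, including 403s.
// createApiClient and fetchImpl are hypothetical names, not the project's API.
function createApiClient(fetchImpl, initialToken = null) {
  let csrfToken = initialToken;

  // Adopt the token carried by any response; returns true if it changed.
  function adoptToken(res) {
    const fresh = res.headers.get('X-CSRF-Token');
    if (!fresh || fresh === csrfToken) return false;
    csrfToken = fresh;
    return true;
  }

  async function request(url, options = {}) {
    // Headers are built at call time so a retry picks up the adopted token.
    const send = () => fetchImpl(url, {
      ...options,
      credentials: 'same-origin',
      headers: { ...(options.headers || {}), ...(csrfToken ? { 'X-CSRF-Token': csrfToken } : {}) },
    });
    let res = await send();
    const changed = adoptToken(res);
    // A 403 that carried a different token means ours was stale: retry once.
    // A 403 with an unchanged token is a real refusal; do not loop on it.
    if (res.status === 403 && changed) {
      res = await send();
      adoptToken(res);
    }
    return res;
  }

  return { request, currentToken: () => csrfToken };
}

// Constructed stand-in for the server: rejects a stale token with 403 but
// still sends the correct token in the response header.
function makeFakeServer(validToken) {
  const calls = [];
  const fetchImpl = async (url, init) => {
    const sent = init.headers['X-CSRF-Token'];
    calls.push(sent);
    return {
      status: sent === validToken ? 200 : 403,
      headers: new Map([['X-CSRF-Token', validToken]]),
    };
  };
  return { fetchImpl, calls };
}
```

Passing the browser's `fetch` as `fetchImpl` gives the same behaviour against a real same-origin API; a cross-origin API would also have to list the header in `Access-Control-Expose-Headers` for the script to read it.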