phase 3 initial completion

frontend/src/api/client.ts

@@ -2,12 +2,20 @@ import { z } from 'zod'
 
 let csrfToken: string | null = null
 
+// Called once on app bootstrap. Fetches the CSRF token and sets the cookie.
+export async function bootstrapCSRF(): Promise<void> {
+  const res = await fetch('/api/v1/csrf', { credentials: 'include' })
+  if (!res.ok) return
+  const data = await res.json()
+  if (typeof data.token === 'string') {
+    csrfToken = data.token
+  }
+}
+
 async function getCSRFToken(): Promise<string> {
   if (csrfToken) return csrfToken
-  const res = await fetch('/api/v1/csrf', { credentials: 'include' })
-  if (!res.ok) throw new Error('Failed to fetch CSRF token')
-  csrfToken = res.headers.get('X-CSRF-Token') ?? ''
-  return csrfToken
+  await bootstrapCSRF()
+  return csrfToken ?? ''
 }
 
 export class ApiError extends Error {