Parent umbrella issue: #308
Source audit: Weekly tech debt audit: dispatch - 2026-06-03
Source audit date: 2026-06-03
Original recommendation
P1 — Normalize browser API auth helpers: replace protected mutating UI fetch calls with authedFetch or a shared client wrapper and add Basic Auth mode regression tests.
Matched top finding
README says browser mutating API calls automatically include Basic Auth credentials via authedFetch(), and some board paths do. Other active UI paths still use plain fetch() for protected mutating routes, which means DISPATCH_AUTH_MODE=basic operators can hit 401s or inconsistent behavior depending on page/component.
Evidence:
src/lib/client-auth.ts defines authedFetch() and sessionStorage-backed Basic Auth header injection.src/components/sync-issues-button.tsx:6,35 and src/components/kanban-board.tsx:26,89,118,213 use authedFetch.src/app/automation/page.tsx:198,212,239, src/app/automation/repos/[...repo]/page.tsx:297, and src/components/issue-card.tsx:96,119,148,194 still use plain fetch for protected POST/DELETE routes.- Static scan command:
grep -RIn "fetch(" src/app src/components showed the split.
Parent umbrella issue: #308
Source audit: Weekly tech debt audit: dispatch - 2026-06-03
Source audit date: 2026-06-03
Original recommendation
P1 — Normalize browser API auth helpers: replace protected mutating UI
fetchcalls withauthedFetchor a shared client wrapper and add Basic Auth mode regression tests.Matched top finding
README says browser mutating API calls automatically include Basic Auth credentials via
authedFetch(), and some board paths do. Other active UI paths still use plainfetch()for protected mutating routes, which meansDISPATCH_AUTH_MODE=basicoperators can hit 401s or inconsistent behavior depending on page/component.Evidence:
src/lib/client-auth.tsdefinesauthedFetch()and sessionStorage-backed Basic Auth header injection.src/components/sync-issues-button.tsx:6,35andsrc/components/kanban-board.tsx:26,89,118,213useauthedFetch.src/app/automation/page.tsx:198,212,239,src/app/automation/repos/[...repo]/page.tsx:297, andsrc/components/issue-card.tsx:96,119,148,194still use plainfetchfor protected POST/DELETE routes.grep -RIn "fetch(" src/app src/componentsshowed the split.