Parent umbrella issue: #308
Source audit: Weekly tech debt audit: dispatch - 2026-06-03
Source audit date: 2026-06-03
Original recommendation
P3 — Prune duplicated auth-mode wording/tests: keep one source of truth for auth mode semantics and use route-level tests for high-risk flows.
Matched top finding
README says browser mutating API calls automatically include Basic Auth credentials via authedFetch(), and some board paths do. Other active UI paths still use plain fetch() for protected mutating routes, which means DISPATCH_AUTH_MODE=basic operators can hit 401s or inconsistent behavior depending on page/component.
Evidence:
- src/lib/client-auth.ts defines authedFetch() and sessionStorage-backed Basic Auth header injection.
- src/components/sync-issues-button.tsx:6,35 and src/components/kanban-board.tsx:26,89,118,213 use authedFetch.
- src/app/automation/page.tsx:198,212,239, src/app/automation/repos/[...repo]/page.tsx:297, and src/components/issue-card.tsx:96,119,148,194 still use plain fetch for protected POST/DELETE routes.
- Static scan command: grep -RIn "fetch(" src/app src/components showed the split.
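One way to turn the static scan above into a repeatable check, as an added example that is not the project's own code: a heuristic JavaScript scan that reports plain fetch() calls carrying a mutating method. It assumes the method is written inline in the fetch() options object; the function names and sample sources are constructed for illustration.

```javascript
// Heuristic text scan, not a parser. Assumption: the HTTP method is written
// inline as `method: "POST"` (or PUT/PATCH/DELETE) in the fetch() options.
const MUTATING = /\bmethod\s*:\s*["'`](POST|PUT|PATCH|DELETE)["'`]/i;

// Return the text between the "(" at `open` and its matching ")",
// skipping parentheses that appear inside string or template literals.
function callArguments(src, open) {
  let depth = 0;
  let quote = null;
  for (let i = open; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === "`") quote = ch;
    else if (ch === "(") depth++;
    else if (ch === ")" && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1);          // unbalanced input: scan to the end
}

// files: { path: sourceText }. Returns [{ file, line, method }] for every
// fetch() call that is not authedFetch() and carries a mutating method.
function findUnauthedMutations(files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    // authedFetch( never matches (capital F); the lookbehind skips prefetch( etc.
    const call = /(?<![\w$])fetch\s*\(/g;
    let m;
    while ((m = call.exec(src)) !== null) {
      const open = m.index + m[0].length - 1;
      const method = MUTATING.exec(callArguments(src, open));
      if (!method) continue;           // GET or method set elsewhere: not flagged
      const line = src.slice(0, m.index).split("\n").length;
      findings.push({ file, line, method: method[1].toUpperCase() });
    }
  }
  return findings;
}

// Constructed sample sources (not the project's files).
const SAMPLE = {
  "sample/card.tsx": 'const a = 1;\nawait fetch(`/api/items/${id}`, { method: "DELETE" });\n',
  "sample/board.tsx": 'await authedFetch("/api/sync", { method: "POST" });\nawait fetch("/api/items");\n',
};
```

Calls that build their options in a separate variable are not detected by this scan, so a non-empty result is a reliable signal while an empty one is not proof of full coverage.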