fix: pass auth token via query param for SSE EventSource

EventSource API doesn't support custom headers, so pass token as
?token= query parameter. Server auth middleware now accepts token
from both Authorization header and query param.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/src/services/auth.ts

@@ -58,7 +58,9 @@ export async function authMiddleware(token: string | null) {
     }
 
     const auth = ctx.headers.authorization || ''
-    const provided = auth.startsWith('Bearer ') ? auth.slice(7) : ''
+    const provided = auth.startsWith('Bearer ')
+      ? auth.slice(7)
+      : (ctx.query.token as string) || ''
 
     if (!provided || provided !== token) {
       ctx.status = 401

src/api/chat.ts

@@ -1,4 +1,4 @@
-import { request, getBaseUrlValue } from './client'
+import { request, getBaseUrlValue, getApiKey } from './client'
 
 export interface ChatMessage {
   role: 'user' | 'assistant' | 'system'
@@ -44,7 +44,8 @@ export function streamRunEvents(
   onError: (err: Error) => void,
 ) {
   const baseUrl = getBaseUrlValue()
-  const url = `${baseUrl}/v1/runs/${runId}/events`
+  const token = getApiKey()
+  const url = `${baseUrl}/v1/runs/${runId}/events${token ? `?token=${encodeURIComponent(token)}` : ''}`
 
   let closed = false
   const source = new EventSource(url)

src/api/client.ts

@@ -6,7 +6,7 @@ function getBaseUrl(): string {
   return localStorage.getItem('hermes_server_url') || DEFAULT_BASE_URL
 }
 
-function getApiKey(): string {
+export function getApiKey(): string {
   return localStorage.getItem('hermes_api_key') || ''
 }