Fix frontend issues found in Phase 4 code review

Fixes 7 issues identified by code-reviewer agent:

1. (Critical) Move JSON.parse inside try/catch in targets page to
   handle malformed webhook headers input gracefully
2. (Low) Add window guard to refreshAccessToken for SSR safety
3. (Important) Show loading indicator instead of page content while
   auth state is being resolved (prevents flash of protected content)
4. (Important) Add try/catch to trackers load() Promise.all
5. (Important) Add error handling to remove() in servers, trackers,
   and templates pages
6. (Important) Track preview per-template with previewId, show
   inline instead of global bottom block
7. (Important) Use finally block for loading state in auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

frontend/src/routes/trackers/+page.svelte

@@ -15,9 +15,11 @@
 	onMount(load);
 
 	async function load() {
-		[trackers, servers, targets] = await Promise.all([
-			api('/trackers'), api('/servers'), api('/targets')
-		]);
+		try {
+			[trackers, servers, targets] = await Promise.all([
+				api('/trackers'), api('/servers'), api('/targets')
+			]);
+		} catch { /* handled by api redirect on 401 */ }
 	}
 
 	async function loadAlbums() {
@@ -45,8 +47,10 @@
 
 	async function remove(id: number) {
 		if (!confirm('Delete this tracker?')) return;
-		await api(`/trackers/${id}`, { method: 'DELETE' });
-		await load();
+		try {
+			await api(`/trackers/${id}`, { method: 'DELETE' });
+			await load();
+		} catch (err: any) { error = err.message; }
 	}
 
 	function toggleAlbum(albumId: string) {