fix: SSE auth via query param, null-safe stages access

- Append auth token as query parameter to EventSource URLs
  (EventSource API doesn't support custom headers)
- Add null guards for stages arrays from API responses
- Hide sidebar on login page

web/src/routes/projects/[id]/+page.svelte

@@ -35,7 +35,7 @@
 		try {
 			const detail = await api.getProject(projectId);
 			project = detail.project;
-			stages = detail.stages;
+			stages = detail.stages ?? [];
 
 			const instanceResults = await Promise.all(
 				stages.map(async (s) => {