fix: SSE auth via query param, null-safe stages access

- Append auth token as query parameter to EventSource URLs
  (EventSource API doesn't support custom headers)
- Add null guards for stages arrays from API responses
- Hide sidebar on login page

web/src/lib/sse.ts

@@ -87,7 +87,10 @@ export function connectSSE(url: string, options: SSEOptions): SSEConnection {
 	function connect(): void {
 		if (closed) return;
 
-		eventSource = new EventSource(url);
+		// Append auth token as query param (EventSource doesn't support custom headers).
+		const token = typeof localStorage !== 'undefined' ? localStorage.getItem('auth_token') : null;
+		const authUrl = token ? `${url}${url.includes('?') ? '&' : '?'}token=${encodeURIComponent(token)}` : url;
+		eventSource = new EventSource(authUrl);
 
 		eventSource.onopen = () => {
 			retryCount = 0;

web/src/routes/+page.svelte

@@ -21,8 +21,9 @@
 			const detailPromises = projects.map(async (p) => {
 				try {
 					const detail = await api.getProject(p.id);
+					const stages = detail.stages ?? [];
 					const stageInstances = await Promise.all(
-						detail.stages.map((s) => api.listInstances(p.id, s.id))
+						stages.map((s) => api.listInstances(p.id, s.id))
 					);
 					return { projectId: p.id, instances: stageInstances.flat() };
 				} catch {

web/src/routes/projects/[id]/+page.svelte

@@ -35,7 +35,7 @@
 		try {
 			const detail = await api.getProject(projectId);
 			project = detail.project;
-			stages = detail.stages;
+			stages = detail.stages ?? [];
 
 			const instanceResults = await Promise.all(
 				stages.map(async (s) => {