fix: pass auth token via query param for SSE EventSource

EventSource API doesn't support custom headers, so pass token as
?token= query parameter. Server auth middleware now accepts token
from both Authorization header and query param.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/src/services/auth.ts

@@ -58,7 +58,9 @@ export async function authMiddleware(token: string | null) {
     }
 
     const auth = ctx.headers.authorization || ''
-    const provided = auth.startsWith('Bearer ') ? auth.slice(7) : ''
+    const provided = auth.startsWith('Bearer ')
+      ? auth.slice(7)
+      : (ctx.query.token as string) || ''
 
     if (!provided || provided !== token) {
       ctx.status = 401