fix: send JSON content type for inbox sync

The CSRF guard requires application/json on mutation requests, including zero-body endpoints. The inbox sync store now sends that header so the sync button triggers the background notification refresh instead of receiving 415.

Verified with:\n- cd packages/ui && bun test src/stores/notifications.test.ts\n- cd packages/ui && bun run typecheck\n- git diff --check

Author: mariusvniekerk

packages/ui/src/stores/notifications.svelte.ts

@@ -200,6 +200,7 @@ export function createNotificationsStore(
     try {
       const { error: requestError } = await apiClient.POST(
         "/notifications/sync",
+        { headers: { "Content-Type": "application/json" } },
       );
       if (requestError) {
         throw new Error(apiErrorMessage(requestError, "failed to sync inbox"));

packages/ui/src/stores/notifications.test.ts

@@ -153,7 +153,9 @@ describe("createNotificationsStore", () => {
       await store.triggerSync();
       for (let i = 0; i < 100; i++) await Promise.resolve();
 
-      expect(post).toHaveBeenCalledWith("/notifications/sync");
+      expect(post).toHaveBeenCalledWith("/notifications/sync", {
+        headers: { "Content-Type": "application/json" },
+      });
       expect(get).toHaveBeenCalledTimes(5);
       expect(delays).toEqual([500, 1_500, 3_000, 5_000]);
     } finally {