The select-documents picker queried the Forgejo API with only the
browser's session cookie (credentials: 'include'), so an OpenCDE client
that authenticated via OAuth2 saw only public repositories.
Thread the access token presented on the select-documents request
through to the picker UI (query param) and have its JS send it as
Authorization: Bearer on every Forgejo API call, falling back to cookie
auth when no token is supplied. Add a no-referrer policy so the token in
the page URL does not leak via Referer on API fetches or the callback
redirect.
Closes ifcurl-i5c.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>