Playwright E2E tests: CORS behavior in Chromium, Firefox, and WebKit; service workers and bypass patterns

Inspect failed preflight steps in traces to distinguish CORS failures from slow backends.

HAR exports should redact Authorization headers before sharing CORS bug reports publicly.

When sharding suites, keep per-shard API base URLs stable so Allow-Origin caches do not cross-contaminate.

Use project dependencies to run auth setup once before CORS-heavy SPAs.