fix: use credentials:include for cross-origin API requests

apps/web/src/dashboard/app.js

@@ -13,7 +13,7 @@ function requireAuth() { return true; }
 async function api(path, opts = {}) {
   const res = await fetch(`${API_BASE}${path}`, {
     ...opts,
-    credentials: 'same-origin', // send cookie automatically
+    credentials: 'include', // send cookie cross-origin to api.pingql.com
     headers: {
       'Content-Type': 'application/json',
       ...opts.headers,
@@ -67,7 +67,7 @@ function watchAccount(onPing) {
   async function connect() {
     try {
       const res = await fetch(`${API_BASE}/account/stream`, {
-        credentials: 'same-origin',
+        credentials: 'include',
         signal: ac.signal,
       });
       if (!res.ok || !res.body) return;