PEN-123 expose onboarding API bridge #91
Co-authored-by: multica-agent <github@multica.ai>
Code Review
This pull request introduces a new SvelteKit API route to proxy POST requests for organization onboarding requests to an upstream Go API. The feedback recommends forwarding the 'cookie' header to ensure authenticated requests do not fail with a 401 Unauthorized error, and wrapping the fetch call in a try-catch block to gracefully handle upstream connection failures with a 502 Bad Gateway response.
| function forwardedHeaders(request) { | ||
| const headers = new Headers(); | ||
|
|
||
| for (const name of ["accept", "authorization", "content-type"]) { |
Since the application uses cookie-based session management (e.g., SESSION_COOKIE), any client-side requests to this endpoint will rely on cookies for authentication. Currently, the cookie header is not forwarded to the upstream Go API, which will cause authenticated requests to fail with a 401 Unauthorized error. Adding 'cookie' to the list of forwarded headers resolves this issue.
| for (const name of ["accept", "authorization", "content-type"]) { | |
| for (const name of ["accept", "authorization", "content-type", "cookie"]) { |
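Review bot: adding "cookie" to the forwarded list sends the browser's entire Cookie header to the upstream API, not only the session cookie. Consider forwarding just the session cookie the Go API needs, and, because this POST would then authenticate by cookie, confirm that an Origin or CSRF-token check covers the route before merging.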
| export async function POST({ request, fetch }) { | ||
| const upstream = await fetch(`${apiBaseURL()}${TARGET_PATH}`, { | ||
| method: "POST", | ||
| headers: forwardedHeaders(request), | ||
| body: await request.text(), | ||
| }); | ||
|
|
||
| return new Response(upstream.body, { | ||
| status: upstream.status, | ||
| statusText: upstream.statusText, | ||
| headers: responseHeaders(upstream), | ||
| }); | ||
| } |
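Review bot: `body: await request.text()` buffers the whole request body with no size limit, and the `fetch` call carries no timeout, so a large or slow onboarding request holds the handler for as long as the client or the upstream allows. Consider rejecting bodies above a small limit before forwarding and passing `signal: AbortSignal.timeout(...)` to `fetch`.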
If the upstream Go API is down or unreachable, fetch will throw an error, causing SvelteKit to return a generic 500 error page or response. Wrapping the fetch call in a try-catch block allows us to handle connection failures gracefully and return a consistent JSON error response (e.g., 502 Bad Gateway) matching the API's standard error format.
export async function POST({ request, fetch }) {
  try {
    const upstream = await fetch(apiBaseURL() + TARGET_PATH, {
      method: "POST",
      headers: forwardedHeaders(request),
      body: await request.text(),
    });
    return new Response(upstream.body, {
      status: upstream.status,
      statusText: upstream.statusText,
      headers: responseHeaders(upstream),
    });
  } catch (error) {
    return new Response(
      JSON.stringify({
        error: {
          code: "upstream_connection_failed",
          message: "Failed to communicate with the upstream API service.",
        },
      }),
      {
        status: 502,
        headers: {
          "content-type": "application/json"
        }
      }
    );
  }
}
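The cookie-forwarding point in the review above, as an added example that is not code from this pull request: a header allow-list that passes only the session cookie upstream instead of the whole Cookie header. The `sessionCookieName` parameter, the `pickCookie` helper and the sample values are assumptions made for illustration.

```javascript
// Added example, not the PR's code. Forwards an allow-list of headers and,
// from the Cookie header, only the one session cookie the upstream needs.
const FORWARDED = ["accept", "authorization", "content-type"];

// Return the "name=value" pair for cookieName from a Cookie header, or null.
function pickCookie(cookieHeader, cookieName) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    // Exact, case-sensitive name match so "notsession" never matches "session".
    if (eq > 0 && pair.slice(0, eq) === cookieName) return pair;
  }
  return null;
}

// sessionCookieName is a hypothetical parameter; the page only hints at SESSION_COOKIE.
function forwardedHeaders(request, sessionCookieName) {
  const headers = new Headers();
  for (const name of FORWARDED) {
    const value = request.headers.get(name);
    if (value !== null) headers.set(name, value);
  }
  const session = pickCookie(request.headers.get("cookie"), sessionCookieName);
  if (session !== null) headers.set("cookie", session);
  return headers;
}

// Constructed sample standing in for the incoming SvelteKit request.
const sampleRequest = {
  headers: new Headers({
    accept: "application/json",
    "content-type": "application/json",
    cookie: "theme=dark; notsession=zzz; session=abc123; analytics_id=xyz",
    "x-forwarded-for": "203.0.113.7",
  }),
};

const sampleOut = forwardedHeaders(sampleRequest, "session");
console.log([...sampleOut.entries()]);
```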
Summary
Verification
Closes PEN-123