fix(capture): authenticate sidecar->mam-api calls with bearer token

The live-thumbnail and manual /start,/stop sidecar->mam-api calls hit the CSRF
guard (403 missing X-Requested-With). Match the working pattern in index.js:
send Authorization: Bearer $MAM_API_TOKEN (= CAPTURE_TOKEN, injected by
recorders.js), which is CSRF-exempt. Falls back to the UI header only when no
token is set (dev). Fixes [livethumb] failed ... 403 — posters now persist.

🤖 Generated with Claude Code

services/capture/src/capture-manager.js

@@ -1346,7 +1346,10 @@ exit "$BMXRC"
       // 4. Tell mam-api the key (only sticks while the asset is still 'live').
       const resp = await fetch(`${mamUrl}/api/v1/assets/${assetId}/live-thumbnail`, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: {
+          'Content-Type': 'application/json',
+          ...(process.env.MAM_API_TOKEN ? { Authorization: `Bearer ${process.env.MAM_API_TOKEN}` } : {}),
+        },
         body: JSON.stringify({ thumbnailKey: thumbKey }),
       });
       if (!resp.ok) throw new Error(`mam-api ${resp.status}: ${(await resp.text()).slice(0, 200)}`);

services/capture/src/routes/capture.js

@@ -77,6 +77,7 @@ function classifyProbeError(raw, sourceType) {
 const router = express.Router();
 
 const MAM_API_URL = process.env.MAM_API_URL || 'http://mam-api:3000';
+const MAM_API_TOKEN = process.env.MAM_API_TOKEN || '';
 
 /**
  * GET /devices
@@ -340,7 +341,7 @@ router.post('/start', async (req, res) => {
     try {
       const mamResponse = await fetch(`${MAM_API_URL}/api/v1/assets`, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: { 'Content-Type': 'application/json', ...(MAM_API_TOKEN ? { Authorization: `Bearer ${MAM_API_TOKEN}` } : { 'X-Requested-With': 'dragonflight-ui' }) },
         body: JSON.stringify({
           projectId: project_id,
           binId: bin_id,