fix: security hardening + code quality improvements (401 retry limit, UUID crypto, debounce this-bug, deduplicate CSS/helpers, optimize SW precache)

js/app.js

@@ -18,7 +18,6 @@ async function initApp() {
     // Restore auth session before loading components
     await auth.tryRestoreSession()
     favoritesService.init()
-    notificationsService.init()
 
     auth.subscribe((loggedIn) => {
         if (loggedIn) {
@@ -28,6 +27,10 @@ async function initApp() {
         }
     })
 
+    if (auth.isLoggedIn()) {
+        notificationsService.init()
+    }
+
     await import('./components/app-shell.js')
     
     const appEl = document.getElementById('app')