/**
 * Module-level CSRF token holder.
 *
 * The token is populated by SessionProvider after a successful GET /api/session.
 * The fetch client middleware reads it on every non-GET/HEAD request.
 *
 * Per the project CSRF contract (m2-frontend-v2.md §3.2, orchestrator-decisions.md §3):
 * - Server checks presence/non-empty only, does NOT validate the value.
 * - Sending an empty-string or stale value will result in a 403; callers must
 *   ensure setCsrfToken() is called before issuing write requests.
 */

let _csrfToken = ''

/** Store the CSRF token returned by GET /api/session. */
export function setCsrfToken(token: string): void {
  _csrfToken = token
}

/** Return the current CSRF token (may be empty string if not yet set). */
export function getCsrfToken(): string {
  return _csrfToken
}
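
The middleware behaviour the header comment describes (attach the token on every non-GET/HEAD request, never send an empty one), as an added example that is not the project's code. The header name `X-CSRF-Token`, the function names, and the rule that only root-relative paths count as same-origin are assumptions; the page specifies none of them.

```typescript
// Added example, not project code. The header name and the same-origin
// path rule below are assumptions; the page names neither.
const CSRF_HEADER = 'X-CSRF-Token' // assumed header name
const SAFE_METHODS = new Set(['GET', 'HEAD'])

/** True only for root-relative paths such as "/api/items". */
function isSameOriginPath(url: string): boolean {
  // "//host/path" is protocol-relative and leaves the origin;
  // browsers also treat "\" as "/", so reject it outright.
  return url.startsWith('/') && !url.startsWith('//') && !url.includes('\\')
}

/**
 * Return the headers to send for one request.
 * - GET/HEAD: headers unchanged, no token attached.
 * - Write to another origin: token withheld so it is never disclosed off-site.
 * - Write with an empty token: throw locally instead of provoking a server 403.
 */
function csrfHeaders(
  method: string,
  url: string,
  token: string,
  headers: Record<string, string> = {},
): Record<string, string> {
  const out: Record<string, string> = { ...headers }
  if (SAFE_METHODS.has(method.toUpperCase())) return out
  if (!isSameOriginPath(url)) return out
  if (token.trim() === '') {
    throw new Error(`CSRF token not set; refusing ${method} ${url}`)
  }
  // Drop any caller-supplied variant of the header so exactly one value is sent.
  for (const name of Object.keys(out)) {
    if (name.toLowerCase() === CSRF_HEADER.toLowerCase()) delete out[name]
  }
  out[CSRF_HEADER] = token
  return out
}
```

In a fetch wrapper this would be called as `csrfHeaders(method, url, getCsrfToken(), headers)` just before the request is issued.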