fix: scope basic auth to same-origin requests [TE-13690]#515

Open
shrinishLT wants to merge 1 commit into LambdaTest:stage from shrinishLT:TE-13690

Conversation

@shrinishLT
Contributor

@shrinishLT shrinishLT commented May 8, 2026

RCA

Root Cause: In src/lib/screenshot.ts, basic auth credentials were applied globally to ALL requests via page.setExtraHTTPHeaders() (lines 186-189, now removed). This Playwright API attaches the Authorization header to every HTTP request the page makes — including cross-origin requests to third-party APIs.

Impact on this site: The Angular SPA at stg.universalstudioshollywood.com calls api-stg.universalparks.com/oidc/connect/token to fetch a login token. The OIDC token endpoint expects client/app credentials in the Authorization header (per OAuth2 spec), but SmartUI was sending the user's basic auth credentials (uprush:F73QqwDf) instead → 400 Bad Request → no token → SPA renders blank.

Fix Applied (screenshot.ts only — capture flow):

  1. Removed basic auth from page.setExtraHTTPHeaders() (which was global/unscoped)
  2. Added route-based interception that applies the Authorization header only to same-origin requests (where requestHostname === targetHostname):
    • Non-error-capture path (lines 193-204): New page.route('**/*') handler that adds the auth header only when the request hostname matches the target URL's hostname
    • Error-capture path (lines 218-222): Auth header added inside the existing route interceptor, scoped to same-origin via requestHostname === targetHostname

This ensures cross-origin requests (like the OIDC token call to api-stg.universalparks.com) are not polluted with the user's basic auth credentials.

Test plan

  • URL with basic auth + cross-origin OIDC calls → SPA renders, auth header only on target host
  • URL with basic auth, no cross-origin calls → behavior unchanged
  • URL without basic auth → no route interception, zero overhead

🤖 Generated with Claude Code

Basic auth credentials were sent on all requests including cross-origin
OIDC/OAuth endpoints, causing 400 errors and blank screenshots on SPAs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
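The scoping described in the PR, written out as an added example that is not the SmartUI/LambdaTest project's own code: credentials are split out of a `https://user:pass@host/...` URL, the `Authorization` header is built once, and a `page.route('**/*')`-style handler attaches it only when the request's origin matches the target. `RouteLike` is an assumed minimal shape of Playwright's `Route`/`Request` (only `request().url()`, `request().headers()` and `continue()` are used) so the handler can be exercised with a fake object and no browser. One deliberate difference from the PR: `isSameOrigin` compares the full origin (scheme, host and port), which is stricter than the hostname-only check the PR describes, so an `http://` request to the same host does not receive credentials meant for `https://`.

```typescript
// Added example (not SmartUI / LambdaTest project code). Models the same-origin
// scoping of Basic auth described in the PR as pure, testable functions plus a
// Playwright-style route handler. RouteLike is an assumed minimal shape of
// Playwright's Route/Request so the handler can be exercised with a fake.

export interface BasicAuthCredentials {
  username: string;
  password: string;
}

export interface SplitUrl {
  navigateUrl: string; // URL with the user:pass userinfo stripped
  credentials: BasicAuthCredentials | null;
}

// Minimal duck-typed view of playwright.Route (assumption; only these members are used).
export interface RouteLike {
  request(): { url(): string; headers(): Record<string, string> };
  continue(options?: { headers?: Record<string, string> }): Promise<void>;
}

// Pull user:password out of a URL like https://user:pass@host/path so the
// browser never sees the userinfo and the code below decides where it goes.
export function splitCredentialsFromUrl(rawUrl: string): SplitUrl {
  const url = new URL(rawUrl);
  if (url.username === '' && url.password === '') {
    return { navigateUrl: url.href, credentials: null };
  }
  const credentials: BasicAuthCredentials = {
    username: decodeURIComponent(url.username),
    password: decodeURIComponent(url.password),
  };
  url.username = '';
  url.password = '';
  return { navigateUrl: url.href, credentials };
}

// RFC 7617: "Basic" + base64("user:pass"). btoa is enough for ASCII credentials.
export function basicAuthHeaderValue(creds: BasicAuthCredentials): string {
  return 'Basic ' + btoa(`${creds.username}:${creds.password}`);
}

// Strict origin comparison: scheme, host and port must all match. Tighter than
// the PR's hostname-only check, which would also send the header to
// http://host when the target is https://host. Opaque origins ("null", e.g.
// data: URLs) and unparsable URLs never receive credentials.
export function isSameOrigin(targetUrl: string, requestUrl: string): boolean {
  try {
    const target = new URL(targetUrl).origin;
    return target !== 'null' && target === new URL(requestUrl).origin;
  } catch {
    return false;
  }
}

// Headers the request should actually go out with: untouched for cross-origin
// requests (e.g. an OIDC token endpoint), Authorization added for same-origin.
export function headersForRequest(
  targetUrl: string,
  creds: BasicAuthCredentials,
  requestUrl: string,
  existing: Record<string, string>,
): Record<string, string> {
  if (!isSameOrigin(targetUrl, requestUrl)) {
    return existing;
  }
  // Playwright reports header names lower-cased; keep that convention.
  return { ...existing, authorization: basicAuthHeaderValue(creds) };
}

// Handler for page.route('**/*', handler). route.continue() is called
// synchronously so a fake route in a test can observe the headers without awaiting.
export function makeScopedBasicAuthHandler(targetUrl: string, creds: BasicAuthCredentials) {
  return (route: RouteLike): Promise<void> => {
    const req = route.request();
    const existing = req.headers();
    const headers = headersForRequest(targetUrl, creds, req.url(), existing);
    return headers === existing ? route.continue() : route.continue({ headers });
  };
}

// Intended wiring against a real Playwright page (assumed usage, not run here):
//   const { navigateUrl, credentials } = splitCredentialsFromUrl(userSuppliedUrl);
//   if (credentials) await page.route('**/*', makeScopedBasicAuthHandler(navigateUrl, credentials));
//   await page.goto(navigateUrl);
```

Because `headersForRequest` is pure, the "auth header only on target host" item of the test plan can be checked in a unit test with a few representative URLs instead of a live site. Playwright's `browser.newContext({ httpCredentials })` is the library's own mechanism for answering 401 challenges and, in recent versions, accepts an `origin` to limit where credentials are sent; verify that against the installed version before relying on it.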