b91a58f30a
Internal service-to-service POSTs (call_action) were blocked by CSRF middleware since they have no session cookie. These requests are already gated by X-Internal-Action/X-Internal-Data headers and only reachable on the Docker overlay network. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>