Fix template errors: Starlette new API + remove hx-headers escaping

- TemplateResponse now uses (request, name, context) signature for Starlette 0.36+
- Replace per-button hx-headers with global htmx:configRequest token injection in base.html
- Fix JS cookie regex to handle leading semicolons correctly

Tested: login, auth redirect, profile create/view/delete all return correct status codes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

manager/templates/index.html

@@ -28,12 +28,10 @@
         <a href="/profile/{{ p.id }}" class="btn btn-ghost" style="padding: 6px 14px; font-size: 13px;">View</a>
         <button class="btn btn-success" style="padding: 6px 14px; font-size: 13px;"
                 hx-post="/api/profiles/{{ p.id }}/start"
-                hx-headers='{"X-Token": "{{ request.cookies.get(\"token\", \"\") }}"}'
                 hx-swap="none"
                 onclick="this.textContent='Starting…'">Start</button>
         <button class="btn btn-danger" style="padding: 6px 14px; font-size: 13px;"
                 hx-post="/api/profiles/{{ p.id }}/stop"
-                hx-headers='{"X-Token": "{{ request.cookies.get(\"token\", \"\") }}"}'
                 hx-swap="none"
                 onclick="this.textContent='Stopping…'">Stop</button>
       </div>
@@ -95,9 +93,10 @@ document.getElementById('create-form').addEventListener('submit', async (e) => {
   const welcome = fd.get('welcome_message')
   if (welcome) config.welcome_message = welcome
 
+  const token = document.cookie.match(/(?:^|;\s*)token=([^;]+)/)?.[1] || ''
   const resp = await fetch('/api/profiles', {
     method: 'POST',
-    headers: {'Content-Type': 'application/json', 'X-Token': document.cookie.match(/token=([^;]+)/)?.[1] || ''},
+    headers: {'Content-Type': 'application/json', 'X-Token': token},
     body: JSON.stringify({name: fd.get('name'), bot_type: fd.get('bot_type'), config})
   })
   if (resp.ok) {