fix(achievements): use canonical X-Hermes-Session-Token header

Follow-up to TreyDong's fix: switch the auth header to
`X-Hermes-Session-Token` (the canonical pattern used by the rest of
the dashboard SPA — see `web/src/lib/api.ts` `fetchJSON()`). The
server still accepts both schemes, so the original `Authorization:
Bearer` form would also work; we standardize on X-header to match
every other dashboard fetch and only set the header when a token is
actually present.

Also add scripts/release.py AUTHOR_MAP entry for treydong.zh@gmail.com.

plugins/hermes-achievements/dashboard/dist/index.js

@@ -51,8 +51,9 @@
   async function api(path, options) {
     const url = "/api/plugins/hermes-achievements" + path;
     const token = window.__HERMES_SESSION_TOKEN__ || "";
-    const headers = { ...(options?.headers || {}), Authorization: `Bearer ${token}` };
-    const res = await fetch(url, { ...options, headers });
+    const headers = { ...((options && options.headers) || {}) };
+    if (token) headers["X-Hermes-Session-Token"] = token;
+    const res = await fetch(url, { ...(options || {}), headers });
     if (!res.ok) {
       const text = await res.text().catch(function () { return res.statusText; });
       throw new Error(res.status + ": " + text);

scripts/release.py

@@ -54,6 +54,7 @@ AUTHOR_MAP = {
     "cleo@edaphic.xyz": "curiouscleo",
     "hirokazu.ogawa@kwansei.ac.jp": "hrkzogw",
     "datapod.k@gmail.com": "dandacompany",
+    "treydong.zh@gmail.com": "TreyDong",
     "127238744+teknium1@users.noreply.github.com": "teknium1",
     "128259593+Gutslabs@users.noreply.github.com": "Gutslabs",
     "50326054+nocturnum91@users.noreply.github.com": "nocturnum91",