Send X-Arkor-Client during anonymous token bootstrap

[k-taro56]

Summary

requestAnonymousToken was the one SDK call path that issued a raw fetch
instead of going through createClient(...), so it never set the
X-Arkor-Client: arkor/<version> header. The cloud API's SDK version gate
rejects header-less requests with 426 sdk_version_unsupported
(reason: "missing") — even while SUPPORTED_RANGE is *, by design, so
that pre-header SDK builds can't silently bypass policy during rollout.

End-to-end effect: on a fresh install with no ~/.arkor/credentials.json,
arkor dev fails to bootstrap an anonymous identity and exits with:

Error: Failed to acquire anonymous token (426): {"error":"sdk_version_unsupported","currentVersion":"unknown","supportedRange":"*","upgrade":"npm install -g arkor@latest","reason":"missing"}

This blocks the npm create arkor → arkor dev happy path on every
machine that hasn't been onboarded yet.

Changes

• packages/arkor/src/core/credentials.ts: add
  X-Arkor-Client: arkor/${SDK_VERSION} to the bootstrap fetch.
• packages/arkor/src/core/credentials.test.ts: new requestAnonymousToken
  describe block covering (a) the header is present on the wire, (b) the
  response shape is mapped correctly, (c) non-2xx surfaces the status.

Test plan

• pnpm --filter arkor test — green (12 files / 93 tests)
• pnpm typecheck — clean workspace-wide
• Manual: delete ~/.arkor/credentials.json, run arkor dev against a
  deployment with the gate enabled, confirm anonymous bootstrap completes
  and Studio reaches /api/credentials.

Follow-up

• Cut a new arkor alpha so users unblocked by this fix can pnpm add arkor@alpha.
• Consider a lint rule or test that fails if any /v1/* request in this
  package is built without going through createClient (would have caught
  this at PR time).

[greptile-apps]

k-taro56 has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.