The test was failing with 401 because the Pulse container starts in
fresh state requiring bootstrap token authentication. Added a
setupCredentials step that calls /api/security/quick-setup with the
known bootstrap token to create the admin user before attempting login.