docs(security): narrow x-no-account-id guidance and JWT notes

This commit is contained in:
Scott Idem
2026-05-01 13:59:07 -04:00
parent d5e5cb7ada
commit 19822c4eaf
4 changed files with 34 additions and 2 deletions


@@ -29,7 +29,7 @@ running in Docker. The frontend talks to it exclusively via the V3 REST API.
| Editors | CodeMirror 6 (primary), Edra/TipTap (secondary) |
| Native | Electron app for onsite launcher (`src/lib/electron/electron_relay.ts`) |
| Backend | FastAPI + MariaDB, V3 API (`/v3/crud/`, `/v3/lookup/`) |
| Auth | Custom headers: `x-aether-api-key` + `x-account-id` (no Bearer tokens) |
| Auth | Custom headers: `x-aether-api-key` + `x-account-id`; JWT Bearer is auto-injected when a session exists |
---
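Review bot: the new Auth row now lists two credentials without saying how they relate; the old row ruled out Bearer tokens outright, and the replacement says "JWT Bearer is auto-injected when a session exists" but not by whom, nor whether it is sent alongside `x-aether-api-key` + `x-account-id` or instead of them, nor which one the backend actually authenticates on when both are present. Suggest naming the component that injects it (presumably one of the API wrappers referenced later in this file) and stating precedence, e.g. "sent in addition to the custom headers; the backend still authorizes on `x-aether-api-key` + `x-account-id`" or the reverse, whichever is true, so a reader debugging a 401/403 knows which header to inspect.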
@@ -294,7 +294,9 @@ These are real incidents — know them before you start.
10. **Using query `key` as a proxy for bypass stripped `x-account-id`** — this caused
valid account-scoped requests to lose account context and 403. `key` can be a valid
endpoint/business param, but it is not equivalent to `x-no-account-id: bypass`.
endpoint/business param, but it is not equivalent to `x-no-account-id: bypass`. Keep
`x-no-account-id` usage narrow and temporary; do not expand it without a documented
allowlist case.
11. **Pre-stringifying `*_json` fields before passing to API wrappers** — the API wrappers
(`api_post__crud_obj.ts` for V3, `api.ts` for legacy CRUD) automatically serialize any
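Review bot: the added guidance in item 10 ("do not expand it without a documented allowlist case") does not say where that allowlist is documented or what the currently sanctioned `x-no-account-id: bypass` cases are, so it is not actionable as written. Suggest either linking the allowlist location or enumerating the existing bypass call sites inline, and replacing "temporary" with a concrete expectation (e.g. each bypass carries a comment naming its allowlist entry) so reviewers can check new uses against something specific rather than a judgement call.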