fix(core): preserve account context on key params and harden account detail fallback

- api_get/post/patch_object: stop treating params.key as account-bypass trigger\n- account detail: remove forced key usage, add list/cache fallback path\n- account detail: fix fallback bug that set load_error even when fallback record existed\n- sites detail: pretty-print cfg_json before save\n- docs: clarify key != bypass and add 403 troubleshooting notes

documentation/BOOTSTRAP__AI_Agent_Quickstart.md

@@ -206,6 +206,10 @@ x-aether-api-key: <PUBLIC_AE_API_SECRET_KEY>
 x-account-id: <account_id>
 ```
 
+**Do not treat `params.key` as an auth bypass.**
+Only explicit `x-no-account-id: bypass` means "drop account context".
+If `key` is present for business logic, keep `x-account-id` intact.
+
 ### Dexie queries — always use the object ID index, not `.get()`
 All `db_core` (and other module) Dexie tables define their schema with `id` as the first
 field (primary key), followed by the object's string ID (e.g. `person_id`). V3 **never**
@@ -288,6 +292,10 @@ These are real incidents — know them before you start.
    clean of data loads in private modules. See `GUIDE__SvelteKit2_Svelte5_DexieJS.md` →
    "SvelteKit Layout Hierarchy: Security and Execution Order" for the full explanation.
 
+10. **Using query `key` as a proxy for bypass stripped `x-account-id`** — this caused
+   valid account-scoped requests to lose account context and 403. `key` can be a valid
+   endpoint/business param, but it is not equivalent to `x-no-account-id: bypass`.
+
 ---
 
 ## 8. Source Layout (Quick Reference)