fix(api): pass real account_id for lookup requests instead of bypass header

The x-no-account-id bypass was hardcoded to resolve account_id=1 on the
backend, causing account-scoped lookup overrides (e.g. custom country names)
to leak to all callers regardless of their account.

Removing the bypass lets get_object auto-promote the real account_id from
api_cfg, so the backend's existing account filter works correctly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-03-23 20:00:28 -04:00
parent a6f8ff709e
commit 6e22639e6e

@@ -67,11 +67,10 @@ export const get_ae_obj_li_for_lu = async function get_ae_obj_li_for_lu({
console.log(`*** get_ae_obj_li_for_lu() *** for_lu_type=${for_lu_type}`);
}
// Lookup data is global; bypass account-id scope check
const merged_headers = {
'x-no-account-id': 'Nothing to See Here',
...headers
};
// Pass headers as-is — get_object will auto-promote the real account_id from api_cfg.
// Do NOT use x-no-account-id bypass: the backend hardcodes account_id=1 for that path,
// which leaks account-scoped lookup overrides to all callers.
const merged_headers = { ...headers };
// Use V3 system for primary lookup types
if (['country', 'country_subdivision', 'time_zone'].includes(for_lu_type)) {
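Review bot: at `const merged_headers = { ...headers };` the caller-supplied `headers` are still spread through unchanged, so any caller that passes `x-no-account-id` in `headers` re-enables the bypass this change removes and gets the account_id=1 resolution the new comment describes. Drop that key explicitly before building the request, for example `const { 'x-no-account-id': _ignored, ...merged_headers } = headers || {};`, and compare the key case-insensitively, since HTTP header names are not case-sensitive but object keys are. The new comment also says the backend hardcodes account_id=1 for that path; this hunk only stops one client function from sending the header, so the backend should reject or ignore it as well, otherwise account scoping still depends on client behaviour.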