API Hardening: Refine Bypass Logic and Enable Permissive Mode

- Hardened 'Bootstrap Paradox' bypass logic in GET/POST helpers to only strip account ID if an intentional bypass value is provided.
- Enabled 'Permissive Update Mode' (x-ae-ignore-extra-fields: true) by default to improve frontend state synchronization.
- Fixed loader hydration bug where isolated API headers were being overwritten by stale global defaults.
- Ensured correctly resolved account names persist in local state instead of defaulting to 'Ghost Account'.
- Added Environment & Bridge diagnostics section to the testing dashboard for easier runtime verification.
Scott Idem
2026-01-19 17:19:14 -05:00
parent 25d6503afe
commit 8566917be1
4 changed files with 79 additions and 28 deletions


@@ -72,9 +72,17 @@ export const post_object = async function post_object({
// Handle "Bootstrap Paradox" for unauthenticated requests
if (merged_headers.hasOwnProperty('x-no-account-id')) {
delete merged_headers['x-account-id'];
if (merged_headers['x-no-account-id'] === null) {
merged_headers['x-no-account-id'] = 'Nothing to See Here';
const bypass_val = merged_headers['x-no-account-id'];
const is_valid_bypass = bypass_val === 'bypass' ||
bypass_val === 'Nothing to See Here' ||
bypass_val === 'direct-download';
if (is_valid_bypass) {
if (log_lvl > 1) console.log('api_post_object: Valid bypass detected. Stripping account ID context.');
delete merged_headers['x-account-id'];
} else if (bypass_val === null || bypass_val === undefined || bypass_val === 'No_Account_ID_Here') {
if (log_lvl > 1) console.log('api_post_object: Placeholder bypass detected. Preserving account ID context.');
delete merged_headers['x-no-account-id'];
}
}
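Review bot: A value of `x-no-account-id` that matches neither list (an empty string, a mis-cased `'Bypass'`, any string added later) falls through both branches, so the request leaves with `x-account-id` and `x-no-account-id` both set and nothing logged. Because this header decides whether account context is sent, the fall-through should be explicit and fail towards preserving it, e.g. a closing `else { delete merged_headers['x-no-account-id']; }`, with the three accepted strings held in one shared constant so the GET helper named in the commit message cannot drift from this one. `merged_headers.hasOwnProperty(...)` is also better written as `Object.prototype.hasOwnProperty.call(merged_headers, 'x-no-account-id')`, which does not depend on the object's prototype. These checks run in the client, so it is worth confirming that the backend decides on its own whether a request without account context is allowed and does not treat the strings as authorization. The body of `post_object` starts and ends outside this hunk.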