Standardize JWT authentication and finalize Activity Log V3 migration

Scott Idem
2026-01-07 17:43:23 -05:00
parent 87023e7483
commit ea0d57658f
12 changed files with 199 additions and 109 deletions


@@ -225,21 +225,24 @@ The activity logging functionality is now working as expected. While the origina
### Session Learnings (2026-01-07)
**Context:** Finalized IDAA Bulletin Board V3 migration and completed the global application of the `editable_fields.ts` pattern.
**Context:** Finalized IDAA Bulletin Board V3 migration, implemented global `editable_fields.ts` whitelists, and standardized JWT authentication for CRUD V3.
**Key Accomplishments:**
- **JWT Authentication:** Standardized JWT usage across all CRUD V3 operations. Updated API helpers to automatically inject `Authorization: Bearer` headers and added secure file download support via `jwt` URL parameters.
- **Activity Log Management:** Fully migrated to V3 CRUD. Created a standalone management page at `/core/activity_logs` and integrated filtered activity history into the Person detail view.
- **IDAA Bulletin Board V3:** Completed migration to V3 CRUD. Resolved a critical bug where results disappeared after filtering by ensuring `account_id` is injected into processed objects before being saved to IndexedDB.
- **Race Condition Resolution:** Identified and fixed a race condition during database refresh by `await`ing Dexie `.clear()` operations.
- **Global Editable Field Whitelists:** Successfully created `.editable_fields.ts` whitelist files for all remaining Aether objects (Journals, Events, Sponsorships). This standardizes secure updates from the frontend by explicitly defining permitted fields for PATCH operations.
- **Documentation:** Updated `TODO.md` and `GEMINI.md` to reflect the current project state and recent milestones.
- **Global Editable Field Whitelists:** Successfully created `.editable_fields.ts` whitelist files for all remaining Aether objects (Journals, Events, Sponsorships).
- **Bug Fix:** Resolved a critical `ReferenceError` in the POST helper that was causing 500 errors during site lookup.
**Key Learnings:**
- **Header Normalization:** When merging headers in API helpers, ensure consistent kebab-case normalization (e.g., `Authorization` instead of `authorization`) to match backend expectations and avoid duplicates.
- **Secure Direct Access:** For direct browser-led requests like file downloads, passing the JWT as a URL parameter is a robust alternative to header-based auth which can be difficult to set on standard `<a>` or `<img>` tags.
- **IndexedDB Filter Consistency:** When using client-side filtering (e.g., `liveQuery`) on fields like `account_id`, it is vital that the frontend data processors inject these IDs if the API response omits them (common in nested V3 routes).
- **Asynchronous DB Operations:** Always `await` database cleanup operations (`.clear()`) before triggering new data loads to prevent stale data or empty lists due to race conditions.
- **Strict Data Shaping:** Centralizing field whitelists in `.editable_fields.ts` files provides a clean, maintainable way to control what data is sent back to the API during updates, preventing accidental overwrites of protected fields.
**Next Steps:**
- **Authentication & Security:** Standardize JWT usage in headers for all V3 calls.
- **Person Management:** Build out the "Linked Activity & Content" section and dedicated edit forms.
- **Person Management:** Build out dedicated edit forms and finalize the "Linked Activity & Content" section.
- **Address/Contact Details:** Implement detail pages for these newly added modules.
- **Coordination:** Continue checking `agents_sync/inbox` for API V3 updates from the backend agent.
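Review bot: The "Secure Direct Access" learning and the JWT bullet under Key Accomplishments record passing the session JWT as a `jwt` URL parameter for file downloads; that should not be documented as a recommended pattern without a caveat, because a bearer token in a query string ends up in browser history, server and proxy access logs, and `Referer` headers, so a full-privilege session token is exposed far more widely than it is in an `Authorization: Bearer` header. Suggest amending the learning to say the download path should use a short-lived, download-scoped token (or a cookie-based session) rather than the main JWT, and noting that the backend must never log the `jwt` parameter. Separately, the "Header Normalization" learning describes `Authorization` vs `authorization` as kebab-case normalization; HTTP header names are case-insensitive, so the real point is canonical casing to avoid duplicate entries when merging, and the wording should say so. Finally, the hunk shows two `**Context:**` lines, two "Global Editable Field Whitelists" bullets and two "Person Management" next steps; if these are not old/new pairs of a replacement, one of each should be removed.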