security(api): harden V3 authentication and unify CRUD endpoint patterns

Implemented critical security and architectural fixes to align the frontend with the Aether API V3 standard and resolve 403 Forbidden race conditions.

- Unified CRUD Helpers: Updated get, create, update, and delete helpers to use the standard /v3/crud/{obj_type}/{id} paths, ensuring correct backend isolation context.
- Auth Scavenging: Implemented direct localStorage scavenging for 'x-account-id' in core fetch helpers to prevent hydration race conditions in Svelte 5.
- Header Cleanup: Purged redundant 'x-aether-api-token' and fixed misplaced protocol headers in global stores.
- Reliability: Fixed 'Content-Type' typos and standardized kebab-case header normalization.

src/lib/ae_api/api_patch_object.ts

@@ -51,8 +51,25 @@ export const patch_object = async function patch_object({
     const merged_headers = { ...api_cfg['headers'], ...headers };
 
     // Auto-promote account_id from api_cfg to header if missing
-    if (!merged_headers['x-account-id'] && api_cfg['account_id']) {
-        merged_headers['x-account-id'] = api_cfg['account_id'];
+    let account_id = merged_headers['x-account-id'] || api_cfg['account_id'];
+
+    // IMMEDIATE ACCOUNT ID SCAVENGING: Read from localStorage to avoid race conditions
+    if (!account_id && typeof localStorage !== 'undefined') {
+        try {
+            const ae_loc_raw = localStorage.getItem('ae_loc');
+            if (ae_loc_raw) {
+                const ae_loc_json = JSON.parse(ae_loc_raw);
+                if (ae_loc_json.account_id) {
+                    account_id = ae_loc_json.account_id;
+                }
+            }
+        } catch (e) {
+            // Silently fail on storage read
+        }
+    }
+
+    if (account_id) {
+        merged_headers['x-account-id'] = account_id;
     }
 
     // Handle "Bootstrap Paradox" for unauthenticated requests