Five small fixes from REVIEW.md §2/§4/§8:
- attach_tag: 64-char cap at the handler so the validation error
envelope matches username/collection-name.
- create_token: same 64-char cap on bot token names.
- LocalStorage::resolve rejects NUL bytes explicitly so callers see
BadKey instead of an opaque IO error.
- sendBeacon dropped from the reader's pagehide flush — it's POST-only
and the server's read-progress route is PUT, so every page-close
was logging a 405 then falling through to the same keepalive fetch
anyway. Keepalive fetch is now the only path.
- Frontend logout sets content-type: application/json for symmetry
with the other mutation helpers.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
8667f8b957