feat(ui): Settings view + per-space project cards (status/research/edit/delete) + theming pass

- Settings (#/settings): API tokens (mint/list/revoke), Agents list, Orthos Mode placeholder
- Per-space Projects: Void-1-style expandable cards — inline status, ↻ Research (Eithan stub),
  Edit/New modal, Delete-with-confirm; migration 019 adds research_status/notes/timestamps;
  POST /api/projects/:id/research stub; GET /api/agent-tokens list
- Global +1 font bump; themed scrollbars; larger/bolder themed topbar

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/api/pending_extended_actions.test.js

@@ -5,6 +5,7 @@ import * as spacesRepo from '../../lib/db/repos/spaces.js';
 import * as agentsRepo from '../../lib/db/repos/agents.js';
 import * as refsRepo from '../../lib/db/repos/refs.js';
 import * as pendingChanges from '../../lib/db/repos/pending_changes.js';
+import { applyPendingChange } from '../../lib/api/routes/pending_changes.js';
 
 // Regression coverage for docs/security-followups.md:
 // the pending_changes.action CHECK previously rejected the extended actions
@@ -69,6 +70,14 @@ describe('ref upsert as a suggest-tier draft', () => {
     expect(created).toBeTruthy();
     expect(created.title).toBe('Y');
   });
+
+  it('approving an upsert for an entity whose repo cannot upsert fails clean (ValidationError, not TypeError)', async () => {
+    // 'upsert' only legitimately originates from refs; guard the dispatch so a
+    // stray upsert row on another entity_type fails loud, not with a bare TypeError.
+    await expect(
+      applyPendingChange({ entity_type: 'task', action: 'upsert', payload: {} }, owner)
+    ).rejects.toThrow(/does not support upsert/i);
+  });
 });
 
 describe('resource dependency mutations are owner-only', () => {