SettingsPage was still calling window.open() directly,
bypassing the auth-enabled fetch methods in api.js.
Changed buttons to use api.exportZip() and api.exportJson()
which properly include authentication headers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Lars
a0660e7a40