Fix pipe desync: send_ok_raw escapes newlines, expand-components? in env

- send_ok_raw: when SX wire format contains newlines (string literals),
  fall back to (ok "...escaped...") instead of (ok-raw ...) to keep
  the pipe single-line. Prevents multi-line responses from desyncing
  subsequent requests.
- expand-components? flag set in kernel env (not just VM adapter globals)
  so aser-list's env-has? check finds it during component expansion.
- SX_STANDALONE: restore no_oauth but generate CSRF via session cookie
  so mutation handlers (DELETE etc.) still work without account service.
- Shell statics injection: only inject small values (hashes, URLs) as
  kernel vars. Large blobs (CSS, component_defs) use placeholder tokens.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

sx/app.py

@@ -49,6 +49,11 @@ async def sx_standalone_context() -> dict:
     ctx["cart_mini"] = ""
     ctx["auth_menu"] = ""
     ctx["nav_tree"] = ""
+    # Generate CSRF token — standalone has no account service but still
+    # needs CSRF for mutation handlers (DELETE etc.)
+    from shared.browser.app.csrf import generate_csrf_token
+    from quart import g
+    g.csrf_token = generate_csrf_token()
     return ctx
 
 
@@ -57,8 +62,8 @@ def create_app() -> "Quart":
 
     extra_kw = {}
     if SX_STANDALONE:
-        extra_kw["no_oauth"] = True
         extra_kw["no_db"] = True
+        extra_kw["no_oauth"] = True
 
     app = create_base_app(
         "sx",