milestone 4: org header, logging, backup docs, mark all m4 tasks done

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/app/main.py

@@ -82,6 +82,7 @@ async def check_token(request: Request) -> None:
     auth = request.headers.get("authorization", "")
     scheme, _, provided = auth.partition(" ")
     if scheme.lower() != "bearer" or provided != expected:
+        logger.warning("rejected request: invalid token from %s", request.client.host if request.client else "unknown")
         raise HTTPException(status_code=401, detail="unauthorized")
 
 
@@ -101,7 +102,10 @@ async def capture(payload: CaptureRequest, store: IdempotencyStore = Depends(get
 
     lock = get_file_lock()
     with lock:
-        Path(org_path).parent.mkdir(parents=True, exist_ok=True)
+        org_file = Path(org_path)
+        org_file.parent.mkdir(parents=True, exist_ok=True)
+        if not org_file.exists():
+            org_file.write_text("#+title: synq captures\n#+startup: overview\n\n", encoding="utf-8")
         with open(org_path, "a", encoding="utf-8") as f:
             f.write(entry)
         store.mark_seen(payload.id, payload.created_at)
@@ -113,6 +117,8 @@ async def capture(payload: CaptureRequest, store: IdempotencyStore = Depends(get
 @app.exception_handler(RequestValidationError)
 async def validation_exception_handler(request: Request, exc: RequestValidationError) -> JSONResponse:
     errors = exc.errors()
+    fields = [str(e.get("loc", "")) for e in errors]
+    logger.warning("rejected payload: validation failed fields=%s from=%s", fields, request.client.host if request.client else "unknown")
     for err in errors:
         if "body" in err.get("loc", ()):
             return JSONResponse(status_code=400, content={"detail": "body must not be empty"})