docs(security): narrow x-no-account-id guidance and JWT notes

This commit is contained in:
Scott Idem
2026-05-01 13:59:07 -04:00
parent d5e5cb7ada
commit 19822c4eaf
4 changed files with 34 additions and 2 deletions


@@ -83,6 +83,15 @@ This gives session expiry without a network call on every page load.
**Note:** The backend fixes described below have been implemented and tested in the `aether_api_fastapi` repository (the `/authenticate_passcode` endpoint now uses explicit role priority, returns a full passcode JWT with `auth_type: 'passcode'`, applies per-role TTLs, and validates passcode length). Frontend changes can proceed once the backend deployment with these fixes is available.
### Backend Agent Follow-Up
If the backend team revisits this area, keep the next round focused on narrowing escape hatches rather than adding new ones:
1. Audit every `x-no-account-id` use and decide whether it is still required for bootstrap, public delivery, or a global-default fallback.
2. Prefer JWT-backed auth once a session exists; do not add new transport-level bypass paths for authenticated UI flows.
3. Mark any remaining bypass-only helper as temporary and add a removal target.
4. Plan the eventual removal of `access_code_kv_json` from public bootstrap payloads once passcode auth is fully deployed.
**Phase 2 status:** Not started — removing `access_code_kv_json` from the public site model remains pending.
**File:** `aether_api_fastapi/app/routers/api.py`
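Review bot: Item 2 of the "Backend Agent Follow-Up" list tells the backend to prefer JWT-backed auth once a session exists, but the hunk never states what the server should do when a request carries both a valid bearer JWT and `x-no-account-id`; without that rule, "prefer" can be read as a client-side preference rather than a server-side precedence, and the header stays an escape hatch on authenticated flows. Suggest adding one sentence under item 2, for example: "When a request carries a valid JWT, the JWT is authoritative and `x-no-account-id` is ignored (or the request is rejected) on authenticated UI routes." Relatedly, the note above the list says the passcode JWT now carries `auth_type: 'passcode'` and per-role TTLs, but nothing here says which endpoints must check `auth_type` so that a passcode JWT is not accepted where a full login is required; adding that to item 2 (or to item 3's removal-target list) would close the loop, since the `**File:**` line points only at `app/routers/api.py` and item 1's audit of `x-no-account-id` uses has no named location to start from.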