From 6e22639e6e0debe7324b4b12e1fca084eedd159f Mon Sep 17 00:00:00 2001
From: Scott Idem
Date: Mon, 23 Mar 2026 20:00:28 -0400
Subject: [PATCH] fix(api): pass real account_id for lookup requests instead of bypass header

The x-no-account-id bypass was hardcoded to resolve account_id=1 on the backend, causing account-scoped lookup overrides (e.g. custom country names) to leak to all callers regardless of their account. Removing the bypass lets get_object auto-promote the real account_id from api_cfg, so the backend's existing account filter works correctly.

Co-Authored-By: Claude Sonnet 4.6
---
 src/lib/api/api.ts | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/lib/api/api.ts b/src/lib/api/api.ts
index c55ac23c..7765a6e7 100644
--- a/src/lib/api/api.ts
+++ b/src/lib/api/api.ts
@@ -67,11 +67,10 @@ export const get_ae_obj_li_for_lu = async function get_ae_obj_li_for_lu({
 console.log(`*** get_ae_obj_li_for_lu() *** for_lu_type=${for_lu_type}`);
 }
- // Lookup data is global; bypass account-id scope check
- const merged_headers = {
- 'x-no-account-id': 'Nothing to See Here',
- ...headers
- };
+ // Pass headers as-is — get_object will auto-promote the real account_id from api_cfg.
+ // Do NOT use x-no-account-id bypass: the backend hardcodes account_id=1 for that path,
+ // which leaks account-scoped lookup overrides to all callers.
+ const merged_headers = { ...headers };
 // Use V3 system for primary lookup types
 if (['country', 'country_subdivision', 'time_zone'].includes(for_lu_type)) {
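Review bot: `const merged_headers = { ...headers };` still forwards whatever the caller put in `headers`, so a caller-supplied `x-no-account-id` key would reach the backend and, per the comment above it, resolve to account_id=1 again. Consider dropping that key explicitly, e.g. `const { 'x-no-account-id': _bypass, ...merged_headers } = headers ?? {};`, so the leak cannot be reintroduced from a call site. This hunk only stops the client from sending the header; if the backend still honours it, tenant scoping rests on client behaviour, so the server-side path presumably needs removing or gating as well (not visible here). The function body starts before and continues past the hunk.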