docs(core): mark data store fallback temporary and list special cases

documentation/PROJECT__AE_Site_Passcode_Security.md

@@ -92,6 +92,19 @@ If the backend team revisits this area, keep the next round focused on narrowing
 3. Mark any remaining bypass-only helper as temporary and add a removal target.
 4. Plan the eventual removal of `access_code_kv_json` from public bootstrap payloads once passcode auth is fully deployed.
 
+### Frontend special-case endpoints to review
+
+These are the current frontend-facing exceptions that the backend work should assume are special-cased. None require a frontend/client code change today, but some are intentionally temporary.
+
+| Frontend path / helper | Status | Notes |
+| --- | --- | --- |
+| `src/routes/+layout.ts` | Keep | Bootstrap site-domain lookup before account context is known. |
+| `src/routes/manifest.webmanifest/+server.ts` | Keep | Public PWA branding lookup; bootstrap key only. |
+| `src/lib/ae_core/ae_core__site.ts` | Keep | Cache-first site-domain bootstrap path. Still a bootstrap-only special case. |
+| `src/lib/ae_api/api_get__data_store.ts` + `src/lib/ae_core/core__data_store.ts` + `src/lib/elements/element_data_store.svelte` | Temporary | Global-default fallback. Target state is JWT-backed account-scoped access only. |
+| `src/lib/ae_core/ae_core_functions.ts` | Remove candidate | Legacy site-domain helper with forced no-account scope. |
+| `src/routes/testing/+page.svelte` | Dev-only | Useful for trace testing; do not add to any production allowlist. |
+
 **Phase 2 status:** Not started — removing `access_code_kv_json` from the public site model remains pending.
 
 **File:** `aether_api_fastapi/app/routers/api.py`