Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(core): mark data store fallback temporary and list special cases

Browse Source
This commit is contained in:
Scott Idem
2026-05-01 14:31:19 -04:00
parent 19822c4eaf
commit 7cef6be54c
5 changed files with 29 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
documentation/PROJECT__AE_Site_Passcode_Security.md
View File

@@ -92,6 +92,19 @@ If the backend team revisits this area, keep the next round focused on narrowing
3. Mark any remaining bypass-only helper as temporary and add a removal target. 3. Mark any remaining bypass-only helper as temporary and add a removal target.
4. Plan the eventual removal of `access_code_kv_json` from public bootstrap payloads once passcode auth is fully deployed. 4. Plan the eventual removal of `access_code_kv_json` from public bootstrap payloads once passcode auth is fully deployed.
### Frontend special-case endpoints to review
These are the current frontend-facing exceptions that the backend work should assume are special-cased. None require a frontend/client code change today, but some are intentionally temporary.
| Frontend path / helper | Status | Notes |
| --- | --- | --- |
| `src/routes/+layout.ts` | Keep | Bootstrap site-domain lookup before account context is known. |
| `src/routes/manifest.webmanifest/+server.ts` | Keep | Public PWA branding lookup; bootstrap key only. |
| `src/lib/ae_core/ae_core__site.ts` | Keep | Cache-first site-domain bootstrap path. Still a bootstrap-only special case. |
| `src/lib/ae_api/api_get__data_store.ts` + `src/lib/ae_core/core__data_store.ts` + `src/lib/elements/element_data_store.svelte` | Temporary | Global-default fallback. Target state is JWT-backed account-scoped access only. |
| `src/lib/ae_core/ae_core_functions.ts` | Remove candidate | Legacy site-domain helper with forced no-account scope. |
| `src/routes/testing/+page.svelte` | Dev-only | Useful for trace testing; do not add to any production allowlist. |
**Phase 2 status:** Not started — removing `access_code_kv_json` from the public site model remains pending. **Phase 2 status:** Not started — removing `access_code_kv_json` from the public site model remains pending.
**File:** `aether_api_fastapi/app/routers/api.py` **File:** `aether_api_fastapi/app/routers/api.py`

9
src/lib/ae_api/api_get__data_store.ts
View File

@@ -12,7 +12,9 @@ interface GetDataStoreV3Params {
/** /**
* Get a Data Store object by its human-friendly code (V3) * Get a Data Store object by its human-friendly code (V3)
* Uses hierarchical fallback logic (Specific -> Account -> Global) * Uses hierarchical fallback logic (Specific -> Account -> Global).
* TEMPORARY: the global fallback is a stopgap until the backend can
* serve account-scoped defaults via JWT-backed access only.
* Path: GET /v3/data_store/code/{code} * Path: GET /v3/data_store/code/{code}
*/ */
export async function get_data_store({ export async function get_data_store({
@@ -36,8 +38,9 @@ export async function get_data_store({
const headers: key_val = {}; const headers: key_val = {};
if (no_account_id) { if (no_account_id) {
// Use the standard bypass header understood by get_object so the // TEMPORARY: keep this narrow global-default escape hatch until the
// request can actually fall back to global defaults. // backend can answer the data_store request with account-scoped JWT
// access only.
headers['x-no-account-id'] = 'Nothing to See Here'; headers['x-no-account-id'] = 'Nothing to See Here';
} }

3
src/lib/ae_core/ae_core_functions.ts
View File

@@ -74,6 +74,9 @@ async function load_ae_obj_id__site_domain({
no_account_id = true; no_account_id = true;
// api_cfg.headers['x_account_id'] = 'nothing here'; // api_cfg.headers['x_account_id'] = 'nothing here';
} }
// LEGACY BOOTSTRAP SPECIAL CASE: this helper is effectively a remove
// candidate once all site-domain lookups use the cache-first/bootstrap
// path in ae_core__site.ts.
no_account_id = true; no_account_id = true;
const params = {}; const params = {};

4
src/lib/ae_core/core__data_store.ts
View File

@@ -28,6 +28,10 @@ export async function load_ae_obj_by_code__data_store({
save_idb?: boolean; save_idb?: boolean;
timeout?: number; timeout?: number;
log_lvl?: number; log_lvl?: number;
// TEMPORARY: this no-account fallback exists only until the backend
// can serve account-scoped defaults via JWT-backed access alone.
// Keep this path narrow and remove it when the backend no longer
// needs a transport-level scope drop for data_store.
}): Promise<any> { }): Promise<any> {
if (log_lvl) { if (log_lvl) {
console.log(`*** load_ae_obj_by_code__data_store() *** code=${code}`); console.log(`*** load_ae_obj_by_code__data_store() *** code=${code}`);

3
src/lib/elements/element_data_store.svelte
View File

@@ -227,6 +227,9 @@ async function load_data_store() {
`ae_e_data_store [${ds_code}]: Not found in context (Status ${status_code}). Trying global fallback.` `ae_e_data_store [${ds_code}]: Not found in context (Status ${status_code}). Trying global fallback.`
); );
// TEMPORARY: same global-default fallback as core__data_store.ts.
// This should go away once the backend can answer with JWT-backed,
// account-scoped defaults only.
ds_results = await api.get_data_store({ ds_results = await api.get_data_store({
api_cfg, api_cfg,
code: ds_code, code: ds_code,