API Hardening: Refine Bypass Logic and Enable Permissive Mode

- Hardened 'Bootstrap Paradox' bypass logic in GET/POST helpers to only strip account ID if an intentional bypass value is provided.
- Enabled 'Permissive Update Mode' (x-ae-ignore-extra-fields: true) by default to improve frontend state synchronization.
- Fixed loader hydration bug where isolated API headers were being overwritten by stale global defaults.
- Ensured correctly resolved account names persist in local state instead of defaulting to 'Ghost Account'.
- Added Environment & Bridge diagnostics section to the testing dashboard for easier runtime verification.

src/lib/ae_api/api_get_object.ts

@@ -69,9 +69,17 @@ export const get_object = async function get_object({
 
     // Handle "Bootstrap Paradox" for unauthenticated requests
     if (merged_headers.hasOwnProperty('x-no-account-id')) {
-        delete merged_headers['x-account-id'];
-        if (merged_headers['x-no-account-id'] === null) {
-            merged_headers['x-no-account-id'] = 'Nothing to See Here';
+        const bypass_val = merged_headers['x-no-account-id'];
+        const is_valid_bypass = bypass_val === 'bypass' || 
+                               bypass_val === 'Nothing to See Here' || 
+                               bypass_val === 'direct-download';
+        
+        if (is_valid_bypass) {
+            if (log_lvl > 1) console.log('api_get_object: Valid bypass detected. Stripping account ID context.');
+            delete merged_headers['x-account-id'];
+        } else if (bypass_val === null || bypass_val === undefined || bypass_val === 'No_Account_ID_Here') {
+            if (log_lvl > 1) console.log('api_get_object: Placeholder bypass detected. Preserving account ID context.');
+            delete merged_headers['x-no-account-id'];
         }
     }
 

src/lib/ae_api/api_post_object.ts

@@ -72,9 +72,17 @@ export const post_object = async function post_object({
 
     // Handle "Bootstrap Paradox" for unauthenticated requests
     if (merged_headers.hasOwnProperty('x-no-account-id')) {
-        delete merged_headers['x-account-id'];
-        if (merged_headers['x-no-account-id'] === null) {
-            merged_headers['x-no-account-id'] = 'Nothing to See Here';
+        const bypass_val = merged_headers['x-no-account-id'];
+        const is_valid_bypass = bypass_val === 'bypass' || 
+                               bypass_val === 'Nothing to See Here' || 
+                               bypass_val === 'direct-download';
+        
+        if (is_valid_bypass) {
+            if (log_lvl > 1) console.log('api_post_object: Valid bypass detected. Stripping account ID context.');
+            delete merged_headers['x-account-id'];
+        } else if (bypass_val === null || bypass_val === undefined || bypass_val === 'No_Account_ID_Here') {
+            if (log_lvl > 1) console.log('api_post_object: Placeholder bypass detected. Preserving account ID context.');
+            delete merged_headers['x-no-account-id'];
         }
     }
 

src/routes/+layout.ts

@@ -42,18 +42,12 @@ const ae_api_init: key_val = {
     account_id: ae_account_id
 };
 
-const ae_api_headers: key_val = {};
-ae_api_headers['Access-Control-Allow-Origin'] = '*';
-ae_api_headers['Content-Type'] = 'application/json';
-ae_api_headers['x-aether-api-key'] = ae_api_init.api_secret_key;
-ae_api_headers['x-aether-api-token'] = 'fake-temp-token';
-ae_api_headers['x-aether-api-expire-on'] = '';
-if (ae_account_id) {
-    ae_api_headers['x-account-id'] = ae_account_id;
-}
-if (ae_no_account_id) {
-    ae_api_headers['x-no-account-id'] = ae_no_account_id;
-}
+const ae_api_headers: key_val = {
+    'Access-Control-Allow-Origin': '*',
+    'Content-Type': 'application/json',
+    'x-aether-api-key': api_secret_key,
+    'x-ae-ignore-extra-fields': 'true'
+};
 
 ae_api_init['headers'] = ae_api_headers;
 
@@ -63,7 +57,10 @@ export async function load({ fetch, params, parent, route, url }) {
     let account_id: any;
 
     const ae_acct: key_val = {
-        api: ae_api_init,
+        api: { 
+            ...ae_api_init,
+            headers: { ...ae_api_headers } // Local clone
+        }, 
         ds: {},
         loc: {
             account_id: '',
@@ -113,13 +110,14 @@ export async function load({ fetch, params, parent, route, url }) {
     try {
         if (log_lvl) console.log(`ROOT LOAD: Starting site lookup V3 for ${fqdn}...`);
         
-        // Use dedicated Agent Key for Bootstrap if available, otherwise fallback to standard key
+        // Use dedicated Agent Key for Bootstrap and include the unauthenticated bypass header ONLY for this request
         const bootstrap_api_cfg = { 
             ...ae_api_init,
-            api_secret_key: 'IDF68Em5X4HTZlswRNgepQ', // Dedicated Agent Bootstrap Key
+            api_secret_key: 'IDF68Em5X4HTZlswRNgepQ',
             headers: { 
                 ...ae_api_init.headers, 
-                'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ' 
+                'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ',
+                'x-no-account-id': ae_no_account_id || 'bypass'
             }
         };
 
@@ -162,10 +160,9 @@ export async function load({ fetch, params, parent, route, url }) {
 
     if (log_lvl) console.log(`ROOT LOAD: Using account_id: ${account_id}`);
 
-    ae_api_init['account_id'] = account_id;
-    ae_api_init['headers']['x-account-id'] = account_id;
-
-    ae_api_headers['x-account-id'] = account_id;
+    // Update the local clones
+    ae_acct.api.account_id = account_id;
+    ae_acct.api.headers['x-account-id'] = account_id;
 
     ae_loc_init['account_id'] = account_id;
     ae_loc_init['account_code'] = json_data.account_code || 'ghost';
@@ -217,7 +214,9 @@ export async function load({ fetch, params, parent, route, url }) {
     //     });
     // }
 
-    ae_acct['api'] = ae_api_init;
+    ae_loc_init['account_name'] = json_data.account_name || 'Account Name Not Set';
+
+    // ae_acct['api'] = ae_api_init; // DO NOT USE: This overwrites our isolated clone from line 65
     ae_acct['loc'] = ae_loc_init;
     ae_acct['ds'] = ds_code_li;
     ae_acct['slct'] = {

src/routes/testing/+page.svelte

@@ -28,7 +28,8 @@
         ArrowRightLeft,
         Code,
         FlaskConical,
-        Info
+        Info,
+        Satellite
     } from 'lucide-svelte';
 
     // Core Module Imports
@@ -36,6 +37,7 @@
     import { lookup_site_domain_v3 } from '$lib/ae_core/ae_core__site';
     import { load_ae_obj_id__user } from '$lib/ae_core/ae_core__user';
     import { db_core } from '$lib/ae_core/db_core';
+    import { events_loc } from '$lib/stores/ae_events_stores';
 
     // State Variables
     let test_result: any = $state(null);
@@ -174,6 +176,10 @@
         return await response.json();
     });
 
+    // Environment Diagnostics
+    let is_native = $derived(typeof window !== 'undefined' && !!(window as any).native_app);
+    let app_mode = $derived($events_loc?.launcher?.app_mode || 'web');
+
 </script>
 
 <!-- Outer wrapper to enable scrolling if parent is overflow-hidden -->
@@ -208,6 +214,36 @@
         <div class="grid grid-cols-1 xl:grid-cols-[1fr_400px] gap-8">
             <main class="space-y-6">
                 
+                <!-- Environment & Bridge Card -->
+                <div class="card p-6 variant-soft-tertiary space-y-4 border border-gray-500 shadow-lg">
+                    <header class="flex justify-between items-center border-b border-gray-500 pb-3">
+                        <div class="flex items-center gap-2 text-tertiary-700 dark:text-tertiary-300">
+                            <Satellite size={20} />
+                            <h3 class="h3 font-bold">Environment & Bridge Diagnostics</h3>
+                        </div>
+                        <span class="badge variant-filled-tertiary font-mono p-2 uppercase">
+                            Runtime: {is_native ? 'Electron' : 'Web Browser'}
+                        </span>
+                    </header>
+                    <div class="grid grid-cols-1 md:grid-cols-3 gap-4">
+                        <div class="flex flex-col p-3 bg-gray-500/10 rounded" title="The current logic mode of the application (e.g. native, onsite, web).">
+                            <span class="text-[10px] uppercase opacity-50 font-bold">App Mode</span>
+                            <span class="text-sm font-bold text-tertiary-600 dark:text-tertiary-400 uppercase tracking-widest">{app_mode}</span>
+                        </div>
+                        <div class="flex flex-col p-3 bg-gray-500/10 rounded" title="Presence of window.native_app bridge object.">
+                            <span class="text-[10px] uppercase opacity-50 font-bold">Bridge Detected</span>
+                            <div class="flex items-center gap-2">
+                                <div class="w-2 h-2 rounded-full {is_native ? 'bg-success-500 animate-pulse' : 'bg-surface-500'}"></div>
+                                <span class="text-sm font-semibold">{is_native ? 'Active' : 'Missing / Inactive'}</span>
+                            </div>
+                        </div>
+                        <div class="flex flex-col p-3 bg-gray-500/10 rounded" title="The host string being used for bootstrap site resolution.">
+                            <span class="text-[10px] uppercase opacity-50 font-bold">Bootstrap Host</span>
+                            <span class="font-mono text-xs truncate">{$ae_loc.hostname || '--'}</span>
+                        </div>
+                    </div>
+                </div>
+
                 <!-- Session Context Card -->
                 <div class="card p-6 variant-soft-surface space-y-4 border border-gray-500 shadow-lg">
                     <header class="flex justify-between items-center border-b border-gray-500 pb-3">