API Hardening: Refine Bypass Logic and Enable Permissive Mode

- Hardened 'Bootstrap Paradox' bypass logic in GET/POST helpers to only strip account ID if an intentional bypass value is provided.
- Enabled 'Permissive Update Mode' (x-ae-ignore-extra-fields: true) by default to improve frontend state synchronization.
- Fixed loader hydration bug where isolated API headers were being overwritten by stale global defaults.
- Ensured correctly resolved account names persist in local state instead of defaulting to 'Ghost Account'.
- Added Environment & Bridge diagnostics section to the testing dashboard for easier runtime verification.

src/routes/+layout.ts

@@ -42,18 +42,12 @@ const ae_api_init: key_val = {
     account_id: ae_account_id
 };
 
-const ae_api_headers: key_val = {};
-ae_api_headers['Access-Control-Allow-Origin'] = '*';
-ae_api_headers['Content-Type'] = 'application/json';
-ae_api_headers['x-aether-api-key'] = ae_api_init.api_secret_key;
-ae_api_headers['x-aether-api-token'] = 'fake-temp-token';
-ae_api_headers['x-aether-api-expire-on'] = '';
-if (ae_account_id) {
-    ae_api_headers['x-account-id'] = ae_account_id;
-}
-if (ae_no_account_id) {
-    ae_api_headers['x-no-account-id'] = ae_no_account_id;
-}
+const ae_api_headers: key_val = {
+    'Access-Control-Allow-Origin': '*',
+    'Content-Type': 'application/json',
+    'x-aether-api-key': api_secret_key,
+    'x-ae-ignore-extra-fields': 'true'
+};
 
 ae_api_init['headers'] = ae_api_headers;
 
@@ -63,7 +57,10 @@ export async function load({ fetch, params, parent, route, url }) {
     let account_id: any;
 
     const ae_acct: key_val = {
-        api: ae_api_init,
+        api: { 
+            ...ae_api_init,
+            headers: { ...ae_api_headers } // Local clone
+        }, 
         ds: {},
         loc: {
             account_id: '',
@@ -113,13 +110,14 @@ export async function load({ fetch, params, parent, route, url }) {
     try {
         if (log_lvl) console.log(`ROOT LOAD: Starting site lookup V3 for ${fqdn}...`);
         
-        // Use dedicated Agent Key for Bootstrap if available, otherwise fallback to standard key
+        // Use dedicated Agent Key for Bootstrap and include the unauthenticated bypass header ONLY for this request
         const bootstrap_api_cfg = { 
             ...ae_api_init,
-            api_secret_key: 'IDF68Em5X4HTZlswRNgepQ', // Dedicated Agent Bootstrap Key
+            api_secret_key: 'IDF68Em5X4HTZlswRNgepQ',
             headers: { 
                 ...ae_api_init.headers, 
-                'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ' 
+                'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ',
+                'x-no-account-id': ae_no_account_id || 'bypass'
             }
         };
 
@@ -162,10 +160,9 @@ export async function load({ fetch, params, parent, route, url }) {
 
     if (log_lvl) console.log(`ROOT LOAD: Using account_id: ${account_id}`);
 
-    ae_api_init['account_id'] = account_id;
-    ae_api_init['headers']['x-account-id'] = account_id;
-
-    ae_api_headers['x-account-id'] = account_id;
+    // Update the local clones
+    ae_acct.api.account_id = account_id;
+    ae_acct.api.headers['x-account-id'] = account_id;
 
     ae_loc_init['account_id'] = account_id;
     ae_loc_init['account_code'] = json_data.account_code || 'ghost';
@@ -217,7 +214,9 @@ export async function load({ fetch, params, parent, route, url }) {
     //     });
     // }
 
-    ae_acct['api'] = ae_api_init;
+    ae_loc_init['account_name'] = json_data.account_name || 'Account Name Not Set';
+
+    // ae_acct['api'] = ae_api_init; // DO NOT USE: This overwrites our isolated clone from line 65
     ae_acct['loc'] = ae_loc_init;
     ae_acct['ds'] = ds_code_li;
     ae_acct['slct'] = {