diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte index b8fcb8bb..ca1cf020 100644 --- a/src/routes/+layout.svelte +++ b/src/routes/+layout.svelte @@ -405,7 +405,8 @@ $effect(() => { size="3rem" class="text-primary-500 animate-spin" />
- Hydrating Aether... + + Loading Aether data...
diff --git a/src/routes/+layout.ts b/src/routes/+layout.ts index 838fc0be..e776bf61 100644 --- a/src/routes/+layout.ts +++ b/src/routes/+layout.ts @@ -357,7 +357,7 @@ export async function load({ fetch, params, parent, route, url }) { account_code: 'ghost', account_name: api_error ? 'API Connection Failed' - : 'Domain Not Registered', + : 'Domain Not Found or Missing Access Key', site_id_random: 'ghost', site_domain_id_random: 'ghost', enable: '1', @@ -455,11 +455,16 @@ export async function load({ fetch, params, parent, route, url }) { ae_loc_init['base_url'] = url.origin; ae_loc_init['hostname'] = url.hostname; - // --- Access key verification — DISABLED (2026-04-01) --- - // Access keys cleared from all site_domain records. Always grant access. - // TODO: Re-enable this block when access key enforcement is restored. + // Access key gate — re-enabled 2026-04-28. + // Only write allow_access when a key is actively present in the URL. + // If no key on refresh/navigation, do NOT set allow_access — the persisted + // value from the original keyed visit survives the ae_loc spread in +layout.svelte. + // Setting it unconditionally (even to `true`) overwrites the persisted key string + // on every refresh, which was the root cause of the 2026-04-01 lockout bug. ae_loc_init['key_checked'] = true; - ae_loc_init['allow_access'] = true; + if (access_key) { + ae_loc_init['allow_access'] = access_key; + } // if (!account_id) { // error(500, {