From b4f0ca3e64825c7e11a1f3bde692acdccef0cb51 Mon Sep 17 00:00:00 2001 From: Scott Idem Date: Tue, 28 Apr 2026 16:10:10 -0400 Subject: [PATCH] fix(auth): re-enable ?key= access gate with persistent-state fix The key gate was disabled 2026-04-01 after a page-refresh lockout bug. Root cause: +layout.ts unconditionally wrote ae_loc_init['allow_access'], which the +layout.svelte merge spread clobbered the persisted key string on every navigation/refresh without ?key= in the URL, causing the gate comparison to fail and showing "Access Denied". Fix: only write allow_access to ae_loc_init when access_key is present in the URL. On refresh/navigation without the key param, the persisted value survives the spread unchanged. Co-Authored-By: Claude Sonnet 4.6 --- src/routes/+layout.svelte | 3 ++- src/routes/+layout.ts | 15 ++++++++++----- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte index b8fcb8bb..ca1cf020 100644 --- a/src/routes/+layout.svelte +++ b/src/routes/+layout.svelte @@ -405,7 +405,8 @@ $effect(() => { size="3rem" class="text-primary-500 animate-spin" />
- Hydrating Aether... + + Loading Aether data...
diff --git a/src/routes/+layout.ts b/src/routes/+layout.ts
index 838fc0be..e776bf61 100644
--- a/src/routes/+layout.ts
+++ b/src/routes/+layout.ts
@@ -357,7 +357,7 @@ export async function load({ fetch, params, parent, route, url }) {
 account_code: 'ghost',
 account_name: api_error
 ? 'API Connection Failed'
- : 'Domain Not Registered',
+ : 'Domain Not Found or Missing Access Key',
 site_id_random: 'ghost',
 site_domain_id_random: 'ghost',
 enable: '1',
@@ -455,11 +455,16 @@ export async function load({ fetch, params, parent, route, url }) {
 ae_loc_init['base_url'] = url.origin;
 ae_loc_init['hostname'] = url.hostname;
- // --- Access key verification — DISABLED (2026-04-01) ---
- // Access keys cleared from all site_domain records. Always grant access.
- // TODO: Re-enable this block when access key enforcement is restored.
+ // Access key gate — re-enabled 2026-04-28.
+ // Only write allow_access when a key is actively present in the URL.
+ // If no key on refresh/navigation, do NOT set allow_access — the persisted
+ // value from the original keyed visit survives the ae_loc spread in +layout.svelte.
+ // Setting it unconditionally (even to `true`) overwrites the persisted key string
+ // on every refresh, which was the root cause of the 2026-04-01 lockout bug.
 ae_loc_init['key_checked'] = true;
- ae_loc_init['allow_access'] = true;
+ if (access_key) {
+ ae_loc_init['allow_access'] = access_key;
+ }
 // if (!account_id) {
 // error(500, {
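Review bot: `ae_loc_init['allow_access'] = access_key;` stores whatever arrives in `?key=` without checking it, and `key_checked` is still set to `true` on every load, so nothing in this hunk verifies the key; the comparison lives in +layout.svelte, which is not shown here. Two cases are worth confirming against that gate: browsers that loaded the app while the block was disabled may still hold a persisted `allow_access` of `true`, which a truthiness test would accept, and a link with a mistyped key overwrites a good persisted key and locks the user out again. I would write the value only after it has matched the site's key, or at minimum add `// NOTE: stored unverified; the gate in +layout.svelte must compare with === against the site key and reject a stale boolean`. Since the key travels in the query string it also lands in browser history, Referer headers and access logs, so it should be treated as a low-assurance gate rather than authentication. The body of load() extends past both ends of this hunk.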