docs: audit and archive completed Journals and Badges projects

documentation/AE__Permissions_and_Security.md

@@ -1,6 +1,6 @@
 # Aether — Permissions and Security
 
-**Last Updated:** 2026-02-27
+**Last Updated:** 2026-06-12
 **Source of truth:** `src/lib/ae_utils/ae_utils__perm_checks.ts`, `src/lib/stores/ae_stores.ts`
 
 ---
@@ -76,15 +76,18 @@ $ae_loc.adv_mode             // boolean — advanced mode toggle
 | AE Username + Password | `trusted` and above | Staff with AE accounts |
 | Novi UUID | `authenticated` | IDAA members (Novi membership system) |
 
-Passcodes are stored per-level in `$ae_loc.site_access_code_kv`:
-```typescript
-site_access_code_kv: {
-    administrator: null,  // highest passcode tier
-    trusted: null,        // onsite staff passcode
-    public: 'public1980', // example
-    authenticated: 'auth1980'
-}
-```
+### Site Passcode Security Warning
+
+The current frontend receives every site passcode in `access_code_kv_json`, copies the map into
+persisted `$ae_loc.site_access_code_kv`, and compares entered passcodes locally. Verbose logging
+can also expose the complete map. This is a known active security gap, not the target design.
+
+Do not add new consumers of `site_access_code_kv`, log passcodes, or treat persisted
+`access_type` as durable proof of authentication. The target flow verifies passcodes through
+`/authenticate_passcode`, stores a signed JWT with a role-specific TTL, and removes passcodes from
+the public bootstrap response and client state.
+
+See `documentation/PROJECT__AE_Site_Passcode_Security.md` for the active migration plan.
 
 ### `x-no-account-id` — Narrow Transport Exception