From ea765d8ad2d22809743f9c0a08430896458cdfd7 Mon Sep 17 00:00:00 2001
From: Scott Idem <stidem@gmail.com>
Date: Thu, 21 May 2026 18:11:32 -0400
Subject: [PATCH] fix(api): lower patch/delete timeout to 20s and add delete
 auth error banner

Two gaps found during review of the recent retry-hardening commits:

1. api_patch_object.ts and api_delete_object.ts still defaulted to 60s
   timeout while GET/POST were lowered to 20s. No callers set an explicit
   timeout, so the default was the only value used. With retry_count=5 and
   the new backoff policy, 60s per attempt = 5+ minutes worst-case wait.
   Lowered to 20s to match GET/POST and keep worst-case under ~2 minutes.

2. api_delete_object.ts had no ae_auth_error import and no session-expired
   banner on 401/403. A stale-session DELETE would silently return false
   with no user feedback. Added browser + ae_auth_error imports and the
   ae_auth_error.set() call matching the pattern in GET/POST/PATCH.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/lib/ae_api/api_delete_object.ts | 15 ++++++++++++++-
 src/lib/ae_api/api_patch_object.ts  |  2 +-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/lib/ae_api/api_delete_object.ts b/src/lib/ae_api/api_delete_object.ts
index 4a6ef9e8..b7d991c3 100644
--- a/src/lib/ae_api/api_delete_object.ts
+++ b/src/lib/ae_api/api_delete_object.ts
@@ -1,3 +1,5 @@
+import { browser } from '$app/environment';
+import { ae_auth_error } from '$lib/stores/ae_stores';
 import type { key_val } from '$lib/stores/ae_stores';
 
 /**
@@ -11,7 +13,7 @@ export const delete_object = async function delete_object({
     headers = {},
     params = {},
     data = {},
-    timeout = 60000,
+    timeout = 20000,
     return_meta = false,
     log_lvl = 0,
     retry_count = 5
@@ -200,6 +202,17 @@ export const delete_object = async function delete_object({
                     response.status === 403 ||
                     response.status === 422
                 ) {
+                    if (response.status === 401 || response.status === 403) {
+                        console.warn(
+                            `AUTH DIAGNOSTICS (DELETE): Headers sent for ${endpoint}:`,
+                            {
+                                has_api_key: !!headers_cleaned['x-aether-api-key'],
+                                has_account_id: !!headers_cleaned['x-account-id']
+                            }
+                        );
+                        // Signal the root layout to show the session-expired banner.
+                        if (browser) ae_auth_error.set({ type: 'expired', ts: Date.now() });
+                    }
                     return false;
                 }
 
diff --git a/src/lib/ae_api/api_patch_object.ts b/src/lib/ae_api/api_patch_object.ts
index d4c5f5ee..4d7a309f 100644
--- a/src/lib/ae_api/api_patch_object.ts
+++ b/src/lib/ae_api/api_patch_object.ts
@@ -13,7 +13,7 @@ export const patch_object = async function patch_object({
     headers = {},
     params = {},
     data = {},
-    timeout = 60000,
+    timeout = 20000,
     return_meta = false,
     log_lvl = 0,
     retry_count = 5