From f03627ef3c65c5020ca2d280139e1f7c63ad0eeb Mon Sep 17 00:00:00 2001
From: Scott Idem
Date: Tue, 10 Mar 2026 16:30:11 -0400
Subject: [PATCH] security: move hardcoded bootstrap API key to env var

PUBLIC_AE_BOOTSTRAP_KEY replaces the hardcoded 'IDF68Em5X4HTZlswRNgepQ' in:
- src/routes/+layout.ts (site-domain bootstrap request)
- src/routes/testing/+page.svelte (trace agent key)

Added to .env.staging, .env.prod, .env.local (gitignored), and updated .env.staging.default / .env.prod.default with XXXX placeholders.

Key can now be rotated independently from the main API secret key.
---
 .env.prod.default | 3 +++
 .env.staging.default | 3 +++
 src/routes/+layout.ts | 8 +++++---
 src/routes/testing/+page.svelte | 3 ++-
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/.env.prod.default b/.env.prod.default
index 200857a2..63242891 100644
--- a/.env.prod.default
+++ b/.env.prod.default
@@ -13,6 +13,9 @@ PUBLIC_AE_API_PORT=443
 PUBLIC_AE_API_PATH=
 PUBLIC_AE_API_SECRET_KEY=XXXX
 PUBLIC_AE_API_CRUD_SUPER_KEY=XXXX
+# Bootstrap key: used only for the unauthenticated site-domain lookup on first load.
+# Separate from the main API key — has limited permissions (no account_id required).
+PUBLIC_AE_BOOTSTRAP_KEY=XXXX
 PUBLIC_AE_NO_ACCOUNT_ID=No_Account_ID_Here
 PUBLIC_AE_NO_ACCOUNT_ID_TOKEN=Nothing_to_see_here
diff --git a/.env.staging.default b/.env.staging.default
index 65763887..1f65c148 100644
--- a/.env.staging.default
+++ b/.env.staging.default
@@ -13,6 +13,9 @@ PUBLIC_AE_API_PORT=443
 PUBLIC_AE_API_PATH=
 PUBLIC_AE_API_SECRET_KEY=XXXX
 PUBLIC_AE_API_CRUD_SUPER_KEY=XXXX
+# Bootstrap key: used only for the unauthenticated site-domain lookup on first load.
+# Separate from the main API key — has limited permissions (no account_id required).
+PUBLIC_AE_BOOTSTRAP_KEY=XXXX
 PUBLIC_AE_NO_ACCOUNT_ID=No_Account_ID_Here
 PUBLIC_AE_NO_ACCOUNT_ID_TOKEN=Nothing_to_see_here
diff --git a/src/routes/+layout.ts b/src/routes/+layout.ts
index 03abce26..d948a83e 100644
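Review bot: The new comment on `PUBLIC_AE_BOOTSTRAP_KEY` in this hunk (and the identical one in .env.staging.default) describes the key as limited-permission but does not say that, because of the `PUBLIC_` prefix and the `$env/static/public` import in +layout.ts, the value is compiled into the browser bundle and is readable by every visitor. Suggest extending the comment: `# PUBLIC_-prefixed: this value is compiled into the browser bundle and is NOT secret; grant it only the site-domain lookup permission server-side.` The neighbouring `PUBLIC_AE_API_SECRET_KEY` and `PUBLIC_AE_API_CRUD_SUPER_KEY` lines carry the same prefix; whether those are really intended to reach the browser is not something this diff shows, but it is worth confirming.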
--- a/src/routes/+layout.ts
+++ b/src/routes/+layout.ts
@@ -17,6 +17,7 @@ import {
 PUBLIC_AE_API_PATH,
 PUBLIC_AE_API_SECRET_KEY,
 PUBLIC_AE_API_CRUD_SUPER_KEY,
+PUBLIC_AE_BOOTSTRAP_KEY,
 // PUBLIC_AE_NO_ACCOUNT_ID,
 // PUBLIC_AE_NO_ACCOUNT_ID_TOKEN
 } from '$env/static/public';
@@ -206,13 +207,14 @@ export async function load({ fetch, params, parent, route, url }) {
 try {
 if (log_lvl) console.log(`ROOT LOAD: No cache. Starting site lookup V3 for ${fqdn}...`);
-// Use dedicated Agent Key for Bootstrap and include the unauthenticated bypass header ONLY for this request
+// Use dedicated Bootstrap key — limited permissions, no account_id required.
+// Key is injected at build time from PUBLIC_AE_BOOTSTRAP_KEY in .env.
 const bootstrap_api_cfg = {
 ...ae_api_init,
-api_secret_key: 'IDF68Em5X4HTZlswRNgepQ',
+api_secret_key: PUBLIC_AE_BOOTSTRAP_KEY,
 headers: {
 ...ae_api_init.headers,
-'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ',
+'x-aether-api-key': PUBLIC_AE_BOOTSTRAP_KEY,
 'x-no-account-id': 'bypass' // Force explicit bypass for bootstrap
 }
 };
diff --git a/src/routes/testing/+page.svelte b/src/routes/testing/+page.svelte
index 0d1d89a2..6a393656 100644
--- a/src/routes/testing/+page.svelte
+++ b/src/routes/testing/+page.svelte
@@ -1,5 +1,6 @@
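Review bot: Replacing the literal with `PUBLIC_AE_BOOTSTRAP_KEY` on the `api_secret_key` and `x-aether-api-key` lines changes where the value comes from but not who can see it: the name is imported from `$env/static/public`, so the build still embeds it in the client bundle, and the previous literal stays in git history and in this commit message, so it has to be revoked on the API side rather than merely replaced. The new comment should state the exposure explicitly, e.g. `// Bootstrap key is PUBLIC_ (inlined into the client bundle) — treat it as non-secret; its only server-side permission should be the site-domain lookup.` It appears that a missing variable makes the `$env/static/public` import fail at build time rather than sending an empty header, which is the behaviour you want here; worth confirming so a misconfigured deploy cannot silently send `'x-aether-api-key': ''`. The enclosing `load` function starts before and continues after the hunk.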