security: move hardcoded bootstrap API key to env var

PUBLIC_AE_BOOTSTRAP_KEY replaces the hardcoded 'IDF68Em5X4HTZlswRNgepQ' in: - src/routes/+layout.ts (site-domain bootstrap request) - src/routes/testing/+page.svelte (trace agent key) Added to .env.staging, .env.prod, .env.local (gitignored), and updated .env.staging.default / .env.prod.default with XXXX placeholders. Key can now be rotated independently from the main API secret key.
2026-03-10 16:30:11 -04:00
parent b7d9e9669d
commit f03627ef3c
4 changed files with 13 additions and 4 deletions
--- a/src/routes/+layout.ts
+++ b/src/routes/+layout.ts
@@ -17,6 +17,7 @@ import {
    PUBLIC_AE_API_PATH,
    PUBLIC_AE_API_SECRET_KEY,
    PUBLIC_AE_API_CRUD_SUPER_KEY,
+    PUBLIC_AE_BOOTSTRAP_KEY,
    // PUBLIC_AE_NO_ACCOUNT_ID,
    // PUBLIC_AE_NO_ACCOUNT_ID_TOKEN
 } from '$env/static/public';
@@ -206,13 +207,14 @@ export async function load({ fetch, params, parent, route, url }) {
        try {
            if (log_lvl) console.log(`ROOT LOAD: No cache. Starting site lookup V3 for ${fqdn}...`);

-            // Use dedicated Agent Key for Bootstrap and include the unauthenticated bypass header ONLY for this request
+            // Use dedicated Bootstrap key — limited permissions, no account_id required.
+            // Key is injected at build time from PUBLIC_AE_BOOTSTRAP_KEY in .env.
            const bootstrap_api_cfg = {
                ...ae_api_init,
-                api_secret_key: 'IDF68Em5X4HTZlswRNgepQ',
+                api_secret_key: PUBLIC_AE_BOOTSTRAP_KEY,
                headers: {
                    ...ae_api_init.headers,
-                    'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ',
+                    'x-aether-api-key': PUBLIC_AE_BOOTSTRAP_KEY,
                    'x-no-account-id': 'bypass' // Force explicit bypass for bootstrap
                }
            };