security: move hardcoded bootstrap API key to env var

PUBLIC_AE_BOOTSTRAP_KEY replaces the hardcoded 'IDF68Em5X4HTZlswRNgepQ' in:
- src/routes/+layout.ts (site-domain bootstrap request)
- src/routes/testing/+page.svelte (trace agent key)

Added to .env.staging, .env.prod, .env.local (gitignored), and updated
.env.staging.default / .env.prod.default with XXXX placeholders.
Key can now be rotated independently from the main API secret key.

.env.prod.default

@@ -13,6 +13,9 @@ PUBLIC_AE_API_PORT=443
 PUBLIC_AE_API_PATH=
 PUBLIC_AE_API_SECRET_KEY=XXXX
 PUBLIC_AE_API_CRUD_SUPER_KEY=XXXX
+# Bootstrap key: used only for the unauthenticated site-domain lookup on first load.
+# Separate from the main API key — has limited permissions (no account_id required).
+PUBLIC_AE_BOOTSTRAP_KEY=XXXX
 PUBLIC_AE_NO_ACCOUNT_ID=No_Account_ID_Here
 PUBLIC_AE_NO_ACCOUNT_ID_TOKEN=Nothing_to_see_here
 

.env.staging.default

@@ -13,6 +13,9 @@ PUBLIC_AE_API_PORT=443
 PUBLIC_AE_API_PATH=
 PUBLIC_AE_API_SECRET_KEY=XXXX
 PUBLIC_AE_API_CRUD_SUPER_KEY=XXXX
+# Bootstrap key: used only for the unauthenticated site-domain lookup on first load.
+# Separate from the main API key — has limited permissions (no account_id required).
+PUBLIC_AE_BOOTSTRAP_KEY=XXXX
 PUBLIC_AE_NO_ACCOUNT_ID=No_Account_ID_Here
 PUBLIC_AE_NO_ACCOUNT_ID_TOKEN=Nothing_to_see_here
 

src/routes/+layout.ts

@@ -17,6 +17,7 @@ import {
     PUBLIC_AE_API_PATH,
     PUBLIC_AE_API_SECRET_KEY,
     PUBLIC_AE_API_CRUD_SUPER_KEY,
+    PUBLIC_AE_BOOTSTRAP_KEY,
     // PUBLIC_AE_NO_ACCOUNT_ID,
     // PUBLIC_AE_NO_ACCOUNT_ID_TOKEN
 } from '$env/static/public';
@@ -206,13 +207,14 @@ export async function load({ fetch, params, parent, route, url }) {
         try {
             if (log_lvl) console.log(`ROOT LOAD: No cache. Starting site lookup V3 for ${fqdn}...`);
 
-            // Use dedicated Agent Key for Bootstrap and include the unauthenticated bypass header ONLY for this request
+            // Use dedicated Bootstrap key — limited permissions, no account_id required.
+            // Key is injected at build time from PUBLIC_AE_BOOTSTRAP_KEY in .env.
             const bootstrap_api_cfg = {
                 ...ae_api_init,
-                api_secret_key: 'IDF68Em5X4HTZlswRNgepQ',
+                api_secret_key: PUBLIC_AE_BOOTSTRAP_KEY,
                 headers: {
                     ...ae_api_init.headers,
-                    'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ',
+                    'x-aether-api-key': PUBLIC_AE_BOOTSTRAP_KEY,
                     'x-no-account-id': 'bypass' // Force explicit bypass for bootstrap
                 }
             };

src/routes/testing/+page.svelte

@@ -1,5 +1,6 @@
 <script lang="ts">
     import { onMount } from 'svelte';
+    import { PUBLIC_AE_BOOTSTRAP_KEY } from '$env/static/public';
 
     import { api } from '$lib/api/api';
     import { ae_loc, ae_api, ae_sess } from '$lib/stores/ae_stores';
@@ -52,7 +53,7 @@
     let trace_use_jwt = $state(true);
     let trace_jwt_method = $state('header'); // 'header' or 'url'
     let trace_use_bypass = $state(false);
-    let trace_agent_key = 'IDF68Em5X4HTZlswRNgepQ';
+    let trace_agent_key = PUBLIC_AE_BOOTSTRAP_KEY;
     let trace_use_agent_key = $state(false);
 
     onMount(async () => {