Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: use bootstrap key in manifest, add .tmp cache cleanup

Browse Source 
- manifest.webmanifest/+server.ts: swap PUBLIC_AE_API_SECRET_KEY →
  PUBLIC_AE_BOOTSTRAP_KEY (least privilege; endpoint only needs a
  site-domain lookup, same as the bootstrap use case)
- electron_relay.ts: add cleanup_tmp_files() — runs `find ... -name
  "*.tmp" -mmin +N -delete` via native run_cmd bridge
- launcher_background_sync.svelte: call cleanup_tmp_files() on mount
  when is_native && cache_root are present (once per startup)
- AE__Permissions_and_Security.md: close Sev-1 audit language
- TODO__Agents.md: mark PUBLIC_AE_API_SECRET_KEY audit as complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scott Idem
2026-03-11 10:54:17 -04:00
parent a34f70d3dd
commit f6344008ea
5 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
documentation/AE__Permissions_and_Security.md
View File

@@ -118,8 +118,10 @@ Returns `1` if `level_a` is higher, `-1` if lower, `0` if equal. Useful for thre
- Never expose journal content publicly.
### `PUBLIC_AE_API_SECRET_KEY`
- Ongoing Sev-1 audit. Do not introduce new usages.
- Prefer per-request API key headers (`x-aether-api-key` + `x-account-id`).
- Audit closed 2026-03-11. `PUBLIC_*` prefix is by design — key is always in the client bundle.
- Anonymous site-domain lookup uses the limited-permission `PUBLIC_AE_BOOTSTRAP_KEY` instead.
- Security model: API key is one layer; JWT + `x-account-id` scoping provides the primary auth.
- Do not introduce new usages. Prefer `PUBLIC_AE_BOOTSTRAP_KEY` for unauthenticated lookups.
### Email Display
Non-trusted users must never see a full email address. Obscure using:

2
documentation/TODO__Agents.md
View File

@@ -3,7 +3,7 @@
> **Status:** <20> Stable — ongoing development.
## 📋 Open: Security
- [ ] **PUBLIC_AE_API_SECRET_KEY Audit:** Conduct full audit of usage. Determine if it can be moved to server-side only.
- [x] **PUBLIC_AE_API_SECRET_KEY Audit:** Completed 2026-03-11. Key is `PUBLIC_*` by design (always in client bundle). Highest-risk anonymous path now uses limited-permission `PUBLIC_AE_BOOTSTRAP_KEY`. Full server-side migration would require a major API proxy refactor — not justified given JWT + account_id auth layers. `manifest.webmanifest/+server.ts` is a minor cleanup candidate (could use bootstrap key instead), but no security urgency. Current state is acceptable.
## 🚧 Upcoming High Priority