security: use bootstrap key in manifest, add .tmp cache cleanup

- manifest.webmanifest/+server.ts: swap PUBLIC_AE_API_SECRET_KEY →
  PUBLIC_AE_BOOTSTRAP_KEY (least privilege; endpoint only needs a
  site-domain lookup, same as the bootstrap use case)
- electron_relay.ts: add cleanup_tmp_files() — runs `find ... -name
  "*.tmp" -mmin +N -delete` via native run_cmd bridge
- launcher_background_sync.svelte: call cleanup_tmp_files() on mount
  when is_native && cache_root are present (once per startup)
- AE__Permissions_and_Security.md: close Sev-1 audit language
- TODO__Agents.md: mark PUBLIC_AE_API_SECRET_KEY audit as complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/lib/electron/electron_relay.ts

@@ -54,6 +54,18 @@ export async function run_cmd_sync({ cmd, return_stdout = true }: { cmd: string,
   return await native.run_cmd_sync({ cmd, return_stdout });
 }
 
+/**
+ * Stale .tmp Cleanup
+ * Deletes in-progress download artifacts (*.tmp) older than max_age_minutes from the cache root.
+ * Called at launcher startup to prevent cache directory bloat from interrupted downloads.
+ * Default: 1440 minutes = 24 hours.
+ */
+export async function cleanup_tmp_files({ cache_root, max_age_minutes = 1440 }: { cache_root: string, max_age_minutes?: number }) {
+    if (!native) return { success: false, error: 'Native bridge not available' };
+    const cmd = `find "${cache_root}" -name "*.tmp" -mmin +${max_age_minutes} -type f -delete`;
+    return await native.run_cmd({ cmd, timeout: 30000, return_stdout: false });
+}
+
 export async function run_osascript(script: string) {
   if (!native) return { success: false, error: 'Native bridge not available' };
   return await native.run_osascript(script);