Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: use bootstrap key in manifest, add .tmp cache cleanup

Browse Source 
- manifest.webmanifest/+server.ts: swap PUBLIC_AE_API_SECRET_KEY →
  PUBLIC_AE_BOOTSTRAP_KEY (least privilege; endpoint only needs a
  site-domain lookup, same as the bootstrap use case)
- electron_relay.ts: add cleanup_tmp_files() — runs `find ... -name
  "*.tmp" -mmin +N -delete` via native run_cmd bridge
- launcher_background_sync.svelte: call cleanup_tmp_files() on mount
  when is_native && cache_root are present (once per startup)
- AE__Permissions_and_Security.md: close Sev-1 audit language
- TODO__Agents.md: mark PUBLIC_AE_API_SECRET_KEY audit as complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scott Idem
2026-03-11 10:54:17 -04:00
parent a34f70d3dd
commit f6344008ea
5 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/routes/manifest.webmanifest/+server.ts
View File

@@ -19,7 +19,8 @@ export const GET: RequestHandler = async ({ url, fetch }) => {
const api_cfg = {
base_url: api_base_url,
headers: {
'x-aether-api-key': public_env.PUBLIC_AE_API_SECRET_KEY,
// Bootstrap key: limited-permission key for unauthenticated domain lookups (least privilege)
'x-aether-api-key': public_env.PUBLIC_AE_BOOTSTRAP_KEY,
'x-no-account-id': public_env.PUBLIC_AE_NO_ACCOUNT_ID
},
fetch