From 9de4fe9ab9e1cbf4bfb1523599d8d85b887993f2 Mon Sep 17 00:00:00 2001
From: Zac Gaetano
Date: Wed, 27 May 2026 14:13:21 -0400
Subject: [PATCH] feat(mam-api): mount requireAuth gate at /api/v1 with auth + cluster carve-outs

---
 services/mam-api/src/index.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/services/mam-api/src/index.js b/services/mam-api/src/index.js
index 2adf7b8..934b5c8 100644
--- a/services/mam-api/src/index.js
+++ b/services/mam-api/src/index.js
@@ -8,6 +8,7 @@ import os from 'node:os';
 import { exec } from 'node:child_process';
 import pool from './db/pool.js';
 import { errorHandler } from './middleware/errors.js';
+import { requireAuth } from './middleware/auth.js';
 import { loadS3ConfigFromDb } from './s3/client.js';
 
 // Routes
@@ -86,6 +87,17 @@ app.use(session({
 // ── Health ────────────────────────────────────────────────────────────────────
 app.get('/health', (_req, res) => res.json({ status: 'ok' }));
 
+// ── Auth gate ─────────────────────────────────────────────────────────────────
+// Mount once for everything under /api/v1, with an explicit allowlist for
+// the three pre-login auth paths and a carve-out for /cluster/* (node-agent
+// uses migration 019's token-binding, not user auth). See spec.
+const UNAUTH_PATHS = new Set(['/auth/login', '/auth/setup', '/auth/setup-required']);
+app.use('/api/v1', (req, res, next) => {
+ if (UNAUTH_PATHS.has(req.path)) return next();
+ if (req.path.startsWith('/cluster')) return next(); // node-agent service auth, not user auth
+ return requireAuth(req, res, next);
+});
+
 // ── API Routes ────────────────────────────────────────────────────────────────
 app.use('/api/v1/assets', assetsRouter);
 app.use('/api/v1/projects', projectsRouter);
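Review bot: The `/cluster` carve-out in the new `app.use('/api/v1', …)` gate is a bare prefix match, so `req.path.startsWith('/cluster')` also exempts any route whose path merely begins with those characters — a future `/clusters` or `/cluster-config` router would be mounted with no user auth at all; anchor it on the segment boundary instead: `if (req.path === '/cluster' || req.path.startsWith('/cluster/')) return next();`. That carve-out also makes the cluster router solely responsible for authenticating node-agents, so any handler under it that omits the token-binding check the comment describes becomes reachable unauthenticated — a regression test that requests `/api/v1/cluster/...` with no credentials and expects a 401 would catch that. The gate only protects routers registered after it; if index.js mounts any `/api/v1` handler earlier than this hunk (not visible here), that handler stays unprotected. Likewise allowlisting `/auth/setup` presumably relies on its handler refusing to run once setup is complete — confirm that check exists rather than trusting the gate.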