feat(mam-api): mount requireAuth gate at /api/v1 with auth + cluster carve-outs

services/mam-api/src/index.js

@@ -8,6 +8,7 @@ import os from 'node:os';
 import { exec } from 'node:child_process';
 import pool from './db/pool.js';
 import { errorHandler } from './middleware/errors.js';
+import { requireAuth } from './middleware/auth.js';
 import { loadS3ConfigFromDb } from './s3/client.js';
 
 // Routes
@@ -86,6 +87,17 @@ app.use(session({
 // ── Health ────────────────────────────────────────────────────────────────────
 app.get('/health', (_req, res) => res.json({ status: 'ok' }));
 
+// ── Auth gate ─────────────────────────────────────────────────────────────────
+// Mount once for everything under /api/v1, with an explicit allowlist for
+// the three pre-login auth paths and a carve-out for /cluster/* (node-agent
+// uses migration 019's token-binding, not user auth). See spec.
+const UNAUTH_PATHS = new Set(['/auth/login', '/auth/setup', '/auth/setup-required']);
+app.use('/api/v1', (req, res, next) => {
+  if (UNAUTH_PATHS.has(req.path)) return next();
+  if (req.path.startsWith('/cluster')) return next();   // node-agent service auth, not user auth
+  return requireAuth(req, res, next);
+});
+
 // ── API Routes ────────────────────────────────────────────────────────────────
 app.use('/api/v1/assets',    assetsRouter);
 app.use('/api/v1/projects',  projectsRouter);