Replaces Bearer-token-only auth on GUI routes with a proper browser
login flow. Visiting /admin or /dashboard now redirects to /gui-login
if no valid session exists. Submitting the OAUTH_PASSWORD sets a
secure httpOnly session cookie (8h TTL). /gui-logout clears it.
- /dashboard/status also accepts session cookie (for the dashboard JS
to call back without needing a separate token)
- API routes (/users/*, /keys/*) still require Bearer token as before
- /gui-login, /gui-logout added as new public routes

/admin, /dashboard, /dashboard/status, and all /users/* and /keys/*
endpoints were publicly accessible with no authentication, exposing
user management, API key generation, and backend topology to anyone.
- /dashboard and /dashboard/status now require Bearer token
- /admin (user management UI) now requires Bearer token
- All /users/* and /keys/revoke routes now require Bearer token
- /health scrubbed of sensitive fields (token counts, client counts)
- /linkedin/* left public (required for OAuth callback flow)
Auth checks use GATEWAY_STATIC_API_KEY or valid OAuth access tokens,
consistent with the existing /mcp and /status endpoints.
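The two commit messages above describe one route-level policy: browser pages get a signed, httpOnly session cookie with an 8h TTL; /dashboard/status accepts cookie or Bearer token; the /users/* and /keys/* API routes take Bearer only; /health is scrubbed; /linkedin/* stays public. The following is an added example of that policy, written for this page and not taken from the gateway's code base. It is framework-free, and the Request/Response classes, the cookie name `gui_session`, the constructed CONFIG values, the health field names `token_count`/`client_count`, the post-login redirect to /dashboard and the 401 (rather than redirect) on /dashboard/status are all this example's own assumptions.

```python
"""Added example (not the gateway's own code): one auth decision for the routes
named in the two commit messages above. Request/Response shape, cookie name,
config values and health field names are this example's assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

SESSION_COOKIE = "gui_session"                 # assumed cookie name
SESSION_TTL = 8 * 3600                         # 8h TTL from the commit message
SENSITIVE_HEALTH_FIELDS = {"token_count", "client_count"}  # assumed field names
CONFIG = {                                     # constructed; real values come from env
    "OAUTH_PASSWORD": "correct-horse-battery",
    "GATEWAY_STATIC_API_KEY": "sk-static-0123",
    "SESSION_SECRET": secrets.token_bytes(32),
}

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def issue_session(now, secret=CONFIG["SESSION_SECRET"]):
    """Stateless session value: base64(JSON expiry) + HMAC-SHA256 over it."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"exp": int(now + SESSION_TTL)}).encode()).decode().rstrip("=")
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def session_valid(cookie, now, secret=CONFIG["SESSION_SECRET"]):
    """Check the MAC in constant time before trusting anything in the payload."""
    if not cookie or "." not in cookie:
        return False
    payload, sig = cookie.rsplit(".", 1)
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    try:
        data = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError:          # covers binascii.Error and JSONDecodeError
        return False
    return isinstance(data, dict) and data.get("exp", 0) > now

def bearer_valid(req, oauth_tokens=frozenset()):
    """Static API key or a known OAuth access token, as on /mcp and /status."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    tok = auth[len("Bearer "):]
    return (hmac.compare_digest(tok.encode(), CONFIG["GATEWAY_STATIC_API_KEY"].encode())
            or tok in oauth_tokens)

def scrub_health(full):
    """/health keeps liveness info; counts that reveal usage are dropped."""
    return {k: v for k, v in full.items() if k not in SENSITIVE_HEALTH_FIELDS}

def handle(req, now, oauth_tokens=frozenset(), health=None):
    """Route the request through the policy; `now` is injected for testability."""
    p = req.path
    if p == "/gui-login":
        if req.method != "POST":
            return Response(200, body="login form")
        ok = hmac.compare_digest(req.form.get("password", "").encode(),
                                 CONFIG["OAUTH_PASSWORD"].encode())
        if not ok:
            return Response(401, body="bad password")
        cookie = (f"{SESSION_COOKIE}={issue_session(now)}; Path=/; HttpOnly; Secure; "
                  f"SameSite=Lax; Max-Age={SESSION_TTL}")
        return Response(303, {"Location": "/dashboard", "Set-Cookie": cookie})  # assumed target
    if p == "/gui-logout":
        gone = f"{SESSION_COOKIE}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0"
        return Response(303, {"Location": "/gui-login", "Set-Cookie": gone})
    if p == "/health":
        return Response(200, body=json.dumps(scrub_health(health or {"status": "ok"})))
    if p.startswith("/linkedin/"):                # OAuth callback flow stays public
        return Response(200, body="oauth callback")
    has_session = session_valid(req.cookies.get(SESSION_COOKIE), now)
    has_bearer = bearer_valid(req, oauth_tokens)
    if p in ("/admin", "/dashboard"):             # browser pages: redirect, not 401
        return Response(200, body=p) if has_session else Response(302, {"Location": "/gui-login"})
    if p == "/dashboard/status":                  # dashboard JS: cookie or token (401 assumed)
        return Response(200, body="status") if has_session or has_bearer else Response(401)
    if p.startswith(("/users/", "/keys/")):       # API: token only; a cookie alone must not do
        return Response(200, body="api") if has_bearer else Response(401)
    return Response(404)
```

The one check worth keeping in mind from this layout: the session cookie is deliberately not honoured on /users/* and /keys/*. A browser attaches cookies to cross-site requests on its own, so accepting the cookie there would let a third-party page drive user creation or key revocation through a logged-in admin; an Authorization header has to be set by the caller, which is why those routes stay Bearer-only. SameSite=Lax on the cookie narrows the same risk for the HTML pages, and the expiry is checked only after the MAC verifies so a forged payload is never parsed as trusted.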