d42ca8dc57
Hardening follow-ups from PR #526 review (no defect fixes): - DO1: add auth.controller.spec tests for the collab-token handler, the arm-seam of the anti-laundering defense. Assert getCollabToken is invoked with { apiKeyId } only when the SIGNED req.raw marks an api_key principal, and undefined otherwise (session, missing apiKeyId, or a spoofed body). Verified non-vacuous: nulling the ternary reddens the ARMED test. - DO2: document the API_KEYS_ENABLED kill-switch in .env.example next to the other feature flags (default ON; strict true/false; OFF denies api-key auth and 404s the management endpoints). - DO3: remove dead bindAccessJwtVerifier (+ its now-orphaned AccessJwtVerifier interface and its dedicated spec block); prod switched to bindMcpBearerVerifier. verifyBearerAccess is retained (still used). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>