Status: ready-for-agent # 02 — A2: Unified auth boundary for privileged and financial reads ## What to build Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints. **Code refs:** - `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_forfeit` (~2429–2464) — H3: non-empty `Authorization` only - `packages/tracker/meshnet_tracker/server.py` — `_handle_benchmark_hop_penalty` (~2650–2658), `_handle_benchmark_results` (~2745–2748) — H3 - `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_summary` (~2366–2371) — H4 - `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_settlements` (~2407–2412) — H4 - `packages/tracker/meshnet_tracker/server.py` — `_handle_registry_wallets` (~2391–2405) — H4 - `packages/tracker/meshnet_tracker/server.py` — `_session_account` (~2468+), `_handle_admin_accounts` (~2588–2608) — H4 - `packages/tracker/meshnet_tracker/accounts.py` — `session_account()`, `create_session()` only (session store; not handler wiring) Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Forfeit validator identity: see `20-validator-service-token.md`. ## Test-first 1. Red: POST `/v1/billing/forfeit` with `Authorization: Bearer garbage` succeeds today — must require validator/admin identity. 2. Red: GET `/v1/billing/summary` without admin session returns 401/403. 3. Green: middleware + role checks; existing inference API-key path unchanged. ## Acceptance criteria - [ ] Single `_require_auth(role=...)` (or equivalent) used by all privileged handlers - [ ] Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings - [ ] Financial read endpoints require admin session (alpha posture) - [ ] Benchmark write/read require admin or service token - [ ] Integration tests for each endpoint class (reject unauth, accept valid) ## ADR links - [ADR-0017](../../docs/adr/0017-tracker-authentication-and-authorization.md) ## Related - `20-validator-service-token.md` — validator service token format, rotation, forfeit auth ## Blocked by - `01-c1-gossip-auth.md` (shared auth config)