Status: done # 02 — A2: Unified auth boundary for privileged and financial reads ## What to build Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints. This is the auth foundation issue; issue 01 should only apply hive auth to gossip endpoints once the helper exists. **Code refs:** - `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_forfeit` (~2429–2464) — H3: non-empty `Authorization` only - `packages/tracker/meshnet_tracker/server.py` — `_handle_benchmark_hop_penalty` (~2650–2658), `_handle_benchmark_results` (~2745–2748) — H3 - `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_summary` (~2366–2371) — H4 - `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_settlements` (~2407–2412) — H4 - `packages/tracker/meshnet_tracker/server.py` — `_handle_registry_wallets` (~2391–2405) — H4 - `packages/tracker/meshnet_tracker/server.py` — `_session_account` (~2468+), `_handle_admin_accounts` (~2588–2608) — H4 - `packages/tracker/meshnet_tracker/accounts.py` — `session_account()`, `create_session()` only (session store; not handler wiring) Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Include the validator service token shape from `20-validator-service-token_completed.md` in the same implementation if practical. ## Test-first 1. Red: POST `/v1/billing/forfeit` with `Authorization: Bearer garbage` succeeds today — must require validator/admin identity. 2. Red: GET `/v1/billing/summary` without admin session returns 401/403. 3. Green: middleware + role checks; existing inference API-key path unchanged. ## Acceptance criteria - [ ] Single `_require_auth(role=...)` (or equivalent) used by all privileged handlers - [ ] Shared auth config supports admin sessions, validator service token, and hive peer HMAC/mTLS - [ ] Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings - [ ] Financial read endpoints require admin session (alpha posture) - [ ] Benchmark write/read require admin or service token - [ ] Integration tests for each endpoint class (reject unauth, accept valid) ## ADR links - [ADR-0017](../../docs/adr/0017-tracker-authentication-and-authorization.md) ## Related - `20-validator-service-token_completed.md` — checklist for validator service token format, rotation, forfeit auth ## Blocked by None. This issue should land before `01-c1-gossip-auth_completed.md`.