fix: API key auth sends Bearer header, handle null aegis_role for consumer users

Theaxiom · claude · Theaxiom · commit 980ba17fb239 · 2026-04-16T03:32:54.000-07:00
Three bugs:
1. Sent key in JSON body instead of Authorization header
2. Rejected null aegis_role (consumer users have zaru_tier, not aegis_role)
3. Hardcoded isOperator=true and operator security context for all API keys

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/zaru-mcp-server/src/middleware/auth.ts b/zaru-mcp-server/src/middleware/auth.ts
@@ -42,7 +42,9 @@ export function isApiKey(token: string): boolean {
  */
 export interface ApiKeyIdentity {
   user_id: string;
-  aegis_role: AegisRole;
+  tenant_id: string | null;
+  aegis_role: AegisRole | null;
+  zaru_tier: string | null;
   scopes: string[];
 }
 
@@ -61,8 +63,8 @@ export async function validateApiKeyWithOrchestrator(
     method: "POST",
     headers: {
       "Content-Type": "application/json",
+      Authorization: `Bearer ${token}`,
     },
-    body: JSON.stringify({ api_key: token }),
   });
 
   if (!response.ok) {
@@ -78,11 +80,7 @@ export async function validateApiKeyWithOrchestrator(
   if (!body.user_id) {
     throw new Error("API key validation response missing user_id");
   }
-  if (!isValidAegisRole(body.aegis_role)) {
-    throw new Error(
-      `API key validation response has invalid aegis_role: ${body.aegis_role}`,
-    );
-  }
+  // aegis_role is null for consumer users (they have zaru_tier instead)
 
   return body;
 }
@@ -227,12 +225,18 @@ export function createZaruAuthMiddleware(
     if (isApiKey(rawToken)) {
       try {
         const identity = await apiKeyValidator(rawToken);
+        const isOp =
+          identity.aegis_role === "admin" || identity.aegis_role === "operator";
+        const tier = identity.aegis_role ?? identity.zaru_tier ?? "free";
+        const secCtx = isOp
+          ? OPERATOR_SECURITY_CONTEXT
+          : `zaru-${identity.zaru_tier ?? "free"}`;
         req.zaruUser = {
           userId: identity.user_id,
-          tier: identity.aegis_role,
-          securityContext: OPERATOR_SECURITY_CONTEXT,
+          tier,
+          securityContext: secCtx,
           token: rawToken,
-          isOperator: true,
+          isOperator: isOp,
         };
         next();
       } catch (error) {
