Guard admin endpoints behind auth by default

[ChristianPavilonis]

Summary

• Fix security vulnerability where /admin/keys/rotate and /admin/keys/deactivate were publicly accessible when no handler regex covered /admin/* paths
• Settings::from_toml_and_env() now returns a hard error when no handler covers admin endpoints, catching misconfiguration at build time
• enforce_basic_auth remains a single, simple mechanism — admin protection is enforced by requiring handler coverage in the configuration

Changes

File	Change
crates/common/src/auth.rs	Simplify enforce_basic_auth — remove is_admin_path() and runtime admin guard; admin paths use standard handler-based auth
crates/common/src/settings.rs	Add build-time validation: from_toml_and_env() errors when uncovered_admin_endpoints() finds unprotected admin paths; update doc comments and tests
crates/common/build.rs	Remove cargo:warning loop (redundant — from_toml_and_env now errors on uncovered admin endpoints)
crates/common/src/test_support.rs	Add ^/admin handler to base test settings
trusted-server.toml	Add ^/admin handler to dev config

Closes

Closes #400

Test plan

• cargo test --workspace (472 tests pass)
• cargo clippy --all-targets --all-features -- -D warnings
• cargo fmt --all -- --check

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code — use expect("should ...")
• Uses tracing macros (not println!)
• New code has tests
• No secrets or credentials committed

[aram356]

Summary

This PR correctly identifies and fixes the security gap where admin endpoints could be accessed without authentication when no handler is configured. The fail-closed approach is sound. However, the implementation adds complexity that may not be necessary given the existing handler-based auth system.

♻️ refactor

• Simplify: use config validation instead of runtime guard: The handler-based auth already enforces credentials correctly. Instead of adding is_admin_path() and special-case logic in enforce_basic_auth, make Settings::validate() return an error when no handler covers admin endpoints. This keeps enforce_basic_auth unchanged, eliminates the dual-mechanism (is_admin_path prefix check vs ADMIN_ENDPOINTS list), and catches misconfiguration at build time as an error rather than silently returning 401s at runtime. The existing uncovered_admin_endpoints() method is the right building block — call it from validate() instead of build.rs.

[aram356]

To clarify the refactor suggestion above — the required config is just a standard [[handlers]] entry in trusted-server.toml:

[[handlers]]
path = "^/admin"
username = "admin"
password = "a-strong-password"

With the validation approach, Settings::validate() would error at build time if this entry is missing, ensuring admin endpoints are always covered by the existing handler-based auth — no runtime special-casing needed.

[ChristianPavilonis]

Addressed the review feedback — refactored from runtime guard to build-time config validation:

• Removed is_admin_path() and the special-case admin branch from enforce_basic_auth — it's back to a single, simple mechanism
• Added a hard error in Settings::from_toml_and_env() when uncovered_admin_endpoints() returns any uncovered paths — build fails immediately with a clear message
• Removed the cargo:warning loop in build.rs (redundant now that from_toml_and_env errors)
• Added ^/admin handler to trusted-server.toml and test fixtures
• Added from_toml_and_env_rejects_config_without_admin_handler test

All 472 tests pass, clippy clean, fmt clean.