Unify authentication: store secrets as API keys

- Secrets are now added to ApiKeyStore on supervisor initialization
- Removed duplicate authentication logic in verify_api_key
- Single source of truth: all authentication goes through ApiKeyStore
- Admin/user/register secrets are treated as API keys with appropriate scopes
- Simplified auth_verify - no special case handling needed

core/src/supervisor.rs

@@ -238,6 +238,36 @@ impl SupervisorBuilder {
                 reason: format!("Invalid Redis URL: {}", e),
             })?;
 
+        // Create API key store and add secrets as API keys
+        let mut api_key_store = crate::auth::ApiKeyStore::new();
+        
+        // Add admin secrets as API keys
+        for secret in &self.admin_secrets {
+            api_key_store.add_key(crate::auth::ApiKey::with_key(
+                secret.clone(),
+                "Admin Secret".to_string(),
+                crate::auth::ApiKeyScope::Admin,
+            ));
+        }
+        
+        // Add user secrets as API keys
+        for secret in &self.user_secrets {
+            api_key_store.add_key(crate::auth::ApiKey::with_key(
+                secret.clone(),
+                "User Secret".to_string(),
+                crate::auth::ApiKeyScope::User,
+            ));
+        }
+        
+        // Add register secrets as API keys
+        for secret in &self.register_secrets {
+            api_key_store.add_key(crate::auth::ApiKey::with_key(
+                secret.clone(),
+                "Register Secret".to_string(),
+                crate::auth::ApiKeyScope::Registrar,
+            ));
+        }
+
         Ok(Supervisor {
             client: self.client_builder.build().await.unwrap(),
             runners: self.runners,
@@ -247,7 +277,7 @@ impl SupervisorBuilder {
             admin_secrets: self.admin_secrets,
             user_secrets: self.user_secrets,
             register_secrets: self.register_secrets,
-            api_keys: Arc::new(Mutex::new(crate::auth::ApiKeyStore::new())),
+            api_keys: Arc::new(Mutex::new(api_key_store)),
             services: crate::services::Services::new(),
         })
     }
@@ -980,44 +1010,7 @@ impl Supervisor {
     }
 
     /// Verify an API key and return its metadata
-    /// Checks secrets first (admin, user, register), then stored API keys
     pub async fn verify_api_key(&self, key: &str) -> Option<crate::auth::ApiKey> {
-        use chrono::Utc;
-        
-        // Check if it's an admin secret
-        if self.has_admin_secret(key) {
-            return Some(crate::auth::ApiKey {
-                key: key.to_string(),
-                name: "Admin Secret".to_string(),
-                scope: crate::auth::ApiKeyScope::Admin,
-                created_at: Utc::now().to_rfc3339(),
-                expires_at: None,
-            });
-        }
-        
-        // Check if it's a user secret
-        if self.has_user_secret(key) {
-            return Some(crate::auth::ApiKey {
-                key: key.to_string(),
-                name: "User Secret".to_string(),
-                scope: crate::auth::ApiKeyScope::User,
-                created_at: Utc::now().to_rfc3339(),
-                expires_at: None,
-            });
-        }
-        
-        // Check if it's a register secret
-        if self.has_register_secret(key) {
-            return Some(crate::auth::ApiKey {
-                key: key.to_string(),
-                name: "Register Secret".to_string(),
-                scope: crate::auth::ApiKeyScope::Registrar,
-                created_at: Utc::now().to_rfc3339(),
-                expires_at: None,
-            });
-        }
-        
-        // Fall back to stored API keys
         let store = self.api_keys.lock().await;
         store.verify_key(key).cloned()
     }