Treat secrets as API keys - unify authentication

- Updated verify_api_key() to check secrets first (admin, user, register)
- Secrets are now treated as API keys with appropriate scopes
- All OpenRPC methods now work with secrets (register_runner, list_runners, etc.)
- Simplified auth_verify since verify_api_key handles everything
- Admin UI now fully functional with admin secret from .env

core/src/openrpc.rs

@@ -964,34 +964,7 @@ impl SupervisorRpcServer for Arc<Mutex<Supervisor>> {
         let key = get_current_api_key()
             .ok_or_else(|| ErrorObject::owned(-32602, "Missing Authorization header", None::<()>))?;
         
-        // Check if it's an admin secret
+        // verify_api_key now checks secrets first, then API keys
-        if supervisor.has_admin_secret(&key) {
-            return Ok(crate::auth::AuthVerifyResponse {
-                valid: true,
-                name: "Admin Secret".to_string(),
-                scope: "admin".to_string(),
-            });
-        }
-        
-        // Check if it's a user secret
-        if supervisor.has_user_secret(&key) {
-            return Ok(crate::auth::AuthVerifyResponse {
-                valid: true,
-                name: "User Secret".to_string(),
-                scope: "user".to_string(),
-            });
-        }
-        
-        // Check if it's a register secret
-        if supervisor.has_register_secret(&key) {
-            return Ok(crate::auth::AuthVerifyResponse {
-                valid: true,
-                name: "Register Secret".to_string(),
-                scope: "register".to_string(),
-            });
-        }
-        
-        // Check if it's an API key
         match supervisor.verify_api_key(&key).await {
             Some(api_key) => {
                 Ok(crate::auth::AuthVerifyResponse {

core/src/supervisor.rs

@@ -980,7 +980,44 @@ impl Supervisor {
     }
 
     /// Verify an API key and return its metadata
+    /// Checks secrets first (admin, user, register), then stored API keys
     pub async fn verify_api_key(&self, key: &str) -> Option<crate::auth::ApiKey> {
+        use chrono::Utc;
+        
+        // Check if it's an admin secret
+        if self.has_admin_secret(key) {
+            return Some(crate::auth::ApiKey {
+                key: key.to_string(),
+                name: "Admin Secret".to_string(),
+                scope: crate::auth::ApiKeyScope::Admin,
+                created_at: Utc::now().to_rfc3339(),
+                expires_at: None,
+            });
+        }
+        
+        // Check if it's a user secret
+        if self.has_user_secret(key) {
+            return Some(crate::auth::ApiKey {
+                key: key.to_string(),
+                name: "User Secret".to_string(),
+                scope: crate::auth::ApiKeyScope::User,
+                created_at: Utc::now().to_rfc3339(),
+                expires_at: None,
+            });
+        }
+        
+        // Check if it's a register secret
+        if self.has_register_secret(key) {
+            return Some(crate::auth::ApiKey {
+                key: key.to_string(),
+                name: "Register Secret".to_string(),
+                scope: crate::auth::ApiKeyScope::Registrar,
+                created_at: Utc::now().to_rfc3339(),
+                expires_at: None,
+            });
+        }
+        
+        // Fall back to stored API keys
         let store = self.api_keys.lock().await;
         store.verify_key(key).cloned()
     }