Priority: P0 — Critical
Source
Senior Architect Code Review (2026-04-03)
Problem
All API endpoints — including mutation endpoints like POST /api/network-nodes/:id/solar-system and DELETE /api/network-nodes/:id/solar-system — are publicly accessible without any authentication or authorization.
The dashboard enforces wallet connection on the client side, but the API itself is wide open. Any internet user can mutate solar-system assignments directly via the API.
Affected Files
apps/api/src/routes.ts
apps/api/src/server.ts
.github/workflows/deploy.yml
Recommendation
At minimum, add a shared API key validated via middleware on mutation endpoints. Longer term, consider JWT validation tied to the Eve Vault wallet session. Note that a shared key only protects callers that can keep it secret (a server-side job or an operator script); a key bundled into the browser dashboard is visible to every visitor, which is why the wallet-bound options are the durable fix.
Options to evaluate:
- Shared secret — X-API-Key header checked against an API_SECRET env var
- JWT validation — verify a token signed by the Eve Vault session
- Sui signature verification — require a signed message from the connected wallet
Acceptance Criteria
- Mutation endpoints (POST, DELETE) require authentication
- Read endpoints (GET) remain publicly accessible