# ABE — API Security Specification

## Authentication: API Key

All API endpoints require an API key passed in the `X-ABE-API-Key` request header.

If the key is missing or invalid → 401 Unauthorized.

## Configuration

The API key is set via the environment variable `ABE_API_KEY`.

If it is not set, the server logs a warning and runs without auth (dev mode only).

## Implementation

Create `src/server/middleware/auth.ts`:

```typescript
import type { Request, Response, NextFunction } from 'express';
import { timingSafeEqual } from 'node:crypto';

export function apiKeyAuth(req: Request, res: Response, next: NextFunction) {
  const apiKey = process.env.ABE_API_KEY;
  if (!apiKey) return next(); // dev mode: no auth (the server has already logged a warning)

  // Header values may be string | string[] | undefined; only a single string is accepted.
  const header = req.headers['x-abe-api-key'];
  const provided = Array.isArray(header) ? undefined : header;

  // Compare in constant time so response timing does not reveal how many bytes matched.
  // timingSafeEqual throws on unequal lengths, so check the byte lengths first.
  const a = Buffer.from(provided ?? '');
  const b = Buffer.from(apiKey);
  const valid = typeof provided === 'string' && a.length === b.length && timingSafeEqual(a, b);

  if (!valid) {
    return res.status(401).json({ error: 'Invalid or missing API key' });
  }
  next();
}
```

Apply this middleware to ALL routes EXCEPT:

- GET /health
- GET /ready

## CORS

Only allow requests from the frontend origin. Configure via the environment variable `ABE_CORS_ORIGIN` (default: `http://localhost:5173`).

## Rate Limiting

Add `express-rate-limit`:

- Max 20 POST /api/sessions per hour per IP
- Max 200 requests per minute per IP for other endpoints

## Environment Variables (full list for .env)

```
ABE_API_KEY=change-me-in-production
ABE_CORS_ORIGIN=http://localhost:5173
ABE_PORT=3001
ABE_DB_PATH=./data/abe.db
ABE_REPORTS_DIR=./reports
ABE_LOGS_DIR=./logs
NODE_ENV=production
```

## docker-compose update

Add .env file support and environment variables to docker-compose.yml.

Add a volumes entry for the `data/` directory for SQLite persistence.
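The auth exemptions and the two per-IP rate-limit policies above, modelled as a dependency-free TypeScript module so they can be unit-tested without Express (an added example, not ABE's own code; the fixed-window counter is an assumption standing in for `express-rate-limit`'s default store, and `Req` is a minimal stand-in for an Express request):

```typescript
// Minimal request shape (assumption): enough of an Express request to route policy decisions.
type Req = { method: string; path: string; ip: string };

const HOUR_MS = 60 * 60 * 1000;
const MINUTE_MS = 60 * 1000;

// Policies from the spec: 20 POST /api/sessions per hour per IP,
// 200 requests per minute per IP for every other endpoint.
const POLICIES = {
  sessions: { max: 20, windowMs: HOUR_MS },
  general: { max: 200, windowMs: MINUTE_MS },
} as const;

type PolicyName = keyof typeof POLICIES;

// Only the two unauthenticated probes from the spec bypass apiKeyAuth.
export function isAuthExempt(req: Req): boolean {
  return req.method === 'GET' && (req.path === '/health' || req.path === '/ready');
}

// Session creation gets the strict hourly budget; everything else the per-minute one.
export function policyFor(req: Req): PolicyName {
  return req.method === 'POST' && req.path === '/api/sessions' ? 'sessions' : 'general';
}

export class FixedWindowLimiter {
  // key = `${policy}:${ip}` -> count within the current window and when that window started
  private buckets = new Map<string, { count: number; windowStart: number }>();

  // Returns true if the request may proceed, false if it should receive 429.
  // `now` is injectable so the window rollover can be tested deterministically.
  allow(req: Req, now: number = Date.now()): boolean {
    const name = policyFor(req);
    const { max, windowMs } = POLICIES[name];
    const key = `${name}:${req.ip}`;
    const bucket = this.buckets.get(key);
    if (!bucket || now - bucket.windowStart >= windowMs) {
      // First request in a fresh window for this IP and policy.
      this.buckets.set(key, { count: 1, windowStart: now });
      return true;
    }
    bucket.count += 1;
    return bucket.count <= max;
  }
}
```

Counters are keyed per policy and per IP, so an IP that has exhausted its session budget can still use other endpoints within the general limit.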