fix: add agent key auth for ingest endpoints

cmd/agent/main.go

@@ -103,7 +103,7 @@ func loadConfig() *Config {
 
 	return &Config{
 		ServerURL:       getEnv("OPHION_SERVER", "http://localhost:8080"),
-		APIKey:          getEnv("OPHION_API_KEY", ""),
+		APIKey:          getEnv("OPHION_API_KEY", getEnv("AGENT_KEY", "")),
 		Hostname:        getEnv("OPHION_HOSTNAME", hostname),
 		CollectInterval: interval,
 		DockerEnabled:   dockerEnabled,

cmd/server/main.go

@@ -307,10 +307,10 @@ func (s *Server) setupRoutes() {
 	ingest.Post("/logs", s.ingestLogs)
 	ingest.Post("/traces", s.ingestTraces)
 
-	// Legacy ingest routes (also protected, for backwards compat)
-	api.Post("/metrics", s.authMiddleware(), s.ingestMetrics)
-	api.Post("/logs", s.authMiddleware(), s.ingestLogs)
-	api.Post("/traces", s.authMiddleware(), s.ingestTraces)
+	// Legacy ingest routes (agent key auth for simplicity)
+	api.Post("/metrics", s.agentAuthMiddleware(), s.ingestMetrics)
+	api.Post("/logs", s.agentAuthMiddleware(), s.ingestLogs)
+	api.Post("/traces", s.agentAuthMiddleware(), s.ingestTraces)
 
 	// Protected routes
 	protected := api.Group("", s.authMiddleware())
@@ -894,3 +894,32 @@ func parseInt(s string, def int) int {
 	}
 	return def
 }
+
+// agentAuthMiddleware creates middleware that accepts a simple agent key
+func (s *Server) agentAuthMiddleware() fiber.Handler {
+	agentKey := getEnv("AGENT_KEY", "")
+	return func(c *fiber.Ctx) error {
+		// If no agent key is configured, allow all (for backwards compat)
+		if agentKey == "" {
+			return c.Next()
+		}
+
+		authHeader := c.Get("Authorization")
+		token := strings.TrimPrefix(authHeader, "Bearer ")
+
+		// Check agent key
+		if token == agentKey {
+			return c.Next()
+		}
+
+		// Also check X-Agent-Key header
+		if c.Get("X-Agent-Key") == agentKey {
+			return c.Next()
+		}
+
+		return c.Status(401).JSON(fiber.Map{
+			"error":   "Unauthorized",
+			"message": "Invalid agent key",
+		})
+	}
+}