fix(security): require API key for production score endpoint

.env.example

@@ -1,4 +1,5 @@
 # OpenRouter (for LLM persuasion interpretation)
+SCORE_API_KEY=change-me-to-a-long-random-secret
 OPENROUTER_API_KEY=
 OPENROUTER_MODEL=anthropic/claude-sonnet-4.6
 OPENROUTER_TIMEOUT_SECONDS=20

app/api/score/route.ts

@@ -4,8 +4,41 @@ import { platformValues, type Platform } from "@/shared/types";
 export const runtime = "nodejs";
 export const dynamic = "force-dynamic";
 
+function isAuthorized(request: Request): { ok: true } | { ok: false; status: number; error: string } {
+  // In production, require a shared secret header to protect costly scoring compute.
+  if (process.env.NODE_ENV !== "production") {
+    return { ok: true };
+  }
+
+  const configuredApiKey = process.env.SCORE_API_KEY?.trim();
+  if (!configuredApiKey) {
+    return {
+      ok: false,
+      status: 503,
+      error: "Server misconfiguration: SCORE_API_KEY is not set.",
+    };
+  }
+
+  const headerApiKey = request.headers.get("x-api-key")?.trim();
+  const bearerToken = request.headers
+    .get("authorization")
+    ?.match(/^Bearer\s+(.+)$/i)?.[1]
+    ?.trim();
+
+  if (headerApiKey === configuredApiKey || bearerToken === configuredApiKey) {
+    return { ok: true };
+  }
+
+  return { ok: false, status: 401, error: "Unauthorized." };
+}
+
 export async function POST(request: Request) {
   try {
+    const auth = isAuthorized(request);
+    if (!auth.ok) {
+      return Response.json({ error: auth.error }, { status: auth.status });
+    }
+
     const body = await request.json().catch(() => null);
     if (!body || typeof body !== "object") {
       return Response.json(

docker-compose.yml

@@ -10,6 +10,7 @@ services:
       NODE_ENV: production
       PORT: 3000
       TRIBE_SERVICE_URL: http://tribe-service:8090
+      SCORE_API_KEY: ${SCORE_API_KEY:?SCORE_API_KEY must be set}
     depends_on:
       tribe-service:
         condition: service_healthy

tests/api/score.test.ts

@@ -1,4 +1,4 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 
 // Mock fetch globally
 const mockFetch = vi.fn();
@@ -17,8 +17,46 @@ function makeRequest(body: unknown): Request {
 }
 
 describe("POST /api/score", () => {
+  const originalNodeEnv = process.env.NODE_ENV;
+  const originalApiKey = process.env.SCORE_API_KEY;
+
   beforeEach(() => {
     vi.clearAllMocks();
+    process.env.NODE_ENV = originalNodeEnv;
+    process.env.SCORE_API_KEY = originalApiKey;
+  });
+
+  afterEach(() => {
+    process.env.NODE_ENV = originalNodeEnv;
+    process.env.SCORE_API_KEY = originalApiKey;
+  });
+
+  it("returns 503 in production when SCORE_API_KEY is not configured", async () => {
+    process.env.NODE_ENV = "production";
+    delete process.env.SCORE_API_KEY;
+
+    const res = await POST(
+      makeRequest({
+        message: "Our platform reduces deployment time by 80%",
+        persona: "CTO at startup, technical",
+      }),
+    );
+
+    expect(res.status).toBe(503);
+  });
+
+  it("returns 401 in production when API key is missing", async () => {
+    process.env.NODE_ENV = "production";
+    process.env.SCORE_API_KEY = "test-key";
+
+    const res = await POST(
+      makeRequest({
+        message: "Our platform reduces deployment time by 80%",
+        persona: "CTO at startup, technical",
+      }),
+    );
+
+    expect(res.status).toBe(401);
   });
 
   it("returns 400 when message is missing", async () => {