feat: Phase 2 — Delegated State, Auth, Review-Gate, Notifications, Zombie-Reset

backend/Middleware/ApiKeyMiddleware.cs

@@ -0,0 +1,39 @@
+using System.Security.Claims;
+
+namespace Nexus.Api.Middleware;
+
+/// <summary>
+/// Middleware that authenticates requests via the X-Nexus-Api-Key header.
+/// On match, sets a ClaimsPrincipal with role "Service".
+/// On mismatch or absent header, passes through to next middleware (JWT auth).
+/// </summary>
+public sealed class ApiKeyMiddleware(RequestDelegate next)
+{
+    public async Task InvokeAsync(HttpContext context)
+    {
+        var configuration = context.RequestServices.GetRequiredService<IConfiguration>();
+        var apiKey = configuration["NexusApiKey"];
+
+        if (!string.IsNullOrWhiteSpace(apiKey) &&
+            context.Request.Headers.TryGetValue("X-Nexus-Api-Key", out var providedKey) &&
+            string.Equals(apiKey, providedKey, StringComparison.Ordinal))
+        {
+            var claims = new[]
+            {
+                new Claim(ClaimTypes.NameIdentifier, "service"),
+                new Claim(ClaimTypes.Name, "ApiService"),
+                new Claim(ClaimTypes.Role, "Service")
+            };
+            var identity = new ClaimsIdentity(claims, "ApiKey");
+            context.User = new ClaimsPrincipal(identity);
+        }
+
+        await next(context);
+    }
+}
+
+public static class ApiKeyMiddlewareExtensions
+{
+    public static IApplicationBuilder UseApiKeyAuthentication(this IApplicationBuilder builder)
+        => builder.UseMiddleware<ApiKeyMiddleware>();
+}