Critical: POST /api/debate/trigger has no authentication (C-5). Anyone can create debates causing DoS and cost amplification. Implement API key authentication using FastAPI Depends and Header. Add SCIDEX_API_KEY env var check. See security_audit_2026-04-02.md for implementation example.
## REOPENED TASK — CRITICAL CONTEXT
This task was previously marked 'done' but the audit could not verify
the work actually landed on main. The original work may have been:
- Lost to an orphan branch / failed push
- Only a spec-file edit (no code changes)
- Already addressed by other agents in the meantime
- Made obsolete by subsequent work
**Before doing anything else:**
1. **Re-evaluate the task in light of CURRENT main state.** Read the
spec and the relevant files on origin/main NOW. The original task
may have been written against a state of the code that no longer
exists.
2. **Verify the task still advances SciDEX's aims.** If the system
has evolved past the need for this work (different architecture,
different priorities), close the task with reason "obsolete: "
instead of doing it.
3. **Check if it's already done.** Run `git log --grep=''`
and read the related commits. If real work landed, complete the
task with `--no-sha-check --summary 'Already done in '`.
4. **Make sure your changes don't regress recent functionality.** Many
agents have been working on this codebase. Before committing, run
`git log --since='24 hours ago' -- ` to see what
changed in your area, and verify you don't undo any of it.
5. **Stay scoped.** Only do what this specific task asks for. Do not
refactor, do not "fix" unrelated issues, do not add features that
weren't requested. Scope creep at this point is regression risk.
If you cannot do this task safely (because it would regress, conflict
with current direction, or the requirements no longer apply), escalate
via `orchestra escalate` with a clear explanation instead of committing.
Completion Notes
Auto-completed by supervisor after successful deploy to main
Git Commits (1)
[Senate] Implement API key auth on POST /api/debate/trigger endpoint [task:f6b0ff49-db9c-4e4b-83d3-98b807154bcd]2026-04-13
Spec File
[Senate] Implement authentication on POST /api/debate/trigger endpoint
ID: f6b0ff49-db9
Priority: 95
Type: one_shot
Status: open
Goal
Critical: POST /api/debate/trigger has no authentication (C-5). Anyone can create debates causing DoS and cost amplification. Implement API key authentication using FastAPI Depends and Header. Add SCIDEX_API_KEY env var check. See security_audit_2026-04-02.md for implementation example.
Acceptance Criteria
☑ Concrete deliverables created
☑ Work log updated with timestamped entry
Work Log
2026-04-13 21:30 PT — Slot 56
Implemented API key authentication on POST /api/debate/trigger endpoint
Added verify_api_key function using FastAPI Depends and Header pattern from security_audit_2026-04-02.md
Checks SCIDEX_API_KEY environment variable; logs warning if unset (backwards compatible)