API authentication configured but not enforced on any endpoint #7

@SL-Mar

Description

Problem

Authentication infrastructure exists (api/auth.py, api/models.py:APIKey), and api/config.py has auth_enabled=True, but no endpoints in api/main.py use the @Depends(get_api_key) decorator. All 30+ endpoints are publicly accessible regardless of auth configuration.

Impact

  • All data mutation endpoints (vessel specs, zones, calibration) are unprotected
  • Rate limiting that depends on API key identification doesn't work
  • Security gap for any deployment

Steps to fix

  1. Audit endpoints and determine which need auth:
    • Mutation endpoints: vessel specs, zones POST/DELETE, calibration → require auth
    • Health, metrics, read-only weather → public
  2. Add Depends(get_api_key) to protected endpoints
  3. Add tests for authenticated vs unauthenticated requests
  4. Update OpenAPI docs to show auth requirements
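The following is an added example, not code from this repository, showing the shape of the fix described in steps 1 to 3: a key-check function that behaves the way a `get_api_key` dependency must (honours `auth_enabled`, rejects missing or unknown keys, compares hashes in constant time), an `audit_unprotected` check that lists mutating routes still registered without that check, and a `build_app` helper that constructs the app in both the reported state and the fixed state so the two can be compared. It is written framework-free so it runs without FastAPI installed; in the real app the same check is wired in by adding `Depends(get_api_key)` to each protected handler. The header name `X-API-Key`, the `APIKey`/`Config` shapes, the route list and the demo secret are all constructed assumptions.

```python
"""Added example (not the project's code): API-key enforcement and route audit."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

API_KEY_HEADER = "X-API-Key"                      # assumed header name
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}     # methods that must never be public


@dataclass
class Config:
    auth_enabled: bool = True                     # stands in for api/config.py's flag


@dataclass
class APIKey:
    name: str
    key_hash: str                                 # sha256 hex of the secret, never the secret itself
    active: bool = True


class AuthError(Exception):
    pass


def get_api_key(headers: Dict[str, str], store: List[APIKey], config: Config) -> Optional[APIKey]:
    """What a get_api_key dependency has to do: reject missing, unknown or inactive keys."""
    if not config.auth_enabled:                   # flag off: no identity, but no rejection either
        return None
    presented = headers.get(API_KEY_HEADER, "")
    if not presented:
        raise AuthError("missing API key")
    digest = hashlib.sha256(presented.encode()).hexdigest()
    found = None
    for key in store:                             # scan the whole store; constant-time compare per entry
        if key.active and hmac.compare_digest(key.key_hash, digest):
            found = key
    if found is None:
        raise AuthError("invalid API key")
    return found


@dataclass
class Route:
    method: str
    path: str
    handler: Callable[[], str]
    requires_auth: bool                           # True once Depends(get_api_key) is attached


@dataclass
class App:
    store: List[APIKey]
    config: Config
    routes: List[Route] = field(default_factory=list)

    def add(self, method: str, path: str, handler: Callable[[], str], requires_auth: bool = False) -> None:
        self.routes.append(Route(method, path, handler, requires_auth))

    def handle(self, method: str, path: str, headers: Optional[Dict[str, str]] = None):
        """Dispatch one request; returns (status, body) like a minimal test client would."""
        headers = headers or {}
        for r in self.routes:
            if (r.method, r.path) == (method, path):
                if r.requires_auth:
                    try:
                        get_api_key(headers, self.store, self.config)
                    except AuthError as exc:
                        return 401, str(exc)
                return 200, r.handler()
        return 404, "not found"


def audit_unprotected(app: App) -> List[str]:
    """Step 1 of the fix: every mutating route without the auth check is a finding."""
    return [f"{r.method} {r.path}" for r in app.routes
            if r.method in MUTATING and not r.requires_auth]


DEMO_SECRET = "constructed-demo-key-0001"        # constructed sample key, not a real credential


def build_app(enforce: bool, auth_enabled: bool = True) -> App:
    """enforce=False reproduces the reported state; enforce=True is the fixed wiring."""
    store = [APIKey("demo", hashlib.sha256(DEMO_SECRET.encode()).hexdigest())]
    app = App(store, Config(auth_enabled))
    app.add("GET", "/health", lambda: "ok")                                   # public
    app.add("GET", "/weather", lambda: "sunny")                               # public, read-only
    app.add("POST", "/vessel-specs", lambda: "spec saved", requires_auth=enforce)
    app.add("DELETE", "/zones/1", lambda: "zone deleted", requires_auth=enforce)
    app.add("POST", "/calibration", lambda: "calibrated", requires_auth=enforce)
    return app


if __name__ == "__main__":
    print("unprotected (before):", audit_unprotected(build_app(enforce=False)))
    print("unprotected (after): ", audit_unprotected(build_app(enforce=True)))
```

Running the module prints the three mutating routes as findings in the "before" state and an empty list afterwards; the `handle` calls in the test below are the authenticated-versus-unauthenticated cases step 3 asks for, including the `auth_enabled=False` path, which should still be covered so a deployment cannot silently run with the flag off.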

Files

  • api/auth.py
  • api/main.py (all endpoint handlers)
  • api/config.py (auth_enabled flag)

Labels

  • P0 (Priority: critical)
  • backend (Backend related)
  • security (Security related)