fix(auth): accept ea_* prefix in isApiKey — staleness bug from edge-auth migration (#31)

The isApiKey() prefix sniffer only matched sb_live_*/sb_test_*, the legacy
stackbilt-auth key format. When edge-auth took over as the ecosystem auth
SoT and started minting ea_* keys, this check was never updated — so any
ea_* bearer would fall through to the validateJwt path and fail, leaving
ea_* API keys effectively unreachable through the gateway.

Aligns with edge-auth's own resolvePrincipal at src/security/identity.ts:44,
which already accepts all three prefixes. No functional change for existing
sb_* keys; purely additive.

Closes #28 partially — OAuth default-scope
fix still pending as Option A in that issue.

Co-authored-by: Kurt Overmier <kurt@stackbilt.dev>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 3 people

src/auth.ts

@@ -5,7 +5,15 @@
 import type { AuthResult, AuthServiceRpc, Tier } from './types.js';
 
 function isApiKey(token: string): boolean {
-  return token.startsWith('sb_live_') || token.startsWith('sb_test_');
+  // Must match edge-auth's `resolvePrincipal` / `extractKeyPrefix` — edge-auth
+  // is the SoT for key format. The old `sb_*` checks are legacy from the
+  // pre-migration stackbilt-auth era and were never updated when edge-auth
+  // took over and started minting `ea_*` keys.
+  return (
+    token.startsWith('ea_') ||
+    token.startsWith('sb_live_') ||
+    token.startsWith('sb_test_')
+  );
 }
 
 function mapError(error?: string): string {