From b9cbb7e895dfd16b622c73e3736362959fca6f14 Mon Sep 17 00:00:00 2001
From: hzhang <hzhang@hangman-lab.top>
Date: Thu, 9 Apr 2026 01:15:29 +0100
Subject: [PATCH] fix: change control page routes from gateway to plugin auth

auth: "gateway" requires Bearer token in Authorization header,
which browser direct navigation never sends (no session cookies).
auth: "plugin" allows unauthenticated access on loopback, which
is sufficient since gateway is bound to 127.0.0.1 only.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 plugin/web/control-page.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/plugin/web/control-page.ts b/plugin/web/control-page.ts
index b877783..ce65a1f 100644
--- a/plugin/web/control-page.ts
+++ b/plugin/web/control-page.ts
@@ -102,7 +102,7 @@ export function registerControlPage(deps: {
   // ── Main page ──────────────────────────────────────────────────────────────
   api.registerHttpRoute({
     path: "/dirigent",
-    auth: "gateway",
+    auth: "plugin",
     match: "exact",
     handler: async (_req, res) => {
       const entries = identityRegistry.list();
@@ -219,7 +219,7 @@ export function registerControlPage(deps: {
   // ── API: add identity ──────────────────────────────────────────────────────
   api.registerHttpRoute({
     path: "/dirigent/api/identity",
-    auth: "gateway",
+    auth: "plugin",
     match: "exact",
     handler: (req, res) => {
       if (req.method !== "POST") { res.writeHead(405); res.end(); return; }
@@ -243,7 +243,7 @@ export function registerControlPage(deps: {
   // ── API: remove identity ───────────────────────────────────────────────────
   api.registerHttpRoute({
     path: "/dirigent/api/identity/",
-    auth: "gateway",
+    auth: "plugin",
     match: "prefix",
     handler: (req, res) => {
       if (req.method !== "DELETE") { res.writeHead(405); res.end(); return; }
@@ -257,7 +257,7 @@ export function registerControlPage(deps: {
   // ── API: set channel mode ──────────────────────────────────────────────────
   api.registerHttpRoute({
     path: "/dirigent/api/channel-mode",
-    auth: "gateway",
+    auth: "plugin",
     match: "exact",
     handler: (req, res) => {
       if (req.method !== "POST") { res.writeHead(405); res.end(); return; }
@@ -282,7 +282,7 @@ export function registerControlPage(deps: {
   // ── API: rescan padded-cell ────────────────────────────────────────────────
   api.registerHttpRoute({
     path: "/dirigent/api/rescan-padded-cell",
-    auth: "gateway",
+    auth: "plugin",
     match: "exact",
     handler: (req, res) => {
       if (req.method !== "POST") { res.writeHead(405); res.end(); return; }