fix(gateway): enforce API key auth on inventory and budget services (#5)

- Added X-API-Key middleware to inventory-service and budget-service
- Services reject all requests without valid API key (401)
- Gateway proxy injects service API keys for inventory and budget
- Dashboard widget fetchers inject API keys
- Generated unique API keys per service, stored in .env
- Added SERVICE_API_KEY env var to docker-compose for both services

Partial fix for #5 — internal services now require auth.
Remaining: document trust model, validate service token semantics.

services/budget/server.js

@@ -11,6 +11,18 @@ const app = express();
 app.use(cors());
 app.use(express.json());
 
+// API key auth middleware — require X-API-Key header on all routes
+const SERVICE_API_KEY = process.env.SERVICE_API_KEY || '';
+if (SERVICE_API_KEY) {
+    app.use((req, res, next) => {
+        const key = req.headers['x-api-key'] || req.query.api_key;
+        if (key !== SERVICE_API_KEY) {
+            return res.status(401).json({ error: 'Unauthorized: invalid API key' });
+        }
+        next();
+    });
+}
+
 // ---------------------------------------------------------------------------
 // Configuration
 // ---------------------------------------------------------------------------

services/inventory/server.js

@@ -27,6 +27,18 @@ app.use(express.json());
 // Allow form-encoded payloads from NocoDB webhook buttons
 app.use(express.urlencoded({ extended: true }));
 
+// API key auth middleware — require X-API-Key header on all routes
+const SERVICE_API_KEY = process.env.SERVICE_API_KEY || '';
+if (SERVICE_API_KEY) {
+    app.use((req, res, next) => {
+        const key = req.headers['x-api-key'] || req.query.api_key;
+        if (key !== SERVICE_API_KEY) {
+            return res.status(401).json({ error: 'Unauthorized: invalid API key' });
+        }
+        next();
+    });
+}
+
 const upload = multer({
     storage: multer.memoryStorage(),
     limits: { fileSize: 10 * 1024 * 1024 }