Admin endpoints unprotected unless handler regex covers them

## Summary

`/admin/keys/rotate` and `/admin/keys/deactivate` are always routed. The `enforce_basic_auth` gate only triggers for paths that match a configured `handlers[].path` regex. The default config (`^/secure`) does not cover `/admin/*`. An operator who doesn't add an explicit admin handler has **publicly-accessible key rotation/deletion endpoints**.

## Refs

- `crates/fastly/src/main.rs` lines 97-98 — admin route matching
- `crates/common/src/auth.rs` line 10 — `enforce_basic_auth` checks `handlers` list
- `crates/common/src/settings.rs` line 381 — `handlers` parsing
- `trusted-server.toml` line 1 — default handler only covers `^/secure`

## Recommendation

Either hard-require auth for `/admin/*` paths regardless of handler config, or validate at startup that an admin handler exists.

## Context

Production readiness audit — see #396

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Admin endpoints unprotected unless handler regex covers them #400

Summary

Refs

Recommendation

Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Admin endpoints unprotected unless handler regex covers them #400

Description

Summary

Refs

Recommendation

Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions