fix(auth): honor trusted root api key role

[Hinotoi-agent]

Summary

Fixes #1722.

In trusted mode, requests authenticated with the configured root_api_key were accepted as valid trusted requests but still resolved to Role.USER unless the supplied account/user existed in the API key manager with a higher role. That meant ov reindex --sudo could send the right root key and tenant headers, but privileged non-admin routes such as /api/v1/maintenance/reindex still failed with PERMISSION_DENIED.

This PR makes the trusted-mode root key behave as the deployment-level root credential after it has been validated.

What changed

• Track when trusted-mode authentication succeeded via the configured root_api_key.
• Resolve matching trusted root-key requests as Role.ROOT while preserving the explicit tenant headers on the resulting identity.
• Update existing trusted-mode root-key coverage to assert the resolved root role.
• Add an HTTP regression test for a maintenance-style route requiring ROOT/ADMIN, matching the ov reindex --sudo failure mode.

Relationship to prior work

This complements #1589, which wired --sudo to use root_api_key on the CLI side. That PR made the client send the correct credential; this PR fixes the remaining server-side trusted-mode role resolution so the credential satisfies privileged route checks.

Related but different prior work:

• feat: support trusted admin tenant management #1616 enabled trusted-mode admin behavior, but did not cover privileged non-admin maintenance routes.
• fix(api_keys): proxy get_user_role in NewAPIKeyManager (trusted-mode 500 regression) #1691 fixed a NewAPIKeyManager.get_user_role proxy regression that caused 500s, but not the root_api_key resolving as USER behavior.

Files changed

• openviking/server/auth.py
  • Matching trusted-mode root_api_key requests now resolve as Role.ROOT.
• tests/server/test_auth.py
  • Adds/updates trusted-mode root-key regression coverage.

Test plan

• PYTHONPATH=. /Users/$USER/.hermes/hermes-agent/venv/bin/python -m py_compile openviking/server/auth.py tests/server/test_auth.py
• PYTHONPATH=. /Users/$USER/.hermes/hermes-agent/venv/bin/python -m pytest -o addopts='' tests/server/test_auth.py::test_trusted_mode_with_root_api_key_requires_matching_api_key tests/server/test_auth.py::test_trusted_mode_with_root_api_key_accepts_matching_api_key tests/server/test_auth.py::test_trusted_mode_http_routes_require_api_key_when_root_key_configured tests/server/test_auth.py::test_trusted_mode_http_routes_accept_api_key_when_root_key_configured tests/server/test_auth.py::test_trusted_mode_root_api_key_grants_root_role_for_maintenance_routes -q
• ruff check openviking/server/auth.py tests/server/test_auth.py
• ruff format --check openviking/server/auth.py tests/server/test_auth.py
• git diff --check

Note: I also tried the full tests/server/test_auth.py file locally, but unrelated existing fixture setup in this environment reads the operator's ~/.openviking/ov.conf and fails before many tests run because local Volcengine embedding/VLM API keys are not configured. The focused auth tests above avoid that unrelated environment dependency and cover this regression directly.

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅ 1722 - Fully compliant Compliant requirements: In TRUSTED mode, requests authenticated with root_api_key now resolve to Role.ROOT for all paths Added regression test for maintenance route requiring ROOT/ADMIN role

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🏅 Score: 92

🧪 PR contains tests

🔒 No security concerns identified

✅ No TODO sections

🔀 No multiple PR themes

⚡ No major issues detected

[github-actions]

PR Code Suggestions ✨

No code suggestions found for the PR.