Function bearer_auth 

pub async fn bearer_auth(
    __arg0: State<AuthState>,
    req: Request<Body>,
    next: Next,
) -> Response

axum middleware: Bearer token + scope verification

v1.4.86 SEC-003 Q4 real fix: in legacy mode (no keys.json configured), unauthenticated access to mutating endpoints (place-order / modify-order / cancel-all-order / unlock-trade / reconfirm-order / admin/*) is still blocked. Read-only endpoints (quotes / account read-only) remain allowed in legacy mode (backward compatibility for most users).

Rationale: any skill / agent / script on the local machine could place an order with an unauthenticated curl POST /api/order, which is a security risk. The v1.4.84 stderr warning was not enough; v1.4.86 makes it a hard gate.

§v1.4.104 phase 5: pipeline delegation

Transport-only logic (legacy mutating-block / /api/* routing / Bearer header parsing / 404 on unknown route / injecting KeyRecord into extensions) stays local. Scope check + expiry + super-scope semantics + rate gate + audit emit are all delegated to [futu_auth_pipeline::authenticate_request] (one shared implementation across all surfaces). About 80 LoC removed. Behaviour is byte-identical:

  • 401 Unauthenticated (含 WWW-Authenticate header) on missing Bearer
  • 401 on invalid/expired key (pipeline reason)
  • 404 on unknown /api/* route (REST-specific fail-closed)
  • 403 generic “forbidden” body on scope miss / acc_id whitelist (BUG-011: does not leak key_id/scope)
  • 429 with limit reason on rate fail
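The following is an added, std-only model of the decision table above; it is not the crate's bearer_auth and does not use axum, State, Request or Next. AuthModel stands in for AuthState (keys == None models legacy mode without keys.json), KeyRecord's fields, the "/api/admin/" prefix for admin/*, the sample read-only paths, "*" as the super-scope, the 401 status for the legacy mutating-block and the per-key request counter used as the rate gate are all assumptions of this example, not facts from the page.

```rust
use std::collections::HashMap;

/// Mutating endpoints named on the page; gated even in legacy mode.
const MUTATING: &[&str] = &[
    "/api/place-order",
    "/api/modify-order",
    "/api/cancel-all-order",
    "/api/unlock-trade",
    "/api/reconfirm-order",
];
/// Read-only endpoints (constructed sample paths) that legacy mode still allows.
const READ_ONLY: &[&str] = &["/api/quote", "/api/account"];

/// Stand-in for the crate's KeyRecord (fields assumed for this example).
#[derive(Clone, Debug)]
pub struct KeyRecord {
    pub key_id: String,
    pub scopes: Vec<String>,
    pub expired: bool,
}

/// Stand-in for AuthState. `keys == None` models legacy mode (no keys.json).
/// `seen` is a toy per-key request counter standing in for the rate gate.
pub struct AuthModel {
    pub keys: Option<HashMap<String, KeyRecord>>,
    pub rate_limit: u32,
    pub seen: HashMap<String, u32>,
}

/// What the middleware would turn into an HTTP response.
#[derive(Debug, PartialEq)]
pub struct Decision {
    pub status: u16,
    pub body: &'static str,
    pub www_authenticate: bool,
}

pub fn is_mutating(path: &str) -> bool {
    // admin/* modelled as a path prefix (assumption).
    MUTATING.contains(&path) || path.starts_with("/api/admin/")
}

fn is_known_route(path: &str) -> bool {
    is_mutating(path) || READ_ONLY.contains(&path)
}

/// Strict `Authorization: Bearer <token>` parsing; an empty token counts as missing.
pub fn parse_bearer(header: Option<&str>) -> Option<&str> {
    let token = header?.strip_prefix("Bearer ")?.trim();
    if token.is_empty() { None } else { Some(token) }
}

pub fn authorize(state: &mut AuthModel, path: &str, authorization: Option<&str>, required_scope: &str) -> Decision {
    // 404 on unknown /api/* route: fail closed before doing any auth work.
    if !is_known_route(path) {
        return Decision { status: 404, body: "not found", www_authenticate: false };
    }
    let keys = match &state.keys {
        // Legacy mode: mutating endpoints are hard-gated, read-only stays open.
        None => {
            return if is_mutating(path) {
                Decision { status: 401, body: "unauthenticated", www_authenticate: true }
            } else {
                Decision { status: 200, body: "ok", www_authenticate: false }
            }
        }
        Some(k) => k,
    };
    // 401 with WWW-Authenticate on a missing Bearer header.
    let token = match parse_bearer(authorization) {
        Some(t) => t,
        None => return Decision { status: 401, body: "unauthenticated", www_authenticate: true },
    };
    // 401 on an unknown or expired key.
    let record = match keys.get(token) {
        Some(r) if !r.expired => r.clone(),
        _ => return Decision { status: 401, body: "invalid or expired key", www_authenticate: false },
    };
    // Scope check; "*" as the super-scope is an assumption of this model.
    if !record.scopes.iter().any(|s| s == "*" || s == required_scope) {
        // Generic body: neither key_id nor the required scope is echoed back (BUG-011).
        return Decision { status: 403, body: "forbidden", www_authenticate: false };
    }
    // Toy rate gate: more than rate_limit requests per key_id yields 429.
    let count = state.seen.entry(record.key_id.clone()).or_insert(0);
    *count += 1;
    if *count > state.rate_limit {
        return Decision { status: 429, body: "rate limit exceeded", www_authenticate: false };
    }
    Decision { status: 200, body: "ok", www_authenticate: false }
}

fn main() {
    let mut legacy = AuthModel { keys: None, rate_limit: 10, seen: HashMap::new() };
    println!("{:?}", authorize(&mut legacy, "/api/place-order", None, "trade"));
    println!("{:?}", authorize(&mut legacy, "/api/quote", None, "quote"));
}
```

The ordering (404 before any credential check, legacy gate before header parsing) is one consistent reading of the list above, chosen so that an unknown route never reveals whether a key would have been accepted.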