Problem
The REST API (spurrestd) has zero authentication. Any HTTP client can submit, cancel, and query jobs without credentials. The router is created with no auth middleware — all routes are publicly accessible. This is a critical security gap that blocks production deployment.
Expected Behavior
Slurm's slurmrestd supports JWT token authentication via Authorization: Bearer <token> header, with user identity extracted from JWT claims and authorization checks for admin vs regular user operations.
Spur already has an AuthConfig in spur-core/src/config.rs with plugin: "jwt" and jwt_key fields — the config infrastructure exists but is unused by spurrestd.
Acceptance Criteria
Problem
The REST API (spurrestd) has zero authentication. Any HTTP client can submit, cancel, and query jobs without credentials. The router is created with no auth middleware — all routes are publicly accessible. This is a critical security gap that blocks production deployment.
Expected Behavior
Slurm's slurmrestd supports JWT token authentication via
Authorization: Bearer <token>header, with user identity extracted from JWT claims and authorization checks for admin vs regular user operations.Spur already has an
AuthConfiginspur-core/src/config.rswithplugin: "jwt"andjwt_keyfields — the config infrastructure exists but is unused by spurrestd.Acceptance Criteria
AuthorizationheaderAuthUserAuthorizationheader returns 401/pingendpoint remains accessible without auth--no-authflag available for development/testing (with warning log)AuthConfigfrom spur-core