feat: implement auth, rate limiting, and cost attribution from AgentRelay reference spec #18
Description
Context
The AgentRelay architecture spec has been committed to docs/reference-agentrelay-architecture.md as both a design reference and scaffold quality benchmark (from project archaeology, aegis#319).
This 901-line architecture package covers the exact features the MCP gateway needs but doesn't yet have.
Features to Implement (from spec)
1. Scoped API Key Auth
- API keys as primary auth for the data plane
- Per-key permission scopes (tool-level access control)
- Key lifecycle: create, rotate, revoke with audit trail
- Hash-based key storage (SHA-256, never store plaintext)
Reference: Already extracted and proven in smart_revenue_recovery_adf/src/shared/tenant-auth.ts — can port directly.
2. Per-Key Rate Limiting
- Sliding window rate limiting per API key
- 429 response with retry-after header
- Configurable limits per key/tier
3. Usage Tracking + Cost Attribution
- Per-request metering (tool, key, tokens, latency)
- Cost rollup per API key, per tenant
- Dashboard visibility into usage patterns
- Ties into existing Stripe billing
4. Sync + Async Tool Calls
- Synchronous path for immediate results
- Async path: queue job → return job ID → poll for status
- Streaming responses for long-running tools
Reference Files
- docs/reference-agentrelay-architecture.md — full architecture spec (Product → UX → Risk → Architect → TDD → Sprint)
- docs/reference-agentrelay-architecture.json — structured JSON version
Priority
Auth and rate limiting are prerequisites for public MCP gateway access. Cost attribution feeds into the billing system. Async tool calls are a nice-to-have for v1.
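One way to implement feature 2 (sliding window per API key, 429 with a retry-after value, configurable limits per tier), added here as an example and not code from the issue, the AgentRelay spec or the gateway. `SlidingWindowLimiter`, `Limit`, `Decision`, the tier names and the limit values are hypothetical; `keyId` is assumed to be the stored SHA-256 hash of the key, so the limiter never holds plaintext keys.

```typescript
// Added example. All names here are hypothetical, not from the AgentRelay spec.
interface Limit { maxRequests: number; windowMs: number }
interface Decision {
  allowed: boolean;
  status: 200 | 429;
  remaining: number;      // requests left in the current window
  retryAfterSec: number;  // 0 when allowed; Retry-After header value when denied
}

class SlidingWindowLimiter {
  // keyId -> timestamps (ms) of accepted requests still inside the window.
  private hits = new Map<string, number[]>();
  private tiers: Record<string, Limit>;
  private fallback: Limit;

  constructor(tiers: Record<string, Limit>, fallback: Limit) {
    this.tiers = tiers;
    this.fallback = fallback;
  }

  // keyId is assumed to be the stored SHA-256 hash of the API key, never the key itself.
  check(keyId: string, tier: string, nowMs: number): Decision {
    const limit = this.tiers[tier] ?? this.fallback; // unknown tier falls back to a strict default
    const cutoff = nowMs - limit.windowMs;
    // Drop timestamps that have slid out of the window.
    const recent = (this.hits.get(keyId) ?? []).filter((t) => t > cutoff);
    this.hits.set(keyId, recent);
    if (recent.length >= limit.maxRequests) {
      // Rejected calls are not recorded, so retrying early does not extend the block.
      // The oldest accepted hit leaves the window at oldest + windowMs.
      const oldest = recent.length > 0 ? recent[0] : nowMs;
      const waitMs = oldest + limit.windowMs - nowMs;
      return { allowed: false, status: 429, remaining: 0,
               retryAfterSec: Math.max(1, Math.ceil(waitMs / 1000)) };
    }
    recent.push(nowMs);
    return { allowed: true, status: 200, remaining: limit.maxRequests - recent.length,
             retryAfterSec: 0 };
  }
}

// Constructed tiers: the limits are sample values, not taken from the spec.
const limiter = new SlidingWindowLimiter(
  { free: { maxRequests: 3, windowMs: 10000 }, pro: { maxRequests: 100, windowMs: 10000 } },
  { maxRequests: 1, windowMs: 10000 },
);
```

Passing `nowMs` in rather than reading the clock inside `check` keeps the window arithmetic testable; a gateway handler would pass `Date.now()` and copy `retryAfterSec` into the `Retry-After` header of the 429 response.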