feat: add auth to gatekeeper

packages/gatekeeper/src/app/api/verify/route.ts

@@ -9,8 +9,32 @@ export async function GET(req: NextRequest) {
 
   const session = cookieStore.get(authCookieName);
 
-  if (session?.value === password) {
-    return new NextResponse("OK", { status: 200 });
+  let isAuthenticated = false;
+  let identity = "Guest";
+
+  if (session?.value) {
+    if (session.value === password) {
+      isAuthenticated = true;
+    } else {
+      try {
+        const payload = JSON.parse(session.value);
+        if (payload.identity) {
+          isAuthenticated = true;
+          identity = payload.identity;
+        }
+      } catch (e) {
+        // Fallback or old format
+      }
+    }
+  }
+
+  if (isAuthenticated) {
+    return new NextResponse("OK", {
+      status: 200,
+      headers: {
+        "X-Auth-User": identity,
+      },
+    });
   }
 
   // Traefik ForwardAuth headers

packages/gatekeeper/src/app/api/whoami/route.ts

@@ -0,0 +1,26 @@
+import { NextRequest, NextResponse } from "next/server";
+import { cookies } from "next/headers";
+
+export async function GET(req: NextRequest) {
+  const cookieStore = await cookies();
+  const authCookieName =
+    process.env.AUTH_COOKIE_NAME || "mintel_gatekeeper_session";
+  const session = cookieStore.get(authCookieName);
+
+  if (!session?.value) {
+    return NextResponse.json({ authenticated: false }, { status: 401 });
+  }
+
+  let identity = "Guest";
+  try {
+    const payload = JSON.parse(session.value);
+    identity = payload.identity || "Guest";
+  } catch (e) {
+    // Old format probably just the password
+  }
+
+  return NextResponse.json({
+    authenticated: true,
+    identity: identity,
+  });
+}