Description
Problem
Kubernetes liveness and readiness probes hit HTTP endpoints without an Authorization header. The auth middleware intercepts these requests and logs a WARN for every probe check:
{"level":"WARN","caller":"middleware/...","msg":"missing Authorization header"}
This generates constant log noise in every service that uses the auth middleware from lib-commons, since K8s probes fire every few seconds.
Expected Behavior
Health and readiness probe endpoints (/healthz, /readyz, /livez, or equivalent) should bypass the auth middleware entirely. No WARN log should be emitted for probe requests.
Suggested Fix
Add a skip list (or allowlist) of paths in the auth middleware that are excluded from authorization checks. Probe paths should be pre-configured by default, with the option for services to extend the list.
Example approach:
// Default paths that skip auth
var defaultSkipPaths = []string{"/healthz", "/readyz", "/livez"}

func AuthMiddleware(opts ...Option) func(http.Handler) http.Handler {
	// If request path is in skip list, call next handler directly
}
Alternatively, services can register health endpoints on a separate mux/router that does not go through the auth middleware chain.
Context
- Observed in multi-tenant task force services running on K8s (Clotilde/Firmino clusters)
- Affects all services using the lib-commons auth middleware
- Not a security issue — probes are internal cluster traffic
- The fix should be in lib-commons so all consuming services benefit automatically
Acceptance Criteria
- Probe endpoints are excluded from auth middleware by default
- No WARN logs emitted for probe requests
- Skip paths are configurable (services can add custom paths)
- Existing auth behavior unchanged for all other endpoints
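A sketch of the skip list described above, added here as an example and not taken from lib-commons. `Option`, `WithSkipPaths`, `statusFor` and the header-presence check are assumptions; the example also goes slightly beyond the issue by matching paths exactly and only for GET/HEAD, so the skip list cannot widen into an auth bypass for neighbouring routes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical names; the header-presence check stands in for real token validation.
var defaultSkipPaths = []string{"/healthz", "/readyz", "/livez"}

type Option func(skip map[string]bool)

// WithSkipPaths lets a service add its own probe paths to the defaults.
func WithSkipPaths(paths ...string) Option {
	return func(skip map[string]bool) {
		for _, p := range paths {
			skip[p] = true
		}
	}
}

func AuthMiddleware(opts ...Option) func(http.Handler) http.Handler {
	skip := map[string]bool{}
	for _, o := range append([]Option{WithSkipPaths(defaultSkipPaths...)}, opts...) {
		o(skip)
	}
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// Exact match on the path, GET/HEAD only: "/healthz/../admin",
			// "/healthzfoo" and "POST /healthz" still go through auth.
			probe := skip[r.URL.Path] && (r.Method == http.MethodGet || r.Method == http.MethodHead)
			if !probe && r.Header.Get("Authorization") == "" {
				// The WARN log would be emitted here; probe requests never reach it.
				http.Error(w, "missing Authorization header", http.StatusUnauthorized)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// statusFor sends one constructed, unauthenticated request through the middleware.
func statusFor(method, path string, opts ...Option) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	AuthMiddleware(opts...)(ok).ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

func main() {
	fmt.Println(statusFor("GET", "/healthz"), statusFor("GET", "/healthz/../admin"), statusFor("POST", "/healthz"))
}
```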