PaulJPhilp
diff --git a/‎packages/mcp-server/app/api/admin/circuit-breaker/route.ts‎
Lines changed: 6 additions & 1 deletion b/‎packages/mcp-server/app/api/admin/circuit-breaker/route.ts‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎packages/mcp-server/app/api/env-check/route.ts‎
Lines changed: 14 additions & 10 deletions b/‎packages/mcp-server/app/api/env-check/route.ts‎
Lines changed: 14 additions & 10 deletions
diff --git a/‎packages/mcp-server/app/api/test/route.ts‎
Lines changed: 58 additions & 59 deletions b/‎packages/mcp-server/app/api/test/route.ts‎
Lines changed: 58 additions & 59 deletions
diff --git a/‎packages/mcp-server/src/auth/__tests__/adminAuth.test.ts‎
Lines changed: 24 additions & 18 deletions b/‎packages/mcp-server/src/auth/__tests__/adminAuth.test.ts‎
Lines changed: 24 additions & 18 deletions
diff --git a/‎packages/mcp-server/src/auth/__tests__/apiKey.test.ts‎
Lines changed: 8 additions & 16 deletions b/‎packages/mcp-server/src/auth/__tests__/apiKey.test.ts‎
Lines changed: 8 additions & 16 deletions
diff --git a/‎packages/mcp-server/src/auth/adminAuth.ts‎
Lines changed: 3 additions & 10 deletions b/‎packages/mcp-server/src/auth/adminAuth.ts‎
Lines changed: 3 additions & 10 deletions
diff --git a/‎packages/mcp-server/src/auth/apiKey.ts‎
Lines changed: 5 additions & 12 deletions b/‎packages/mcp-server/src/auth/apiKey.ts‎
Lines changed: 5 additions & 12 deletions
@@ -11,6 +11,7 @@
 import { NextResponse, type NextRequest } from "next/server";
 import { randomUUID } from "crypto";
 import { Effect } from "effect";
+import { constantTimeEquals } from "../../../../src/auth/secureCompare";
 import { CircuitBreakerService } from "../../../../src/services/circuit-breaker";
 import { runWithRuntime } from "../../../../src/server/init";
 
@@ -28,7 +29,11 @@ function verifyAdminAccess(request: NextRequest): boolean {
     return false;
   }
 
-  return adminKey === expectedKey;
+  if (!adminKey) {
+    return false;
+  }
+
+  return constantTimeEquals(adminKey, expectedKey);
 }
 
 /**
 
@@ -4,15 +4,19 @@
  * Returns non-sensitive env presence only. Do not expose lengths, prefixes, or key names.
  */
 
-import { NextResponse } from "next/server";
+import { Effect } from "effect";
+import type { NextRequest } from "next/server";
+import { createSimpleHandler } from "../../../src/server/routeHandler";
 
-export async function GET() {
-	const envVars = {
-		hasDatabaseUrl: !!process.env.DATABASE_URL,
-		nodeEnv: process.env.NODE_ENV || "not set",
-		customNodeEnv: process.env.CUSTOM_NODE_ENV || "not set",
-		hasApiKey: !!process.env.PATTERN_API_KEY,
-	};
+const handleEnvCheck = (_request: NextRequest) =>
+  Effect.succeed({
+    hasDatabaseUrl: !!process.env.DATABASE_URL,
+    nodeEnv: process.env.NODE_ENV || "not set",
+    customNodeEnv: process.env.CUSTOM_NODE_ENV || "not set",
+    hasApiKey: !!process.env.PATTERN_API_KEY,
+  });
 
-	return NextResponse.json(envVars);
-}
+export const GET = createSimpleHandler(handleEnvCheck, {
+  requireAuth: false,
+  requireAdmin: true,
+});
@@ -1,63 +1,62 @@
 /**
- * Simple test endpoint to verify database connection
+ * Admin-only database connectivity check.
  */
 
-import { createDatabase, effectPatterns } from "@effect-patterns/toolkit"
-import { Effect } from "effect"
-import { NextResponse } from "next/server"
-
-export async function GET() {
-	try {
-		const dbUrl = process.env.DATABASE_URL
-		if (!dbUrl) {
-			return NextResponse.json({
-				success: false,
-				error: "DATABASE_URL not set",
-				envKeys: Object.keys(process.env).filter(k => k.includes("DATABASE") || k.includes("POSTGRES"))
-			}, { status: 500 })
-		}
-
-		const result = await Effect.runPromise(
-			Effect.gen(function* () {
-				const { db, close } = createDatabase(dbUrl)
-
-				const patterns = yield* Effect.tryPromise(async () => {
-					return await db.select({
-						id: effectPatterns.id,
-						title: effectPatterns.title,
-						skillLevel: effectPatterns.skillLevel,
-						category: effectPatterns.category
-					}).from(effectPatterns).limit(5)
-				})
-
-				yield* Effect.promise(() => close())
-				return patterns
-			})
-		)
-
-		return NextResponse.json({
-			success: true,
-			count: result.length,
-			patterns: result.map((p: any) => ({
-				id: p.id,
-				title: p.title,
-				skillLevel: p.skillLevel,
-				category: p.category
-			}))
-		})
-	} catch (error) {
-		console.error("Database test error:", error)
-		const errorMessage = error instanceof Error ? error.message : String(error)
-		const errorStack = error instanceof Error ? error.stack : undefined
-		return NextResponse.json(
-			{
-				success: false,
-				error: "Database connection failed",
-				details: errorMessage,
-				stack: errorStack?.split('\n').slice(0, 5)
-			},
-			{ status: 500 }
-		)
-	}
-}
+import { createDatabase, effectPatterns } from "@effect-patterns/toolkit";
+import { Effect } from "effect";
+import { type NextRequest, NextResponse } from "next/server";
+import { validateAdminKey } from "../../../src/auth/adminAuth";
+import { errorHandler } from "../../../src/server/errorHandler";
+import { runWithRuntime } from "../../../src/server/init";
+
+const handleDatabaseTest = (request: NextRequest) =>
+  Effect.gen(function* () {
+    yield* validateAdminKey(request);
+
+    const dbUrl = process.env.DATABASE_URL;
+    if (!dbUrl) {
+      return yield* Effect.fail(new Error("DATABASE_URL not set"));
+    }
+
+    const { db, close } = createDatabase(dbUrl);
+    const rows = yield* Effect.tryPromise({
+      try: () =>
+        db
+          .select({
+            id: effectPatterns.id,
+            title: effectPatterns.title,
+            skillLevel: effectPatterns.skillLevel,
+            category: effectPatterns.category,
+          })
+          .from(effectPatterns)
+          .limit(5),
+      catch: (error) => new Error(`Database connection failed: ${String(error)}`),
+    }).pipe(
+      Effect.ensuring(
+        Effect.tryPromise({
+          try: () => close(),
+          catch: (error) => new Error(`Failed to close database connection: ${String(error)}`),
+        }).pipe(Effect.ignore),
+      ),
+    );
 
+    return {
+      success: true,
+      count: rows.length,
+      patterns: rows,
+    };
+  });
+
+export async function GET(request: NextRequest) {
+  const result = await runWithRuntime(
+    handleDatabaseTest(request).pipe(
+      Effect.catchAll((error) => errorHandler(error)),
+    ),
+  );
+
+  if (result instanceof Response) {
+    return result;
+  }
+
+  return NextResponse.json(result, { status: 200 });
+}
@@ -72,24 +72,30 @@ describe("Admin Authentication", () => {
 			expect(result).toBeUndefined(); // Success
 		});
 
-		it("should allow valid admin key from query parameter", async () => {
-			const request = createMockRequest({
-				url: "http://localhost:3000/api/test?admin-key=admin-secret-key",
+			it("should reject admin key passed via query parameter", async () => {
+				const request = createMockRequest({
+					url: "http://localhost:3000/api/test?admin-key=admin-secret-key",
+				});
+
+				const result = await Effect.runPromise(
+					validateAdminKey(request).pipe(
+						Effect.provide(MCPConfigService.Default),
+						Effect.either
+					)
+				);
+
+				expect(result._tag).toBe("Left");
+				if (result._tag === "Left") {
+					const errorObj = result.left as any;
+					expect(errorObj._tag).toBe("AuthorizationError");
+					expect(errorObj.message).toContain("required");
+				}
 			});
 
-			const result = await Effect.runPromise(
-				validateAdminKey(request).pipe(
-					Effect.provide(MCPConfigService.Default)
-				)
-			);
-
-			expect(result).toBeUndefined();
-		});
-
-		it("should prefer header over query parameter", async () => {
-			const request = createMockRequest({
-				headers: { "x-admin-key": "admin-secret-key" },
-				url: "http://localhost:3000/api/test?admin-key=wrong-key",
+			it("should use header key and ignore query parameter", async () => {
+				const request = createMockRequest({
+					headers: { "x-admin-key": "admin-secret-key" },
+					url: "http://localhost:3000/api/test?admin-key=wrong-key",
 			});
 
 			const result = await Effect.runPromise(
@@ -98,8 +104,8 @@ describe("Admin Authentication", () => {
 				)
 			);
 
-			expect(result).toBeUndefined(); // Header takes precedence
-		});
+				expect(result).toBeUndefined();
+			});
 
 		it("should reject missing admin key in production", async () => {
 			const request = createMockRequest({});
 
@@ -1,7 +1,7 @@
 /**
  * API Key Authentication Tests
  *
- * Tests for API key validation from headers and query parameters.
+ * Tests for API key validation from headers.
  *
  * Architecture:
  * - HTTP API is where ALL authentication happens
@@ -61,16 +61,6 @@ function validateApiKeySimple(
     };
   }
 
-  // Check query parameter
-  const { searchParams } = new URL(request.url);
-  const queryKey = searchParams.get("key");
-  if (queryKey) {
-    return {
-      valid: queryKey === configuredApiKey,
-      error: queryKey !== configuredApiKey ? "Invalid API key" : undefined,
-    };
-  }
-
   return {
     valid: false,
     error: "Missing API key",
@@ -90,15 +80,16 @@ describe("validateApiKey Logic", () => {
     expect(result.error).toBeUndefined();
   });
 
-  it("should pass with valid API key in query parameter", () => {
+  it("should reject query parameter API key", () => {
     const testApiKey = "test-api-key-query";
     const request = createMockRequest({
       url: `http://localhost:3000/api/test?key=${testApiKey}`,
     });
 
     const result = validateApiKeySimple(request, testApiKey);
 
-    expect(result.valid).toBe(true);
+    expect(result.valid).toBe(false);
+    expect(result.error).toBe("Missing API key");
   });
 
   it("should fail with missing API key", () => {
@@ -121,7 +112,7 @@ describe("validateApiKey Logic", () => {
     expect(result.error).toBe("Invalid API key");
   });
 
-  it("should prefer header over query parameter", () => {
+  it("should use header key and ignore query parameter", () => {
     const testApiKey = "header-key";
     const request = createMockRequest({
       headers: { "x-api-key": testApiKey },
@@ -200,7 +191,7 @@ describe("validateApiKey Logic", () => {
     expect(result.valid).toBe(false);
   });
 
-  it("should decode URL-encoded query parameters", () => {
+  it("should not accept URL-encoded query API key", () => {
     const testApiKey = "test key with spaces";
     const encodedKey = encodeURIComponent(testApiKey);
     const request = createMockRequest({
@@ -209,6 +200,7 @@ describe("validateApiKey Logic", () => {
 
     const result = validateApiKeySimple(request, testApiKey);
 
-    expect(result.valid).toBe(true);
+    expect(result.valid).toBe(false);
+    expect(result.error).toBe("Missing API key");
   });
 });
@@ -11,24 +11,17 @@ import { Effect } from "effect";
 import type { NextRequest } from "next/server";
 import { AuthorizationError } from "../errors";
 import { MCPConfigService } from "../services/config";
+import { constantTimeEquals } from "./secureCompare";
 
 /**
  * Extract admin API key from request
  *
- * Checks:
- * 1. x-admin-key header
- * 2. ?admin-key query parameter (less preferred, less secure)
+ * Checks `x-admin-key` header only.
  */
 function extractAdminKey(request: NextRequest): string | null {
-  // Check header first (more secure)
   const headerKey = request.headers.get("x-admin-key");
   if (headerKey) return headerKey;
 
-  // Check query parameter (less secure, but supported)
-  const { searchParams } = new URL(request.url);
-  const queryKey = searchParams.get("admin-key");
-  if (queryKey) return queryKey;
-
   return null;
 }
 
@@ -80,7 +73,7 @@ export const validateAdminKey = (
     }
 
     // Validate key (never include provided key in error for security)
-    if (providedKey !== adminKey) {
+    if (!constantTimeEquals(providedKey, adminKey)) {
       return yield* Effect.fail(
         new AuthorizationError({
           message: "Invalid admin credentials",
 
@@ -1,32 +1,25 @@
 /**
  * API Key Authentication Middleware
  *
- * Validates PATTERN_API_KEY from x-api-key header or ?key query param.
+ * Validates PATTERN_API_KEY from x-api-key header.
  * Returns 401 Unauthorized for invalid/missing keys.
  */
 
 import { Effect } from "effect";
 import type { NextRequest } from "next/server";
 import { AuthenticationError } from "../errors";
 import { MCPConfigService } from "../services/config";
+import { constantTimeEquals } from "./secureCompare";
 
 /**
  * Extract API key from request
  *
- * Checks:
- * 1. x-api-key header
- * 2. ?key query parameter
+ * Checks `x-api-key` header only.
  */
 function extractApiKey(request: NextRequest): string | null {
-  // Check header first
   const headerKey = request.headers.get("x-api-key");
   if (headerKey) return headerKey;
 
-  // Check query parameter
-  const { searchParams } = new URL(request.url);
-  const queryKey = searchParams.get("key");
-  if (queryKey) return queryKey;
-
   return null;
 }
 
@@ -71,7 +64,7 @@ export const validateApiKey = (
       }
 
       // Key provided - validate it matches configured key
-      if (providedKey !== apiKey) {
+      if (!constantTimeEquals(providedKey, apiKey)) {
         return yield* Effect.fail(
           new AuthenticationError({
             message: "Invalid API key"
@@ -96,7 +89,7 @@ export const validateApiKey = (
     }
 
     // Validate key
-    if (providedKey !== apiKey) {
+    if (!constantTimeEquals(providedKey, apiKey)) {
       return yield* Effect.fail(
         new AuthenticationError({
           message: "Invalid API key"