Exempt /liveness and /readiness from auth (#10)

Kubernetes liveness and readiness probes can't carry Bearer tokens or
API keys, so authenticating them gates the router's own readiness on
having a valid token, which is a chicken-and-egg problem when JWT
verification is enabled:

  /readiness -> 401 -> probe fails -> pod NotReady -> service has no
  ready endpoints -> platform's find_router_url returns None -> the
  orchestrator bypasses the router entirely -> no per-run metrics

The endpoints expose no sensitive data — just 'process is alive' and
'at least one worker is ready' — so it's safe to leave them open.

User-facing /health and /health_generate keep auth.

Author: JannikSt

src/server.rs

@@ -189,21 +189,16 @@ async fn transparent_proxy_handler(State(state): State<Arc<AppState>>, req: Requ
 }
 
 // Health check endpoints
-async fn liveness(State(state): State<Arc<AppState>>, req: Request) -> Response {
-    let headers = req.headers().clone();
-    if let Err(response) = authorize_request(&state, &headers).await {
-        return response;
-    }
-
+//
+// /liveness and /readiness are intentionally unauthenticated so kube
+// probes (which can't carry Bearer tokens) keep working when JWT or
+// API-key auth is enabled. They expose no sensitive information — just
+// "the router process is alive" / "at least one worker is ready".
+async fn liveness(State(state): State<Arc<AppState>>, _req: Request) -> Response {
     state.router.liveness()
 }
 
-async fn readiness(State(state): State<Arc<AppState>>, req: Request) -> Response {
-    let headers = req.headers().clone();
-    if let Err(response) = authorize_request(&state, &headers).await {
-        return response;
-    }
-
+async fn readiness(State(state): State<Arc<AppState>>, _req: Request) -> Response {
     state.router.readiness()
 }