refactor: use Supabase service role key for worker authentication (#472)

# Use Supabase Service Role Key for Worker Authentication

This PR simplifies the authentication mechanism for workers by leveraging the `SUPABASE_SERVICE_ROLE_KEY` that's automatically available in Edge Functions, eliminating the need for a separate `PGFLOW_SECRET_KEY`.

Changes:
- Workers now authenticate with the Control Plane using the Supabase service role key
- Removed the `secretKey` option from `ControlPlaneOptions` interface
- Updated the `verifyAuth` function to check against `SUPABASE_SERVICE_ROLE_KEY` environment variable
- Modified tests to properly set and clean up the environment variable during testing
- Added a test case for when the service role key is not set in the environment

This change reduces configuration overhead as both Control Plane and Worker Edge Functions automatically have access to this key via `Deno.env`.

Author: jumski

PLAN.md

@@ -30,26 +30,25 @@
 
 ## Authentication
 
-Workers authenticate with ControlPlane using a dedicated secret key:
+Workers authenticate with ControlPlane using the Supabase service role key (zero-config):
 
 ```
-Env var: PGFLOW_SECRET_KEY
-Header: apikey: <secret_key>
+Env var: SUPABASE_SERVICE_ROLE_KEY (automatically available in Edge Functions)
+Header: apikey: <service_role_key>
 ```
 
 **Setup:**
-1. Users generate a secret key in Supabase dashboard (Supabase Secrets)
-2. Set `PGFLOW_SECRET_KEY` env var for both ControlPlane and Worker edge functions
-3. Workers include `apikey` header in compilation requests
-4. ControlPlane verifies `apikey` header matches `PGFLOW_SECRET_KEY` env var
+- No setup required - both ControlPlane and Worker Edge Functions automatically have access to `SUPABASE_SERVICE_ROLE_KEY` via `Deno.env`
+- Workers include `apikey` header in compilation requests
+- ControlPlane verifies `apikey` header matches `SUPABASE_SERVICE_ROLE_KEY` env var
 
 **ControlPlane Verification:**
 ```typescript
 function verifyAuth(request: Request): boolean {
+  const serviceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+  if (!serviceRoleKey) return false;  // Not configured - reject all
   const apikey = request.headers.get('apikey');
-  const secretKey = Deno.env.get('PGFLOW_SECRET_KEY');
-  if (!secretKey) return false;  // Not configured - reject all
-  return apikey === secretKey;
+  return apikey === serviceRoleKey;
 }
 ```
 
@@ -66,7 +65,7 @@ Worker.start(MyFlow)
     │
     └── POST /flows/:slug/ensure-compiled
         │   Body: { shape: workerShape, mode: 'development' | 'production' }
-        │   Headers: { apikey: PGFLOW_SECRET_KEY }
+        │   Headers: { apikey: SUPABASE_SERVICE_ROLE_KEY }
         │
         └── ControlPlane (Layer 1: Deployment Validation)
             │
@@ -119,7 +118,7 @@ Worker.start(MyFlow)
 
 ```
 POST /flows/:slug/ensure-compiled
-  Headers: { apikey: PGFLOW_SECRET_KEY }
+  Headers: { apikey: SUPABASE_SERVICE_ROLE_KEY }
   Body: {
     shape: FlowShape,
     mode: 'development' | 'production'
@@ -718,7 +717,7 @@ Test-Driven Development order - write tests FIRST, then implement:
 ### Phase 7: ControlPlane Endpoint (~0.5 day)
 
 **Order within phase:**
-1. Add auth verification (check `PGFLOW_SECRET_KEY`)
+1. Add auth verification (check `SUPABASE_SERVICE_ROLE_KEY`)
 2. Add flow registry lookup (404 if not found)
 3. Add Layer 1: TypeScript comparison (409 if worker≠ControlPlane)
 4. Add Layer 2: SQL function call

pkgs/edge-worker/src/control-plane/server.ts

@@ -47,8 +47,6 @@ export type SqlFunction = (strings: TemplateStringsArray, ...values: any[]) => P
 export interface ControlPlaneOptions {
   /** SQL function for database operations (required for ensure-compiled endpoint) */
   sql?: SqlFunction;
-  /** Secret key for authentication (required for ensure-compiled endpoint) */
-  secretKey?: string;
 }
 
 /**
@@ -195,12 +193,13 @@ function jsonResponse(data: unknown, status: number): Response {
 }
 
 /**
- * Verifies authentication using apikey header
+ * Verifies authentication using apikey header against SUPABASE_SERVICE_ROLE_KEY env var
  */
-function verifyAuth(request: Request, secretKey: string | undefined): boolean {
-  if (!secretKey) return false;
+function verifyAuth(request: Request): boolean {
+  const serviceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+  if (!serviceRoleKey) return false;
   const apikey = request.headers.get('apikey');
-  return apikey === secretKey;
+  return apikey === serviceRoleKey;
 }
 
 /**
@@ -249,7 +248,7 @@ async function handleEnsureCompiled(
   }
 
   // Verify authentication
-  if (!verifyAuth(request, options.secretKey)) {
+  if (!verifyAuth(request)) {
     return jsonResponse(
       {
         error: 'Unauthorized',