feat: add optional swarm API key auth

[rtmalikian]

Summary

• Studied rtmalikian/llm-swarm README, changelog, Python services, Docker config, tests, and dependency list.
• Implemented the README Roadmap/TODO item for swarm API key hardening by adding optional shared bearer-token authentication.
• Added regression tests covering tracker registration and node layer-processing authorization.
• Updated README usage guidance, Docker Compose environment propagation, and CHANGELOG Unreleased notes.

README/docs TODOs reviewed

The README includes several roadmap TODOs. I chose the bounded security item:

• [x] Security Hardening: Implement Swarm-wide API Keys for tracker and node-to-node authentication via SWARM_API_KEY.

Skipped broader items for this run because they are larger architectural efforts: libp2p/Noise/TLS, tensor validation/checksums, tensor compression, dynamic slicing, GUI, and geographic routing.

Security probing performed

• Reviewed FastAPI tracker/node endpoints for missing authentication on public tracker and node-to-node HTTP calls.
• Searched for obvious secret/token patterns; no real credentials were committed or exposed.
• Attempted Python dependency audit with python3 -m pip_audit -r requirements.txt, but pip_audit is not installed in the local environment.

Improvement made

When SWARM_API_KEY is set:

• Tracker endpoints (/register, /heartbeat, /peers, /coverage, /find_peer) require Authorization: Bearer <SWARM_API_KEY>.
• Node-to-node /process_layers calls require the same bearer token.
• Nodes automatically attach the bearer token on tracker and peer requests.

When SWARM_API_KEY is unset, the existing unauthenticated local-development behavior is preserved.

Files changed

• auth_utils.py — shared auth dependency and outgoing auth header helper.
• tracker.py — protects tracker control-plane endpoints.
• swarm_node.py — protects layer processing and sends auth headers to tracker/peers.
• docker-compose.yml — propagates SWARM_API_KEY to tracker and node containers.
• tests/test_api_key_auth.py — regression coverage for auth behavior.
• README.md — usage/security docs and roadmap checkbox update.
• CHANGELOG.md — Unreleased security entry.

Verification

• pytest tests/test_api_key_auth.py -q — passed (3 tests).
• pytest -q — passed (3 tests; existing FastAPI on_event deprecation warnings only).
• python3 -m py_compile auth_utils.py tracker.py swarm_node.py launch_leader.py slice_model.py slice_qwen.py test_mesh.py tests/test_api_key_auth.py — passed.
• python3 -m pip_audit -r requirements.txt — not run successfully because pip_audit is unavailable locally.

Notes / limitations

• This adds shared-key authentication, not encrypted transport. README still warns that raw HTTP is used and the TLS/libp2p roadmap item remains open.
• The OpenAI-compatible /v1/chat/completions entry endpoint remains public unless deployed behind the authenticated node-to-node path or external access controls; this PR focuses on the specific tracker/node-to-node TODO.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 770d0e7364

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Check tracker registration response before declaring success

When SWARM_API_KEY is enabled and a node has a mismatched/missing key, /register returns 401, but this code logs a successful registration unconditionally because httpx does not raise on non-2xx responses unless raise_for_status() is called. In that configuration the node appears registered locally, but it never enters peers_db on the tracker, which breaks downstream peer discovery and forwarding while hiding the real auth failure.

Useful? React with 👍 / 👎.