HIGH: Add API authentication, request size limits, and CORS

## Security Findings - HIGH

**Source**: Security audit (2026-02-24)

### No Authentication (Finding 4)
All API routes (`/extract`, `/treatments`, `/recommend`, `/validate-pgx`, `/ws/recommend`) are exposed without any authentication middleware.

### No Request Size Limits (Finding 5)
No body size limits configured. Clients can send multi-GB JSON payloads causing OOM.

### No CORS / Rate Limiting
Missing `CorsLayer`, `RateLimitLayer`.

### Remediation
1. Add API key or JWT middleware to clinical endpoints
2. Add `axum::extract::DefaultBodyLimit::max(1_048_576)` (1MB)
3. Add `tower::limit::RateLimitLayer`
4. Add `tower_http::cors::CorsLayer`
5. Configure WebSocket message size limits and connection caps

### Locations
- `crates/terraphim-api/src/routes/mod.rs`
- `crates/terraphim-api/src/lib.rs`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HIGH: Add API authentication, request size limits, and CORS #53

Security Findings - HIGH

No Authentication (Finding 4)

No Request Size Limits (Finding 5)

No CORS / Rate Limiting

Remediation

Locations

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

HIGH: Add API authentication, request size limits, and CORS #53

Description

Security Findings - HIGH

No Authentication (Finding 4)

No Request Size Limits (Finding 5)

No CORS / Rate Limiting

Remediation

Locations

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions