chore(backend): finalize backend baseline and frontend handoff contract

freeze the current backend contract for frontend integration

document the stabilized backend surface and handoff expectations
mark the current state as the baseline for further frontend work

backend/scripts/smoke_auth_negative.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "${TMP_DIR}"' EXIT
+
+# shellcheck source=backend/scripts/smoke_common.sh
+source "${SCRIPT_DIR}/smoke_common.sh"
+
+INVALID_API_KEY="${INVALID_API_KEY:-definitely-invalid-api-key}"
+VIEWER_API_KEY="${VIEWER_API_KEY:-viewer-local-dev-key}"
+
+wait_for_health
+
+create_fresh_scheme_from_upload "smoke-auth-negative"
+
+request "scheme_current" "GET" "${API_URL}/api/v1/schemes/${SCHEME_ID}/current" "200"
+CURRENT_VERSION_ID="$(json_get "${TMP_DIR}/scheme_current.body" "scheme_version_id")"
+echo "CURRENT_VERSION_ID=${CURRENT_VERSION_ID}"
+
+request_without_api_key "manifest_missing_key" "GET" \
+  "${API_URL}/api/v1/manifest" \
+  "401"
+request_with_api_key "${INVALID_API_KEY}" "manifest_invalid_key" "GET" \
+  "${API_URL}/api/v1/manifest" \
+  "403"
+assert_file_contains "${TMP_DIR}/manifest_missing_key.body" "Missing API key"
+assert_file_contains "${TMP_DIR}/manifest_invalid_key.body" "Invalid API key"
+
+request_without_api_key "editor_context_missing_key" "GET" \
+  "${API_URL}/api/v1/schemes/${SCHEME_ID}/editor/context" \
+  "401"
+request_with_api_key "${INVALID_API_KEY}" "editor_context_invalid_key" "GET" \
+  "${API_URL}/api/v1/schemes/${SCHEME_ID}/editor/context" \
+  "403"
+assert_file_contains "${TMP_DIR}/editor_context_missing_key.body" "Missing API key"
+assert_file_contains "${TMP_DIR}/editor_context_invalid_key.body" "Invalid API key"
+
+request_without_api_key "pricing_bundle_missing_key" "GET" \
+  "${API_URL}/api/v1/schemes/${SCHEME_ID}/pricing" \
+  "401"
+request_with_api_key "${INVALID_API_KEY}" "pricing_bundle_invalid_key" "GET" \
+  "${API_URL}/api/v1/schemes/${SCHEME_ID}/pricing" \
+  "403"
+assert_file_contains "${TMP_DIR}/pricing_bundle_missing_key.body" "Missing API key"
+assert_file_contains "${TMP_DIR}/pricing_bundle_invalid_key.body" "Invalid API key"
+
+request_without_api_key "admin_audit_missing_key" "GET" \
+  "${API_URL}/api/v1/admin/artifacts/publish-preview/audit" \
+  "401"
+request_with_api_key "${INVALID_API_KEY}" "admin_audit_invalid_key" "GET" \
+  "${API_URL}/api/v1/admin/artifacts/publish-preview/audit" \
+  "403"
+request_with_api_key "${VIEWER_API_KEY}" "admin_audit_wrong_role" "GET" \
+  "${API_URL}/api/v1/admin/artifacts/publish-preview/audit" \
+  "403"
+assert_file_contains "${TMP_DIR}/admin_audit_missing_key.body" "Missing API key"
+assert_file_contains "${TMP_DIR}/admin_audit_invalid_key.body" "Invalid API key"
+assert_file_contains "${TMP_DIR}/admin_audit_wrong_role.body" "Admin role required"
+
+request_without_api_key "admin_cleanup_preview_missing_key" "GET" \
+  "${API_URL}/api/v1/admin/schemes/${SCHEME_ID}/pricing/categories/cleanup-preview" \
+  "401"
+request_with_api_key "${INVALID_API_KEY}" "admin_cleanup_preview_invalid_key" "GET" \
+  "${API_URL}/api/v1/admin/schemes/${SCHEME_ID}/pricing/categories/cleanup-preview" \
+  "403"
+request_with_api_key "${VIEWER_API_KEY}" "admin_cleanup_preview_wrong_role" "GET" \
+  "${API_URL}/api/v1/admin/schemes/${SCHEME_ID}/pricing/categories/cleanup-preview" \
+  "403"
+assert_file_contains "${TMP_DIR}/admin_cleanup_preview_missing_key.body" "Missing API key"
+assert_file_contains "${TMP_DIR}/admin_cleanup_preview_invalid_key.body" "Invalid API key"
+assert_file_contains "${TMP_DIR}/admin_cleanup_preview_wrong_role.body" "Admin role required"
+
+echo
+echo "===== done ====="
+echo "[OK] smoke auth negative completed successfully"
+echo "FRESH_SCHEME_ID=${SCHEME_ID}"