Bead pdftract-zltqd implements bearer-token authentication for the
MCP HTTP+SSE transport. The implementation was already complete.
This verification note confirms all acceptance criteria are met.
Verification summary:
- Non-loopback binds without token abort with exit code 78
- Env var and token-file auth sources work correctly
- Insecure CLI token requires PDFTRACT_INSECURE_CLI_TOKEN=1
- /health endpoint is auth-exempt (returns 200 without credentials)
- POST requests require valid Authorization: Bearer header
- Constant-time token comparison using subtle crate
- IPv4 and IPv6 loopback addresses are exempt from token requirement
All unit tests pass (90 MCP tests). Manual testing confirms
the plan critical test: "--bind 0.0.0.0:8080 without token
aborts startup; with token, valid requests succeed and
missing tokens get 401"
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
