Add coverage for the X-API-Key recognition middleware and req.apiKey tagging #153

Description

@mikewheeleer

Test the optional API-key recognition middleware

Description

The recognition middleware in src/index.ts reads X-API-Key, checks it against apiKeyStore, and tags req.apiKey for downstream handlers "without yet rejecting unkeyed requests" — the foundation the planned auth enforcement and tenant scoping build on. None of this is tested in src/health.test.ts: there is no test that a created key is recognised, that an unknown key is ignored, or that the API stays open without a key. This issue locks in the current (open) behaviour so the upcoming enforcement work has a baseline.

Requirements and context

  • Repository scope: Agentpay-Org/Agentpay-backend only.
  • Create a key via POST /api/v1/api-keys, then assert a request carrying that X-API-Key is recognised (observable via behaviour that the recognition enables, or by an added test-only assertion path) while an unknown key is silently ignored.
  • Assert the API remains open: a write with no X-API-Key still succeeds today (documenting the current pre-enforcement contract).
  • Assert recognition is case-insensitive on the header name (per HTTP) and exact on the key value.
  • Keep the tests forward-compatible so they can be tightened when enforcement lands.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b test/testing-79-apikey-recognition
  • Implement changes
    • Write comprehensive tests in: new src/apikey-recognition.test.ts using supertest.
    • Write code in: no production change expected; if the middleware mis-tags, fix it and note it.
    • Add documentation: none beyond test descriptions.
    • Add clear test titles.
    • Validate security assumptions: the raw key is never echoed and unknown keys are ignored, not errored.
  • Test and commit

Test and commit

  • Run npm test and npm run lint.
  • Cover edge cases: valid key, unknown key, no key, revoked key after deletion.
  • Include the full npm test output in the PR description.

Example commit message

test: cover the x-api-key recognition middleware

Guidelines

  • Minimum 95 percent test coverage for impacted modules.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
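
The recognition contract listed under "Requirements and context" and the edge cases under "Test and commit", modelled as an added example that is not part of the original issue and is not the code in src/index.ts. The names `recognise`, `handleWrite`, `runCases` and `ApiKeyRecord`, the response shape, and the sample key are assumptions made for illustration; the real tests would drive the running app through supertest.

```typescript
// Stand-in for the behaviour the issue describes; NOT the project's middleware.
// Every name below is hypothetical and the sample key is constructed.
type ApiKeyRecord = { id: string; label: string };
type Req = { headers: Record<string, string>; apiKey?: ApiKeyRecord };

// Constructed sample store: raw key value -> record.
const apiKeyStore = new Map<string, ApiKeyRecord>([
  ["ak_test_constructed_1", { id: "key-1", label: "ci" }],
]);

// Tag req.apiKey when the header carries a known key; never reject.
function recognise(req: Req, store: Map<string, ApiKeyRecord>): Req {
  // Header names are case-insensitive in HTTP, so compare lowercased names.
  const name = Object.keys(req.headers).find((h) => h.toLowerCase() === "x-api-key");
  const presented = name === undefined ? undefined : req.headers[name];
  // Key values are matched exactly: no trimming, no case folding.
  const record = presented === undefined ? undefined : store.get(presented);
  if (record) req.apiKey = record;
  return req;
}

// Stand-in write handler: open with or without a key, and the response
// exposes only the record id, never the raw key value.
function handleWrite(req: Req, store: Map<string, ApiKeyRecord>) {
  const tagged = recognise(req, store);
  return { status: 201, body: { ok: true, keyId: tagged.apiKey?.id ?? null } };
}

// Valid key, header-name case, exact value, unknown key, no key, revoked key.
function runCases() {
  const store = new Map(apiKeyStore);
  const key = "ak_test_constructed_1";
  const call = (headers: Record<string, string>) => handleWrite({ headers }, store);
  const valid = call({ "X-API-Key": key });
  const lowerName = call({ "x-api-key": key });
  const wrongCase = call({ "X-API-Key": key.toUpperCase() });
  const unknown = call({ "X-API-Key": "ak_not_in_store" });
  const none = call({});
  store.delete(key); // revoke, then present the same key again
  const revoked = call({ "X-API-Key": key });
  return { valid, lowerName, wrongCase, unknown, none, revoked };
}
```

Asserting on the record id rather than the raw key keeps the checks valid once enforcement changes the status codes for the unknown, missing and revoked cases.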
