Athena API Key Crate

What belongs in crates/athena-api-key and what still stays in the server runtime.

crates/athena-api-key is the extraction seam for Athena's API-key domain. The crate owns the durable API-key stores, per-key IP policy helpers, request header extraction, static admin-key helpers, and pure rights utilities that can be shared without dragging in the rest of the server runtime.

What Lives Here Today

  • API-key record, secret, rights, and config store helpers.
  • API-key auth-attempt log persistence helpers.
  • Per-key and global IP whitelist/blacklist persistence plus virgin-mode learning helpers.
  • Request-key extraction from X-Athena-Key and static admin-key validation.
  • Pure rights helpers for gateway.*, <table>.read, <table>.write, and related wildcard matching.
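As an added illustration (not code from athena-api-key or athena_rs), a pure rights matcher of the kind the last bullet describes needs only strings, with no AppState or runtime. The function names and the wildcard rules (dot-separated segments, `*` matches one segment, a trailing `*` matches one or more) are assumptions made for this sketch.

```rust
// Added example; names and matching rules are assumptions, not the crate's API.

/// Returns true when `pattern` (a granted right) covers `required`.
/// Assumed rules: rights are dot-separated; a `*` segment matches exactly one
/// segment, except a trailing `*`, which matches one or more remaining segments.
pub fn right_matches(pattern: &str, required: &str) -> bool {
    let pat: Vec<&str> = pattern.split('.').collect();
    let req: Vec<&str> = required.split('.').collect();
    // Reject malformed input: empty segments, or a wildcard in the requested right.
    if pat.iter().chain(req.iter()).any(|s| s.is_empty()) || req.contains(&"*") {
        return false;
    }
    for (i, p) in pat.iter().enumerate() {
        let last = i + 1 == pat.len();
        match req.get(i) {
            None => return false, // pattern is longer than the request
            Some(_) if *p == "*" && last => return true, // trailing wildcard covers the rest
            Some(r) if *p == "*" || p == r => continue,
            Some(_) => return false, // whole-segment mismatch, never a prefix match
        }
    }
    // Without a trailing wildcard the segment counts must agree.
    pat.len() == req.len()
}

/// Deny by default: access requires at least one granted right to match.
pub fn has_right(granted: &[&str], required: &str) -> bool {
    granted.iter().any(|g| right_matches(g, required))
}

fn main() {
    // Constructed sample grants and requests.
    let granted = ["gateway.*", "users.read"];
    for needed in ["gateway.query", "users.read", "users.write", "gatewayx.query"] {
        println!("{}: {}", needed, has_right(&granted, needed));
    }
}
```

Comparing whole segments rather than string prefixes is what keeps `gateway.*` from also granting `gatewayx.query`.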

What Still Stays In athena_rs

  • Actix route handlers for /admin/api-keys* and related management routes.
  • Gateway auth orchestration, cache policy, and request logging side effects.
  • Runtime pool selection and gateway request execution.

Current Extraction Rule

Use athena-api-key when code is about API-key persistence, IP-policy state, request-key extraction, or rights matching and does not need AppState or the full gateway runtime.

Keep code in athena_rs when it needs:

  • route mounting
  • app-specific runtime state
  • gateway request execution
  • background logging task plumbing

Near-Term Direction

The next API-key slices should keep shrinking the runtime wrapper around the same boundary:

  1. Keep the core stores and request parsing in athena-api-key.
  2. Move more gateway auth logic only when its runtime dependencies are isolated behind narrow traits.
  3. Leave unrelated generic Actix helpers to athena-actix instead of growing this crate into a transport bucket.