feat: restructure routes to separate authenticated and public endpoints

Co-authored-by: aider (openai/andrew/openrouter/deepseek/deepseek-chat-v3.1) <aider@aider.chat>

src/modes/server.rs

@@ -98,34 +98,28 @@ async fn run_server(
         .route("/mcp", post(mcp::handle_mcp_request))
         .with_state(state.clone());
     
-    // Create routes that don't require authentication
+    // Create the app with documentation routes open and others protected
-    let open_routes = Router::new()
+    let app = Router::new()
+        // Add documentation routes without authentication
         .merge(api::add_docs_routes(Router::new()))
-        .with_state(state.clone())
+        // Add API, pages, and MCP routes with authentication
-        .layer(axum::middleware::from_fn(logging_middleware))
+        .merge(
-        .layer(
+            Router::new()
-            ServiceBuilder::new()
-                .layer(TraceLayer::new_for_http())
-                .layer(CorsLayer::permissive())
-        );
-
-    // Create routes that require authentication
-    let protected_routes = Router::new()
                 .merge(api::add_routes(Router::new()))
                 .merge(pages::add_routes(Router::new()))
                 .merge(mcp_router)
-        .with_state(state)
-        .layer(axum::middleware::from_fn(logging_middleware))
                 .layer(axum::middleware::from_fn(create_auth_middleware(config.password.clone(), config.password_hash.clone())))
+        )
+        // Apply state to all routes
+        .with_state(state)
+        // Add other middleware layers to all routes
+        .layer(axum::middleware::from_fn(logging_middleware))
         .layer(
             ServiceBuilder::new()
                 .layer(TraceLayer::new_for_http())
                 .layer(CorsLayer::permissive())
         );
     
-    // Combine both route groups
-    let app = open_routes.merge(protected_routes);
-    
     let addr: SocketAddr = bind_address.parse()?;
     
     info!("SERVER: HTTP server listening on {}", addr);