## ADDED Requirements

### Requirement: Next.js API key middleware

The system SHALL enforce API key authentication on all `/api/*` routes via Next.js middleware (`src/middleware.ts`). The middleware SHALL read the expected key from the `API_KEY` environment variable. Requests MUST include the key in the `X-API-Key` header. If the key is missing or incorrect, the middleware SHALL return HTTP 401 with `{ "error": "Unauthorized" }`. The `/api/health` endpoint SHALL be exempt from authentication.

#### Scenario: Valid API key

- **WHEN** a request to `/api/candles` includes header `X-API-Key: `
- **THEN** the request proceeds to the route handler normally

#### Scenario: Missing API key

- **WHEN** a request to `/api/candles` has no `X-API-Key` header
- **THEN** the middleware returns HTTP 401 with `{ "error": "Unauthorized" }`

#### Scenario: Invalid API key

- **WHEN** a request to `/api/candles` includes header `X-API-Key: wrong-key`
- **THEN** the middleware returns HTTP 401 with `{ "error": "Unauthorized" }`

#### Scenario: Health endpoint exempt

- **WHEN** a request to `/api/health` has no `X-API-Key` header
- **THEN** the request proceeds normally (health check is unauthenticated)

#### Scenario: API_KEY not configured

- **WHEN** the `API_KEY` environment variable is not set
- **THEN** the middleware SHALL allow all requests (auth disabled) and log a warning at startup

### Requirement: FastAPI API key dependency

The FastAPI ML service SHALL enforce API key authentication via a shared `Depends()` dependency. The dependency SHALL read the expected key from the `API_KEY` environment variable. Requests MUST include the key in the `X-API-Key` header. The `/health` endpoint SHALL be exempt.

#### Scenario: Valid API key on ML service

- **WHEN** a request to `/predict` includes the correct `X-API-Key` header
- **THEN** the request proceeds to the endpoint handler

#### Scenario: Unauthorized ML service request

- **WHEN** a request to `/predict` has no `X-API-Key` header and `API_KEY` is configured
- **THEN** the service returns HTTP 401 with `{ "detail": "Unauthorized" }`

#### Scenario: Next.js proxy forwards API key

- **WHEN** the Next.js proxy route calls the ML service
- **THEN** it SHALL include the `X-API-Key` header from its own environment variable
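
The Next.js middleware scenarios above reduce to one decision function, shown here as an added example that is not the project's code; the FastAPI dependency follows the same table with `/health` and a `detail` body. `authorize`, `AuthDecision`, `EXEMPT_PATHS` and `constantTimeEqual` are hypothetical names, and the constant-time comparison, the exact-match exemption and treating an empty `API_KEY` as unset are assumptions the requirements do not state.

```typescript
// Added example: framework-independent auth decision that src/middleware.ts
// could call. All names here are hypothetical, not taken from the project.

type AuthDecision =
  | { allow: true; reason: "exempt" | "auth-disabled" | "valid-key" }
  | { allow: false; status: 401; body: { error: "Unauthorized" } };

// Exempt paths are matched exactly, never by prefix (assumption).
const EXEMPT_PATHS: ReadonlySet<string> = new Set(["/api/health"]);

const DENY: AuthDecision = {
  allow: false,
  status: 401,
  body: { error: "Unauthorized" },
};

// Compare without returning at the first differing character, so response
// timing does not reveal how much of a guessed key is correct.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    // charCodeAt past the end yields NaN, which bitwise operators coerce to 0.
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

function authorize(
  pathname: string,
  presentedKey: string | null, // value of the X-API-Key header, null if absent
  expectedKey: string | undefined, // value of the API_KEY environment variable
): AuthDecision {
  // "/api/healthcheck" and "/api/health/x" do not match and stay protected.
  if (EXEMPT_PATHS.has(pathname)) return { allow: true, reason: "exempt" };
  // Requirement: unset API_KEY disables auth. An empty string is treated as
  // unset here (assumption); the caller logs the startup warning.
  if (!expectedKey) return { allow: true, reason: "auth-disabled" };
  if (presentedKey === null || !constantTimeEqual(presentedKey, expectedKey)) {
    return DENY;
  }
  return { allow: true, reason: "valid-key" };
}
```

In the middleware itself, a denied decision maps to a JSON response with `status` and `body`, and the `auth-disabled` reason is the signal to emit the startup warning the requirement calls for.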