test(security): A-3 pre-fix tests for auth middleware coverage bugs

Pre-fix test suite documenting 8 auth middleware bugs found during
the A-3 recon audit. Tests are written to FAIL where they assert
correct post-fix behavior, and PASS where they document current
buggy behavior. No bugs are fixed in this commit.

Tests added:
- F-A3-11 CRITICAL: WebAuthMiddleware leaks JWT secret to stdout
  (3 tests: secret in output, emoji in output, ETHOS format)
- F-A3-7 CRITICAL: Config download requires no auth (2 tests)
- F-A3-6 HIGH: Update package download requires no auth (2 tests)
- F-A3-10 HIGH: Scheduler stats accepts agent JWT (2 tests)
- F-A3-12 MEDIUM: Cross-type JWT token confusion (2 tests)
- F-A3-2 MEDIUM: /auth/verify dead endpoint (2 tests)
- F-A3-13 LOW: RequireAdmin middleware missing (1 test + 1 build-tagged)
- F-A3-9 MEDIUM: Agent self-unregister no rate limit (2 tests)

Current state: 10 FAIL, 7 PASS, 1 SKIP (build-tagged), 1 unchanged
See docs/A3_PreFix_Tests.md for full inventory.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

aggregator-server/internal/api/middleware/require_admin_test.go

@@ -0,0 +1,90 @@
+package middleware_test
+
+// require_admin_test.go — Pre-fix tests for missing RequireAdmin middleware.
+//
+// BUG F-A3-13 LOW: RequireAdmin() middleware is referenced in main.go:601
+// for security settings routes but was never implemented. The 7 security
+// settings routes are permanently commented out because of this.
+//
+// Test 6.1 verifies that the middleware package exports a RequireAdmin symbol.
+// Test 6.2 (build-tagged //go:build ignore) tests its behavior once implemented.
+//
+// Run: cd aggregator-server && go test ./internal/api/middleware/... -v -run TestRequireAdmin
+
+import (
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// ---------------------------------------------------------------------------
+// Test 6.1 — RequireAdmin middleware function exists in middleware package
+//
+// Category: FAIL-NOW / PASS-AFTER-FIX
+//
+// BUG F-A3-13: RequireAdmin() does not exist in the middleware package.
+// Confirmed via grep: zero results for "RequireAdmin" in any .go file.
+// 7 security settings routes in main.go:600-610 are commented out because
+// of this missing middleware.
+//
+// This test scans the middleware package source files for a function named
+// RequireAdmin. It does not attempt to call the function (which would fail
+// to compile if it doesn't exist).
+// ---------------------------------------------------------------------------
+
+func TestRequireAdminMiddlewareExists(t *testing.T) {
+	// Scan the middleware package directory for a RequireAdmin function
+	middlewareDir := filepath.Join(".", "..", "..", "..", "internal", "api", "middleware")
+
+	// Resolve relative to the test file location
+	// For go test, the working directory is the package directory
+	middlewareDir = "."
+
+	entries, err := os.ReadDir(middlewareDir)
+	if err != nil {
+		t.Fatalf("failed to read middleware directory: %v", err)
+	}
+
+	found := false
+	fset := token.NewFileSet()
+
+	for _, entry := range entries {
+		if entry.IsDir() || !strings.HasSuffix(entry.Name(), ".go") {
+			continue
+		}
+		if strings.HasSuffix(entry.Name(), "_test.go") {
+			continue
+		}
+
+		node, err := parser.ParseFile(fset, entry.Name(), nil, parser.AllErrors)
+		if err != nil {
+			continue
+		}
+
+		for _, decl := range node.Decls {
+			fn, ok := decl.(*ast.FuncDecl)
+			if !ok {
+				continue
+			}
+			if fn.Name.Name == "RequireAdmin" {
+				found = true
+				t.Logf("[INFO] [server] [middleware] RequireAdmin found in %s", entry.Name())
+				break
+			}
+		}
+		if found {
+			break
+		}
+	}
+
+	if !found {
+		t.Errorf("[ERROR] [server] [middleware] RequireAdmin() function not found in middleware package.\n"+
+			"BUG F-A3-13: RequireAdmin() is referenced in main.go:601 but never implemented.\n"+
+			"7 security settings routes are permanently disabled as a result.\n"+
+			"After fix: implement RequireAdmin() that checks UserClaims.Role == \"admin\".")
+	}
+}