fix: scaffold_classify 401 — missing auth header on TarotScript /run calls #51

@stackbilt-admin

Bug

scaffold_classify returns classify-cast failed: HTTP 401 when called via MCP.

Root cause

In src/gateway.ts, the scaffold_classify handler calls TarotScript's /run endpoint via the TAROTSCRIPT service binding and only sends X-Gateway-Tenant-Id. The /run endpoint requires authentication that the gateway is not providing — either the TAROTSCRIPT_API_KEY as a Bearer token or an HMAC service binding secret.

scaffold_status works because /health and /spreads are unauthenticated. /run is not.

Fix

Add the required auth header to all TAROTSCRIPT service binding calls that hit /run:

headers: {
  'Content-Type': 'application/json',
  'Authorization': `Bearer ${env.TAROTSCRIPT_API_KEY}`,
  'X-Gateway-Tenant-Id': session.tenantId ?? '',
},

Verify TAROTSCRIPT_API_KEY is set in wrangler.toml secrets and matches the value in the TarotScript worker's API_KEY secret (see AEGIS memory: feedback_tarotscript_api_key).

Note

If scaffold_classify is migrated to @stackbilt/scaffold-core (see companion issue), this bug becomes moot for the classify path. Fix should still land regardless to unblock the TarotScript-backed classify path in the interim.
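One way to route every `/run` call through a single helper that fails closed when the key is absent and reports a rejected credential separately from other upstream errors. This is an added example, not code from the repository: `buildRunHeaders`, `callRun`, `UpstreamAuthError`, the interface shapes and the placeholder URL are assumptions; only the header names and `env.TAROTSCRIPT_API_KEY` come from the issue.

```typescript
// Added example. Hypothetical names throughout, except the three header
// names and env.TAROTSCRIPT_API_KEY, which are taken from the issue text.
interface GatewayEnv { TAROTSCRIPT_API_KEY?: string }
interface Session { tenantId?: string }
interface RunResponse { status: number; ok: boolean; json(): Promise<unknown> }
interface ServiceBinding {
  fetch(
    url: string,
    init: { method: string; headers: Record<string, string>; body: string },
  ): Promise<RunResponse>;
}

class UpstreamAuthError extends Error {}

// Build the headers for a /run call. Throws instead of sending
// "Bearer undefined" or an empty token when the secret is not bound.
function buildRunHeaders(env: GatewayEnv, session: Session): Record<string, string> {
  const key = (env.TAROTSCRIPT_API_KEY ?? '').trim();
  if (key === '') {
    throw new UpstreamAuthError('TAROTSCRIPT_API_KEY is not configured');
  }
  return {
    'Content-Type': 'application/json',
    'Authorization': `Bearer ${key}`,
    'X-Gateway-Tenant-Id': session.tenantId ?? '',
  };
}

// Single choke point for /run so no handler can omit the auth header.
async function callRun(
  binding: ServiceBinding, env: GatewayEnv, session: Session, payload: unknown,
): Promise<unknown> {
  // Placeholder host: assumed here that the binding routes on the path only.
  const res = await binding.fetch('https://tarotscript.invalid/run', {
    method: 'POST',
    headers: buildRunHeaders(env, session),
    body: JSON.stringify(payload),
  });
  if (res.status === 401) {
    // Key was sent but rejected: the two workers' secrets do not match.
    throw new UpstreamAuthError('TarotScript rejected the gateway credential (HTTP 401)');
  }
  if (!res.ok) throw new Error(`classify-cast failed: HTTP ${res.status}`);
  return res.json();
}
```

Neither error message includes the key value, so the failure can be logged or returned to the MCP caller without leaking the secret.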
