fix: add authentication to GPU detail, topology, and history endpoints #696

Open
yasinBursali wants to merge 1 commit into Light-Heart-Labs:main from yasinBursali:fix/gpu-endpoints-auth

@yasinBursali
Contributor

What

Add missing authentication to three GPU API endpoints that were accessible without credentials.

Why

GET /api/gpu/detailed, /api/gpu/topology, and /api/gpu/history had no Depends(verify_api_key) — every other non-health endpoint in dashboard-api requires auth. These endpoints expose per-GPU UUIDs, VRAM usage, topology, and utilization history.

How

  • Added Depends and verify_api_key imports to gpu.py
  • Added dependencies=[Depends(verify_api_key)] to all 3 route decorators
  • Uses decorator style matching updates.py convention

Testing

  • Python syntax: PASS
  • Manual: verify endpoints return 401 without Bearer token

Review

Critique Guardian: APPROVED (all four pillars clean)

Platform Impact

All platforms

All three GPU router endpoints were missing Depends(verify_api_key),
allowing unauthenticated access to GPU metrics, topology, and history
data. Every other non-health endpoint in the dashboard API requires
authentication via Bearer token.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Collaborator

@Lightheartdevs Lightheartdevs left a comment

Audit Review

The fix is correct — these are the only three non-health endpoints in dashboard-api without auth. They expose GPU UUIDs, per-GPU VRAM usage, temperature, power draw, service assignments, and 5-minute utilization history.

The implementation is clean: imports Depends and verify_api_key, adds dependencies=[Depends(verify_api_key)] to the three route decorators. Matches the pattern used everywhere else in the codebase.

Blocking: Frontend doesn't pass auth headers

The dashboard frontend (useGPUDetailed.js) calls these endpoints without an Authorization header:

fetch('/api/gpu/detailed')  // No auth

Merging this PR alone will break the GPU panel on the dashboard with 401s. Needs a coordinated frontend change to pass Authorization: Bearer ${DASHBOARD_API_KEY}.

Either include the frontend fix in this PR, or open a companion frontend PR to merge simultaneously.

@yasinBursali
Contributor Author

Thanks for the review! I investigated the concern about useGPUDetailed.js and wanted to clarify:

The dashboard frontend does use bare fetch() calls without explicit Authorization headers — you're right about that. However, these calls never need manual auth because nginx injects the Bearer token server-side for all /api/ requests.

In dream-server/extensions/services/dashboard/nginx.conf (lines 29–31):

location /api/ {
    ...
    proxy_set_header Authorization "Bearer ${DASHBOARD_API_KEY}";
}

The entrypoint.sh substitutes the actual key value into the nginx config at container startup (read from DASHBOARD_API_KEY env var or /data/dashboard-api-key.txt).

This is the same mechanism that serves every other authenticated endpoint in the codebase — features.py, agents.py, workflows.py, setup.py, privacy.py, and 15+ endpoints in main.py all use Depends(verify_api_key), and none of the dashboard's JS hooks set auth headers explicitly. They all rely on the nginx injection.

Adding auth to these 3 GPU endpoints closes the last remaining auth gap in dashboard-api, which also protects the directly-exposed port 3002 against unauthorized LAN access (requests that bypass the nginx proxy entirely).

No frontend changes needed — the PR is safe to merge as-is.
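
An added example, not part of this PR or the project's code: a stdlib-only static check that parses a router module and lists route handlers with no Depends(verify_api_key) in either the decorator or the function signature, the kind of gap this PR closes. The sample source, the `security` module name and the `/health` allow-list are constructed assumptions; router-level dependencies are not considered.

```python
import ast

# Constructed sample router source (not the project's gpu.py); "security" is a made-up module.
SAMPLE = '''
from fastapi import APIRouter, Depends
from security import verify_api_key
router = APIRouter()

@router.get("/health")
async def health(): ...

@router.get("/api/gpu/detailed", dependencies=[Depends(verify_api_key)])
async def gpu_detailed(): ...

@router.get("/api/gpu/topology")
async def gpu_topology(key: str = Depends(verify_api_key)): ...

@router.get("/api/gpu/history")
async def gpu_history(): ...
'''

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
ALLOW_UNAUTHENTICATED = {"/health"}  # assumption: health checks are intentionally open

def _uses_auth(node, dep_name):
    """True if a Depends(<dep_name>) call appears anywhere under this AST node."""
    return any(
        isinstance(n, ast.Call) and getattr(n.func, "id", None) == "Depends"
        and n.args and getattr(n.args[0], "id", None) == dep_name
        for n in ast.walk(node))

def unauthenticated_routes(source, dep_name="verify_api_key"):
    """Paths of route handlers with no Depends(dep_name) in decorator or signature."""
    missing = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in fn.decorator_list:
            is_route = (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                        and dec.func.attr in HTTP_METHODS and dec.args
                        and isinstance(dec.args[0], ast.Constant))
            if not is_route or dec.args[0].value in ALLOW_UNAUTHENTICATED:
                continue
            if not (_uses_auth(dec, dep_name) or _uses_auth(fn.args, dep_name)):
                missing.append(dec.args[0].value)
    return missing

if __name__ == "__main__":
    print(unauthenticated_routes(SAMPLE))
```

Run over each router file in CI, a non-empty result fails the build before an unauthenticated route ships.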
