Authentication Boundary

BatteryBee does not provide a public API authentication contract. User authentication is handled by the Next.js app through Firebase.

Current boundary

  • Internal planning and export services run behind the web app flow.
  • CORS is permissive for development.
  • Firestore rules and frontend ProtectedRoute guard project access.
  • Do not expose the backend publicly without adding token validation, request limits, and owner authorization.
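
The three controls named in the last bullet, composed into one request guard, as an added example that is not BatteryBee code (the repository defines no such contract today). `guardRequest`, `verifyToken`, `makeLimiter` and the `ownerUid` project field are hypothetical names; in a Firebase deployment `verifyToken` would wrap the Admin SDK's `verifyIdToken()`.

```javascript
// Added example: hypothetical names throughout, not the project's own code.

// Fixed-window limiter keyed by uid: at most `max` requests per `windowMs`.
function makeLimiter(max, windowMs) {
  const windows = new Map(); // uid -> { start, count }
  return function allow(uid, now = Date.now()) {
    const w = windows.get(uid);
    if (!w || now - w.start >= windowMs) {
      windows.set(uid, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= max;
  };
}

// Extract the token from "Bearer <token>"; null if absent or malformed.
function bearerToken(header) {
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(header || "");
  return m ? m[1] : null;
}

// Returns an HTTP-style decision. `verifyToken` is injected (assumption): any
// async function that resolves to { uid } for a valid token and rejects otherwise.
async function guardRequest({ authorization, project, verifyToken, allow, now }) {
  const token = bearerToken(authorization);
  if (!token) return { status: 401, reason: "missing or malformed token" };

  let claims;
  try {
    claims = await verifyToken(token); // signature, expiry, audience checks
  } catch {
    return { status: 401, reason: "token rejected" };
  }
  if (!claims || typeof claims.uid !== "string" || claims.uid === "")
    return { status: 401, reason: "token has no uid" };

  if (!allow(claims.uid, now)) return { status: 429, reason: "rate limit" };

  // Owner check uses the stored owner, never a uid taken from the request body.
  if (!project || project.ownerUid !== claims.uid)
    return { status: 403, reason: "not project owner" };

  return { status: 200, uid: claims.uid };
}
```

The limiter is keyed by the verified uid, so requests rejected before verification need a separate limit (for example per source address) in front of this guard.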

No bearer token contract

There is no stable public bearer-token or API-key contract in this repository today.