refactor(api): Use middleware to control management route availability

Previously, management API routes were conditionally registered at server startup based on the presence of the `remote-management-key`. This static approach meant a server restart was required to enable or disable these endpoints.

This commit refactors the route handling by:
1.  Introducing an `atomic.Bool` flag, `managementRoutesEnabled`, to track the state.
2.  Always registering the management routes at startup.
3.  Adding a new `managementAvailabilityMiddleware` to the management route group.

This middleware checks the `managementRoutesEnabled` flag for each request, rejecting it if management is disabled. This change provides the same initial behavior but creates a more flexible architecture that will allow for dynamically enabling or disabling management routes at runtime in the future.

internal/api/server.go

@@ -13,6 +13,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync/atomic"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -126,6 +127,9 @@ type Server struct {
 	// management handler
 	mgmt *managementHandlers.Handler
 
+	// managementRoutesEnabled controls whether management endpoints serve real handlers.
+	managementRoutesEnabled atomic.Bool
+
 	localPassword string
 
 	keepAliveEnabled   bool
@@ -203,6 +207,7 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 		s.mgmt.SetLocalPassword(optionState.localPassword)
 	}
 	s.localPassword = optionState.localPassword
+	s.managementRoutesEnabled.Store(cfg.RemoteManagement.SecretKey != "")
 
 	// Setup routes
 	s.setupRoutes()
@@ -309,10 +314,8 @@ func (s *Server) setupRoutes() {
 	})
 
 	// Management API routes (delegated to management handlers)
-	// New logic: if remote-management-key is empty, do not expose any management endpoint (404).
-	if s.cfg.RemoteManagement.SecretKey != "" {
 	mgmt := s.engine.Group("/v0/management")
-		mgmt.Use(s.mgmt.Middleware())
+	mgmt.Use(s.managementAvailabilityMiddleware(), s.mgmt.Middleware())
 	{
 		mgmt.GET("/usage", s.mgmt.GetUsageStatistics)
 		mgmt.GET("/config", s.mgmt.GetConfig)
@@ -387,6 +390,15 @@ func (s *Server) setupRoutes() {
 		mgmt.GET("/qwen-auth-url", s.mgmt.RequestQwenToken)
 		mgmt.GET("/get-auth-status", s.mgmt.GetAuthStatus)
 	}
+}
+
+func (s *Server) managementAvailabilityMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if !s.managementRoutesEnabled.Load() {
+			c.AbortWithStatus(http.StatusNotFound)
+			return
+		}
+		c.Next()
 	}
 }
 
@@ -641,6 +653,22 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 		}
 	}
 
+	prevSecretEmpty := true
+	if oldCfg != nil {
+		prevSecretEmpty = oldCfg.RemoteManagement.SecretKey == ""
+	}
+	newSecretEmpty := cfg.RemoteManagement.SecretKey == ""
+	switch {
+	case prevSecretEmpty && !newSecretEmpty:
+		if s.managementRoutesEnabled.CompareAndSwap(false, true) {
+			log.Info("management routes enabled after secret key update")
+		}
+	case !prevSecretEmpty && newSecretEmpty:
+		if s.managementRoutesEnabled.CompareAndSwap(true, false) {
+			log.Info("management routes disabled after secret key removal")
+		}
+	}
+
 	s.applyAccessConfig(oldCfg, cfg)
 	s.cfg = cfg
 	s.handlers.UpdateClients(&cfg.SDKConfig)

internal/watcher/watcher.go

@@ -532,6 +532,9 @@ func (w *Watcher) reloadConfig() bool {
 		if oldConfig.RemoteManagement.AllowRemote != newConfig.RemoteManagement.AllowRemote {
 			log.Debugf("  remote-management.allow-remote: %t -> %t", oldConfig.RemoteManagement.AllowRemote, newConfig.RemoteManagement.AllowRemote)
 		}
+		if oldConfig.RemoteManagement.SecretKey != newConfig.RemoteManagement.SecretKey {
+			log.Debug("  remote-management.secret-key: updated (value hidden)")
+		}
 		if oldConfig.RemoteManagement.DisableControlPanel != newConfig.RemoteManagement.DisableControlPanel {
 			log.Debugf("  remote-management.disable-control-panel: %t -> %t", oldConfig.RemoteManagement.DisableControlPanel, newConfig.RemoteManagement.DisableControlPanel)
 		}