merge batch 7: TODO marker for /my/* auth model divergence (ssoRequired vs serviceTokenAuth)

src/server/src/app/server.ts

@@ -100,6 +100,11 @@ export async function createApp() {
       return deviceTokenAuth(config.SERVICE_TOKEN)(c, next);
     })
     .route('/client', clientSurface)
+    // TODO(merge-conflict): plum gates /my/* with `ssoRequired(SSO_VALIDATE_URL, SERVICE_TOKEN)`
+    // (cookie/SSO session against an external validator); apricot gates it with
+    // `serviceTokenAuth(SERVICE_TOKEN)` (single shared bearer token). These are
+    // production auth models for the dashboard — pick one before deploy.
+    // Currently using apricot's simpler service-token mode.
     .use('/my/*', corsMiddleware('same-origin'))
     .use('/my/*', rateLimitMiddleware('my'))
     .use('/my/*', serviceTokenAuth(config.SERVICE_TOKEN))