medkit-gateway-axum: auth-light Authenticator seam + permissive client_credentials token endpoints (enforcement none) #86

@patdhlk

Description

Problem

A drop-in client authenticates via OAuth2 client_credentials → JWT Bearer before it reads any diagnostics. If the /auth/* token endpoints don't exist, the client's login fails and never reaches the surface it's compatible with. But full JWT validation + RBAC (viewer/operator/configurator/admin, enforcement modes none/write/all) is out of scope for v1 — the deployment posture is network-layer auth (NetBird/mTLS), gateway auth-light.

Proposal

Ship an auth-light v1 that preserves the client login flow behind a seam:

  • An Authenticator trait seam in the gateway so real JWT validation can drop in later without reworking handlers.
  • The /api/v1/auth/* token endpoint(s) (exact path pinned from the contract/ capture in medkit, #79: "capture ros2_medkit REST contract from the C++ Docker demo into a versioned contract/ corpus") accept client_credentials and issue a valid-shaped JWT (access_token, token_type: "Bearer", expires_in, scope), but validation is permissive (dev mode — any credentials succeed).
  • Resource routes run enforcement = none: a Bearer token is accepted and not verified. The default Authenticator is the permissive one; the seam allows a strict impl later.

Acceptance

  • POST to the captured /api/v1/auth/* token path returns a contract-shaped token response; a client can complete client_credentials login.
  • Resource endpoints accept requests with or without a Bearer token (enforcement none) and never reject on auth in v1.
  • Auth flows through an Authenticator trait seam; the permissive impl is the default and a strict impl can be substituted without touching handlers.
  • An integration test runs the full client shape: login → obtain token → call a read-core endpoint with the token → 200. REQ_0900/TEST_0900 linked.
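As an added example (not medkit-gateway-axum code; Authenticator, Permissive, Strict, Enforcement, gate and bearer_token are assumed names), a std-only sketch of the seam described above: handlers see only the trait, the permissive v1 impl never rejects, and a stand-in strict impl can be substituted without touching them.

```rust
/// Enforcement modes named in the proposal: which requests must present a valid token.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Enforcement { None, Write, All }
#[derive(Debug, PartialEq, Eq)]
pub enum AuthError { MissingToken, InvalidToken }

/// The seam: route layers depend only on this trait, so the permissive v1 impl
/// can later be swapped for a strict JWT validator without reworking handlers.
pub trait Authenticator: Send + Sync {
    fn enforcement(&self) -> Enforcement;
    /// Ok(()) if `bearer` (the token after "Bearer ") is acceptable to this impl.
    fn verify(&self, bearer: Option<&str>) -> Result<(), AuthError>;
}

/// v1 default (enforcement none): a Bearer token is accepted and never verified.
pub struct Permissive;
impl Authenticator for Permissive {
    fn enforcement(&self) -> Enforcement { Enforcement::None }
    fn verify(&self, _bearer: Option<&str>) -> Result<(), AuthError> { Ok(()) }
}

/// Stand-in strict impl (assumed): accepts exactly one constructed token.
/// A real impl would check the JWT signature, expiry and scope here instead.
pub struct Strict { pub enforcement: Enforcement, pub known_token: String }
impl Authenticator for Strict {
    fn enforcement(&self) -> Enforcement { self.enforcement }
    fn verify(&self, bearer: Option<&str>) -> Result<(), AuthError> {
        match bearer {
            None => Err(AuthError::MissingToken),
            Some(t) if t == self.known_token.as_str() => Ok(()),
            Some(_) => Err(AuthError::InvalidToken),
        }
    }
}

/// Pull the token out of an `Authorization: Bearer <token>` header value.
pub fn bearer_token(header: Option<&str>) -> Option<&str> {
    header?.strip_prefix("Bearer ").filter(|t| !t.is_empty())
}

/// Shared gate a route layer calls before a handler. Returns the HTTP status to
/// emit: 200 passes through; 401 follows RFC 6750 for a missing or invalid token.
pub fn gate(auth: &dyn Authenticator, bearer: Option<&str>, is_write: bool) -> u16 {
    let must_check = match auth.enforcement() {
        Enforcement::None => false, // v1: never reject on auth
        Enforcement::Write => is_write,
        Enforcement::All => true,
    };
    if !must_check { return 200; }
    match auth.verify(bearer) { Ok(()) => 200, Err(_) => 401 }
}
```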

Labels: enhancement (New feature or request)