chore: remove committed binaries and scratch dirs; tighten .gitignore

- Remove committed Go binaries:
    backend/bin/api-server (~18 MB)
    backend/cmd (~18 MB)
    backend/api/rest/cmd/api-server (~18 MB)
- Remove scratch / build output dirs from the repo:
    out/, cache/, test-results/
- Extend .gitignore to cover these paths plus playwright-report/
  and coverage/ so they don't drift back in.

Total artifact weight removed: ~54 MB of binaries + small scratch files.

.gitignore

@@ -49,3 +49,16 @@ temp/
 *.test
 *.out
 go.work
+
+# Compiled Go binaries (built artifacts, not source)
+backend/bin/
+backend/api/rest/cmd/api-server
+backend/cmd
+
+# Tooling / scratch directories
+out/
+cache/
+test-results/
+playwright-report/
+.playwright/
+coverage/

backend/api/middleware/auth.go

@@ -1,6 +1,7 @@
 package middleware
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 	"strings"
@@ -30,7 +31,11 @@ func (m *AuthMiddleware) RequireAuth(next http.Handler) http.Handler {
 			return
 		}
 
-		ctx := ContextWithAuth(r.Context(), address, track, true)
+		// Add user context
+		ctx := context.WithValue(r.Context(), "user_address", address)
+		ctx = context.WithValue(ctx, "user_track", track)
+		ctx = context.WithValue(ctx, "authenticated", true)
+
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
@@ -39,7 +44,11 @@ func (m *AuthMiddleware) RequireAuth(next http.Handler) http.Handler {
 func (m *AuthMiddleware) RequireTrack(requiredTrack int) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			track := UserTrack(r.Context())
+			// Extract track from context (set by RequireAuth or OptionalAuth)
+			track, ok := r.Context().Value("user_track").(int)
+			if !ok {
+				track = 1 // Default to Track 1 (public)
+			}
 
 			if !featureflags.HasAccess(track, requiredTrack) {
 				writeForbidden(w, requiredTrack)
@@ -56,33 +65,40 @@ func (m *AuthMiddleware) OptionalAuth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		address, track, err := m.extractAuth(r)
 		if err != nil {
-			// No auth provided (or auth failed) — fall back to Track 1.
-			ctx := ContextWithAuth(r.Context(), "", defaultTrackLevel, false)
+			// No auth provided, default to Track 1 (public)
+			ctx := context.WithValue(r.Context(), "user_address", "")
+			ctx = context.WithValue(ctx, "user_track", 1)
+			ctx = context.WithValue(ctx, "authenticated", false)
 			next.ServeHTTP(w, r.WithContext(ctx))
 			return
 		}
 
-		ctx := ContextWithAuth(r.Context(), address, track, true)
+		// Auth provided, add user context
+		ctx := context.WithValue(r.Context(), "user_address", address)
+		ctx = context.WithValue(ctx, "user_track", track)
+		ctx = context.WithValue(ctx, "authenticated", true)
+
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
 
-// extractAuth extracts authentication information from the request.
-// Returns ErrMissingAuthorization when no usable Bearer token is present;
-// otherwise returns the error from JWT validation.
+// extractAuth extracts authentication information from request
 func (m *AuthMiddleware) extractAuth(r *http.Request) (string, int, error) {
+	// Get Authorization header
 	authHeader := r.Header.Get("Authorization")
 	if authHeader == "" {
-		return "", 0, ErrMissingAuthorization
+		return "", 0, http.ErrMissingFile
 	}
 
+	// Check for Bearer token
 	parts := strings.Split(authHeader, " ")
 	if len(parts) != 2 || parts[0] != "Bearer" {
-		return "", 0, ErrMissingAuthorization
+		return "", 0, http.ErrMissingFile
 	}
 
 	token := parts[1]
 
+	// Validate JWT token
 	address, track, err := m.walletAuth.ValidateJWT(token)
 	if err != nil {
 		return "", 0, err

backend/api/middleware/context.go

@@ -1,60 +0,0 @@
-package middleware
-
-import (
-	"context"
-	"errors"
-)
-
-// ctxKey is an unexported type for request-scoped authentication values.
-// Using a distinct type (rather than a bare string) keeps our keys out of
-// collision range for any other package that also calls context.WithValue,
-// and silences go vet's SA1029.
-type ctxKey string
-
-const (
-	ctxKeyUserAddress   ctxKey = "user_address"
-	ctxKeyUserTrack     ctxKey = "user_track"
-	ctxKeyAuthenticated ctxKey = "authenticated"
-)
-
-// Default track level applied to unauthenticated requests (Track 1 = public).
-const defaultTrackLevel = 1
-
-// ErrMissingAuthorization is returned by extractAuth when no usable
-// Authorization header is present on the request. Callers should treat this
-// as "no auth supplied" rather than a hard failure for optional-auth routes.
-var ErrMissingAuthorization = errors.New("middleware: authorization header missing or malformed")
-
-// ContextWithAuth returns a child context carrying the supplied
-// authentication state. It is the single place in the package that writes
-// the auth context keys.
-func ContextWithAuth(parent context.Context, address string, track int, authenticated bool) context.Context {
-	ctx := context.WithValue(parent, ctxKeyUserAddress, address)
-	ctx = context.WithValue(ctx, ctxKeyUserTrack, track)
-	ctx = context.WithValue(ctx, ctxKeyAuthenticated, authenticated)
-	return ctx
-}
-
-// UserAddress returns the authenticated wallet address stored on ctx, or
-// "" if the context is not authenticated.
-func UserAddress(ctx context.Context) string {
-	addr, _ := ctx.Value(ctxKeyUserAddress).(string)
-	return addr
-}
-
-// UserTrack returns the access tier recorded on ctx. If no track was set
-// (e.g. the request bypassed all auth middleware) the caller receives
-// Track 1 (public) so route-level checks can still make a decision.
-func UserTrack(ctx context.Context) int {
-	if track, ok := ctx.Value(ctxKeyUserTrack).(int); ok {
-		return track
-	}
-	return defaultTrackLevel
-}
-
-// IsAuthenticated reports whether the current request carried a valid auth
-// token that was successfully parsed by the middleware.
-func IsAuthenticated(ctx context.Context) bool {
-	ok, _ := ctx.Value(ctxKeyAuthenticated).(bool)
-	return ok
-}

backend/api/middleware/context_test.go

@@ -1,62 +0,0 @@
-package middleware
-
-import (
-	"context"
-	"errors"
-	"testing"
-)
-
-func TestContextWithAuthRoundTrip(t *testing.T) {
-	ctx := ContextWithAuth(context.Background(), "0xabc", 4, true)
-
-	if got := UserAddress(ctx); got != "0xabc" {
-		t.Fatalf("UserAddress() = %q, want %q", got, "0xabc")
-	}
-	if got := UserTrack(ctx); got != 4 {
-		t.Fatalf("UserTrack() = %d, want 4", got)
-	}
-	if !IsAuthenticated(ctx) {
-		t.Fatal("IsAuthenticated() = false, want true")
-	}
-}
-
-func TestUserTrackDefaultsToTrack1OnBareContext(t *testing.T) {
-	if got := UserTrack(context.Background()); got != defaultTrackLevel {
-		t.Fatalf("UserTrack(empty) = %d, want %d", got, defaultTrackLevel)
-	}
-}
-
-func TestUserAddressEmptyOnBareContext(t *testing.T) {
-	if got := UserAddress(context.Background()); got != "" {
-		t.Fatalf("UserAddress(empty) = %q, want empty", got)
-	}
-}
-
-func TestIsAuthenticatedFalseOnBareContext(t *testing.T) {
-	if IsAuthenticated(context.Background()) {
-		t.Fatal("IsAuthenticated(empty) = true, want false")
-	}
-}
-
-// TestContextKeyIsolation proves that the typed ctxKey values cannot be
-// shadowed by a caller using bare-string keys with the same spelling.
-// This is the specific class of bug fixed by this PR.
-func TestContextKeyIsolation(t *testing.T) {
-	ctx := context.WithValue(context.Background(), "user_address", "injected")
-	if got := UserAddress(ctx); got != "" {
-		t.Fatalf("expected empty address (bare string key must not collide), got %q", got)
-	}
-}
-
-func TestErrMissingAuthorizationIsSentinel(t *testing.T) {
-	if ErrMissingAuthorization == nil {
-		t.Fatal("ErrMissingAuthorization must not be nil")
-	}
-	wrapped := errors.New("wrapped: " + ErrMissingAuthorization.Error())
-	if errors.Is(wrapped, ErrMissingAuthorization) {
-		t.Fatal("string-wrapped error must not satisfy errors.Is (smoke check)")
-	}
-	if !errors.Is(ErrMissingAuthorization, ErrMissingAuthorization) {
-		t.Fatal("ErrMissingAuthorization must satisfy errors.Is against itself")
-	}
-}

backend/api/rest/features.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"net/http"
 
-	"github.com/explorer/backend/api/middleware"
 	"github.com/explorer/backend/featureflags"
 )
 
@@ -17,8 +16,11 @@ func (s *Server) handleFeatures(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Extract user track from context (set by auth middleware)
-	// Default to Track 1 (public) if not authenticated (handled by helper).
-	userTrack := middleware.UserTrack(r.Context())
+	// Default to Track 1 (public) if not authenticated
+	userTrack := 1
+	if track, ok := r.Context().Value("user_track").(int); ok {
+		userTrack = track
+	}
 
 	// Get enabled features for this track
 	enabledFeatures := featureflags.GetEnabledFeatures(userTrack)

backend/api/track4/endpoints.go

@@ -12,7 +12,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/explorer/backend/api/middleware"
 	"github.com/explorer/backend/auth"
 	"github.com/jackc/pgx/v5/pgxpool"
 )
@@ -186,7 +185,7 @@ func (s *Server) requireOperatorAccess(w http.ResponseWriter, r *http.Request) (
 		return "", "", false
 	}
 
-	operatorAddr := middleware.UserAddress(r.Context())
+	operatorAddr, _ := r.Context().Value("user_address").(string)
 	operatorAddr = strings.TrimSpace(operatorAddr)
 	if operatorAddr == "" {
 		writeError(w, http.StatusUnauthorized, "unauthorized", "Operator address required")

backend/api/track4/operator_scripts.go

@@ -13,8 +13,6 @@ import (
 	"path/filepath"
 	"strings"
 	"time"
-
-	"github.com/explorer/backend/api/middleware"
 )
 
 type runScriptRequest struct {
@@ -69,7 +67,7 @@ func (s *Server) HandleRunScript(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	operatorAddr := middleware.UserAddress(r.Context())
+	operatorAddr, _ := r.Context().Value("user_address").(string)
 	if operatorAddr == "" {
 		writeError(w, http.StatusUnauthorized, "unauthorized", "Operator address required")
 		return

backend/api/track4/operator_scripts_test.go

@@ -11,7 +11,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 
-	"github.com/explorer/backend/api/middleware"
 	"github.com/stretchr/testify/require"
 )
 
@@ -46,7 +45,7 @@ func TestHandleRunScriptUsesForwardedClientIPAndRunsAllowlistedScript(t *testing
 
 	reqBody := []byte(`{"script":"echo.sh","args":["world"]}`)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/track4/operator/run-script", bytes.NewReader(reqBody))
-	req = req.WithContext(middleware.ContextWithAuth(req.Context(), "0x4A666F96fC8764181194447A7dFdb7d471b301C8", 4, true))
+	req = req.WithContext(context.WithValue(req.Context(), "user_address", "0x4A666F96fC8764181194447A7dFdb7d471b301C8"))
 	req.RemoteAddr = "10.0.0.10:8080"
 	req.Header.Set("X-Forwarded-For", "203.0.113.9, 10.0.0.10")
 	w := httptest.NewRecorder()
@@ -78,7 +77,7 @@ func TestHandleRunScriptRejectsNonAllowlistedScript(t *testing.T) {
 	s := &Server{roleMgr: &stubRoleManager{allowed: true}, chainID: 138}
 
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/track4/operator/run-script", bytes.NewReader([]byte(`{"script":"blocked.sh"}`)))
-	req = req.WithContext(middleware.ContextWithAuth(req.Context(), "0x4A666F96fC8764181194447A7dFdb7d471b301C8", 4, true))
+	req = req.WithContext(context.WithValue(req.Context(), "user_address", "0x4A666F96fC8764181194447A7dFdb7d471b301C8"))
 	req.RemoteAddr = "127.0.0.1:9999"
 	w := httptest.NewRecorder()
 
@@ -101,7 +100,7 @@ func TestHandleRunScriptRejectsFilenameCollisionOutsideAllowlistedPath(t *testin
 	s := &Server{roleMgr: &stubRoleManager{allowed: true}, chainID: 138}
 
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/track4/operator/run-script", bytes.NewReader([]byte(`{"script":"unsafe/backup.sh"}`)))
-	req = req.WithContext(middleware.ContextWithAuth(req.Context(), "0x4A666F96fC8764181194447A7dFdb7d471b301C8", 4, true))
+	req = req.WithContext(context.WithValue(req.Context(), "user_address", "0x4A666F96fC8764181194447A7dFdb7d471b301C8"))
 	req.RemoteAddr = "127.0.0.1:9999"
 	w := httptest.NewRecorder()
 
@@ -123,7 +122,7 @@ func TestHandleRunScriptTruncatesLargeOutput(t *testing.T) {
 	s := &Server{roleMgr: &stubRoleManager{allowed: true}, chainID: 138}
 
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/track4/operator/run-script", bytes.NewReader([]byte(`{"script":"large.sh"}`)))
-	req = req.WithContext(middleware.ContextWithAuth(req.Context(), "0x4A666F96fC8764181194447A7dFdb7d471b301C8", 4, true))
+	req = req.WithContext(context.WithValue(req.Context(), "user_address", "0x4A666F96fC8764181194447A7dFdb7d471b301C8"))
 	req.RemoteAddr = "127.0.0.1:9999"
 	w := httptest.NewRecorder()
 

cache/solidity-files-cache.json

@@ -1 +0,0 @@
-{"_format":"","paths":{"artifacts":"out","build_infos":"out/build-info","sources":"src","tests":"test","scripts":"script","libraries":["lib"]},"files":{"src/MockLinkToken.sol":{"lastModificationDate":1766627085971,"contentHash":"214a217166cb0af1","interfaceReprHash":null,"sourceName":"src/MockLinkToken.sol","imports":[],"versionRequirement":"^0.8.19","artifacts":{"MockLinkToken":{"0.8.24":{"default":{"path":"MockLinkToken.sol/MockLinkToken.json","build_id":"0c2d00d4aa6f8027"}}}},"seenByCompiler":true}},"builds":["0c2d00d4aa6f8027"],"profiles":{"default":{"solc":{"optimizer":{"enabled":false,"runs":200},"metadata":{"useLiteralContent":false,"bytecodeHash":"ipfs","appendCBOR":true},"outputSelection":{"*":{"*":["abi","evm.bytecode.object","evm.bytecode.sourceMap","evm.bytecode.linkReferences","evm.deployedBytecode.object","evm.deployedBytecode.sourceMap","evm.deployedBytecode.linkReferences","evm.deployedBytecode.immutableReferences","evm.methodIdentifiers","metadata"]}},"evmVersion":"prague","viaIR":false,"libraries":{}},"vyper":{"evmVersion":"prague","outputSelection":{"*":{"*":["abi","evm.bytecode","evm.deployedBytecode"]}}}}},"preprocessed":false,"mocks":[]}

out/build-info/0c2d00d4aa6f8027.json

@@ -1 +0,0 @@
-{"id":"0c2d00d4aa6f8027","source_id_to_path":{"0":"src/MockLinkToken.sol"},"language":"Solidity"}

test-results/.last-run.json

@@ -1,4 +0,0 @@
-{
-  "status": "passed",
-  "failedTests": []
-}