fix(proxy): use project default account instead of hash-based selection (#157)

* fix(proxy): use project default account instead of hash-based selection

Changes account selection logic to follow proper priority:
1. MSL-Account header (if provided)
2. Project's default_account_id from database
3. Error if no default account configured

Removed hash-based deterministic account selection as it was not the
intended behavior. Projects should explicitly configure their default
account via the dashboard.

**Changes:**
- Modified getProjectCredentials() to return only the project's default account
- Simplified AuthenticationService.authenticate() to remove hash logic
- Removed unused rankCredentials() method and crypto import
- Updated tests to match new behavior
- Updated documentation (ADR-024, API reference, configuration guide, README)

**Breaking Change:**
Projects that relied on hash-based account selection will now need
to have a default account configured. Use the dashboard to set the
default account for each project.

Refs: #157

* test(proxy): fix Slack configuration test for new account selection logic

Author: crystalin

IMPORTANT_FILES.yaml

@@ -340,13 +340,13 @@ See the [Documentation](docs/README.md) for complete configuration options.
    ```bash
    curl -X POST http://localhost:3000/v1/messages \
      -H "MSL-Project-Id: project-alpha" \
-     -H "MSL-Account: account-primary" \
+     -H "MSL-Account: acc_abc123xyz" \
      -H "Authorization: Bearer cnp_live_team_alpha" \
      -H "Content-Type: application/json" \
      -d '{"model":"claude-3-opus-20240229","messages":[{"role":"user","content":"Hello"}]}'
    ```
 
-If `MSL-Account` is omitted, the proxy deterministically maps each project to an available account (hash-based), falling back to others only if the primary account is unavailable.
+If `MSL-Account` is omitted, the proxy uses the project's configured default account. Each project must have a default account set via the dashboard.
 
 ## Usage
 

README.md

@@ -76,7 +76,7 @@ Proxy access tokens live under `credentials/project-client-keys/<project-id>.cli
 ```
 
 - `MSL-Project-Id` header selects the project and unlocks analytics.
-- `MSL-Account` chooses the account credential file; when omitted, the proxy deterministically maps the project to an account using a stable hash.
+- `MSL-Account` chooses the account credential by account ID; when omitted, the proxy uses the project's configured default account.
 
 ## Database Configuration
 

docs/01-Getting-Started/configuration.md

@@ -26,9 +26,15 @@ Use the `MSL-Project-Id` header to associate requests with a project/train, and
 
 ```bash
 MSL-Project-Id: project-alpha
-MSL-Account: account-primary  # optional
+MSL-Account: acc_abc123xyz  # optional - account ID to override project default
 ```
 
+**Account Selection Priority:**
+
+1. If `MSL-Account` header is present, use the specified account ID
+2. Otherwise, use the project's configured default account
+3. If no default account is configured, return an error
+
 ## Endpoints
 
 ### Messages API

docs/02-User-Guide/api-reference.md

@@ -23,9 +23,8 @@ credentials** are used to fulfil it (account).
 
 1. **Explicit Headers**
    - `MSL-Project-Id` remains mandatory for analytics but now defaults to `DEFAULT_PROJECT_ID` when absent.
-   - `MSL-Account` selects the Anthropic account credential file. When omitted the proxy chooses a
-     deterministic account based on the project identifier, falling back to other accounts only when the
-     preferred one fails to load.
+   - `MSL-Account` selects the Anthropic account credential by account ID. When omitted, the proxy uses the
+     project's configured default account. If no default account is configured, an error is returned.
    - Neither header is forwarded to Anthropic; only configured custom headers (e.g. via
      `ANTHROPIC_CUSTOM_HEADERS`) are propagated.
 
@@ -45,11 +44,11 @@ credentials** are used to fulfil it (account).
 ### Positive
 
 - Clear separation between projects (analytics) and accounts (credentials).
-- Simpler operational model: new projects require only a header; new accounts require only a credential
-  file.
+- Simpler operational model: new projects require only a header and default account configuration; new
+  accounts require only a credential entry in the database.
 - Eliminates wildcard precedence edge cases and large path traversal surface area.
-- Deterministic hashing provides consistent per-project account selection while still distributing load
-  across multiple keys.
+- Project default accounts provide consistent account selection per project while allowing override via
+  `MSL-Account` header.
 
 ### Negative
 

docs/04-Architecture/ADRs/adr-024-train-id-header-routing.md

@@ -225,15 +225,21 @@ export async function setProjectDefaultAccount(
 }
 
 /**
- * Get all credentials available to a project (all credentials)
+ * Get the default credential for a project
+ * Returns only the project's default_account_id credential
  */
 export async function getProjectCredentials(
   pool: Pool,
-  _projectId: string
+  projectId: string
 ): Promise<AnthropicCredential[]> {
-  // All projects have access to all credentials
   const result = await pool.query<AnthropicCredential>(
-    `SELECT * FROM anthropic_credentials ORDER BY account_name ASC`
+    `
+    SELECT ac.*
+    FROM projects p
+    JOIN anthropic_credentials ac ON p.default_account_id = ac.id
+    WHERE p.project_id = $1
+    `,
+    [projectId]
   )
 
   return result.rows