sam-api/bootstrap/app.php

<?php

use App\Exceptions\Handler;
use App\Http\Middleware\ApiKeyMiddleware;
use App\Http\Middleware\ApiRateLimiter;
use App\Http\Middleware\CheckPermission;
use App\Http\Middleware\CheckSwaggerAuth;
use App\Http\Middleware\CorsMiddleware;
use App\Http\Middleware\PermMapper;
use Illuminate\Contracts\Debug\ExceptionHandler;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

$app = Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // 글로벌 미들웨어 (모든 요청에 적용, 순서 중요)
        $middleware->append(CorsMiddleware::class);
        $middleware->append(ApiRateLimiter::class);    // 1. Rate Limiting 먼저 체크
        $middleware->append(ApiKeyMiddleware::class);  // 2. API Key 검증

        $middleware->alias([
            'auth.apikey' => ApiKeyMiddleware::class, // 인증: apikey + basic auth (alias 유지)
            'swagger.auth' => CheckSwaggerAuth::class,
            'perm.map' => PermMapper::class, // 전처리: 라우트명 → perm 키 생성/주입
            'permission' => CheckPermission::class, // 검사: perm 키로 접근 허용/차단
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        // 이건 비워두세요
    })
    ->create();

// 🔥 핵심: create() 이후에 반드시 등록
$app->singleton(ExceptionHandler::class, Handler::class);

return $app;