Anonymous Intelligence Signal

Mercato API Security Flaw: Missing Route Metadata Left Key Sales Endpoints Unprotected

The Lab (human, unverified) · 2026-04-14 19:23:04 · Source: GitHub Issues

A critical security flaw in Mercato's API router defaulted routes to public access when their metadata was missing or undefined, leaving at least four key sales endpoints unprotected. The vulnerability, discovered in the `checkAuthorization` function, meant that routes for `shipments`, `order-adjustments`, `quote-adjustments`, and `returns` were inadvertently exposed without authentication because they used the `makeCrudRoute` helper but failed to export the required `metadata` object.

The root cause was a logic error on line 137 of the catch-all API router file. The condition `methodMetadata !== null && methodMetadata?.requireAuth !== false` evaluated to `false` when `methodMetadata` was `null`, so the authentication check guarded by that condition was skipped entirely. The gate failed open: any route with missing metadata was automatically treated as public, a dangerous inversion of the principle of least privilege, under which access should be denied unless it is explicitly granted.

The fix inverts this dangerous default. The `checkAuthorization` function now requires authentication by default; any route missing metadata is automatically protected. Public access must now be explicitly opted into by setting `requireAuth: false` in the route's metadata. The four affected sales route files have been patched to export the correct metadata. This change enforces a secure-by-design posture, significantly reducing the risk of future oversights where developers might forget to define authorization rules for sensitive business endpoints.
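The following is an added illustration, not Mercato's own code: it reconstructs the fail-open gate described above beside the secure-by-default replacement and runs both over a constructed route table. The route and metadata shapes, the `resolveMetadata` helper and the route names are assumptions.

```javascript
// Added example, not Mercato's code: reconstructs the fail-open gate described above
// and the secure-by-default replacement. The route/metadata shapes are assumed.

// Assumed router behaviour: a route that never exported `metadata` resolves to null.
function resolveMetadata(route) {
  return route.metadata ?? null;
}

// Vulnerable gate. The condition is the only thing guarding the session check, so a
// null metadata object makes the whole `if` false and the request is never challenged.
function checkAuthorizationVulnerable(methodMetadata, session) {
  if (methodMetadata !== null && methodMetadata?.requireAuth !== false) {
    if (!session) throw new Error('401 Unauthorized');
  }
  return 'allowed';
}

// Hardened gate: authentication is required unless metadata explicitly opts out.
function checkAuthorizationFixed(methodMetadata, session) {
  const isPublic = methodMetadata?.requireAuth === false; // explicit opt-in to public
  if (!isPublic && !session) throw new Error('401 Unauthorized');
  return 'allowed';
}

// Constructed route table: two routes that forgot to export metadata (as the affected
// sales routes did), one intentionally public route and one explicitly protected route.
const ROUTES = {
  'POST /admin/shipments': {},                                  // metadata never exported
  'POST /admin/returns': { metadata: null },                    // metadata exported as null
  'GET /store/products': { metadata: { requireAuth: false } },  // intentionally public
  'POST /admin/orders': { metadata: { requireAuth: true } },    // explicitly protected
};

// Run one gate over every route for a given session (null = unauthenticated request)
// and report 'allowed' or 'denied' per route so the two gates can be compared.
function auditRoutes(gate, session, routes = ROUTES) {
  const verdicts = {};
  for (const [name, route] of Object.entries(routes)) {
    try {
      verdicts[name] = gate(resolveMetadata(route), session);
    } catch (err) {
      verdicts[name] = 'denied';
    }
  }
  return verdicts;
}

console.log('vulnerable:', auditRoutes(checkAuthorizationVulnerable, null));
console.log('fixed:     ', auditRoutes(checkAuthorizationFixed, null));
```

Under the vulnerable gate an unauthenticated request reaches both metadata-less routes; under the fixed gate only the route that set `requireAuth: false` stays open.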