fix(security): add workspace token auth to CLI auth endpoints

Fixes bd-critical-016: Workspace Daemon Auth - Unauthenticated Endpoints

The workspace daemon's CLI auth endpoints were exposed without
authentication. In cloud mode, attackers could potentially:
- Submit malicious codes to active auth sessions
- Enumerate active sessions
- DoS the PTY processes
- Hijack OAuth flows mid-completion

Changes:
- Add validateWorkspaceToken middleware to dashboard-server
- Apply middleware to all /auth/cli/* endpoints
- Skip auth in local mode (no WORKSPACE_TOKEN set)
- Update cloud server onboarding.ts to send Authorization header
- Add generateWorkspaceToken() helper matching provisioner logic
- Store workspaceId in session for subsequent requests

The workspace token is an HMAC-SHA256 hash of the workspace ID,
signed with the session secret. This matches the token generation
in the provisioner.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: Agent Relay

.trajectories/active/traj_7ludwvz45veh.json

@@ -191,6 +191,18 @@
             "reasoning": "Hamburger menu visibility, logs button always visible on mobile, responsive padding throughout"
           },
           "significance": "high"
+        },
+        {
+          "ts": 1767636873294,
+          "type": "decision",
+          "content": "Starting work on bd-critical-016: Workspace Daemon Auth security fix: Starting work on bd-critical-016: Workspace Daemon Auth security fix",
+          "raw": {
+            "question": "Starting work on bd-critical-016: Workspace Daemon Auth security fix",
+            "chosen": "Starting work on bd-critical-016: Workspace Daemon Auth security fix",
+            "alternatives": [],
+            "reasoning": ""
+          },
+          "significance": "high"
         }
       ]
     }

.trajectories/index.json

@@ -1,6 +1,6 @@
 {
   "version": 1,
-  "lastUpdated": "2026-01-05T17:59:19.223Z",
+  "lastUpdated": "2026-01-05T18:14:33.532Z",
   "trajectories": {
     "traj_ozd98si6a7ns": {
       "title": "Fix thinking indicator showing on all messages",

src/cloud/api/onboarding.ts

@@ -16,6 +16,7 @@ import * as crypto from 'crypto';
 import { requireAuth } from './auth.js';
 import { db } from '../db/index.js';
 import { vault } from '../vault/index.js';
+import { getConfig } from '../config.js';
 
 // Import for local use
 import {
@@ -51,6 +52,25 @@ export {
 
 export const onboardingRouter = Router();
 
+/**
+ * Generate workspace token for authenticating requests to workspace daemon.
+ * Must match the token generation in provisioner/index.ts
+ */
+function generateWorkspaceToken(workspaceId: string): string {
+  const config = getConfig();
+  return crypto
+    .createHmac('sha256', config.sessionSecret)
+    .update(`workspace:${workspaceId}`)
+    .digest('hex');
+}
+
+/**
+ * Get Authorization header for workspace daemon requests
+ */
+function getWorkspaceAuthHeader(workspaceId: string): string {
+  return `Bearer ${generateWorkspaceToken(workspaceId)}`;
+}
+
 // Debug: log all requests to this router
 onboardingRouter.use((req, res, next) => {
   console.log(`[onboarding] ${req.method} ${req.path} - body:`, JSON.stringify(req.body));
@@ -80,6 +100,7 @@ interface CLIAuthSession {
   // Workspace delegation fields (set when auth runs in workspace daemon)
   workspaceUrl?: string;
   workspaceSessionId?: string;
+  workspaceId?: string; // For generating auth token
 }
 
 const activeSessions = new Map<string, CLIAuthSession>();
@@ -185,7 +206,10 @@ onboardingRouter.post('/cli/:provider/start', async (req: Request, res: Response
 
     const authResponse = await fetch(targetUrl, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': getWorkspaceAuthHeader(workspace.id),
+      },
       body: JSON.stringify({ useDeviceFlow }),
     });
 
@@ -217,6 +241,7 @@ onboardingRouter.post('/cli/:provider/start', async (req: Request, res: Response
       // Store workspace info for status polling and auth code forwarding
       workspaceUrl,
       workspaceSessionId: workspaceSession.sessionId,
+      workspaceId: workspace.id,
     };
 
     activeSessions.set(sessionId, session);
@@ -253,10 +278,13 @@ onboardingRouter.get('/cli/:provider/status/:sessionId', async (req: Request, re
   }
 
   // If we have workspace info, poll the workspace for status
-  if (session.workspaceUrl && session.workspaceSessionId) {
+  if (session.workspaceUrl && session.workspaceSessionId && session.workspaceId) {
     try {
       const statusResponse = await fetch(
-        `${session.workspaceUrl}/auth/cli/${provider}/status/${session.workspaceSessionId}`
+        `${session.workspaceUrl}/auth/cli/${provider}/status/${session.workspaceSessionId}`,
+        {
+          headers: { 'Authorization': getWorkspaceAuthHeader(session.workspaceId) },
+        }
       );
       if (statusResponse.ok) {
         const workspaceStatus = await statusResponse.json() as {
@@ -311,7 +339,7 @@ onboardingRouter.post('/cli/:provider/complete/:sessionId', async (req: Request,
     let tokenExpiresAt = session.tokenExpiresAt;
 
     // If using workspace delegation, forward complete request first
-    if (session.workspaceUrl && session.workspaceSessionId) {
+    if (session.workspaceUrl && session.workspaceSessionId && session.workspaceId) {
       // Forward authCode to workspace if provided (for Codex-style redirects)
       if (authCode) {
         const backendProviderId = provider === 'anthropic' ? 'anthropic' : provider;
@@ -320,7 +348,10 @@ onboardingRouter.post('/cli/:provider/complete/:sessionId', async (req: Request,
 
         const completeResponse = await fetch(targetUrl, {
           method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
+          headers: {
+            'Content-Type': 'application/json',
+            'Authorization': getWorkspaceAuthHeader(session.workspaceId),
+          },
           body: JSON.stringify({ authCode }),
         });
 
@@ -337,7 +368,10 @@ onboardingRouter.post('/cli/:provider/complete/:sessionId', async (req: Request,
       if (!accessToken) {
         try {
           const credsResponse = await fetch(
-            `${session.workspaceUrl}/auth/cli/${provider}/creds/${session.workspaceSessionId}`
+            `${session.workspaceUrl}/auth/cli/${provider}/creds/${session.workspaceSessionId}`,
+            {
+              headers: { 'Authorization': getWorkspaceAuthHeader(session.workspaceId) },
+            }
           );
           if (credsResponse.ok) {
             const creds = await credsResponse.json() as {
@@ -424,14 +458,17 @@ onboardingRouter.post('/cli/:provider/code/:sessionId', async (req: Request, res
   });
 
   // Forward to workspace daemon
-  if (session.workspaceUrl && session.workspaceSessionId) {
+  if (session.workspaceUrl && session.workspaceSessionId && session.workspaceId) {
     try {
       const targetUrl = `${session.workspaceUrl}/auth/cli/${provider}/code/${session.workspaceSessionId}`;
       console.log('[onboarding] Forwarding auth code to workspace:', targetUrl);
 
       const codeResponse = await fetch(targetUrl, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': getWorkspaceAuthHeader(session.workspaceId),
+        },
         body: JSON.stringify({ code }),
       });
 
@@ -485,11 +522,14 @@ onboardingRouter.post('/cli/:provider/cancel/:sessionId', async (req: Request, r
   const session = activeSessions.get(sessionId);
   if (session?.userId === userId) {
     // Cancel on workspace side if applicable
-    if (session.workspaceUrl && session.workspaceSessionId) {
+    if (session.workspaceUrl && session.workspaceSessionId && session.workspaceId) {
       try {
         await fetch(
           `${session.workspaceUrl}/auth/cli/${provider}/cancel/${session.workspaceSessionId}`,
-          { method: 'POST' }
+          {
+            method: 'POST',
+            headers: { 'Authorization': getWorkspaceAuthHeader(session.workspaceId) },
+          }
         );
       } catch {
         // Ignore cancel errors

src/dashboard-server/server.ts

@@ -2110,6 +2110,35 @@ export async function startDashboard(
 
   // ===== CLI Auth API (for workspace-based provider authentication) =====
 
+  /**
+   * Middleware to validate workspace token for internal endpoints.
+   * In cloud mode, requests to /auth/cli/* must include a valid WORKSPACE_TOKEN
+   * to prevent unauthorized access to auth sessions.
+   */
+  const validateWorkspaceToken: express.RequestHandler = (req, res, next) => {
+    // Skip auth validation in local mode (no WORKSPACE_TOKEN set)
+    const expectedToken = process.env.WORKSPACE_TOKEN;
+    if (!expectedToken) {
+      return next();
+    }
+
+    // Extract token from Authorization header
+    const authHeader = req.headers.authorization;
+    const token = authHeader?.startsWith('Bearer ')
+      ? authHeader.substring(7)
+      : null;
+
+    if (!token || token !== expectedToken) {
+      console.warn('[dashboard] Unauthorized CLI auth request - invalid or missing workspace token');
+      return res.status(401).json({ error: 'Unauthorized - invalid workspace token' });
+    }
+
+    next();
+  };
+
+  // Apply workspace token validation to all CLI auth endpoints
+  app.use('/auth/cli', validateWorkspaceToken);
+
   /**
    * POST /auth/cli/:provider/start - Start CLI auth flow
    * Body: { useDeviceFlow?: boolean }