@openparachute/agent 0.2.3-rc.4 → 0.2.3-rc.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/agent",
-  "version": "0.2.3-rc.4",
+  "version": "0.2.3-rc.6",
   "description": "Vault-native agents for Claude Code — a #agent/definition note + an inbound message becomes a sandboxed claude turn; the reply is written back as a note. Messaging gateway on :1941.",
   "license": "AGPL-3.0",
   "type": "module",

package/src/agent-defs.ts

@@ -389,6 +389,15 @@ export function parseAgentDef(note: {
   }
 
   // Filesystem read scope.
+  //
+  // NOTE (step-up, agent#80): `filesystem: "full"` is the dangerous, full-disk
+  // case. The step-up PIN gate is enforced on the HTTP spawn path only
+  // (`POST /api/agents` in daemon.ts). This VAULT-NATIVE path (a #agent/definition
+  // note with `filesystem: full`) is NOT step-up-gated — registering it requires
+  // `vault:write` to author the note, which is itself separately scope-gated, so a
+  // step-up challenge here would gate a capability the caller already had to hold a
+  // write credential to reach. If the threat model is ever revisited (e.g. less-
+  // trusted note authors), this is the gap to close.
   const filesystem = metaStr(meta.filesystem);
   if (filesystem !== undefined) {
     if (filesystem !== "workspace" && filesystem !== "full") {

package/src/auth.ts

@@ -7,13 +7,26 @@
  *   - Layer 1 (bridge / session↔channel): the bridge presents the token as an
  *     `Authorization: Bearer` header on `/events` + `/api/*`.
  *   - Layer 2 (human / chat UI): the page fetches a short-lived token from the
- *     hub (`/admin/agent-token`) and attaches it — as a Bearer header on the
- *     `send` POST, and as a `?token=` query param on the `/ui/events` SSE
- *     (EventSource can't set headers).
+ *     hub (`/admin/agent-token`) and attaches it as a Bearer header on the
+ *     `send` POST. For the browser SSE streams (`/ui/events`,
+ *     `/api/channels/<ch>/turn-events`) — which an `EventSource` can't set a
+ *     header on — the page does NOT put the JWT in the URL. Instead it mints a
+ *     one-time SSE TICKET (`POST /api/ui/sse-ticket`, Bearer-authenticated) and
+ *     opens `…?ticket=<nonce>`. See `requireSseTicket` below + `ui-ticket.ts`.
  *
- * `requireScope` accepts the token from EITHER source so one helper guards both
- * layers. The no-token path short-circuits before any JWKS fetch, keeping it
- * unit-testable without a live hub (same approach Layer 1 used).
+ * `requireScope` accepts the token from a Bearer header (and, for the
+ * agent:admin terminal WebSocket only, a `?token=` query param). The no-token
+ * path short-circuits before any JWKS fetch, keeping it unit-testable without a
+ * live hub (same approach Layer 1 used).
+ *
+ * WHY THE TICKET (agent#25). A full hub JWT in a `?token=` URL lands in any
+ * access/proxy log, browser history, or network trace — a credential leak
+ * mitigated before only by the token's short TTL. The browser SSE endpoints now
+ * trade the JWT for an opaque, single-use, ≤60s ticket (`requireSseTicket`); the
+ * JWT only ever travels in a `fetch` Bearer header. The legacy `?token=` SSE
+ * path was REMOVED (pre-1.0, no deprecation window). The terminal WebSocket
+ * (`agent:admin`) still uses `?token=` — a separate, operator-gated mechanism
+ * out of this change's scope.
  *
  * DUAL-ACCEPT (channel→agent rename transition,
  * `parachute-patterns/migrations/2026-06-17-channel-to-agent.md` rule 1). New
@@ -26,6 +39,8 @@
 
 import { validateHubJwt, HubJwtError } from "./hub-jwt.ts";
 import { extractBearer } from "@openparachute/scope-guard";
+import { consumeTicket } from "./ui-ticket.ts";
+import { isStepUpTokenValid, isStepUpConfigured } from "./step-up.ts";
 
 /** Agent scopes, declared here so callers share one spelling. */
 export const SCOPE_READ = "agent:read" as const;
@@ -79,15 +94,18 @@ export function json(data: unknown, status = 200): Response {
 
 /**
  * Extract a presented token from a request: the `Authorization: Bearer` header
- * first (the bridge + the UI's POST), falling back to a `?token=` query param
- * (the SSE case — `EventSource` can't set headers). Returns null if neither is
- * present.
+ * first (the bridge, the UI's POST, the SSE-ticket mint), falling back to a
+ * `?token=` query param only when `allowQueryParam` is set. The ONLY caller that
+ * opts into the query param is the agent:admin terminal WebSocket
+ * (`new WebSocket()` can't set headers); the browser SSE streams moved to the
+ * one-time-ticket path (`requireSseTicket`) so a JWT never rides in a URL. Returns
+ * null if neither source is present.
  */
 export function extractToken(req: Request, url: URL, allowQueryParam = false): string | null {
   const bearer = extractBearer(req.headers.get("authorization"));
   if (bearer) return bearer;
-  // `?token=` is opt-in (the SSE case only). The bridge + the UI POST present a
-  // Bearer header, so they never enable it — keeps query-param tokens off every
+  // `?token=` is opt-in (the terminal WebSocket only). Every other caller presents
+  // a Bearer header, so they leave it false — keeping query-param JWTs off every
   // endpoint that doesn't strictly need them (and out of those access logs).
   if (allowQueryParam) {
     const q = url.searchParams.get("token");
@@ -99,9 +117,10 @@ export function extractToken(req: Request, url: URL, allowQueryParam = false): s
 /**
  * Guard an HTTP endpoint on a hub-issued JWT carrying `scope`. The token arrives
  * as an `Authorization: Bearer` header; pass `allowQueryParam: true` to also
- * accept a `?token=` query param (the SSE case only — `EventSource` can't set
- * headers). Bridge + UI-POST callers leave it false, so query-param tokens are
- * confined to the one endpoint that needs them.
+ * accept a `?token=` query param (the agent:admin terminal WebSocket only —
+ * `new WebSocket()` can't set headers). All other callers leave it false, so
+ * query-param JWTs are confined to that one endpoint. Browser SSE streams use
+ * `requireSseTicket` (the one-time ticket), not this.
  *
  * Returns `null` when the request is authorized (caller proceeds), or a
  * `Response` (401/403) the caller must return as-is.
@@ -138,3 +157,152 @@ export async function requireScope(
     );
   }
 }
+
+/**
+ * Mint endpoint for a one-time SSE ticket (agent#25). Authenticate the presented
+ * Bearer JWT for `scope` (the SAME validation `requireScope` runs — no-token →
+ * 401 pre-JWKS, bad/insufficient → 401/403), then issue a single-use, ≤60s
+ * opaque ticket carrying ONLY the token's validated scopes. The ticket — never
+ * the JWT — goes in the SSE URL. Returns the mint `Response` (200 `{ ticket,
+ * expires_at }`, or the gate's 401/403) for the caller to return as-is.
+ *
+ * `mintTicket` is injected (defaults to the real `ui-ticket.ts` store) so unit
+ * tests can assert what scopes get carried without reaching into the singleton.
+ * Critically, an UNAUTHENTICATED mint is impossible: the scope gate runs first
+ * and short-circuits before any ticket is created — minting without a valid
+ * bearer would be an auth bypass.
+ */
+export async function mintSseTicket(
+  req: Request,
+  url: URL,
+  scope: string,
+  mint: (scopes: readonly string[]) => { ticket: string; expiresAt: number },
+): Promise<Response> {
+  const token = extractToken(req, url); // Bearer header ONLY — never a query param.
+  if (!token) {
+    return json({ error: "unauthorized", message: "Bearer token required" }, 401);
+  }
+  let scopes: string[];
+  try {
+    const claims = await validateHubJwt(token);
+    if (!grantsScope(claims.scopes, scope)) {
+      return json(
+        { error: "insufficient_scope", message: `requires ${scope}`, granted: claims.scopes },
+        403,
+      );
+    }
+    // Carry the token's OWN validated scopes — never widen beyond what it holds.
+    scopes = claims.scopes;
+  } catch (err) {
+    return json(
+      { error: "unauthorized", message: err instanceof HubJwtError ? err.message : "invalid token" },
+      401,
+    );
+  }
+  const { ticket, expiresAt } = mint(scopes);
+  return json({ ticket, expires_at: new Date(expiresAt).toISOString() });
+}
+
+/**
+ * Guard a browser SSE endpoint on a one-time `?ticket=<nonce>` (agent#25 — the
+ * EventSource auth path that replaced the leaky `?token=<JWT>`). Look up + CONSUME
+ * the ticket (single-use: a second connect 401s), then assert the ticket's carried
+ * scopes include `scope` (the ticket can never authorize more than the JWT that
+ * minted it — `mintSseTicket` stored exactly that JWT's scopes). Returns `null`
+ * when authorized (caller opens the stream) or a 401 `Response` to return as-is.
+ *
+ * No JWKS fetch on this path — the JWT was validated at MINT time and its scopes
+ * captured in the ticket; consume is a pure in-memory lookup. So an absent /
+ * expired / already-used / under-scoped ticket all map to 401 with no network I/O.
+ */
+export function requireSseTicket(url: URL, scope: string): Response | null {
+  const consumed = consumeTicket(url.searchParams.get("ticket"));
+  if (!consumed) {
+    return json({ error: "unauthorized", message: "valid one-time SSE ticket required" }, 401);
+  }
+  if (!grantsScope(consumed.scopes, scope)) {
+    return json(
+      { error: "insufficient_scope", message: `ticket lacks ${scope}`, granted: consumed.scopes },
+      403,
+    );
+  }
+  return null;
+}
+
+/**
+ * The header a request carries the step-up token on (agent#80). The terminal
+ * WebSocket — which `new WebSocket()` can't set a header on — uses the
+ * `?step_up=` query param instead (mirroring the `?token=` exception).
+ */
+export const STEP_UP_TOKEN_HEADER = "x-step-up-token";
+
+/** Extract a presented step-up token: the header first, then `?step_up=` when allowed. */
+export function extractStepUpToken(req: Request, url: URL, allowQueryParam = false): string | null {
+  const header = req.headers.get(STEP_UP_TOKEN_HEADER);
+  if (header && header.length > 0) return header;
+  if (allowQueryParam) {
+    const q = url.searchParams.get("step_up");
+    if (q && q.length > 0) return q;
+  }
+  return null;
+}
+
+/**
+ * SECOND-FACTOR gate (agent#80) for the genuinely dangerous `agent:admin` actions:
+ * set/rotate credentials, open a terminal, spawn a `filesystem: full` agent. The
+ * caller runs {@link requireScope}(`agent:admin`) FIRST; this asserts — IN ADDITION —
+ * a valid step-up token (the operator entered their PIN recently).
+ *
+ *   - Step-up NOT configured (no PIN set) → returns `{ ok: false, reason: "setup" }`.
+ *     The caller maps it to `403 { error: "step_up_required", reason: "setup" }` so
+ *     the UI runs its FIRST-TIME PIN-setup flow before the action.
+ *   - PIN configured + valid token → `{ ok: true }` (the action proceeds).
+ *   - PIN configured + missing/expired token → `{ ok: false, reason: "token" }` →
+ *     `403 { error: "step_up_required" }` so the UI PROMPTS for the PIN.
+ *
+ * The 403 is deliberately DISTINCT from `requireScope`'s 401 (no/invalid Bearer):
+ * a 401 means "re-authenticate", a 403 `step_up_required` means "enter your PIN".
+ * The step-up token NEVER widens scope — the request already passed `agent:admin`;
+ * this is purely a recency re-confirm on top.
+ *
+ * `allowQueryParam: true` accepts `?step_up=` for the terminal WebSocket only.
+ * Pure in-memory token check — no I/O on the gated request path, no secret logged.
+ */
+export function requireStepUp(
+  req: Request,
+  url: URL,
+  allowQueryParam = false,
+  opts?: { configured?: () => boolean; valid?: (token: string | null) => boolean },
+): { ok: true } | { ok: false; response: Response } {
+  const isConfigured = opts?.configured ?? (() => isStepUpConfigured());
+  const isValid = opts?.valid ?? ((t: string | null) => isStepUpTokenValid(t));
+  if (!isConfigured()) {
+    // No PIN yet — the UI must set one before this action can proceed.
+    return {
+      ok: false,
+      response: json(
+        {
+          error: "step_up_required",
+          reason: "setup",
+          message: "set a step-up PIN before performing this action",
+        },
+        403,
+      ),
+    };
+  }
+  const token = extractStepUpToken(req, url, allowQueryParam);
+  if (!isValid(token)) {
+    return {
+      ok: false,
+      response: json(
+        {
+          error: "step_up_required",
+          reason: "token",
+          message: "enter your step-up PIN to confirm this action",
+        },
+        403,
+      ),
+    };
+  }
+  return { ok: true };
+}

package/src/daemon.ts

@@ -85,6 +85,10 @@ import { ClientRegistry, sseFrame } from "./routing.ts";
 import { DeliveryState } from "./delivery-state.ts";
 import {
   requireScope,
+  mintSseTicket,
+  requireSseTicket,
+  requireStepUp,
+  grantsScope,
   extractToken,
   json as authJson,
   SCOPE_READ,
@@ -93,6 +97,16 @@ import {
   SCOPE_ADMIN,
   SCOPE_TERMINAL,
 } from "./auth.ts";
+import {
+  isStepUpConfigured,
+  isValidPinFormat,
+  setStepUpPin,
+  verifyStepUpPin,
+  mintStepUpToken,
+  stepUpLimiter,
+  StepUpPinFormatError,
+} from "./step-up.ts";
+import { mintTicket } from "./ui-ticket.ts";
 import {
   createTerminalWsHandlers,
   type TerminalWsData,
@@ -1124,8 +1138,13 @@ function redirect(location: string): Response {
 // is `agent:write`.
 //
 // Layer 2 — human / chat UI — gates the http-ui transport's `send` (POST,
-// `agent:send`) + `/ui/events` SSE (`?token=` query, `agent:read`) inside
-// `http-ui.ts`'s ingestHttp using the same `requireScope`.
+// `agent:send`, Bearer) with `requireScope`. The browser SSE streams
+// (`/ui/events`, `/api/channels/<ch>/turn-events`, `agent:read`) gate on a
+// ONE-TIME ticket (`requireSseTicket`) instead of a `?token=<JWT>` query —
+// `EventSource` can't set a header, and a JWT in a URL leaks into access logs
+// (agent#25). The page mints the ticket at `POST /api/ui/sse-ticket` (Bearer,
+// agent:read) and opens `…?ticket=<nonce>`; the ticket is single-use + ≤60s and
+// carries only the minting token's scopes.
 //
 // Discovery + the page itself (/health, /.parachute/config[/schema], /ui) stay
 // OPEN — non-sensitive, and /ui must load to bootstrap its token fetch.
@@ -1182,6 +1201,12 @@ export async function authorizeTerminalUpgrade(
   const denied = await requireScope(req, url, SCOPE_TERMINAL, true);
   if (denied) return { ok: false, response: denied };
 
+  // STEP-UP required (agent#80): a terminal is a raw host shell — the single most
+  // dangerous capability. allowQueryParam: true so the WS presents the step-up
+  // token as `?step_up=` (it can't set the `X-Step-Up-Token` header).
+  const step = requireStepUp(req, url, true);
+  if (!step.ok) return { ok: false, response: step.response };
+
   // tmux session name convention: `<name>-agent`. Attach a viewer pty to THIS
   // session; the session itself is created by the spawn path.
   const session = `${agentName}-agent`;
@@ -1783,6 +1808,169 @@ export function createFetchHandler(
       }
     }
 
+    // ---------------------------------------------------------------------
+    // STEP-UP AUTH (PIN) — second factor for high-privilege actions (agent#80).
+    //
+    // The dangerous `agent:admin` actions (set credentials, open a terminal,
+    // spawn a `filesystem: full` agent) require a step-up token IN ADDITION to
+    // the `agent:admin` Bearer. This block is the PIN setup + exchange surface;
+    // the gating lives at each dangerous endpoint (via `requireStepUp`).
+    //
+    //   GET  /api/step-up          → { configured } — is a PIN set? (UI: setup vs prompt)
+    //   POST /api/step-up { pin }  → validate PIN (rate-limited) → { stepUpToken, expires_at }
+    //   POST /api/step-up/pin { newPin, currentPin? } → set/rotate the PIN
+    //
+    // All `agent:admin`-gated (the operator's cookie-minted Bearer). The PIN is
+    // hashed+salted server-side (step-up.ts); it is NEVER returned or logged.
+    // Externally hub strips `/agent`, so these are `<hub>/agent/api/step-up`.
+    // ---------------------------------------------------------------------
+    if (url.pathname === "/api/step-up" && req.method === "GET") {
+      const denied = await requireScope(req, url, SCOPE_ADMIN);
+      if (denied) return denied;
+      // Whether a PIN is configured — the UI branches setup-flow vs PIN-prompt.
+      return json({ configured: isStepUpConfigured() });
+    }
+
+    if (url.pathname === "/api/step-up" && req.method === "POST") {
+      // Exchange: validate the PIN, then mint a short-lived step-up token. The
+      // session must already hold `agent:admin` (this is a SECOND factor on top,
+      // never a substitute — the token carries no scope of its own).
+      let claims;
+      try {
+        const token = extractToken(req, url);
+        if (!token) return json({ error: "unauthorized", message: "Bearer token required" }, 401);
+        claims = await validateHubJwt(token);
+      } catch (err) {
+        return json(
+          { error: "unauthorized", message: err instanceof Error ? err.message : "invalid token" },
+          401,
+        );
+      }
+      if (!grantsScope(claims.scopes, SCOPE_ADMIN)) {
+        return json(
+          { error: "insufficient_scope", message: `requires ${SCOPE_ADMIN}`, granted: claims.scopes },
+          403,
+        );
+      }
+      // No PIN configured yet — there's nothing to exchange. Tell the UI to run
+      // its first-time setup (distinct from a wrong-PIN 401).
+      if (!isStepUpConfigured()) {
+        return json(
+          { error: "step_up_not_configured", message: "set a step-up PIN first (POST /api/step-up/pin)" },
+          409,
+        );
+      }
+      let body: { pin?: unknown };
+      try {
+        body = (await req.json()) as typeof body;
+      } catch {
+        return json({ error: "invalid JSON body" }, 400);
+      }
+      if (typeof body.pin !== "string" || body.pin.length === 0) {
+        return json({ error: "body.pin (non-empty string) is required" }, 400);
+      }
+      // Rate-limit BEFORE the (expensive, brute-forceable) argon2 verify, keyed by
+      // the operator subject — a stolen-cookie attacker can't grind the PIN. A
+      // DENIED attempt returns 429 (the limiter does not count it again).
+      const limited = stepUpLimiter.checkAndRecord(`step-up:${claims.sub}`);
+      if (!limited.allowed) {
+        return new Response(
+          JSON.stringify({
+            error: "rate_limited",
+            message: "too many PIN attempts — wait before retrying",
+            retry_after_seconds: limited.retryAfterSeconds,
+          }),
+          {
+            status: 429,
+            headers: {
+              "content-type": "application/json",
+              "retry-after": String(limited.retryAfterSeconds ?? 60),
+            },
+          },
+        );
+      }
+      const ok = await verifyStepUpPin(body.pin);
+      if (!ok) {
+        // Wrong PIN — 401. The attempt already counted toward the lockout above.
+        // Never echo the PIN back.
+        return json({ error: "invalid_pin", message: "incorrect PIN" }, 401);
+      }
+      // Correct PIN — clear the attempt bucket (a fresh window for the next time)
+      // and mint a reusable, short-TTL step-up token.
+      stepUpLimiter.clear(`step-up:${claims.sub}`);
+      const { token: stepUpToken, expiresAt } = mintStepUpToken();
+      return json({ stepUpToken, expires_at: new Date(expiresAt).toISOString() });
+    }
+
+    if (url.pathname === "/api/step-up/pin" && req.method === "POST") {
+      // Set (first time) or rotate the step-up PIN. agent:admin-gated; if a PIN
+      // already exists, the CURRENT PIN must be supplied + verified (rotation
+      // needs the old PIN, so a hijacked session can't silently replace it).
+      let claims;
+      try {
+        const token = extractToken(req, url);
+        if (!token) return json({ error: "unauthorized", message: "Bearer token required" }, 401);
+        claims = await validateHubJwt(token);
+      } catch (err) {
+        return json(
+          { error: "unauthorized", message: err instanceof Error ? err.message : "invalid token" },
+          401,
+        );
+      }
+      if (!grantsScope(claims.scopes, SCOPE_ADMIN)) {
+        return json(
+          { error: "insufficient_scope", message: `requires ${SCOPE_ADMIN}`, granted: claims.scopes },
+          403,
+        );
+      }
+      let body: { newPin?: unknown; currentPin?: unknown };
+      try {
+        body = (await req.json()) as typeof body;
+      } catch {
+        return json({ error: "invalid JSON body" }, 400);
+      }
+      if (!isValidPinFormat(body.newPin)) {
+        return json({ error: "body.newPin must be 4–12 digits" }, 400);
+      }
+      // Rotation: a PIN already exists → require + verify the current one (rate-limited).
+      // SHARES the exchange bucket (same `step-up:<sub>` key) on purpose: both verify
+      // the PIN, so an attacker can't get a fresh grind window by alternating endpoints.
+      if (isStepUpConfigured()) {
+        const limited = stepUpLimiter.checkAndRecord(`step-up:${claims.sub}`);
+        if (!limited.allowed) {
+          return new Response(
+            JSON.stringify({
+              error: "rate_limited",
+              message: "too many PIN attempts — wait before retrying",
+              retry_after_seconds: limited.retryAfterSeconds,
+            }),
+            {
+              status: 429,
+              headers: {
+                "content-type": "application/json",
+                "retry-after": String(limited.retryAfterSeconds ?? 60),
+              },
+            },
+          );
+        }
+        if (typeof body.currentPin !== "string" || !(await verifyStepUpPin(body.currentPin))) {
+          return json(
+            { error: "invalid_pin", message: "the current PIN is required to change it" },
+            401,
+          );
+        }
+        stepUpLimiter.clear(`step-up:${claims.sub}`);
+      }
+      try {
+        await setStepUpPin(body.newPin);
+      } catch (err) {
+        if (err instanceof StepUpPinFormatError) return json({ error: err.message }, 400);
+        return json({ error: `failed to set PIN: ${(err as Error).message}` }, 500);
+      }
+      // Echo back only the fact of the write — never the PIN.
+      return json({ ok: true, configured: true });
+    }
+
     // ---------------------------------------------------------------------
     // Claude OAuth credential store (design §6) — the per-channel secret a
     // launched agent session runs on (`CLAUDE_CODE_OAUTH_TOKEN`). Same
@@ -1802,11 +1990,15 @@ export function createFetchHandler(
 
       if (req.method === "GET") {
         // Inspect WITHOUT leaking the secret: whether a default is set + which
-        // channels carry an override (names only).
+        // channels carry an override (names only). A status read — no step-up.
         return json(describeClaudeCredentials(defaultStateDir()));
       }
 
-      // POST — set the default / operator-level token.
+      // POST — set the default / operator-level token. STEP-UP required (agent#80):
+      // setting a credential can exfiltrate the operator's Claude token.
+      const step = requireStepUp(req, url);
+      if (!step.ok) return step.response;
+
       let credBody: { token?: unknown };
       try {
         credBody = (await req.json()) as typeof credBody;
@@ -1829,6 +2021,10 @@ export function createFetchHandler(
     if (credMatch && (req.method === "POST" || req.method === "DELETE")) {
       const denied = await requireScope(req, url, SCOPE_ADMIN);
       if (denied) return denied;
+      // STEP-UP required (agent#80): both set + remove of a per-channel Claude
+      // credential are high-privilege credential-store mutations.
+      const step = requireStepUp(req, url);
+      if (!step.ok) return step.response;
       const channel = decodeURIComponent(credMatch[1]!);
 
       if (req.method === "DELETE") {
@@ -1883,9 +2079,15 @@ export function createFetchHandler(
 
       if (req.method === "GET") {
         // Inspect WITHOUT leaking values: names per channel + the default layer.
+        // A status read — no step-up.
         return json(describeChannelEnv(defaultStateDir()));
       }
 
+      // STEP-UP required (agent#80): set/remove of an env secret (GH_TOKEN,
+      // CLOUDFLARE_API_TOKEN, …) is a credential-store mutation.
+      const step = requireStepUp(req, url);
+      if (!step.ok) return step.response;
+
       let envBody: { channel?: unknown; name?: unknown; value?: unknown };
       try {
         envBody = (await req.json()) as typeof envBody;
@@ -1979,6 +2181,15 @@ export function createFetchHandler(
         throw err;
       }
 
+      // STEP-UP required (agent#80) ONLY for the dangerous filesystem case: a
+      // `filesystem: "full"` agent runs UNSANDBOXED with read access to the whole
+      // disk. Ordinary sandboxed (workspace-confined) spawns stay frictionless —
+      // gate just the high-blast-radius case.
+      if (spec.filesystem === "full") {
+        const step = requireStepUp(req, url);
+        if (!step.ok) return step.response;
+      }
+
       // CHANNEL EXCLUSION: a channel routes inbound to at most one agent. Refuse a
       // spawn for a DIFFERENT programmatic agent onto an already-occupied wake channel
       // (re-spawning the SAME name onto its OWN channel is the idempotent-replace path).
@@ -2745,8 +2956,21 @@ export function createFetchHandler(
       return json({ ok: true, reloaded: result });
     }
 
+    // One-time SSE ticket mint — POST /api/ui/sse-ticket (agent#25). The chat
+    // page can't put its hub JWT in an EventSource URL without leaking it into
+    // access logs, so it trades the JWT (presented HERE as a Bearer header — no
+    // leak) for a single-use, ≤60s opaque ticket it puts in the SSE URL instead.
+    // Bearer-gated on `agent:read` (the scope both browser SSE streams require);
+    // the minted ticket carries ONLY the token's own validated scopes, so it can
+    // never authorize more than the JWT did. An unauthenticated mint is impossible
+    // — `mintSseTicket` runs the scope gate before issuing anything. Returns
+    // `{ ticket, expires_at }`. Externally `<hub>/agent/api/ui/sse-ticket`.
+    if (req.method === "POST" && url.pathname === "/api/ui/sse-ticket") {
+      return mintSseTicket(req, url, SCOPE_READ, mintTicket);
+    }
+
     // Turn-event SSE — GET /api/channels/<ch>/turn-events (chat-facing; gated on
-    // `agent:read`, same scope as the transcript poll + /ui/events). The streaming
+    // a one-time SSE ticket carrying `agent:read`). The streaming
     // view (design 2026-06-16 build item #1): the chat subscribes here to watch a
     // PROGRAMMATIC turn work in real time — interim assistant text + tool_use, then a
     // done/error lifecycle event. EPHEMERAL by design: no backlog/replay (the durable
@@ -2758,11 +2982,12 @@ export function createFetchHandler(
     {
       const turnMatch = url.pathname.match(/^\/api\/channels\/([^/]+)\/turn-events$/);
       if (req.method === "GET" && turnMatch) {
-        // allowQueryParam=true: this SSE is consumed by a browser EventSource, which
-        // cannot set an Authorization header — it authenticates via ?token=. Without
-        // this the live-streaming view 401s in the browser and never connects. (The
-        // stdio-bridge /events SSE uses a Bearer header, so it doesn't need this.)
-        const denied = await requireScope(req, url, SCOPE_READ, true);
+        // Browser EventSource can't set an Authorization header, so this SSE
+        // authenticates via a one-time `?ticket=<nonce>` (agent#25) — minted by
+        // POST /api/ui/sse-ticket (Bearer-gated) and consumed single-use here. The
+        // hub JWT never rides in this URL. (The stdio-bridge /events SSE uses a
+        // Bearer header, so it never needed a query credential at all.)
+        const denied = requireSseTicket(url, SCOPE_READ);
         if (denied) return denied;
         const channelName = decodeURIComponent(turnMatch[1]!);
         const clientId = crypto.randomUUID();