@venturewild/workspace 0.1.8 → 0.1.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/bin/wild-workspace.mjs

@@ -570,6 +570,17 @@ async function runOperatorCommand(action = 'status', opts = {}) {
 // autostart (docs/always-on-design.md). `run` is the HIDDEN supervisor entry
 // the per-OS launcher invokes at login; the others manage registration. All
 // per-user, no admin.
+// The URL to open for the LOCAL owner. A slug-linked install runs in public
+// mode (the server denies anon — C1), so the owner must authenticate: append
+// the partner token, which the SPA immediately exchanges for an HttpOnly cookie
+// and strips from the address bar (S1). A localhost-only install needs no token.
+// The token is only ever placed in the URL we hand the browser — never printed.
+function localBrowserUrl(config) {
+  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+  const base = `http://${host}:${config.port}`;
+  return config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base;
+}
+
 async function runServiceCommand(action = 'status', opts = {}) {
   const config = buildConfig(opts);
 
@@ -586,6 +597,7 @@ async function runServiceCommand(action = 'status', opts = {}) {
     console.log(`  mechanism : ${r.mechanism} (per-user, no admin)`);
     console.log(`  launcher  : ${r.launcher || r.vbs}`);
     console.log(`  workspace : ${config.workspaceDir}`);
+    if (r.note) console.log(`  note      : ${r.note}`);
     console.log('  disable   : wild-workspace service uninstall');
     return;
   }
@@ -684,6 +696,24 @@ async function main() {
     return;
   }
 
+  // If a workspace server is already serving this port — always-on started it at
+  // login, or another `wild-workspace` is running — don't fight it for the socket
+  // (createServer would reject on EADDRINUSE and crash). Just open the browser to
+  // the one already up. This is the common case now that always-on is real.
+  {
+    const probeCfg = buildConfig(opts);
+    if (await probeHealth(probeCfg.port)) {
+      const host = probeCfg.host === '0.0.0.0' ? '127.0.0.1' : probeCfg.host;
+      const displayUrl = `http://${host}:${probeCfg.port}`; // shown without the token
+      console.log(`\n  wild-workspace is already running at ${displayUrl}`);
+      if (probeCfg.openBrowser) {
+        console.log('  opening it in your browser…');
+        try { const open = (await import('open')).default; await open(localBrowserUrl(probeCfg)); } catch { /* best-effort */ }
+      }
+      return;
+    }
+  }
+
   const server = await createServer(opts);
   const { config } = server;
   console.log(`\n  wild-workspace v${APP_VERSION}`);
@@ -703,10 +733,14 @@ async function main() {
   } catch {}
   console.log('');
 
+  if (config.publicMode) {
+    // Public mode denies anon — tell the owner how to reach it authenticated.
+    console.log(`  mode      : PUBLIC — opening with a one-time sign-in token`);
+  }
   if (config.openBrowser) {
     try {
       const open = (await import('open')).default;
-      open(`http://${config.host}:${config.port}`);
+      open(localBrowserUrl(config));
     } catch {}
   }
 

package/server/src/config.mjs

@@ -193,24 +193,35 @@ export function buildConfig(overrides = {}) {
   let _secrets = null;
   const secrets = () => (_secrets ??= loadOrCreateSecrets(dataDir));
   const host = overrides.host || env.WILD_WORKSPACE_HOST || '127.0.0.1';
+  // Per-install bmo-sync account — null until the user runs `wild-workspace
+  // login` with the payload from `workspace.venturewild.llc`. Its presence
+  // upgrades the install to a real slug (shareBaseUrl flips to the user's
+  // subdomain) and lights up the /api/session.account field for the UI.
+  // Loaded BEFORE publicMode because a logged-in install is publicly reachable.
+  const account =
+    overrides.account === undefined ? loadAccount(dataDir) : overrides.account;
   // publicMode = "treat every request as untrusted". True for a non-localhost
   // bind, OR when WILD_WORKSPACE_PUBLIC=1 — needed when a tunnel (Cloudflare
   // etc.) forwards public traffic to a localhost-bound server, since the bind
   // address alone would otherwise look local. Drives the C1 auth posture.
   const publicMode =
     overrides.publicMode ??
-    (env.WILD_WORKSPACE_PUBLIC === '1' || !isLocalhost(host));
+    (env.WILD_WORKSPACE_PUBLIC === '1' ||
+      !isLocalhost(host) ||
+      // CRITICAL (C1): a slug-linked install is reachable from the public
+      // internet via <slug>.venturewild.llc — the daemon forwards that traffic
+      // to this server FROM 127.0.0.1, so a non-public server would auto-grant
+      // `partner` (full RCE) to every anonymous visitor. Having an account token
+      // ⟺ the tunnel is exposing this machine, so force public mode even when the
+      // always-on supervisor (or a bare `wild-workspace`) launches without
+      // WILD_WORKSPACE_PUBLIC=1. The local owner authenticates via the partner
+      // token the launcher appends to the localhost URL (?t=, then S1 cookie).
+      Boolean(account?.accountToken));
   // bmo-sync: the local daemon's event feed (a WebSocket URL).
   const daemonUrl =
     overrides.daemonUrl ||
     env.WILD_WORKSPACE_DAEMON_URL ||
     'ws://127.0.0.1:8320/api/events';
-  // Per-install bmo-sync account — null until the user runs `wild-workspace
-  // login` with the payload from `workspace.venturewild.llc`. Its presence
-  // upgrades the install to a real slug (shareBaseUrl flips to the user's
-  // subdomain) and lights up the /api/session.account field for the UI.
-  const account =
-    overrides.account === undefined ? loadAccount(dataDir) : overrides.account;
   const accountShareBase = account?.slug
     ? `https://${account.slug}.venturewild.llc`
     : null;

package/server/src/index.mjs

@@ -18,6 +18,7 @@ import {
   APP_VERSION,
   DEFAULT_AGENTS,
   assertSecureBinding,
+  isLocalhost,
 } from './config.mjs';
 import { detectAgents, AgentSession, pickDefaultAgent } from './agent.mjs';
 import { mintShareToken, verifyShareToken, buildShareUrl, TokenRegistry } from './share.mjs';
@@ -108,7 +109,11 @@ export async function createServer(overrides = {}) {
   if (!existsSync(config.dataDir)) mkdirSync(config.dataDir, { recursive: true });
 
   const activityBus = new ActivityBus();
-  const tokenRegistry = new TokenRegistry();
+  // Persist the revocation list so a revoked share token stays revoked across a
+  // server restart (concern C8). Lives in the gitignored .wild-workspace dir.
+  const tokenRegistry = new TokenRegistry({
+    persistPath: path.join(config.dataDir, 'revoked.json'),
+  });
   const inboxWatcher = new InboxWatcher(config.workspaceDir).start();
   inboxWatcher.on('change', (payload) => {
     activityBus.publish({ type: 'inbox-change', snapshot: payload.snapshot });
@@ -250,6 +255,18 @@ export async function createServer(overrides = {}) {
   const chatClients = new Set(); // every connected /ws/chat socket
   let currentTurn = null; //       { session, messageId } — at most one at a time
 
+  // Per-connection chat rate limit (SECURITY.md S6 / concern C4). Every send
+  // spawns an agent subprocess that costs real API tokens, so cap the burst a
+  // single socket can drive. Sliding window; overridable for tests/env.
+  const chatRate = {
+    max:
+      overrides.chatRateLimit?.max ??
+      (Number(process.env.WILD_WORKSPACE_CHAT_RATE_MAX) || 30),
+    windowMs:
+      overrides.chatRateLimit?.windowMs ??
+      (Number(process.env.WILD_WORKSPACE_CHAT_RATE_WINDOW_MS) || 60_000),
+  };
+
   function broadcastChat(obj) {
     const data = JSON.stringify(obj);
     for (const ws of chatClients) {
@@ -426,49 +443,86 @@ export async function createServer(overrides = {}) {
 
   const app = new Hono();
 
+  // --- auth helpers ---------------------------------------------------------
+  // Classify one raw token into a role. Shared by the Authorization header, the
+  // HttpOnly auth cookie, and the `?t=` query so all three stay consistent.
+  // `allowOperator` is true ONLY for the header path — the operator (support)
+  // token is header-only so it can never leak via a URL or a shared cookie
+  // (SECURITY.md S1).
+  async function classifyToken(token, { allowOperator = false, source } = {}) {
+    if (!token) return null;
+    if (token === config.partnerToken) {
+      return { role: ROLES.PARTNER, sub: 'partner', source };
+    }
+    if (allowOperator && config.operatorToken && token === config.operatorToken) {
+      return { role: ROLES.OPERATOR, sub: 'operator', source: source || 'operator-token' };
+    }
+    const payload = await verifyShareToken(token, config.shareSecret);
+    if (payload && !tokenRegistry.isRevoked(payload.sub)) {
+      return {
+        role: payload.role,
+        sub: payload.sub,
+        workspaceId: payload.workspaceId,
+        source,
+        exp: payload.exp,
+      };
+    }
+    return null;
+  }
+
+  // Parse a single cookie value out of a raw Cookie header. Avoids a dependency
+  // on hono/cookie and works the same for the Node WS upgrade request.
+  function readCookie(rawCookie, name) {
+    if (!rawCookie) return null;
+    for (const part of rawCookie.split(';')) {
+      const idx = part.indexOf('=');
+      if (idx === -1) continue;
+      if (part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
+    }
+    return null;
+  }
+
+  const AUTH_COOKIE = 'wild_auth';
+  function authCookieAttrs(value, maxAgeSeconds) {
+    const attrs = [
+      `${AUTH_COOKIE}=${value}`,
+      'HttpOnly',
+      'SameSite=Strict',
+      'Path=/',
+      `Max-Age=${Math.max(0, Math.floor(maxAgeSeconds))}`,
+    ];
+    // Secure only in public mode — the edge (Cloudflare) terminates TLS, so the
+    // browser sees HTTPS. On a localhost (http) dev bind, Secure would drop it.
+    if (config.publicMode) attrs.push('Secure');
+    return attrs.join('; ');
+  }
+
   // --- auth + role resolution ---
   async function resolveRole(c) {
+    // 1. Authorization: Bearer — the only path that may carry the operator token.
     const auth = c.req.header('authorization');
     if (auth?.startsWith('Bearer ')) {
-      const token = auth.slice('Bearer '.length).trim();
-      if (token === config.partnerToken) {
-        return { role: ROLES.PARTNER, sub: 'partner', source: 'partner-token' };
-      }
-      // The operator (support) token — header-only, and only when the channel is
-      // explicitly enabled (a token exists). Never accepted via `?t=` (below),
-      // so it can't leak through URLs/logs/referrer (SECURITY.md S1).
-      if (config.operatorToken && token === config.operatorToken) {
-        return { role: ROLES.OPERATOR, sub: 'operator', source: 'operator-token' };
-      }
-      const payload = await verifyShareToken(token, config.shareSecret);
-      if (payload && !tokenRegistry.isRevoked(payload.sub)) {
-        return {
-          role: payload.role,
-          sub: payload.sub,
-          workspaceId: payload.workspaceId,
-          source: 'share-jwt',
-          exp: payload.exp,
-        };
-      }
+      const hit = await classifyToken(auth.slice('Bearer '.length).trim(), {
+        allowOperator: true,
+        source: 'bearer',
+      });
+      if (hit) return hit;
     }
+    // 2. HttpOnly auth cookie — set by /api/auth/exchange so the partner token
+    //    never has to live in the URL after first load (SECURITY.md S1). The
+    //    browser sends it automatically on both API fetches and WS handshakes.
+    const cookieToken = readCookie(c.req.header('cookie'), AUTH_COOKIE);
+    if (cookieToken) {
+      const hit = await classifyToken(cookieToken, { source: 'cookie' });
+      if (hit) return hit;
+    }
+    // 3. `?t=` query — a fresh navigation can only carry a token this way. Kept
+    //    for the share-link first-hit + backward compatibility; the client
+    //    exchanges it for the cookie and strips it from the URL immediately.
     const queryToken = c.req.query('t');
     if (queryToken) {
-      // A browser opening the workspace URL can only carry a token in the
-      // query string, not an Authorization header — so the partner token is
-      // accepted here too, mirroring the WebSocket upgrade handler.
-      if (queryToken === config.partnerToken) {
-        return { role: ROLES.PARTNER, sub: 'partner', source: 'partner-token-query' };
-      }
-      const payload = await verifyShareToken(queryToken, config.shareSecret);
-      if (payload && !tokenRegistry.isRevoked(payload.sub)) {
-        return {
-          role: payload.role,
-          sub: payload.sub,
-          workspaceId: payload.workspaceId,
-          source: 'share-jwt-query',
-          exp: payload.exp,
-        };
-      }
+      const hit = await classifyToken(queryToken, { source: 'query' });
+      if (hit) return hit;
     }
     // Default for local partner UX — same machine, no token expected.
     if (!config.publicMode) {
@@ -487,6 +541,53 @@ export async function createServer(overrides = {}) {
     return null;
   }
 
+  // Persistent audit trail for privileged actions (SECURITY.md S8). The [http]
+  // line is ephemeral (stdout, rotated); this records WHO did WHAT to a durable
+  // log under ~/.wild-workspace (outside the synced repo) that doctor/logs and
+  // the operator channel can read. Never throws.
+  function auditAction(c, action, detail) {
+    const s = c.get('session') || {};
+    appendLine(
+      'audit',
+      `${action} role=${c.get('role') || '-'} sub=${s.sub || '-'} src=${s.source || '-'}` +
+        (detail ? ` ${detail}` : ''),
+    );
+  }
+
+  // Security headers on every response (SECURITY.md S7). Set AFTER next() so they
+  // land on static-asset + SPA-fallback responses too. Referrer-Policy: no-referrer
+  // also backstops S1 — a stale `?t=` in the URL can't leak via the Referer header.
+  app.use('*', async (c, next) => {
+    await next();
+    const h = c.res.headers;
+    h.set('X-Content-Type-Options', 'nosniff');
+    h.set('Referrer-Policy', 'no-referrer');
+    h.set('X-Frame-Options', 'SAMEORIGIN');
+    h.set('Cross-Origin-Opener-Policy', 'same-origin');
+    // Conservative CSP: locks framing (anti-clickjacking), object/base, and the
+    // connect surface, while leaving script/style permissive so the prebuilt
+    // SPA bundle isn't broken. `frame-src *` keeps the live-preview iframe (which
+    // points at the user's local dev server) working. Tightening script-src is a
+    // follow-up that needs a bundle audit.
+    if (!h.has('Content-Security-Policy')) {
+      h.set(
+        'Content-Security-Policy',
+        [
+          "default-src 'self'",
+          "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+          "style-src 'self' 'unsafe-inline'",
+          "img-src 'self' data: blob:",
+          "font-src 'self' data:",
+          "connect-src 'self' ws: wss: https:",
+          'frame-src *',
+          "frame-ancestors 'self'",
+          "object-src 'none'",
+          "base-uri 'self'",
+        ].join('; '),
+      );
+    }
+  });
+
   app.use('*', async (c, next) => {
     const session = await resolveRole(c);
     c.set('role', session.role);
@@ -544,6 +645,47 @@ export async function createServer(overrides = {}) {
     });
   });
 
+  // --- auth: token → HttpOnly cookie exchange (SECURITY.md S1) ---------------
+  // A browser opening <slug>.venturewild.llc?t=<token> can only carry the token
+  // in the URL. The partner token is RCE-grade, so it must NOT linger there
+  // (history / referrer / edge logs). The SPA calls this once at boot with the
+  // token in an Authorization header (never a logged URL), we move it into an
+  // HttpOnly cookie, and the client strips ?t= from the address bar. Every
+  // later request — API fetch or WS handshake — authenticates via the cookie.
+  // The global middleware already verified the token before this runs, so the
+  // session is trustworthy; we just persist it.
+  app.post('/api/auth/exchange', async (c) => {
+    const session = c.get('session');
+    if (!session || session.denied || !session.role) {
+      return c.json({ error: 'invalid-token' }, 401);
+    }
+    // Operator tokens stay header-only — never minted into a cookie.
+    if (session.role === ROLES.OPERATOR) {
+      return c.json({ error: 'not-exchangeable' }, 400);
+    }
+    // The exact token to persist: whatever authenticated this request.
+    const auth = c.req.header('authorization');
+    const token =
+      (auth?.startsWith('Bearer ') ? auth.slice('Bearer '.length).trim() : null) ||
+      c.req.query('t');
+    if (!token) {
+      // localhost (no token) — cookie auth is unnecessary; nothing to persist.
+      return c.json({ ok: true, role: session.role, cookie: false });
+    }
+    // Cookie lifetime: a share JWT lives until its exp; the partner token has no
+    // exp, so cap the cookie at 7 days and re-exchange on the next visit.
+    const now = Math.floor(Date.now() / 1000);
+    const maxAge = session.exp ? Math.max(60, session.exp - now) : 7 * 24 * 3600;
+    c.header('Set-Cookie', authCookieAttrs(token, maxAge));
+    log('[auth]', `exchange role=${session.role} src=${session.source} ttl=${maxAge}s`);
+    return c.json({ ok: true, role: session.role, cookie: true });
+  });
+
+  app.post('/api/auth/logout', (c) => {
+    c.header('Set-Cookie', authCookieAttrs('', 0));
+    return c.json({ ok: true });
+  });
+
   // --- agent identity (onboarding) ---
   // Persisted to <dataDir>/agent-identity.json. Absence of this file is the
   // signal the UI uses to launch the 5-step onboarding flow.
@@ -581,18 +723,16 @@ export async function createServer(overrides = {}) {
 
   // In-app "Sign in to Claude" — drives `claude auth login` in a real PTY so the
   // browser OAuth callback auto-completes and the user never touches a terminal.
-  // (See agent-login.mjs.) Degrades to `{status:'unsupported'}` if node-pty is
-  // absent, and the gate falls back to the terminal instruction. The OAuth URL is
-  // opened on this machine — the server runs locally, so it's the user's browser.
+  // (See agent-login.mjs.) Claude opens the OAuth URL in the user's browser itself
+  // (the server is local), so we do NOT open it again here — doing so spawned a
+  // duplicate tab; the UI surfaces the captured URL as a "didn't open?" fallback.
+  // Degrades to `{status:'unsupported'}` if node-pty is absent (gate → terminal).
   let _loginSession = null;
-  const openUrl = async (u) => {
-    try { const open = (await import('open')).default; await open(u); } catch { /* best-effort */ }
-  };
   const emptyLoginSnap = { status: 'idle', url: null, error: null, verdict: null };
   app.post('/api/agent/login/start', async (c) => {
     const forbidden = require(c, 'chatWrite');
     if (forbidden) return forbidden;
-    if (!_loginSession) _loginSession = new ClaudeLoginSession({ agent: activeAgent, openImpl: openUrl });
+    if (!_loginSession) _loginSession = new ClaudeLoginSession({ agent: activeAgent });
     _loginSession.agent = activeAgent; // track the active agent if it changed
     const snap = await _loginSession.start();
     _readinessCache = null; // a sign-in is about to change auth state — don't serve stale
@@ -772,18 +912,23 @@ export async function createServer(overrides = {}) {
     return c.json({ ok: true, started: started !== false });
   });
 
-  app.get('/api/agents', (c) =>
-    c.json({
+  app.get('/api/agents', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    // resolvedPath is a local filesystem path — only the owner (partner) needs
+    // it; don't leak the install layout to a share-link viewer/client. (S2.)
+    const isPartner = c.get('role') === ROLES.PARTNER;
+    return c.json({
       available: detectedAgents.map(({ id, label, description, available, resolvedPath }) => ({
         id,
         label,
         description,
         available,
-        resolvedPath,
+        resolvedPath: isPartner ? resolvedPath : undefined,
       })),
       active: activeAgent?.id,
-    }),
-  );
+    });
+  });
 
   app.post('/api/agents/select', async (c) => {
     const forbidden = require(c, 'chatWrite');
@@ -793,6 +938,7 @@ export async function createServer(overrides = {}) {
     if (!next) return c.json({ error: 'unknown-agent', id: body.id }, 400);
     activeAgent = next;
     activityBus.publish({ type: 'agent-changed', agentId: next.id });
+    auditAction(c, 'agent-select', `id=${next.id}`);
     return c.json({ ok: true, active: activeAgent.id });
   });
 
@@ -942,25 +1088,44 @@ export async function createServer(overrides = {}) {
 
   // --- component inbox ---
   app.get('/api/inbox', async (c) => {
+    // Enforce the `inbox` capability (partner-only). It existed in the matrix
+    // but the route never checked it — a share-link viewer could read it. (S2.)
+    const forbidden = require(c, 'inbox');
+    if (forbidden) return forbidden;
     const snapshot = await inboxWatcher.snapshot();
     return c.json(snapshot);
   });
 
   // --- live preview port detection ---
   app.get('/api/preview/ports', async (c) => {
+    const forbidden = require(c, 'preview');
+    if (forbidden) return forbidden;
     const ports = await detectPreviewPorts();
     return c.json({ ports });
   });
 
   app.get('/api/preview/check', async (c) => {
+    const forbidden = require(c, 'preview');
+    if (forbidden) return forbidden;
     const port = Number(c.req.query('port'));
     if (!port) return c.json({ error: 'port-required' }, 400);
+    // Preview detection is for LOCAL dev servers only. Reject any non-loopback
+    // host so this can't be used as an SSRF / internal port scanner. (S2.)
     const host = c.req.query('host') || '127.0.0.1';
+    if (!isLocalhost(host)) {
+      return c.json({ error: 'host-not-allowed', host }, 400);
+    }
     return c.json({ port, host, listening: await checkPort(port, host) });
   });
 
   // --- activity stream snapshot (WebSocket carries live updates) ---
-  app.get('/api/activity', (c) => c.json(activityBus.snapshot()));
+  // Gated on `chat`: the snapshot's `recent` feed can carry conversation text,
+  // so only roles allowed to see the chat may read it (anon already denied). (S2.)
+  app.get('/api/activity', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json(activityBus.snapshot());
+  });
 
   // --- share-by-URL (AR-20) ---
   app.post('/api/share', async (c) => {
@@ -994,6 +1159,7 @@ export async function createServer(overrides = {}) {
         exp: minted.exp,
         label,
       });
+      auditAction(c, 'share-mint', `grant=${role} grantSub=${minted.sub} ttl=${ttlSeconds}s`);
       return c.json({ ...minted, shareUrl, label });
     } catch (e) {
       return c.json({ error: String(e.message || e) }, 400);
@@ -1012,6 +1178,7 @@ export async function createServer(overrides = {}) {
     const sub = c.req.param('sub');
     tokenRegistry.revoke(sub);
     activityBus.publish({ type: 'share-revoked', sub });
+    auditAction(c, 'share-revoke', `revokedSub=${sub}`);
     return c.json({ ok: true, sub });
   });
 
@@ -1040,6 +1207,7 @@ export async function createServer(overrides = {}) {
         workspaceId: workspace.workspaceId,
         projectName: workspace.projectName,
       });
+      auditAction(c, 'sync-pair', `workspace=${workspace.workspaceId}`);
       return c.json({ ok: true, workspace });
     } catch (e) {
       return c.json({ error: String(e.message || e) }, 400);
@@ -1053,6 +1221,7 @@ export async function createServer(overrides = {}) {
     try {
       const result = await syncControl.detach(body.workspaceId);
       activityBus.publish({ type: 'sync-detached', workspaceId: body.workspaceId });
+      auditAction(c, 'sync-detach', `workspace=${body.workspaceId}`);
       return c.json({ ok: true, ...result });
     } catch (e) {
       return c.json({ error: String(e.message || e) }, 400);
@@ -1115,6 +1284,7 @@ export async function createServer(overrides = {}) {
         path: body.path,
         action: body.action,
       });
+      auditAction(c, 'conflict-resolve', `path=${body.path} action=${body.action}`);
       return c.json({ ok: true });
     } catch (e) {
       return c.json({ error: String(e.message || e) }, 400);
@@ -1141,7 +1311,11 @@ export async function createServer(overrides = {}) {
     return c.json({ ok: true, entry });
   });
 
-  app.get('/api/request-changes', (c) => c.json({ requests: changeRequests }));
+  app.get('/api/request-changes', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json({ requests: changeRequests });
+  });
 
   // --- frontend bundle (built by `npm run build:web`) ---
   if (existsSync(config.webDir)) {
@@ -1191,19 +1365,21 @@ export async function createServer(overrides = {}) {
       socket.destroy();
       return;
     }
+    // Auth precedence mirrors resolveRole: the HttpOnly cookie (set via
+    // /api/auth/exchange) first — the browser sends it automatically on the WS
+    // upgrade handshake, so the token never has to ride in the WS URL (S1) —
+    // then the `?t=` query fallback, then the localhost default.
+    const cookieToken = readCookie(req.headers.cookie, AUTH_COOKIE);
     const tokenFromQuery = reqUrl.searchParams.get('t');
     let role = null;
     let sub = 'anon';
-    if (tokenFromQuery === config.partnerToken) {
-      role = ROLES.PARTNER;
-      sub = 'partner';
-    } else if (tokenFromQuery) {
-      const payload = await verifyShareToken(tokenFromQuery, config.shareSecret);
-      if (payload && !tokenRegistry.isRevoked(payload.sub)) {
-        role = payload.role;
-        sub = payload.sub;
-      }
-    } else if (!config.publicMode) {
+    const hit =
+      (await classifyToken(cookieToken, { source: 'cookie' })) ||
+      (await classifyToken(tokenFromQuery, { source: 'query' }));
+    if (hit) {
+      role = hit.role;
+      sub = hit.sub;
+    } else if (!cookieToken && !tokenFromQuery && !config.publicMode) {
       role = ROLES.PARTNER;
       sub = 'local-partner';
     }
@@ -1277,6 +1453,21 @@ export async function createServer(overrides = {}) {
           );
           return;
         }
+        // Rate limit per connection (S6 / C4): drop sends that exceed the burst.
+        const now = Date.now();
+        ws._sendTimes = (ws._sendTimes || []).filter((t) => now - t < chatRate.windowMs);
+        if (ws._sendTimes.length >= chatRate.max) {
+          log('[ws]', `rate-limited /ws/chat sub=${ws._wsSub} (${chatRate.max}/${chatRate.windowMs}ms)`);
+          ws.send(
+            JSON.stringify({
+              type: 'error',
+              messageId: msg.messageId,
+              message: `rate limit reached — max ${chatRate.max} messages per ${Math.round(chatRate.windowMs / 1000)}s. Wait a moment and try again.`,
+            }),
+          );
+          return;
+        }
+        ws._sendTimes.push(now);
         // The turn-runner is server-level: it streams to every chat client and
         // resumes the persisted claude session, so the agent keeps its memory.
         runChatTurn({
@@ -1359,7 +1550,11 @@ if (isDirectRun) {
     if (config.openBrowser) {
       try {
         const open = (await import('open')).default;
-        open(`http://${config.host}:${config.port}`);
+        const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+        const base = `http://${host}:${config.port}`;
+        // Public mode denies anon, so the owner needs the partner token in the
+        // URL (the SPA exchanges it for a cookie + strips it — S1).
+        open(config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base);
       } catch (e) {
         // browser is best-effort; not having one isn't fatal
       }

package/server/src/logpaths.mjs

@@ -33,6 +33,7 @@ export const LOG_FILES = Object.freeze({
   daemon: 'daemon.log', //         the bmo-sync daemon
   cli: 'cli.log', //               every `wild-workspace …` invocation (first-run capture)
   operator: 'operator.log', //     the consented operator channel's audit trail
+  audit: 'audit.log', //           privileged action audit trail (share/sync/agent — S8)
 });
 
 // Logs the operator channel may tail BY NAME — never an arbitrary path.