security: agent-shell WS tokens and dependency audit fixes (#409)

Replace spoofable Host/Origin WebSocket auth with short-lived bootstrap
tokens minted over the existing local-operator HTTP path. Docker/browser
shell sessions prefetch a token before connecting; loopback peers remain
unchanged.

Also bump backend ws to 8.21.0 and refresh frontend lockfile to clear
npm audit findings (dev toolchain only for frontend).

Fixes #405, #406, #407

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Shadowbroker
2026-06-18 16:40:36 -06:00
committed by GitHub
parent 013849ad1f
commit 91c76ad1bd
8 changed files with 358 additions and 152 deletions
+1 -1
View File
@@ -1,5 +1,5 @@
{
"dependencies": {
"ws": "^8.19.0"
"ws": "^8.21.0"
}
}