From 35bc7e34b17eb84e98ee19f77af8d0720b9edc7e Mon Sep 17 00:00:00 2001
From: Garry Tan
Date: Sun, 5 Apr 2026 18:05:05 -0700
Subject: [PATCH] docs: add security rationale for token in /health on localhost

Explains why this is an accepted risk (no escalation over file-based token access), CORS protection, and tunnel guard. Prevents future CSO scans from stripping it without providing an alternative auth path.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 browse/src/server.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/browse/src/server.ts b/browse/src/server.ts
index 048ea7ca..f2ff82ea 100644
--- a/browse/src/server.ts
+++ b/browse/src/server.ts
@@ -1290,7 +1290,13 @@ async function start() {
 };
 // Sensitive fields only served on localhost (not through tunnel).
 // currentUrl reveals internal URLs, currentMessage reveals user intent.
- // token needed by extension to authenticate subsequent requests.
+ //
+ // SECURITY NOTE (accepted risk): token is served on localhost /health so the
+ // Chrome extension can authenticate. This is NOT an escalation over baseline:
+ // any local process can already read the same token from ~/.gstack/.auth.json
+ // and .gstack/browse.json. Browser CORS blocks cross-origin reads (no
+ // Access-Control-Allow-Origin header). When tunneled, token is stripped.
+ // Do not remove this without providing an alternative extension auth path.
 if (!tunnelActive) {
 healthResponse.token = AUTH_TOKEN;
 healthResponse.currentUrl = browserManager.getCurrentUrl();
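Review bot: The CORS sentence in the new SECURITY NOTE overstates what a missing Access-Control-Allow-Origin header buys: CORS only stops a page from reading the response when the browser treats the request as cross-origin, so the rationale also rests on the server rejecting requests whose Host header is not a loopback address, since DNS rebinding lets a remote page reach a localhost port as a same-origin caller. I cannot tell from this hunk whether such a Host check exists in start(); if it does, the comment should name it as part of the accepted-risk argument, and if it does not, CORS should not be cited as the protection on its own. Suggested wording for that line: `// Browser CORS blocks cross-origin reads (no Access-Control-Allow-Origin header); this relies on the Host-header check rejecting non-loopback hosts (DNS rebinding) — keep both.` The enclosing start() function begins and ends outside the hunk.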