From 73c2bf2c0448a88204763c9f6d9dea83c6deafd3 Mon Sep 17 00:00:00 2001
From: Garry Tan
Date: Sat, 4 Apr 2026 21:20:29 -0700
Subject: [PATCH] fix: add auth gate to /inspector/events SSE endpoint (C3)

The /inspector/events endpoint had no authentication, unlike /activity/stream which validates tokens. Now requires the same Bearer header or ?token= query param check.

Closes C3 from security audit #783.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 browse/src/server.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/browse/src/server.ts b/browse/src/server.ts
index b2ade603..ceff414c 100644
--- a/browse/src/server.ts
+++ b/browse/src/server.ts
@@ -1556,8 +1556,14 @@ async function start() {
 });
 }
 
- // GET /inspector/events — SSE for inspector state changes
+ // GET /inspector/events — SSE for inspector state changes (auth required)
 if (url.pathname === '/inspector/events' && req.method === 'GET') {
+ const streamToken = url.searchParams.get('token');
+ if (!validateAuth(req) && streamToken !== AUTH_TOKEN) {
+ return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+ status: 401, headers: { 'Content-Type': 'application/json' },
+ });
+ }
 const encoder = new TextEncoder();
 const stream = new ReadableStream({
 start(controller) {
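Review bot: The added `streamToken !== AUTH_TOKEN` check compares the query-string token with an ordinary string comparison, which leaks how many leading bytes matched through response timing and, depending on how `AUTH_TOKEN` is initialised (not visible in this hunk), may accept an empty `?token=` when the configured token is unset or empty. Since the description says /activity/stream performs the same check, this is now duplicated in two places; moving it into one helper that rejects null/empty values and uses `timingSafeEqual` from `node:crypto` on `TextEncoder`-encoded bytes after a length check gives both streams the same behaviour. Whether `validateAuth` has the same weakness for the Bearer header cannot be judged here, as it is outside the hunk, but it would be the natural place to share the helper. The enclosing `start()` function begins and ends outside the hunk.
```typescript
// Constant-time comparison of a presented token against AUTH_TOKEN; null/empty never matches.
function streamTokenMatches(candidate: string | null): boolean {
  if (!candidate || !AUTH_TOKEN) return false;
  const a = new TextEncoder().encode(candidate);
  const b = new TextEncoder().encode(AUTH_TOKEN);
  return a.length === b.length && timingSafeEqual(a, b);
}
// … unchanged: body of start() up to the /inspector/events route …
if (url.pathname === '/inspector/events' && req.method === 'GET') {
  if (!validateAuth(req) && !streamTokenMatches(url.searchParams.get('token'))) {
    // … unchanged: 401 JSON response …
  }
```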