fix: remove auth token from /health, secure extension bootstrap (CRITICAL-02 + HIGH-03)

- Remove token from /health response (was leaked to any localhost process)
- Write .auth.json to extension dir for Manifest V3 bootstrap
- sidebar-agent reads token from state file via BROWSE_STATE_FILE env var
- Remove getToken handler from extension (token via health broadcast)
- Extension loads token before first health poll to prevent race condition
Garry Tan
2026-03-27 22:13:45 -07:00
parent 11695e3aca
commit e16bf23ca0
6 changed files with 114 additions and 40 deletions
@@ -6,6 +6,7 @@ bin/gstack-global-discover
.claude/skills/
.agents/
.context/
extension/.auth.json
.gstack-worktrees/
/tmp/
*.log
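Review bot: The new `extension/.auth.json` ignore entry keeps the token file out of future commits, but it does not untrack a copy that is already in the index and it says nothing about who can read the file on disk. The commit message states the token was pulled from /health because any localhost process could read it, so the code that writes .auth.json (not visible in this hunk) should create it with owner-only permissions, otherwise the exposure just moves from the HTTP endpoint to the filesystem. It is also worth running `git ls-files extension/.auth.json` to confirm no copy was committed earlier, and adding a one-line comment above the entry noting that the file holds a live auth token so the line is not later removed as clutter.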