fix(security): Implement Phase 1 critical security fixes

CORS:
- Restrict CORS to DASHBOARD_URL environment variable
- Default to production dashboard domain

Authentication:
- Add AuthUser requirement to all agent management endpoints
- Add AuthUser requirement to all command endpoints
- Add AuthUser requirement to all metrics endpoints
- Add audit logging for command execution (user_id tracked)

Agent Security:
- Replace Unicode characters with ASCII markers [OK]/[ERROR]/[WARNING]
- Add certificate pinning for update downloads (allowlist domains)
- Fix insecure temp file creation (use /var/run/gururmm with 0700 perms)
- Fix rollback script backgrounding (use setsid instead of literal &)

Dashboard Security:
- Move token storage from localStorage to sessionStorage
- Add proper TypeScript types (remove 'any' from error handlers)
- Centralize token management functions

Legacy Agent:
- Add -AllowInsecureTLS parameter (opt-in required)
- Add Windows Event Log audit trail when insecure mode used
- Update documentation with security warnings

Closes: Phase 1 items in issue #1

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

projects/msp-tools/guru-rmm/dashboard/src/api/client.ts

@@ -1,4 +1,4 @@
-import axios from "axios";
+import axios, { AxiosError } from "axios";
 
 // Default to production URL, override with VITE_API_URL for local dev
 const API_URL = import.meta.env.VITE_API_URL || "https://rmm-api.azcomputerguru.com";
@@ -10,22 +10,41 @@ export const api = axios.create({
   },
 });
 
-// Add auth token to requests
+// Token management - use sessionStorage (cleared on tab close) instead of localStorage
+// This provides better security against XSS attacks as tokens are not persisted
+const TOKEN_KEY = "gururmm_auth_token";
+
+export const getToken = (): string | null => {
+  return sessionStorage.getItem(TOKEN_KEY);
+};
+
+export const setToken = (token: string): void => {
+  sessionStorage.setItem(TOKEN_KEY, token);
+};
+
+export const clearToken = (): void => {
+  sessionStorage.removeItem(TOKEN_KEY);
+};
+
+// Request interceptor - add auth header
 api.interceptors.request.use((config) => {
-  const token = localStorage.getItem("token");
+  const token = getToken();
   if (token) {
     config.headers.Authorization = `Bearer ${token}`;
   }
   return config;
 });
 
-// Handle auth errors
+// Response interceptor - handle 401 unauthorized
 api.interceptors.response.use(
   (response) => response,
-  (error) => {
+  (error: AxiosError) => {
     if (error.response?.status === 401) {
-      localStorage.removeItem("token");
-      window.location.href = "/login";
+      clearToken();
+      // Use a more graceful redirect that preserves SPA state
+      if (window.location.pathname !== "/login") {
+        window.location.href = "/login";
+      }
     }
     return Promise.reject(error);
   }
@@ -156,9 +175,31 @@ export interface RegisterRequest {
 
 // API functions
 export const authApi = {
-  login: (data: LoginRequest) => api.post<LoginResponse>("/api/auth/login", data),
-  register: (data: RegisterRequest) => api.post<LoginResponse>("/api/auth/register", data),
+  login: async (data: LoginRequest): Promise<LoginResponse> => {
+    const response = await api.post<LoginResponse>("/api/auth/login", data);
+    if (response.data.token) {
+      setToken(response.data.token);
+    }
+    return response.data;
+  },
+
+  register: async (data: RegisterRequest): Promise<LoginResponse> => {
+    const response = await api.post<LoginResponse>("/api/auth/register", data);
+    if (response.data.token) {
+      setToken(response.data.token);
+    }
+    return response.data;
+  },
+
   me: () => api.get<User>("/api/auth/me"),
+
+  logout: (): void => {
+    clearToken();
+  },
+
+  isAuthenticated: (): boolean => {
+    return !!getToken();
+  },
 };
 
 export const agentsApi = {