[C1] Secrets/tokens in WebSocket URL query strings #10
Severity: Critical
Component(s): agent + dashboard
Affected file(s):
agent/src/transport/websocket.rs (plus session/mod.rs, viewer/transport.rs, install.rs)
dashboard/src/features/sessions/JoinSessionModal.tsx (buildViewerUrl)

Problem:
The agent api_key / cak_ / support_code / machine_uid and the dashboard session-scoped viewer token all travel in WebSocket URL query strings. wss only hides the URL from passive network observers: TLS-terminating proxies, the relay, and the browser's history all see it and record it. Both Gemini and Grok flagged this #1 on both surfaces. This is partly by current design (guru-connect CLAUDE.md mandates the viewer token in a query param), so the fix starts with changing that spec rule.

Recommended fix:
Move auth out of the URL, either into the first post-connect protobuf frame or into the Sec-WebSocket-Protocol header.

Remediation phase: P1 (SPEC-020)
From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding C1) and REMEDIATION-PLAN.md (P1).
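To make the recommended fix concrete on the dashboard surface, the following is an added example and not guru-connect's own code. It assumes a `guru-viewer.v1` subprotocol name, a `guru-token.` carrier entry, a `/sessions/<id>/viewer` path and the list of secret query keys taken from the issue text. It puts the current query-string builder beside the hardened one, shows how the token rides in `Sec-WebSocket-Protocol` instead, gives the relay/agent-side parser that recovers it, and ends with a regression check that flags any URL still carrying a secret.

```typescript
// Added example, not guru-connect code. The subprotocol name, token-entry prefix, URL path
// and the secret-key list below are assumptions chosen for illustration.

/** Query keys and value prefixes named in the issue that must never appear in a WebSocket URL. */
const SECRET_QUERY_KEYS = ["api_key", "support_code", "machine_uid", "token", "viewer_token"];
const SECRET_VALUE_PREFIXES = ["cak_"];

const VIEWER_PROTOCOL = "guru-viewer.v1";  // assumed application subprotocol
const TOKEN_ENTRY_PREFIX = "guru-token.";  // assumed carrier entry for the credential

/** The shape the issue describes: the session-scoped viewer token in the query string. */
export function buildViewerUrlInsecure(base: string, sessionId: string, token: string): string {
  const u = new URL(`/sessions/${encodeURIComponent(sessionId)}/viewer`, base);
  u.searchParams.set("token", token);
  return u.toString();
}

/** Hardened shape: the URL identifies the session and carries nothing else. */
export function buildViewerUrl(base: string, sessionId: string): string {
  return new URL(`/sessions/${encodeURIComponent(sessionId)}/viewer`, base).toString();
}

/** RFC 7230 tchar set. Every Sec-WebSocket-Protocol entry must match it, otherwise the
 *  browser WebSocket constructor throws and a relay may refuse the handshake. */
const TCHAR_ENTRY = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

/** Escape an opaque secret into one valid header token. encodeURIComponent leaves
 *  ! ' ( ) * untouched and ( ) are header separators, so those are escaped as well. */
function toHeaderToken(secret: string): string {
  const escaped = encodeURIComponent(secret).replace(/[!'()*]/g,
    c => "%" + c.charCodeAt(0).toString(16).toUpperCase());
  if (!TCHAR_ENTRY.test(escaped)) throw new Error("secret cannot be encoded as a header token");
  return escaped;
}

/** Client side: the list to pass as `new WebSocket(url, viewerSubprotocols(token))`.
 *  The real protocol comes first; the credential rides as a second entry. */
export function viewerSubprotocols(token: string): string[] {
  return [VIEWER_PROTOCOL, TOKEN_ENTRY_PREFIX + toHeaderToken(token)];
}

export interface HandshakeAuth { protocol: string; token: string }

/** Relay/agent side: from the raw Sec-WebSocket-Protocol value, recover the credential and the
 *  single protocol name that must be echoed back in the 101 response (never the token entry).
 *  Returns null when the handshake must be refused: no protocol, no credential, more than one
 *  credential, a malformed entry or a malformed escape. */
export function parseHandshakeAuth(header: string | undefined): HandshakeAuth | null {
  if (!header) return null;
  const entries = header.split(",").map(s => s.trim()).filter(s => s.length > 0);
  if (!entries.every(e => TCHAR_ENTRY.test(e))) return null;
  if (!entries.includes(VIEWER_PROTOCOL)) return null;
  const creds = entries.filter(e => e.startsWith(TOKEN_ENTRY_PREFIX));
  if (creds.length !== 1) return null;
  try {
    const token = decodeURIComponent(creds[0].slice(TOKEN_ENTRY_PREFIX.length));
    return { protocol: VIEWER_PROTOCOL, token };
  } catch {
    return null;
  }
}

/** Regression check for both surfaces: does this URL still carry a secret named in the issue? */
export function urlCarriesSecret(url: string): boolean {
  let leaked = false;
  new URL(url).searchParams.forEach((value, key) => {
    if (SECRET_QUERY_KEYS.includes(key.toLowerCase())) leaked = true;
    if (SECRET_VALUE_PREFIXES.some(p => value.startsWith(p))) leaked = true;
  });
  return leaked;
}
```

Two caveats a reviewer of the actual change should keep in mind. The subprotocol route keeps the secret out of access logs, browser history and Referer, but the relay still terminates TLS and sees the handshake headers, so it must not log `Sec-WebSocket-Protocol`, and it must echo only `guru-viewer.v1` in the 101 response, since RFC 6455 requires the server to pick one of the offered entries. The first-post-connect-frame route keeps the handshake entirely secret-free, at the cost of accepting the socket before it is authenticated; the server then needs a short deadline after which an unauthenticated connection is closed.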