Mike Swanson
4614df04fb
- REST API: All session/code/machine endpoints now require AuthenticatedUser - Viewer WebSocket: Requires JWT token in query params (token=...) - Agent WebSocket: Requires either valid support code OR API key - Dashboard: Passes JWT token when connecting to viewer WS - Native viewer: Passes token in protocol URL and WebSocket connection - Added AGENT_API_KEY env var support for persistent agents - Added get_status() to SupportCodeManager for auth validation This fixes the security vulnerability where unauthenticated agents could connect and appear in the dashboard without any credentials. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>