fix(security): add workspace token auth to CLI auth endpoints #62

Closed
khaliqgant wants to merge 2 commits into main from bd-critical-016

@khaliqgant
Collaborator

Fixes bd-critical-016: Workspace Daemon Auth - Unauthenticated Endpoints

The workspace daemon's CLI auth endpoints were exposed without authentication. In cloud mode, attackers could potentially:

  • Submit malicious codes to active auth sessions
  • Enumerate active sessions
  • DoS the PTY processes
  • Hijack OAuth flows mid-completion

Changes:

  • Add validateWorkspaceToken middleware to dashboard-server
  • Apply middleware to all /auth/cli/* endpoints
  • Skip auth in local mode (no WORKSPACE_TOKEN set)
  • Update cloud server onboarding.ts to send Authorization header
  • Add generateWorkspaceToken() helper matching provisioner logic
  • Store workspaceId in session for subsequent requests

The workspace token is an HMAC-SHA256 hash of the workspace ID, signed with the session secret. This matches the token generation in the provisioner.

🤖 Generated with Claude Code

Agent Relay and others added 2 commits January 5, 2026 18:27
Fixes bd-critical-016: Workspace Daemon Auth - Unauthenticated Endpoints

The workspace daemon's CLI auth endpoints were exposed without
authentication. In cloud mode, attackers could potentially:
- Submit malicious codes to active auth sessions
- Enumerate active sessions
- DoS the PTY processes
- Hijack OAuth flows mid-completion

Changes:
- Add validateWorkspaceToken middleware to dashboard-server
- Apply middleware to all /auth/cli/* endpoints
- Skip auth in local mode (no WORKSPACE_TOKEN set)
- Update cloud server onboarding.ts to send Authorization header
- Add generateWorkspaceToken() helper matching provisioner logic
- Store workspaceId in session for subsequent requests

The workspace token is an HMAC-SHA256 hash of the workspace ID,
signed with the session secret. This matches the token generation
in the provisioner.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
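
The token scheme and middleware described in the PR description and commit message above, as an added example that is not code from this pull request. The `Bearer` scheme, hex encoding, 401 response and the `simulate` helper are assumptions; the page names only HMAC-SHA256, `WORKSPACE_TOKEN`, the Authorization header, `generateWorkspaceToken()` and `validateWorkspaceToken`.

```javascript
// Added example, not the project's code. Assumptions: Bearer scheme, hex
// token encoding, 401 on failure, Express-style (req, res, next) signature.
const { createHmac, timingSafeEqual } = require("node:crypto");

// HMAC-SHA256 over the workspace ID, keyed with the session secret.
function generateWorkspaceToken(workspaceId, sessionSecret) {
  return createHmac("sha256", sessionSecret).update(workspaceId).digest("hex");
}

// Constant-time comparison. timingSafeEqual throws on unequal lengths, so
// check length first (the token length is public, so this leaks nothing).
function safeEqual(a, b) {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// expectedToken is the value the daemon reads from WORKSPACE_TOKEN.
function validateWorkspaceToken(expectedToken) {
  return function (req, res, next) {
    // Local mode: no token configured, so the check is skipped. A cloud
    // deployment that lost the variable would take this same path.
    if (!expectedToken) return next();
    const header = req.headers["authorization"] || "";
    const match = /^Bearer ([0-9a-f]+)$/i.exec(header);
    if (!match || !safeEqual(match[1].toLowerCase(), expectedToken)) {
      res.statusCode = 401;
      return res.end("unauthorized");
    }
    return next();
  };
}

// Drives the middleware with constructed request/response objects; returns
// "next" when the request was let through, otherwise the status code sent.
function simulate(expectedToken, authorizationHeader) {
  const req = { headers: {} };
  if (authorizationHeader !== undefined) req.headers.authorization = authorizationHeader;
  let outcome = null;
  const res = { statusCode: 200, end() { outcome = this.statusCode; } };
  validateWorkspaceToken(expectedToken)(req, res, () => { outcome = "next"; });
  return outcome;
}
```
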
@my-senior-dev-pr-review

🤖 My Senior Dev — Analysis Complete

👤 For @khaliqgant

⚡ 8th PR this month


📊 4 files reviewed • 2 high risk • 5 need attention

🚨 High Risk:

  • src/cloud/api/onboarding.ts — Critical security vulnerabilities and bugs related to authentication performance need urgent attention.

⚠️ Needs Attention:

  • src/cloud/api/onboarding.ts — Important logic changes affecting authentication require thorough testing and review.

@khaliqgant khaliqgant closed this Jan 28, 2026