
fix(browse): stop health auth token exposure #1938

Draft

maxpetrusenkoagent wants to merge 2 commits into garrytan:main from maxpetrusenkoagent:hermes/oss-pr-2026-06-09-gstack-1324

Conversation

@maxpetrusenkoagent


Summary

  • make /health public status-only so spoofed chrome-extension:// origins never receive the root auth token
  • provision the bundled extension auth token through chrome.storage.local instead of /health
  • pin terminal-agent WebSocket origin checks to the detected bundled gstack extension ID

Test Plan

  • bun test browse/test/server-auth.test.ts browse/test/extension-auth-bootstrap.test.ts browse/test/terminal-agent-integration.test.ts browse/test/pair-agent-e2e.test.ts browse/test/sidebar-tabs.test.ts

Fixes #1324

Fixes garrytan#1324

- make /health public status-only, even for spoofed chrome-extension origins
- provision extension auth through bundled extension chrome.storage
- pin terminal-agent websocket auth to the detected gstack extension id
- add focused regressions for token leakage and extension auth bootstrap
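The three parts of the fix described in the summary above (a status-only /health, a token provisioned through extension storage instead of /health, and a WebSocket origin check pinned to one extension ID), as an added example that is not gstack's own code. It models the leaky "before" handler beside the hardened "after" one and a pinned handshake check; every name, the sample token and the sample extension ID are assumptions, and chrome.storage.local is stood in for by a plain map:

```typescript
// Added example, not code from the garrytan/gstack repository. All names,
// the token and the extension ID below are constructed for illustration.

type ReqHeaders = Record<string, string>;
type HealthBody = Record<string, unknown>;

// Constructed sample secret; a real agent would generate this at startup.
export const ROOT_TOKEN = "constructed-root-token-0123456789";

// Constructed bundled-extension ID (Chrome IDs are 32 characters from a-p).
export const BUNDLED_EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop";

// BEFORE (the leaky pattern): the token is returned whenever the Origin
// header merely claims a chrome-extension:// scheme. For a non-browser
// client talking to localhost, Origin is attacker-chosen, so this is public.
export function healthBefore(headers: ReqHeaders): HealthBody {
  const origin = headers["origin"] ?? "";
  if (origin.startsWith("chrome-extension://")) {
    return { ok: true, token: ROOT_TOKEN };
  }
  return { ok: true };
}

// AFTER: /health is public and status-only. No branch on Origin and no
// secret in the body, whoever asks.
export function healthAfter(_headers: ReqHeaders): HealthBody {
  return { ok: true, status: "ready" };
}

// Stand-in for chrome.storage.local (assumption: a simple key/value store).
// The agent provisions the token into the trusted extension's storage; the
// extension reads it back and presents it on the WebSocket handshake.
export class ExtensionStorage {
  private data = new Map<string, string>();
  set(key: string, value: string): void { this.data.set(key, value); }
  get(key: string): string | undefined { return this.data.get(key); }
}

export function provisionExtensionToken(store: ExtensionStorage): void {
  store.set("authToken", ROOT_TOKEN);
}

// Origin check pinned to one extension ID: exact equality, not a prefix test,
// so "chrome-extension://<id>.evil" or another extension's ID is refused.
export function isPinnedExtensionOrigin(origin: string | undefined, pinnedId: string): boolean {
  if (!/^[a-p]{32}$/.test(pinnedId)) return false; // refuse an unpinned or malformed ID
  return origin === `chrome-extension://${pinnedId}`;
}

// Constant-time compare; the early length check only reveals length, which
// is fixed for this token format.
export function tokensEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Full handshake decision: pinned origin AND a token that came from
// extension storage, never from /health.
export function authorizeWebSocket(
  headers: ReqHeaders,
  presentedToken: string | undefined,
  pinnedId: string,
): boolean {
  if (!isPinnedExtensionOrigin(headers["origin"], pinnedId)) return false;
  if (!presentedToken) return false;
  return tokensEqual(presentedToken, ROOT_TOKEN);
}

// Regression helper in the spirit of the "token leakage" tests: does a
// /health response body contain the root token for the given request?
export function healthLeaksToken(handler: (h: ReqHeaders) => HealthBody, headers: ReqHeaders): boolean {
  return JSON.stringify(handler(headers)).includes(ROOT_TOKEN);
}
```

The regression worth keeping is the negative one: call the health handler with a spoofed `Origin: chrome-extension://...` and assert the serialized body never contains the token, so a later refactor that reintroduces an Origin branch fails the test rather than the audit.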
@trunk-io

trunk-io Bot commented Jun 9, 2026


Merging to main in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here.

…x-2026-06-19-gstack-1938-2

# Conflicts:
#	browse/src/browser-manager.ts
@maxpetrusenkoagent

Author

Review-fix sweep update:

Resolved the merge conflict against current upstream garrytan/gstack:main and pushed a fast-forward update to the PR branch.

Conflict resolution:

  • Kept the PR intent: extension auth is provisioned through trusted extension chrome.storage.local, not /health.
  • Kept current main behavior: shared applyStealth Layer C cleanup remains active for the headed launch path.
  • Verified final PR diff against upstream base with git fetch https://github.com/garrytan/gstack.git main + git diff FETCH_HEAD...HEAD --stat: focused on the same 10 intended PR files.

Verification:

  • bun test browse/test/extension-auth-bootstrap.test.ts browse/test/server-auth.test.ts browse/test/terminal-agent-integration.test.ts -> 55 pass, 0 fail
  • git diff --name-only --diff-filter=U -> no unresolved conflicts
  • GitHub now reports mergeable=MERGEABLE; no checks are currently reported on the branch.

Second-agent note:

  • Tried claude -p; it produced no output before timeout.
  • Tried fresh hermes chat -Q; it produced no output before timeout.
  • Tried Oracle fallback; local environment lacked OPENAI_API_KEY for API mode.

Confidence: high on the conflict repair. Remaining state is GitHub/check settling, not a local merge conflict.



Development

Successfully merging this pull request may close these issues.

Possible Critical Security Issue

1 participant