Nora security hardening sprint #5
Description
Objective
Execute the first bounded security hardening pass for Nora's self-hosted MVP.
Scope
- Lock down OAuth login flow
- Add centralized ownership/authorization checks for agent/workspace/channel/integration/log routes
- Remove or reduce insecure token/query-string auth patterns
- Enforce encrypted secret handling and redact secret-bearing config from API responses
- Remove insecure default bootstrap credential paths
Acceptance criteria
- OAuth login cannot mint trusted sessions from unverified client assertions
- Agent-scoped routes enforce ownership centrally
- Sensitive tokens/secrets are not exposed in query strings or API responses where avoidable
- Default bootstrap credentials are removed or forced into explicit setup
- New/updated tests cover the critical auth and authorization cases
Branch / worktree
- Branch:
sec/auth-hardening - Worktree:
worktrees/security