
[P7.0.3] Move JWT off localStorage / shorten lifetime + add CSP (M3) #657

Description

@frankbria

Problem (defense-in-depth)

The auth JWT is stored in localStorage (auth_token) and attached via an axios interceptor and SSE/WS ?token= params. Any XSS in the SPA could read and exfiltrate the bearer token; the 7-day token lifetime (JWT_LIFETIME_SECONDS default 604800) widens the window.

No active XSS sink exists today (no dangerouslySetInnerHTML; react-markdown v10 with no rehype-raw is safe), so this is hardening, not an active exploit — but it pairs with the hosted/multi-user threat model.

Evidence

  • web-ui/src/lib/auth.ts:5 — token in localStorage
  • web-ui/src/components/sessions/AgentTerminal.tsx:12, web-ui/src/hooks/useAgentChat.ts:20 — ?token= usage

Fix

  • Prefer an HttpOnly, Secure, SameSite cookie for the session token where feasible.
  • If localStorage must stay (EventSource header limitation drove the ?token= design), shorten token lifetime + add refresh, and add a strict Content-Security-Policy to contain any future XSS.

Acceptance criteria

  • Session token is not trivially readable by injected JS (HttpOnly cookie) or lifetime shortened + CSP added.

Source: release-readiness audit 2026-06-13 (security agent, finding M3). Defense-in-depth; prioritize alongside hosted readiness.

Labels

  • FutureDeferred - beyond v1/v2 scope, consider for future versions
  • phase-7 - Phase 7: Hosted / multi-tenant readiness
  • security
