Umbrella: #396 (portal-boundary hardening). From the 2026-06-18 security audit, action B / the highest-value gap.
Problem
The portal uses a single shared bearer token (~/.agentwire/portal.token). Every device — your laptop and a phone that only ever does push-to-talk — holds the same god-token. You can't revoke one device, can't attribute actions, and rotating logs out everyone.
Scope
- Replace the single token with named, individually-revocable device credentials.
- Issue them via a host-shown pairing code / QR (agentwire portal pair), with a device registry under ~/.agentwire/.
- Each request/WS carries its device identity (enables per-device scoping in the sibling issue, and attribution in the audit-log issue).
Verification
Pair two devices; revoke one; confirm the revoked device gets 401 on every non-public route while the other keeps working. Confirm actions are attributable to a named device.
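As an added illustration of the shape this issue is asking for (not agentwire's own code), the following sketches a device registry with pairing-code issuance, per-device tokens stored only as digests, individual revocation, and a request gate that returns 401 on every non-public route for a revoked device while attributing successful requests to a named device. The registry file name (~/.agentwire/devices.json), the field names, the 6-digit code with a 120 s lifetime, the /health public route and the request-handling signature are all assumptions; run_verification() walks the verification steps listed above in memory.

```python
"""Per-device credentials for a portal: host-shown pairing code -> named token,
revocable one device at a time. Added illustration, not agentwire project code.
The registry path, field names, TTL and the public-route set are assumptions."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from pathlib import Path
from typing import Optional

PAIRING_CODE_TTL = 120.0                 # seconds a pairing code stays valid (assumed)
PUBLIC_ROUTES = frozenset({"/health"})   # routes that need no device token (assumed)


def _hash_token(token: str) -> str:
    # Store only a digest so a leaked registry file does not leak live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Device:
    name: str
    token_hash: str
    paired_at: float
    revoked: bool = False


class DeviceRegistry:
    """Named device credentials; persisted to a JSON file when a path is given."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.devices: dict[str, Device] = {}
        self._pending: dict[str, float] = {}  # pairing code -> expiry time
        if path is not None and path.exists():
            for row in json.loads(path.read_text()):
                self.devices[row["name"]] = Device(**row)

    def _save(self) -> None:
        if self.path is not None:
            self.path.parent.mkdir(parents=True, exist_ok=True)
            self.path.write_text(json.dumps([asdict(d) for d in self.devices.values()]))
            self.path.chmod(0o600)  # owner-only, like the old portal.token

    def start_pairing(self, now: float) -> str:
        """Host side: short-lived, single-use code to show as text or QR."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[code] = now + PAIRING_CODE_TTL
        return code

    def complete_pairing(self, code: str, device_name: str, now: float) -> str:
        """Device side: exchange the code for its own token (returned once only)."""
        expires = self._pending.pop(code, None)  # pop makes the code single-use
        if expires is None or now > expires:
            raise PermissionError("invalid or expired pairing code")
        if device_name in self.devices and not self.devices[device_name].revoked:
            raise ValueError(f"device {device_name!r} is already paired")
        token = secrets.token_urlsafe(32)
        self.devices[device_name] = Device(device_name, _hash_token(token), now)
        self._save()
        return token

    def revoke(self, device_name: str) -> None:
        """Revoke one device; every other device keeps working."""
        self.devices[device_name].revoked = True
        self._save()

    def authenticate(self, token: str) -> Optional[str]:
        """Map a presented bearer token to a live device name, or None."""
        presented = _hash_token(token)
        for dev in self.devices.values():
            if hmac.compare_digest(presented, dev.token_hash) and not dev.revoked:
                return dev.name
        return None


def handle_request(registry: DeviceRegistry, path: str, authorization: Optional[str]):
    """Return (status, device_name); non-public routes require a live device token."""
    if path in PUBLIC_ROUTES:
        return 200, None
    if not authorization or not authorization.startswith("Bearer "):
        return 401, None
    device = registry.authenticate(authorization[len("Bearer "):])
    if device is None:
        return 401, None
    return 200, device  # the caller logs `device` for attribution


def run_verification() -> dict:
    """The issue's verification steps, in memory: pair two, revoke one, probe routes."""
    reg = DeviceRegistry()
    laptop = reg.complete_pairing(reg.start_pairing(now=0.0), "laptop", now=5.0)
    phone = reg.complete_pairing(reg.start_pairing(now=10.0), "phone", now=12.0)
    reg.revoke("phone")
    return {
        "laptop": handle_request(reg, "/api/sessions", f"Bearer {laptop}"),
        "phone": handle_request(reg, "/api/ptt", f"Bearer {phone}"),
        "phone_public": handle_request(reg, "/health", f"Bearer {phone}"),
        "no_token": handle_request(reg, "/api/sessions", None),
    }


if __name__ == "__main__":
    for who, (status, device) in run_verification().items():
        print(f"{who}: status={status} device={device}")
```

The registry compares digests with hmac.compare_digest rather than `==` so token lookup does not leak timing information, and revocation flips a flag instead of deleting the record, which keeps the device name available for historical audit-log attribution.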
From #396 audit (action B). Prereq for PTT capability scopes.