Problem
Several API route modules are missing requireAuth middleware, making them publicly accessible without authentication:
src/routes/workspaces.ts — workspace CRUD, dashboard, activity
src/routes/conversations.ts — conversation list, detail, close
src/routes/connectors.ts — MCP + consumer connector management
src/routes/query.ts — agent loop entry point
Only src/routes/org.ts and src/routes/queues.ts currently apply requireAuth.
Impact
Any unauthenticated request can list workspaces, read conversations, manage connectors, and trigger AI queries.
Fix
Add requireAuth middleware to each unprotected route module, following the pattern in src/routes/org.ts:
import { requireAuth, type AuthUser, type AuthEnv } from '../middleware/auth.js'
workspaces.use('/api/workspaces/*', requireAuth)
workspaces.use('/api/workspaces', requireAuth)
Files
src/routes/workspaces.ts
src/routes/conversations.ts
src/routes/connectors.ts
src/routes/query.ts
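Added example, not code from this repository: a static check that could run in CI to flag route handlers that no earlier requireAuth registration covers, so a new route module cannot ship unprotected. The regexes, the conservative wildcard rule, and the sample sources (handler names and the /api/query path included) are assumptions constructed for illustration.

```typescript
// Added example: flags route registrations not covered by a preceding requireAuth use().
type Finding = { file: string; method: string; path: string };
type Hit = { groups: string[]; at: number };

const ROUTE_RE = /\.(get|post|put|patch|delete)\(\s*['"]([^'"]+)['"]/g;
const GUARD_RE = /\.use\(\s*['"]([^'"]+)['"]\s*,\s*requireAuth\b/g;

// Collect every match of a global regex together with its offset in the source.
function collect(re: RegExp, src: string): Hit[] {
  const out: Hit[] = [];
  let m: RegExpExecArray | null;
  re.lastIndex = 0;
  while ((m = re.exec(src)) !== null) out.push({ groups: m.slice(1), at: m.index });
  return out;
}

// Conservative matching (assumption): '/x/*' covers only paths under '/x/',
// so the bare '/x' needs its own use() line, as in the fix above.
function covers(pattern: string, path: string): boolean {
  if (pattern.slice(-2) === '/*') return path.indexOf(pattern.slice(0, -1)) === 0;
  return pattern === path;
}

function findUnguardedRoutes(sources: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const file of Object.keys(sources)) {
    const src = sources[file];
    const guards = collect(GUARD_RE, src);
    for (const route of collect(ROUTE_RE, src)) {
      const path = route.groups[1];
      // A guard only counts if it is registered before the handler it protects.
      const guarded = guards.some(g => g.at < route.at && covers(g.groups[0], path));
      if (!guarded) findings.push({ file, method: route.groups[0].toUpperCase(), path });
    }
  }
  return findings;
}

// Constructed sample sources; a real check would read the files under src/routes/.
const SAMPLE: Record<string, string> = {
  'src/routes/workspaces.ts': [
    "workspaces.use('/api/workspaces/*', requireAuth)",
    "workspaces.get('/api/workspaces', listHandler)",
    "workspaces.get('/api/workspaces/:id/dashboard', dashboardHandler)",
  ].join('\n'),
  'src/routes/query.ts': "query.post('/api/query', runHandler)",
};

console.log(findUnguardedRoutes(SAMPLE));
```

On the sample it reports GET /api/workspaces (only the wildcard is guarded) and POST /api/query (no guard at all).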