Patch release shipping the 2026-07-05 review housekeeping (#461).
- Removed the dead
--workspace-tokenflag — it was documented as cross-workspace-access auth but no code read it (a control that looked active and wasn't). Transport auth is--mcp-token; workspace scoping is a routing control, not an enforced boundary (seedocs/THREAT-MODEL.md). Passing--workspace-tokennow errors instead of silently no-op'ing.
See docs/security-review-2026-07-05.md.