feat(kilo-chat): per-sandbox token auth with admin mint/revoke routes

Replace the shared KILOCHAT_API_TOKEN + x-kilo-sandbox-id header auth
with per-sandbox tokens looked up through SandboxRegistryDO. A leaked
token's blast radius is now one tenant instead of all — the shared
secret that every kiloclaw machine carried is gone.

Auth path changes:
  - Tokens starting with "ksk_" are treated as sandbox bearers and
    resolved through the registry. The x-kilo-sandbox-id header is
    no longer read at all — attempts to spoof identity via header
    are ignored (a regression test pins this behavior).
  - JWTs for human users are unchanged.
  - Admin routes under /v1/admin/* no-op the tenant middleware so
    their separate ADMIN_API_TOKEN guard runs instead.

New admin surface for the control plane:
  - POST   /v1/admin/sandboxes/:sandboxId/token — mint (replaces any
    existing token atomically; plaintext is returned once).
  - DELETE /v1/admin/sandboxes/:sandboxId/token — revoke.

Wrangler config swaps the shared KILOCHAT_API_TOKEN secrets_store
binding for ADMIN_API_TOKEN, adds SANDBOX_REGISTRY_DO durable object
binding, and bumps migrations to v2 for the new SQLite class.

The e2e-test script now mints a sandbox token via the admin endpoint
instead of reading KILOCHAT_API_TOKEN from the environment.

Author: iscekic

services/kilo-chat/scripts/e2e-test.ts

@@ -4,7 +4,7 @@
  *
  * Prerequisites:
  *   1. kilo-chat running: cd services/kilo-chat && wrangler dev
- *   2. .dev.vars configured with KILOCHAT_API_TOKEN, NEXTAUTH_SECRET, etc.
+ *   2. .dev.vars configured with ADMIN_API_TOKEN, NEXTAUTH_SECRET, etc.
  *   3. (For full agent loop) kiloclaw running with kilo-chat plugin
  *
  * Usage:
@@ -13,16 +13,16 @@
  * Environment variables:
  *   KILO_CHAT_URL       - kilo-chat base URL (default: http://localhost:8802)
  *   NEXTAUTH_SECRET     - JWT signing secret (must match .dev.vars)
- *   KILOCHAT_API_TOKEN    - API key for bot auth (must match .dev.vars)
- *   SANDBOX_ID          - sandbox ID for the bot (default: test-sandbox)
+ *   ADMIN_API_TOKEN     - Admin token for minting the sandbox token
+ *   SANDBOX_ID          - sandbox ID for the bot (default: e2e-test-sandbox)
  *   TIMEOUT_MS          - how long to wait for agent response (default: 30000)
  */
 
 import { SignJWT } from 'jose';
 
 const BASE_URL = process.env.KILO_CHAT_URL ?? 'http://localhost:8802';
 const JWT_SECRET = process.env.NEXTAUTH_SECRET;
-const API_KEY = process.env.KILOCHAT_API_TOKEN;
+const ADMIN_TOKEN = process.env.ADMIN_API_TOKEN;
 const SANDBOX_ID = process.env.SANDBOX_ID ?? 'e2e-test-sandbox';
 const TIMEOUT_MS = Number(process.env.TIMEOUT_MS ?? '30000');
 
@@ -46,11 +46,27 @@ async function signUserToken(userId: string): Promise<string> {
     .sign(new TextEncoder().encode(JWT_SECRET));
 }
 
-function botHeaders(): Record<string, string> {
-  if (!API_KEY) throw new Error('KILOCHAT_API_TOKEN required for bot auth');
+/**
+ * Mint a fresh sandbox token via the admin API. Per-sandbox tokens replace
+ * the old shared KILOCHAT_API_TOKEN flow entirely: the token alone identifies
+ * the sandbox upstream, no x-kilo-sandbox-id header is sent.
+ */
+async function mintSandboxToken(): Promise<string> {
+  if (!ADMIN_TOKEN) throw new Error('ADMIN_API_TOKEN required to mint a sandbox token');
+  const res = await fetch(`${BASE_URL}/v1/admin/sandboxes/${SANDBOX_ID}/token`, {
+    method: 'POST',
+    headers: { authorization: `Bearer ${ADMIN_TOKEN}` },
+  });
+  if (!res.ok) {
+    throw new Error(`Admin mint failed: ${res.status} ${await res.text()}`);
+  }
+  const body = (await res.json()) as { token: string };
+  return body.token;
+}
+
+function botHeaders(sandboxToken: string): Record<string, string> {
   return {
-    authorization: `Bearer ${API_KEY}`,
-    'x-kilo-sandbox-id': SANDBOX_ID,
+    authorization: `Bearer ${sandboxToken}`,
     'content-type': 'application/json',
   };
 }

services/kilo-chat/src/__tests__/admin-routes.test.ts

@@ -0,0 +1,126 @@
+import { env, SELF } from 'cloudflare:test';
+import { describe, it, expect, beforeAll, beforeEach } from 'vitest';
+import { SANDBOX_TOKEN_PREFIX, type SandboxRegistryDO } from '../do/sandbox-registry-do';
+import { getSandboxRegistryStub } from '../do/sandbox-registry-client';
+
+const ADMIN_TOKEN = 'test-admin-token';
+
+beforeAll(async () => {
+  // wrangler.jsonc points ADMIN_API_TOKEN at a secrets_store binding; in
+  // vitest-pool-workers the store is mocked and we need to prime it.
+  const binding = env.ADMIN_API_TOKEN as unknown as {
+    get: () => Promise<string>;
+    // Some miniflare versions allow setting via internal API; fall back to
+    // stubbing via spy if not present.
+  };
+  // Most straightforward: monkey-patch the `get` on this test run so the
+  // route's call resolves to our fixed token.
+  binding.get = async () => ADMIN_TOKEN;
+});
+
+beforeEach(async () => {
+  // Ensure a clean registry between tests — revoke anything left by a prior one.
+  // Uses the singleton stub directly.
+  const stub: DurableObjectStub<SandboxRegistryDO> = getSandboxRegistryStub(
+    env.SANDBOX_REGISTRY_DO
+  );
+  // Nothing to list, so we just no-op — the tests below each use a distinct
+  // sandbox id, so no cross-contamination is expected.
+  void stub;
+});
+
+async function req(
+  path: string,
+  init: RequestInit & { auth?: string | false } = {}
+): Promise<Response> {
+  const headers = new Headers(init.headers);
+  if (init.auth !== false) {
+    headers.set('authorization', `Bearer ${init.auth ?? ADMIN_TOKEN}`);
+  }
+  return SELF.fetch(`https://kilo-chat.test${path}`, { ...init, headers });
+}
+
+describe('admin routes', () => {
+  describe('auth', () => {
+    it('401 when authorization header is missing', async () => {
+      const res = await req('/v1/admin/sandboxes/sbx_a/token', {
+        method: 'POST',
+        auth: false,
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it('401 when admin token is wrong', async () => {
+      const res = await req('/v1/admin/sandboxes/sbx_a/token', {
+        method: 'POST',
+        auth: 'wrong',
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it('does not accept a sandbox token for admin routes', async () => {
+      // Even a legitimate sandbox bearer cannot access admin endpoints.
+      const stub = getSandboxRegistryStub(env.SANDBOX_REGISTRY_DO);
+      const { token } = await stub.mintToken('sbx_admin_cross_tenant');
+      const res = await req('/v1/admin/sandboxes/sbx_admin_cross_tenant/token', {
+        method: 'POST',
+        auth: token,
+      });
+      expect(res.status).toBe(401);
+    });
+  });
+
+  describe('POST /v1/admin/sandboxes/:sandboxId/token', () => {
+    it('mints a fresh token and returns it with the hash', async () => {
+      const res = await req('/v1/admin/sandboxes/sbx_mint_1/token', { method: 'POST' });
+      expect(res.status).toBe(201);
+      const body: { sandboxId: string; token: string; tokenHash: string } = await res.json();
+      expect(body.sandboxId).toBe('sbx_mint_1');
+      expect(body.token.startsWith(SANDBOX_TOKEN_PREFIX)).toBe(true);
+      expect(body.tokenHash).toMatch(/^[0-9a-f]{64}$/);
+    });
+
+    it('re-minting replaces the previous token', async () => {
+      const first: { token: string } = await (
+        await req('/v1/admin/sandboxes/sbx_remint/token', { method: 'POST' })
+      ).json();
+      const second: { token: string } = await (
+        await req('/v1/admin/sandboxes/sbx_remint/token', { method: 'POST' })
+      ).json();
+      expect(first.token).not.toBe(second.token);
+
+      const stub = getSandboxRegistryStub(env.SANDBOX_REGISTRY_DO);
+      expect(await stub.lookupSandbox(first.token)).toBeNull();
+      expect(await stub.lookupSandbox(second.token)).toBe('sbx_remint');
+    });
+
+    it('rejects malformed sandboxId with 400', async () => {
+      const res = await req('/v1/admin/sandboxes/has%20spaces/token', { method: 'POST' });
+      expect(res.status).toBe(400);
+    });
+  });
+
+  describe('DELETE /v1/admin/sandboxes/:sandboxId/token', () => {
+    it('revokes a live token (204) and the token stops authenticating', async () => {
+      const minted: { token: string } = await (
+        await req('/v1/admin/sandboxes/sbx_revoke_1/token', { method: 'POST' })
+      ).json();
+
+      const del = await req('/v1/admin/sandboxes/sbx_revoke_1/token', { method: 'DELETE' });
+      expect(del.status).toBe(204);
+
+      const stub = getSandboxRegistryStub(env.SANDBOX_REGISTRY_DO);
+      expect(await stub.lookupSandbox(minted.token)).toBeNull();
+    });
+
+    it('404 when no token exists for that sandbox', async () => {
+      const res = await req('/v1/admin/sandboxes/sbx_never_minted/token', { method: 'DELETE' });
+      expect(res.status).toBe(404);
+    });
+
+    it('rejects malformed sandboxId with 400', async () => {
+      const res = await req('/v1/admin/sandboxes/a b/token', { method: 'DELETE' });
+      expect(res.status).toBe(400);
+    });
+  });
+});

services/kilo-chat/src/__tests__/auth.test.ts

@@ -3,135 +3,142 @@ import { Hono } from 'hono';
 import { signKiloToken } from '@kilocode/worker-utils';
 import { authMiddleware } from '../auth';
 import type { AuthContext } from '../auth';
+import { SANDBOX_TOKEN_PREFIX } from '../do/sandbox-registry-do';
+
+const TEST_JWT_SECRET = 'test-secret-that-is-long-enough-for-hs256';
+
+/**
+ * Minimal fake of the SandboxRegistryDO binding: tests supply a token→sandbox
+ * map and the fake's stub surfaces only `lookupSandbox` (the one method auth
+ * touches). Avoids pulling in cloudflare:test just to exercise middleware.
+ */
+function fakeRegistryBinding(tokens: Record<string, string>) {
+  const stub = {
+    lookupSandbox: async (token: string) => tokens[token] ?? null,
+  };
+  return {
+    idFromName: (_name: string) => ({ toString: () => 'fake-id' }),
+    get: (_id: unknown) => stub,
+  } as unknown;
+}
 
 type MockEnv = {
-  KILOCHAT_API_TOKEN: { get: () => Promise<string> };
   NEXTAUTH_SECRET: { get: () => Promise<string> };
+  SANDBOX_REGISTRY_DO: unknown;
 };
 
-const TEST_API_KEY = 'test-api-key';
-const TEST_JWT_SECRET = 'test-secret-that-is-long-enough-for-hs256';
+function makeEnv(tokens: Record<string, string> = {}): MockEnv {
+  return {
+    NEXTAUTH_SECRET: { get: async () => TEST_JWT_SECRET },
+    SANDBOX_REGISTRY_DO: fakeRegistryBinding(tokens),
+  };
+}
 
-function makeApp(_env: MockEnv) {
+function makeApp() {
   const app = new Hono<{ Bindings: MockEnv; Variables: AuthContext }>();
   app.use('*', authMiddleware);
   app.get('/test', c => c.json({ callerId: c.get('callerId'), callerKind: c.get('callerKind') }));
   return app;
 }
 
-const defaultEnv: MockEnv = {
-  KILOCHAT_API_TOKEN: { get: async () => TEST_API_KEY },
-  NEXTAUTH_SECRET: { get: async () => TEST_JWT_SECRET },
-};
-
 describe('authMiddleware', () => {
   it('returns 401 with no authorization header', async () => {
-    const app = makeApp(defaultEnv);
-    const res = await app.request('/test', {}, defaultEnv);
+    const env = makeEnv();
+    const res = await makeApp().request('/test', {}, env);
     expect(res.status).toBe(401);
-    const body = await res.json();
-    expect(body).toEqual({ error: 'Unauthorized' });
+    expect(await res.json()).toEqual({ error: 'Unauthorized' });
   });
 
-  it('authenticates with valid API key + sandbox header', async () => {
-    const app = makeApp(defaultEnv);
-    const res = await app.request(
+  it('authenticates a valid sandbox token and derives identity from the registry', async () => {
+    const sandboxToken = `${SANDBOX_TOKEN_PREFIX}valid-token-for-sandbox-A`;
+    const env = makeEnv({ [sandboxToken]: 'sandbox-A' });
+    const res = await makeApp().request(
       '/test',
-      {
-        headers: {
-          authorization: `Bearer ${TEST_API_KEY}`,
-          'x-kilo-sandbox-id': 'sandbox-abc123',
-        },
-      },
-      defaultEnv
+      { headers: { authorization: `Bearer ${sandboxToken}` } },
+      env
     );
     expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body).toEqual({
-      callerId: 'bot:kiloclaw:sandbox-abc123',
+    expect(await res.json()).toEqual({
+      callerId: 'bot:kiloclaw:sandbox-A',
       callerKind: 'bot',
     });
   });
 
-  it('returns 401 with valid API key but missing sandbox header', async () => {
-    const app = makeApp(defaultEnv);
-    const res = await app.request(
+  it('ignores x-kilo-sandbox-id - identity is derived from the token, never the header', async () => {
+    // A caller that knows a valid token for sandbox-A cannot impersonate
+    // sandbox-B by setting x-kilo-sandbox-id: sandbox-B. The header is not
+    // consulted at all by the new auth path.
+    const sandboxToken = `${SANDBOX_TOKEN_PREFIX}token-bound-to-sandbox-A`;
+    const env = makeEnv({ [sandboxToken]: 'sandbox-A' });
+    const res = await makeApp().request(
       '/test',
       {
         headers: {
-          authorization: `Bearer ${TEST_API_KEY}`,
+          authorization: `Bearer ${sandboxToken}`,
+          'x-kilo-sandbox-id': 'sandbox-B',
         },
       },
-      defaultEnv
+      env
     );
-    expect(res.status).toBe(401);
-    const body = await res.json();
-    expect(body).toEqual({ error: 'Unauthorized' });
+    expect(res.status).toBe(200);
+    expect(await res.json()).toMatchObject({ callerId: 'bot:kiloclaw:sandbox-A' });
   });
 
-  it('returns 401 with wrong API key and no valid JWT', async () => {
-    const app = makeApp(defaultEnv);
-    const res = await app.request(
+  it('returns 401 when a ksk_-prefixed token is unknown to the registry', async () => {
+    const env = makeEnv({}); // no tokens registered
+    const res = await makeApp().request(
       '/test',
-      {
-        headers: {
-          authorization: 'Bearer wrong-key',
-          'x-kilo-sandbox-id': 'sandbox-abc123',
-        },
-      },
-      defaultEnv
+      { headers: { authorization: `Bearer ${SANDBOX_TOKEN_PREFIX}unknown` } },
+      env
     );
     expect(res.status).toBe(401);
-    const body = await res.json();
-    expect(body).toEqual({ error: 'Unauthorized' });
+    expect(await res.json()).toEqual({ error: 'Unauthorized' });
   });
 
-  it('authenticates with valid JWT and sets callerId + callerKind', async () => {
+  it('authenticates with a valid JWT and sets user identity', async () => {
     const { token } = await signKiloToken({
       userId: 'user-xyz-789',
       pepper: null,
       secret: TEST_JWT_SECRET,
       expiresInSeconds: 3600,
     });
-
-    const app = makeApp(defaultEnv);
-    const res = await app.request(
+    const env = makeEnv();
+    const res = await makeApp().request(
       '/test',
-      {
-        headers: {
-          authorization: `Bearer ${token}`,
-        },
-      },
-      defaultEnv
+      { headers: { authorization: `Bearer ${token}` } },
+      env
     );
     expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body).toEqual({
+    expect(await res.json()).toEqual({
       callerId: 'user-xyz-789',
       callerKind: 'user',
     });
   });
 
-  it('returns 401 with expired JWT', async () => {
+  it('returns 401 with an expired JWT', async () => {
     const { token } = await signKiloToken({
       userId: 'user-xyz-789',
       pepper: null,
       secret: TEST_JWT_SECRET,
       expiresInSeconds: -1,
     });
+    const env = makeEnv();
+    const res = await makeApp().request(
+      '/test',
+      { headers: { authorization: `Bearer ${token}` } },
+      env
+    );
+    expect(res.status).toBe(401);
+    expect(await res.json()).toEqual({ error: 'Unauthorized' });
+  });
 
-    const app = makeApp(defaultEnv);
-    const res = await app.request(
+  it('returns 401 with a bearer token that is neither a sandbox token nor a valid JWT', async () => {
+    const env = makeEnv();
+    const res = await makeApp().request(
       '/test',
-      {
-        headers: {
-          authorization: `Bearer ${token}`,
-        },
-      },
-      defaultEnv
+      { headers: { authorization: 'Bearer not-a-jwt-and-not-ksk' } },
+      env
     );
     expect(res.status).toBe(401);
-    const body = await res.json();
-    expect(body).toEqual({ error: 'Unauthorized' });
   });
 });