diff --git a/server/internal/handler/daemon.go b/server/internal/handler/daemon.go
index 5dbe1ef3d..81d358a6d 100644
--- a/server/internal/handler/daemon.go
+++ b/server/internal/handler/daemon.go
@@ -1033,6 +1033,8 @@ func (h *Handler) GetIssueUsage(w http.ResponseWriter, r *http.Request) {
 }
 // GetIssueGCCheck returns minimal issue info needed by the daemon GC loop.
+// Gated on workspace access so a daemon token scoped to workspace A cannot
+// read issue metadata from workspace B via UUID enumeration.
 func (h *Handler) GetIssueGCCheck(w http.ResponseWriter, r *http.Request) {
 issueID := chi.URLParam(r, "issueId")
 issue, err := h.Queries.GetIssue(r.Context(), parseUUID(issueID))
@@ -1040,6 +1042,9 @@ func (h *Handler) GetIssueGCCheck(w http.ResponseWriter, r *http.Request) {
 writeError(w, http.StatusNotFound, "issue not found")
 return
 }
+ if !h.requireDaemonWorkspaceAccess(w, r, uuidToString(issue.WorkspaceID)) {
+ return
+ }
 writeJSON(w, http.StatusOK, map[string]any{
 "status": issue.Status,
 "updated_at": issue.UpdatedAt.Time,
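Review bot: The issue lookup in GetIssueGCCheck still runs before the new workspace gate in the second hunk, so the endpoint may remain an existence oracle: an unknown UUID gets 404 `"issue not found"`, while an issue in another workspace gets whatever `requireDaemonWorkspaceAccess` writes, and that helper's body is not visible in this diff. If it answers with 403 or a different message, a token scoped to workspace A can still tell which UUIDs exist in workspace B, which is the case the new doc comment says is closed. Consider making the denial indistinguishable from the not-found response and recording that in the comment, for example `// A denied request receives the same 404 as a missing issue`. A handler test that calls this route with a token for a different workspace and asserts the status code and the absence of `status` and `updated_at` in the body would pin the behaviour. The function body continues past the end of the hunk, and it is worth confirming that GetIssueUsage, named in the first hunk's header, applies the same gate.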