fix(bridge): require token when Bridge is enabled for security #408

Open: chenhg5 wants to merge 1 commit into main from fix/issue-403-bridge-security-defaults

chenhg5 commented Apr 1, 2026

Summary

  • Bridge server now requires token to be set unless insecure = true is explicitly configured
  • Added insecure config option for local development only
  • WebSocket origin check now validates against CORS origins or same-host
  • Clear error message and exit when token is missing

Root Cause

Issue #403 identified that when bridge.token is not set:

  1. authenticate() returned true for all requests
  2. WebSocket CheckOrigin always returned true
  3. Bridge server listened on all interfaces (:9810)

This allowed unauthenticated access to the Bridge API.

Changes

  • config/config.go: Added Insecure *bool field to BridgeConfig
  • core/bridge.go:
    • Added insecure field to BridgeServer
    • Added NewBridgeServerInsecure() for explicit local-dev mode
    • authenticate() now requires token unless insecure is true
    • Added checkOrigin() that validates against CORS origins or same-host
  • cmd/cc-connect/main.go: Check insecure flag and exit with error if token is missing
  • core/bridge_test.go: Updated tests to use insecure mode when testing without token

Breaking Change

Bridge with empty token now fails to start with error:

bridge: token is required when insecure mode is not enabled

For local development, add to config:

[bridge]
enabled = true
insecure = true  # Only for local dev!

Test plan

  • go build ./... passes
  • go vet ./... passes
  • go test ./core/... passes
  • Manual test: Bridge with token works correctly
  • Manual test: Bridge without token fails to start
  • Manual test: Bridge with insecure = true starts without token

🤖 Generated with Claude Code

Fixes #403
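
An added example, not code from this pull request or the project: the fail-closed startup check, token check and WebSocket origin check described above, written in Go. The `guard` type, `newGuard`, the `Authorization: Bearer` header and the pass-through for requests that carry no `Origin` header are assumptions; the page does not show how the real Bridge reads the token.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"slices"
	"strings"
)

// guard is a hypothetical stand-in for the bridge's auth state (not project code).
type guard struct {
	token       string
	insecure    bool
	corsOrigins []string
}

// newGuard fails closed: an empty token is accepted only when insecure is set.
func newGuard(token string, insecure bool, origins []string) (*guard, error) {
	if token == "" && !insecure {
		return nil, errors.New("bridge: token is required when insecure mode is not enabled")
	}
	return &guard{token: token, insecure: insecure, corsOrigins: origins}, nil
}

// authenticate assumes a Bearer header; with no token it returns g.insecure, never true.
func (g *guard) authenticate(r *http.Request) bool {
	if g.token == "" {
		return g.insecure
	}
	got, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
	return ok && subtle.ConstantTimeCompare([]byte(got), []byte(g.token)) == 1
}

// checkOrigin allows a listed CORS origin or same-host; no Origin (non-browser) passes.
func (g *guard) checkOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" || slices.Contains(g.corsOrigins, origin) {
		return true
	}
	u, err := url.Parse(origin)
	return err == nil && strings.EqualFold(u.Host, r.Host)
}

func main() {
	_, err := newGuard("", false, nil)
	fmt.Println(err)
}
```

The origin check only limits which browser pages can open the socket; the token check still has to run on every request.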

Security improvements:
- Bridge server now requires token to be set unless insecure mode is explicitly enabled
- Added `insecure` config option for local development only
- WebSocket origin check now validates against CORS origins or same-host
- Clear error message when token is missing

Breaking change: Bridge with empty token now fails to start.
For local dev, set `insecure = true` in [bridge] config.

Fixes #403

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
chenhg5 commented Apr 1, 2026

QA review: Ready to merge

Critical security fix for Bridge server.

Review summary:

Breaking change documented: Bridge with empty token now fails to start unless insecure = true is set.

Good security hardening for production deployments.

chenhg5 commented Apr 1, 2026

LGTM! This is a solid security fix for the Bridge server.

✅ Security: Token is now required unless insecure = true is explicitly set. No more accidental unauthenticated access.

✅ Implementation:

  • checkOrigin properly validates WebSocket origins against CORS origins or same host
  • authenticate returns bs.insecure when token is empty, not true
  • Clear error message and graceful exit when token is missing

✅ Breaking change handling: Clear documentation on how to configure insecure = true for local dev.

✅ Tests: Updated tests use insecure mode appropriately.

✅ CI: All checks pass.

Ready for merge.

chenhg5 left a comment

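QA review passed. Important security fix.

Review summary:

  • ✅ Bridge requires a token at startup (unless insecure=true is explicitly set)
  • ✅ Insecure mode is for local development only and logs a clear warning
  • ✅ On validation failure, returns nil and prints an error message
  • ✅ Documentation updated: config.go comments describe when the token is required
  • ✅ CI passes

Ready to merge (owner PR).

⚠️ Note: this is a security fix; merging as soon as possible is recommended.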

Development

Successfully merging this pull request may close these issues.

[Bug] Bridge security defaults are weaker than documented when token is unset