Fix auth: serve UI without key, support ?apiKey= URL param

- Static files load without auth (UI handles it client-side)
- API routes still require X-API-Key header
- Also accept ?apiKey= query param for API calls
- UI reads key from URL on first load, saves to localStorage, cleans URL

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Ubuntu

src/public/index.html

@@ -730,7 +730,14 @@
 let sending = false;
 
 // --- API Key ---
-let apiKey = localStorage.getItem('apiKey') || '';
+// Pick up key from ?apiKey= param, then localStorage
+const urlKey = new URLSearchParams(location.search).get('apiKey');
+let apiKey = urlKey || localStorage.getItem('apiKey') || '';
+if (urlKey) {
+  localStorage.setItem('apiKey', urlKey);
+  // Clean URL so key isn't visible in address bar
+  history.replaceState(null, '', location.pathname);
+}
 
 function authHeaders(extra = {}) {
   return { 'X-API-Key': apiKey, ...extra };

src/server.ts

@@ -16,7 +16,7 @@ function requireApiKey(req: Request, res: Response, next: NextFunction): void {
     next();
     return;
   }
-  const provided = req.header("X-API-Key") ?? "";
+  const provided = req.header("X-API-Key") ?? req.query.apiKey ?? "";
   if (provided === API_KEY) {
     next();
     return;
@@ -29,10 +29,12 @@ app.get("/health", (_req: Request, res: Response) => {
   res.json({ status: "ok" });
 });
 
-// Static files and all API routes require the key
-app.use(requireApiKey);
+// Static files are public (UI handles auth via JS)
 app.use(express.static(path.join(__dirname, "public")));
 
+// API routes require the key
+app.use(requireApiKey);
+
 // Base directory where session working dirs live
 const BASE_DIR = path.resolve(process.env.BASE_DIR ?? path.join(process.cwd(), "workspaces"));