Stop persisting session auth token in localStorage

## Problem
The auth store persists `token` to browser storage via Zustand `persist`.

## Code references
- `packages/client/src/stores/auth.ts`
  - `persist(...)` wrapper
  - `partialize` includes `token`

## Why it matters
If any XSS occurs, `localStorage`-stored bearer tokens are straightforward to exfiltrate, increasing account/session takeover risk.

## Proposed approach
- Remove `token` from persisted state (`partialize`).
- Keep token in-memory only, and rely on secure httpOnly cookie session or silent refresh endpoint for continuity.
- Preserve low-risk preferences in storage (`user` snapshot if needed, model prefs), but not bearer credentials.

## Acceptance criteria
- [ ] Persisted auth payload does not contain auth token.
- [ ] Reload/session restore still works via secure server-side session mechanism.
- [ ] Logout clears both in-memory auth state and any auth-related persisted remnants.
- [ ] Add regression test for “no token in persisted storage”.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stop persisting session auth token in localStorage #12

Problem

Code references

Why it matters

Proposed approach

Acceptance criteria

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Stop persisting session auth token in localStorage #12

Description

Problem

Code references

Why it matters

Proposed approach

Acceptance criteria

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions