Harden security, modularize API bootstrap, and fix scale SSE auth.

Block web access to sensitive paths, require API_TOKEN for mutations, encrypt GitHub issue credentials in .env, auto-provision tokens for same-origin clients, and pass api_token in scale relay URLs since EventSource cannot send headers.

Co-authored-by: Cursor <cursoragent@cursor.com>

api/scale_relay.php

@@ -8,6 +8,16 @@
  * Usage: GET /api/scale_relay.php?url=ws%3A%2F%2F192.168.1.100%3A8765
  */
 
+require_once __DIR__ . '/lib/env.php';
+require_once __DIR__ . '/lib/security.php';
+
+if (evershelfApiTokenRequired() && !evershelfApiTokenValid() && !evershelfIsSameOriginBrowser()) {
+    header('Content-Type: application/json; charset=utf-8');
+    http_response_code(401);
+    echo json_encode(['error' => 'unauthorized', 'api_token_required' => true]);
+    exit;
+}
+
 // ── Input validation ──────────────────────────────────────────────────────────
 $rawUrl = $_GET['url'] ?? '';
 
@@ -19,7 +29,7 @@ if (!preg_match('#^ws://[0-9a-zA-Z][\w.\-]*(:\d{1,5})?(/.*)?$#', $rawUrl)) {
 }
 
 $parsed = parse_url($rawUrl);
-$wsHost = $parsed['host'] ?? '';
+$wsHost = strtolower($parsed['host'] ?? '');
 $wsPort = (int)($parsed['port'] ?? 8765);
 $wsPath = ($parsed['path'] ?? '') ?: '/';
 
@@ -29,6 +39,12 @@ if (!$wsHost || $wsPort < 1 || $wsPort > 65535) {
     exit;
 }
 
+if (!evershelfScaleHostAllowed($wsHost)) {
+    header('Content-Type: text/event-stream');
+    echo 'data: ' . json_encode(['type' => 'error', 'message' => 'Gateway host not allowed']) . "\n\n";
+    exit;
+}
+
 // ── SSE headers ───────────────────────────────────────────────────────────────
 header('Content-Type: text/event-stream');
 header('Cache-Control: no-cache, no-store, must-revalidate');