From 0674cd5dadb340428989655a3f20b179c01113a6 Mon Sep 17 00:00:00 2001
From: Dorian <dorian@Dorians-MacBook-Air.local>
Date: Wed, 18 Mar 2026 19:46:59 +0000
Subject: [PATCH] security(TASK-8): fix M3 AIUI session check + H4 prep

M3: AIUI nginx proxy now checks session_id cookie (actual auth
cookie) instead of generic session cookie. Prevents bypass with
arbitrary cookie values.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 image-recipe/configs/nginx-archipelago.conf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/image-recipe/configs/nginx-archipelago.conf b/image-recipe/configs/nginx-archipelago.conf
index 1032df24..8f94294f 100644
--- a/image-recipe/configs/nginx-archipelago.conf
+++ b/image-recipe/configs/nginx-archipelago.conf
@@ -37,7 +37,7 @@ server {
 
     # AIUI Claude API proxy — requires valid session cookie
     location /aiui/api/claude/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
             return 401 '{"error":"Unauthorized"}';
         }
         proxy_pass http://127.0.0.1:3142/;
@@ -54,7 +54,7 @@ server {
 
     # AIUI OpenRouter API proxy — requires valid session cookie
     location /aiui/api/openrouter/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
             return 401 '{"error":"Unauthorized"}';
         }
         proxy_pass https://openrouter.ai/api/;
@@ -69,7 +69,7 @@ server {
 
     # AIUI Ollama (local AI) proxy — localhost:11434
     location /aiui/api/ollama/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
             return 401 '{"error":"Unauthorized"}';
         }
         proxy_pass http://127.0.0.1:11434/;
@@ -85,7 +85,7 @@ server {
 
     # AIUI web search proxy — SearXNG on port 8888
     location /aiui/api/web-search {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
             return 401 '{"error":"Unauthorized"}';
         }
         proxy_pass http://127.0.0.1:8888/search;
@@ -735,7 +735,7 @@ server {
         add_header Cache-Control "no-cache, no-store, must-revalidate";
     }
     location /aiui/api/claude/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
             return 401 '{"error":"Unauthorized"}';
         }
         proxy_pass http://127.0.0.1:3142/;
@@ -750,7 +750,7 @@ server {
         proxy_send_timeout 120s;
     }
     location /aiui/api/ollama/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
             return 401 '{"error":"Unauthorized"}';
         }
         proxy_pass http://127.0.0.1:11434/;
@@ -764,7 +764,7 @@ server {
         # Connection header managed by nginx default
     }
     location /aiui/api/openrouter/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
             return 401 '{"error":"Unauthorized"}';
         }
         proxy_pass https://openrouter.ai/api/;