[ENG-3365] feat: area51 export-archive with host trust validation (#4440)

Depends on https://github.com/overmindtech/workspace/pull/4438

## Summary

Adds an `area51 export-archive` command to download production/dogfood
`ChangeArchive` data (protojson format), and hardens both CLIs against
credential exfiltration via untrusted `--app`/`--change` URLs.

### New command: `area51 export-archive`

- Downloads a full change archive by URL (`--change`) or UUID (`--uuid`)
- Supports OAuth device flow and API key authentication (`--api-key` /
`OVM_API_KEY`)
- Writes output with `0600` permissions to prevent other users from
reading production data
- Blocks cross-origin redirects to prevent bearer token leakage
- Caps error response body reads to 64 KiB to prevent memory exhaustion
from malicious servers

### Security: trusted host validation (shared libraries)

Addresses the SSRF-style credential exfiltration vector where a crafted
`--change` or `--app` URL could send API keys/OAuth tokens to
attacker-controlled hosts.

**`go/sdp-go`:**
- New `IsTrustedHost(host)` — validates against `*.overmind.tech`,
`*.overmind-demo.com`, and localhost (case-insensitive, port-aware)
- New `ValidateAppURL(url)` — enforces HTTPS for all non-localhost hosts
- `NewOvermindInstance` now calls `ValidateAppURL`, rejecting `http://`
for remote targets

**`go/cliauth`:**
- New `ConfirmUntrustedHost(appURL, hasAPIKey, stdin, writer)` — shared
interactive `[y/N]` prompt that warns users before sending credentials
to non-Overmind domains, with explicit mention of API key exposure when
relevant

**Both CLIs (`cli/cmd/root.go` +
`tools/area51-cli/cmd/export_archive.go`):**
- Call `cliauth.ConfirmUntrustedHost` before instance discovery,
blocking the flow where a crafted URL exfiltrates credentials

### Files changed

| Area | Files | What |
| --- | --- | --- |
| Shared: sdp-go | `host_trust.go`, `host_trust_test.go`,
`instance_detect.go` | Trusted host validation, HTTPS enforcement |
| Shared: cliauth | `cliauth.go`, `cliauth_test.go` | Untrusted host
confirmation prompt |
| Public CLI | `cli/cmd/root.go` | Trust check in `login()` gateway |
| Area51 CLI | `cmd/export_archive.go`, `cmd/export_archive_test.go`,
`cmd/auth.go`, `cmd/root.go` | New export-archive command with trust
check |
| Docs | `tools/area51-cli/README.md`, `.gitignore` | Usage docs and
ignore built binary |

## Test plan

- [x] `go test ./go/sdp-go/` — 37 cases for `IsTrustedHost`,
`IsLocalHost`, `ValidateAppURL` (including suffix-bypass attempts)
- [x] `go test ./go/cliauth/` — 11 cases for `ConfirmUntrustedHost`
(trusted skip, y/yes/YES/n/empty/other, API key warning)
- [x] `go test ./tools/area51-cli/cmd/` — parseChangeURL, download
permissions, cross-origin redirect blocking
- [x] `go build ./cli/...` and `go build ./tools/area51-cli/...` — both
compile cleanly

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches authentication/credential-handling paths and adds a new
production-data export command; mistakes could leak credentials or allow
unintended network targets despite the added safeguards.
>
> **Overview**
> Adds a new `area51 export-archive` CLI command to download protojson
`ChangeArchive` data by change URL or UUID, supporting OAuth device flow
or API key auth and writing outputs with `0600` permissions.
>
> Hardens both the public `overmind` CLI and `area51` CLI against
credential exfiltration by introducing trusted-host checks
(`sdp.IsTrustedHost`), enforcing HTTPS for non-local targets
(`sdp.ValidateAppURL` used by `NewOvermindInstance`), prompting on
untrusted hosts (`cliauth.ConfirmUntrustedHost`), and blocking
cross-origin redirects on authenticated HTTP clients.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
0bf77bdd51136e58cf2e401aca95a2dfe04ecf51. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: David Schmitt <david.schmitt@overmind.tech>
GitOrigin-RevId: 34b1ef18d86892017d9d5e667d784fb4a7e4fdde

Author: 2 people

cmd/root.go

@@ -508,9 +508,15 @@ func login(ctx context.Context, cmd *cobra.Command, scopes []string, writer io.W
 		multi = pterm.DefaultMultiPrinter.WithWriter(writer)
 	}
 
+	app := viper.GetString("app")
+	if err := cliauth.ConfirmUntrustedHost(app, viper.GetString("api-key") != "", os.Stdin, os.Stderr); err != nil {
+		_, _ = multi.Stop()
+		return ctx, sdp.OvermindInstance{}, nil, err
+	}
+
 	connectSpinner, _ := pterm.DefaultSpinner.WithWriter(multi.NewWriter()).Start("Connecting to Overmind")
 
-	oi, err := sdp.NewOvermindInstance(ctx, viper.GetString("app"))
+	oi, err := sdp.NewOvermindInstance(ctx, app)
 	if err != nil {
 		connectSpinner.Fail("Failed to get instance data from app")
 		_, _ = multi.Stop()
@@ -600,3 +606,4 @@ func getAppUrl(frontend, app string) string {
 	}
 	return app
 }
+

go/cliauth/cliauth.go

@@ -6,11 +6,14 @@
 package cliauth
 
 import (
+	"bufio"
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -32,6 +35,47 @@ type Logger interface {
 	Error(msg string, keysAndValues ...any)
 }
 
+// ConfirmUntrustedHost checks whether appURL points to a trusted Overmind host
+// (see [sdp.IsTrustedHost]). If not, it writes a warning to w and reads a
+// [y/N] confirmation from stdin. Returns nil when the host is trusted or the
+// user confirms; returns an error otherwise.
+//
+// Set hasAPIKey to true when an API key is configured so the warning can
+// mention that the key will be sent to the untrusted host.
+func ConfirmUntrustedHost(appURL string, hasAPIKey bool, stdin io.Reader, w io.Writer) error {
+	parsed, err := url.Parse(appURL)
+	if err != nil {
+		return fmt.Errorf("invalid app URL %q: %w", appURL, err)
+	}
+
+	if sdp.IsTrustedHost(parsed.Hostname()) {
+		return nil
+	}
+
+	credentialDetail := "OAuth tokens" //nolint:gosec // G101 false positive: this is a user-facing label, not a credential
+	if hasAPIKey {
+		credentialDetail = "your API key and OAuth tokens"
+	}
+
+	fmt.Fprintf(w, "\n  WARNING: The target host %q is not a known Overmind domain.\n", parsed.Hostname())
+	fmt.Fprintf(w, "  Credentials (%s) will be sent to this host.\n", credentialDetail)
+	fmt.Fprintf(w, "\n  Only continue if you trust this host.\n\n")
+	fmt.Fprintf(w, "  Continue? [y/N]: ")
+
+	reader := bufio.NewReader(stdin)
+	line, err := reader.ReadString('\n')
+	if err != nil && (!errors.Is(err, io.EOF) || len(line) == 0) {
+		return fmt.Errorf("failed to read confirmation: %w", err)
+	}
+
+	answer := strings.TrimSpace(strings.ToLower(line))
+	if answer != "y" && answer != "yes" {
+		return errors.New("aborted: untrusted host not confirmed")
+	}
+
+	return nil
+}
+
 // TokenFile represents the ~/.overmind/token.json file structure.
 // This format is shared between all Overmind CLI tools.
 type TokenFile struct {

go/cliauth/cliauth_test.go

@@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -458,6 +459,116 @@ func TestNoSliceMutationInScopeMerge(t *testing.T) {
 	}
 }
 
+func TestConfirmUntrustedHost_TrustedSkipsPrompt(t *testing.T) {
+	trustedURLs := []string{
+		"https://app.overmind.tech",
+		"https://df.overmind-demo.com",
+		"http://localhost:3000",
+		"http://127.0.0.1:8080",
+	}
+
+	for _, u := range trustedURLs {
+		t.Run(u, func(t *testing.T) {
+			err := ConfirmUntrustedHost(u, false, strings.NewReader(""), io.Discard)
+			if err != nil {
+				t.Errorf("Expected no prompt for trusted URL %q, got error: %v", u, err)
+			}
+		})
+	}
+}
+
+func TestConfirmUntrustedHost_UntrustedPrompts(t *testing.T) {
+	tests := []struct {
+		name      string
+		url       string
+		input     string
+		wantError bool
+		errMsg    string
+	}{
+		{
+			name:  "user confirms with y",
+			url:   "https://custom.example.com",
+			input: "y\n",
+		},
+		{
+			name:  "user confirms with yes",
+			url:   "https://custom.example.com",
+			input: "yes\n",
+		},
+		{
+			name:  "user confirms with YES (case insensitive)",
+			url:   "https://custom.example.com",
+			input: "YES\n",
+		},
+		{
+			name:      "user declines with n",
+			url:       "https://custom.example.com",
+			input:     "n\n",
+			wantError: true,
+			errMsg:    "aborted",
+		},
+		{
+			name:      "user declines with empty (default N)",
+			url:       "https://custom.example.com",
+			input:     "\n",
+			wantError: true,
+			errMsg:    "aborted",
+		},
+		{
+			name:      "user types something else",
+			url:       "https://custom.example.com",
+			input:     "maybe\n",
+			wantError: true,
+			errMsg:    "aborted",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ConfirmUntrustedHost(tt.url, false, strings.NewReader(tt.input), io.Discard)
+			if tt.wantError {
+				if err == nil {
+					t.Fatal("Expected error, got nil")
+				}
+				if tt.errMsg != "" && !strings.Contains(err.Error(), tt.errMsg) {
+					t.Errorf("Expected error containing %q, got: %v", tt.errMsg, err)
+				}
+			} else {
+				if err != nil {
+					t.Fatalf("Unexpected error: %v", err)
+				}
+			}
+		})
+	}
+}
+
+func TestConfirmUntrustedHost_PipedInputWithoutNewline(t *testing.T) {
+	// Simulates: echo -n y | area51 export-archive --change https://custom.example.com/changes/UUID
+	err := ConfirmUntrustedHost("https://custom.example.com", false, strings.NewReader("y"), io.Discard)
+	if err != nil {
+		t.Fatalf("Expected piped 'y' without newline to be accepted, got error: %v", err)
+	}
+
+	err = ConfirmUntrustedHost("https://custom.example.com", false, strings.NewReader("n"), io.Discard)
+	if err == nil {
+		t.Fatal("Expected piped 'n' without newline to be rejected")
+	}
+
+	err = ConfirmUntrustedHost("https://custom.example.com", false, strings.NewReader(""), io.Discard)
+	if err == nil {
+		t.Fatal("Expected empty piped input to be rejected")
+	}
+}
+
+func TestConfirmUntrustedHost_WarningMentionsAPIKey(t *testing.T) {
+	var buf strings.Builder
+	_ = ConfirmUntrustedHost("https://custom.example.com", true, strings.NewReader("n\n"), &buf)
+	output := buf.String()
+	if !strings.Contains(output, "API key") {
+		t.Errorf("Expected warning to mention API key when hasAPIKey=true, got: %s", output)
+	}
+}
+
 // createTestJWT creates a minimal JWT token for testing (no signature verification)
 func createTestJWT(scopes string) string {
 	header := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"

go/sdp-go/host_trust.go

@@ -0,0 +1,72 @@
+package sdp
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"slices"
+	"strings"
+)
+
+var trustedDomainSuffixes = []string{
+	".overmind.tech",
+	".overmind-demo.com",
+}
+
+var trustedExactDomains = []string{
+	"overmind.tech",
+	"overmind-demo.com",
+}
+
+// IsTrustedHost reports whether the given host (without port) belongs
+// to a known Overmind domain (*.overmind.tech, *.overmind-demo.com) or is a
+// local address. Callers should prompt for explicit user confirmation before
+// sending credentials to untrusted hosts.
+func IsTrustedHost(hostname string) bool {
+	hostname = strings.ToLower(hostname)
+
+	if IsLocalHost(hostname) {
+		return true
+	}
+
+	if slices.Contains(trustedExactDomains, hostname) {
+		return true
+	}
+
+	for _, suffix := range trustedDomainSuffixes {
+		if strings.HasSuffix(hostname, suffix) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// IsLocalHost reports whether the given host (without port) resolves
+// to a loopback address. HTTP (non-TLS) is only acceptable for local hosts.
+func IsLocalHost(hostname string) bool {
+	if hostname == "localhost" {
+		return true
+	}
+	ip := net.ParseIP(hostname)
+	return ip != nil && ip.IsLoopback()
+}
+
+// ValidateAppURL parses appURLString and enforces that non-local hosts use
+// HTTPS. It returns the parsed URL or an error.
+func ValidateAppURL(appURLString string) (*url.URL, error) {
+	appURL, err := url.Parse(appURLString)
+	if err != nil {
+		return nil, fmt.Errorf("invalid app URL %q: %w", appURLString, err)
+	}
+
+	if !IsLocalHost(appURL.Hostname()) && appURL.Scheme != "https" {
+		return nil, fmt.Errorf(
+			"HTTPS is required for non-local hosts (got %s://%s); "+
+				"use https:// or target localhost for development",
+			appURL.Scheme, appURL.Host,
+		)
+	}
+
+	return appURL, nil
+}

go/sdp-go/host_trust_test.go

@@ -0,0 +1,105 @@
+package sdp
+
+import "testing"
+
+func TestIsTrustedHost(t *testing.T) {
+	tests := []struct {
+		host    string
+		trusted bool
+	}{
+		// Trusted Overmind domains (callers must pass hostname without port)
+		{"app.overmind.tech", true},
+		{"api.overmind.tech", true},
+		{"overmind.tech", true},
+		{"df.overmind-demo.com", true},
+		{"staging.overmind-demo.com", true},
+		{"overmind-demo.com", true},
+
+		// Case insensitive
+		{"APP.OVERMIND.TECH", true},
+		{"DF.Overmind-Demo.Com", true},
+
+		// Localhost variants
+		{"localhost", true},
+		{"127.0.0.1", true},
+		{"127.0.0.2", true},
+		{"127.255.255.254", true},
+		{"::1", true},
+
+		// Untrusted domains
+		{"evil.com", false},
+		{"attacker.io", false},
+		{"overmind.tech.evil.com", false},
+		{"notovermind.tech", false},
+		{"fakeovermind-demo.com", false},
+		{"overmind-demo.com.evil.com", false},
+
+		// Sneaky substrings that should not match
+		{"xovermind.tech", false},
+		{"xovermind-demo.com", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.host, func(t *testing.T) {
+			got := IsTrustedHost(tt.host)
+			if got != tt.trusted {
+				t.Errorf("IsTrustedHost(%q) = %v, want %v", tt.host, got, tt.trusted)
+			}
+		})
+	}
+}
+
+func TestIsLocalHost(t *testing.T) {
+	tests := []struct {
+		host  string
+		local bool
+	}{
+		{"localhost", true},
+		{"127.0.0.1", true},
+		{"127.0.0.2", true},
+		{"127.255.255.254", true},
+		{"::1", true},
+		{"app.overmind.tech", false},
+		{"evil.com", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.host, func(t *testing.T) {
+			got := IsLocalHost(tt.host)
+			if got != tt.local {
+				t.Errorf("IsLocalHost(%q) = %v, want %v", tt.host, got, tt.local)
+			}
+		})
+	}
+}
+
+func TestValidateAppURL(t *testing.T) {
+	tests := []struct {
+		name    string
+		url     string
+		wantErr bool
+	}{
+		{"https production", "https://app.overmind.tech", false},
+		{"https dogfood", "https://df.overmind-demo.com", false},
+		{"http localhost", "http://localhost:3000", false},
+		{"http 127.0.0.1", "http://127.0.0.1:8080", false},
+		{"http ipv6 loopback", "http://[::1]", false},
+		{"http ipv6 loopback with port", "http://[::1]:8080", false},
+
+		// HTTP to non-local is rejected
+		{"http remote", "http://app.overmind.tech", true},
+		{"http evil", "http://evil.com", true},
+
+		// Invalid URL
+		{"invalid", "://bad", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := ValidateAppURL(tt.url)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ValidateAppURL(%q) error = %v, wantErr %v", tt.url, err, tt.wantErr)
+			}
+		})
+	}
+}