# Issue #194: Fix workspace ID transmission mismatch between API and client

## Objective

Fix the mismatch between how the API expects workspace IDs (header/param/body) and how the web client sends them (query string).

## Current State Analysis

Need to examine:

1. WorkspaceGuard implementation
2. Web client API calls
3. Consistent transmission strategy

## Approach

**Recommended: Use X-Workspace-Id header**

- Most consistent across all HTTP methods (GET/POST/PATCH/DELETE)
- Doesn't clutter URLs
- Standard practice for context/scope headers
- Easy to validate and extract

## Implementation Plan

- [x] Analyze current WorkspaceGuard implementation
- [x] Examine web client API calls
- [x] Write tests for workspace ID extraction (header, query, param, body)
- [x] Update WorkspaceGuard to check query string as fallback (priority 4)
- [x] Update web client to send X-Workspace-Id header (recommended)
- [x] Add validation tests for workspace isolation (11 tests passing)
- [x] Test cross-workspace access prevention (covered in existing tests)
- [x] Update web client tests (6 new tests for workspace ID handling)

## Changes Made

### API (WorkspaceGuard)

- Added query string support as fallback (priority 4 after header/param/body)
- Updated documentation to reflect all extraction methods
- Priority: Header > Param > Body > Query
- All tests passing (11 tests)

### Web Client

- Extended `apiRequest` to accept `workspaceId` option
- `workspaceId` is sent via `X-Workspace-Id` header (not query string)
- Updated all helper functions (apiGet, apiPost, apiPatch, apiDelete)
- Updated `fetchTasks` to use header instead of query parameter
- Added tests for workspace ID header transmission (6 new tests)
- All tests passing (494 tests)

## Testing Strategy

### Unit Tests

- WorkspaceGuard extracts workspace ID from all sources
- Workspace ID validation (UUID format)
- Missing workspace ID rejection

### Integration Tests

- Workspace isolation enforcement
- Cross-workspace access blocked
- All API routes respect workspace context

## Notes

- Need to maintain backward compatibility during transition
- Should support both header and query string initially
- Document preferred method (header)
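
The extraction order listed under Changes Made (Header > Param > Body > Query), combined with the UUID check and missing-ID rejection from the unit tests, shown as an added TypeScript example that is not the project's WorkspaceGuard code. `RequestLike`, `extractWorkspaceId`, the `workspaceId` field name, and the fail-closed handling of malformed or repeated values are assumptions of this example.

```typescript
// Added example; names here are hypothetical, not the project's WorkspaceGuard.
interface RequestLike {
  headers: Record<string, unknown>;
  params?: Record<string, unknown>;
  body?: Record<string, unknown> | null;
  query?: Record<string, unknown>;
}

interface Extraction {
  workspaceId: string | null; // null means the request must be rejected
  source: string | null;      // which location supplied the ID
  reason: string | null;      // why extraction failed, if it did
}

// Canonical 8-4-4-4-12 hex UUID; anything else is refused.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function reject(reason: string): Extraction {
  return { workspaceId: null, source: null, reason };
}

function extractWorkspaceId(req: RequestLike): Extraction {
  // Priority from the page: Header > Param > Body > Query.
  // Assumed: lowercased header keys (Node style) and a "workspaceId" field name.
  const candidates: Array<[string, unknown]> = [
    ["header", req.headers["x-workspace-id"]],
    ["param", req.params?.["workspaceId"]],
    ["body", req.body?.["workspaceId"]],
    ["query", req.query?.["workspaceId"]],
  ];
  for (const [source, value] of candidates) {
    if (value === undefined || value === null || value === "") continue;
    // Repeated headers or query keys parse to arrays: refuse, never pick one.
    if (typeof value !== "string") return reject(`${source}: not a single string`);
    // Assumed policy: a malformed higher-priority value fails closed and does
    // not fall through to a lower-priority source.
    if (!UUID_RE.test(value)) return reject(`${source}: not a UUID`);
    return { workspaceId: value.toLowerCase(), source, reason: null };
  }
  return reject("missing workspace ID");
}

// Constructed sample requests (not taken from the project).
const A = "11111111-1111-4111-8111-111111111111";
const B = "22222222-2222-4222-8222-222222222222";
console.log(extractWorkspaceId({ headers: { "x-workspace-id": A }, query: { workspaceId: B } }));
console.log(extractWorkspaceId({ headers: {}, query: { workspaceId: [A, B] } }));
```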