Fix the CsrfGuard in ~/src/mosaic-stack to skip CSRF validation when the request is authenticated via Bearer token (Authorization header).

## Background

CSRF attacks exploit cookie-based authentication — a malicious site tricks the browser into sending authenticated cookies. When a client uses `Authorization: Bearer `, CSRF is not a valid attack vector because malicious sites cannot set or read Authorization headers. The CSRF guard should not fire for Bearer-authenticated API clients.

## File to Change

apps/api/src/common/guards/csrf.guard.ts

## What to Do

1. git checkout main && git pull --ff-only origin main
2. Create branch: fix/csrf-bearer-bypass
3. Read csrf.guard.ts carefully
4. Update `canActivate` to skip the CSRF check when the request has an `Authorization: Bearer` header
   - Extract the Authorization header
   - If it starts with "Bearer ", return true (skip CSRF — Bearer auth is not CSRF-vulnerable)
   - Otherwise, proceed with the existing CSRF token validation as-is
5. Do NOT change any other logic — surgical change only
6. Read auth.guard.ts to confirm you are using the same header extraction pattern for consistency

## Completion Requirements (MANDATORY)

1. Run quality gates: pnpm turbo lint typecheck --filter=@mosaic/api
2. Run tests: pnpm --filter @mosaic/api test -- --run
3. Review the change: confirm existing CSRF tests still pass, confirm the Bearer bypass is correct
4. Commit: "fix(api): skip CSRF for Bearer-authenticated requests"
5. Push branch
6. Create PR: ~/.config/mosaic/tools/git/pr-create.sh -t "fix(api): skip CSRF for Bearer-authenticated API clients" -b "CSRF protection is only relevant for cookie-based sessions. Requests using Authorization: Bearer are not CSRF-vulnerable — malicious sites cannot inject Authorization headers. This change skips CSRF validation when a Bearer token is present, enabling programmatic API access from agents and service accounts."
When completely finished, run: openclaw system event --text "Done: CSRF Bearer bypass PR ready for review" --mode now
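The shape of the change in step 4, as an added framework-agnostic sketch (not the project's csrf.guard.ts). It assumes a request object with lower-cased `headers`, `method` and `cookies`, and that the existing validation is a double-submit comparison of an `x-csrf-token` header against a `csrf_token` cookie; the actual guard in apps/api may use different names and a NestJS `ExecutionContext`.

```typescript
// Added example: Bearer skip in front of an unchanged CSRF token check.
type Request = {
  method: string;
  headers: Record<string, string | string[] | undefined>;
  cookies: Record<string, string | undefined>;
};

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

/** Authorization header as a single string (assumed header extraction pattern). */
export function getAuthorizationHeader(req: Request): string | undefined {
  const raw = req.headers["authorization"];
  return Array.isArray(raw) ? raw[0] : raw;
}

/** True only for "Bearer <non-empty token>"; a bare "Bearer " falls through to CSRF. */
export function isBearerAuthenticated(req: Request): boolean {
  const value = getAuthorizationHeader(req);
  if (!value) return false;
  // Scheme names are case-insensitive per RFC 9110; the token itself must be present.
  return /^Bearer\s+\S+$/i.test(value.trim());
}

function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

export class CsrfGuard {
  constructor(
    private readonly tokenHeader = "x-csrf-token",
    private readonly tokenCookie = "csrf_token",
  ) {}

  canActivate(req: Request): boolean {
    // A cross-origin page cannot attach an Authorization header without a CORS
    // preflight the API must explicitly allow, so the cookie-based check does not
    // apply. This is only safe if the auth guard rejects an invalid Bearer token
    // instead of falling back to the session cookie.
    if (isBearerAuthenticated(req)) return true;
    return this.validateCsrfToken(req);
  }

  /** Existing double-submit validation, left as-is by the fix (assumed shape). */
  private validateCsrfToken(req: Request): boolean {
    if (SAFE_METHODS.has(req.method.toUpperCase())) return true;
    const fromHeader = req.headers[this.tokenHeader];
    const fromCookie = req.cookies[this.tokenCookie];
    if (typeof fromHeader !== "string" || !fromHeader || !fromCookie) return false;
    return constantTimeEqual(fromHeader, fromCookie);
  }
}
```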