Unify API keys around workspace scope with per-mount permissions

- Collapse MCP and CLI tokens into one workspace-composition-scoped API
  key. Auth dispatch is now by token prefix so the same key works for
  both the MCP server and the CLI HTTP API.
- Add per-mount capabilities on workspace keys so /skills can be
  read-only while /memory is read-write on the same key. Validated
  against the composition manifest at create time.
- New POST /v2/workspaces/:id/api-keys endpoint; MCP server resolves the
  composition manifest on auth and routes file_* tool calls by path
  prefix to the matching volume, enforcing per-mount capability.
- Frontend: rename MCP -> API Keys (sidebar, route alias at /api-keys),
  drop the Access Type radio, single workspace composition picker, per-
  volume permission picker. Drop the Type column; scope = Workspace or
  Control plane. Filter via dropdown next to Local/Create. Workspace
  profile gets a Settings-tab API keys summary; volume Settings keys
  panel removed.
- MountsSection Add Volumes dialog now has one permission dropdown per
  row instead of a single global setting.
- Read-only mount enforcement: fullReconciler.execUpload rejects writes
  for readonly daemons (the real source of the silent-import bug);
  mount reconcile planner downgrades local-side ops to Skipped on
  readonly and resolves remote-wins conflicts as redownloads; daemon
  chmods the mount root to 0o555 after initial sync so shell writes
  fail with EACCES.
- Misc: remove "Agent search tools are built in" notice + MCP Endpoint
  panel from API Keys page (endpoint lives at /mcp/connect); drop the
  "Mounted" tag from the Filesystem table; update empty-state hero copy.
- Plan doc at plans/api-keys-unification.md captures the design pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: rowantrollope

cmd/afs/mount_reconcile.go

@@ -93,7 +93,7 @@ func buildMountReconcilePlan(ctx context.Context, d *syncDaemon) (mountReconcile
 		r, rok := remote[path]
 		switch {
 		case lok && !rok:
-			plan.addLocalOnly(path, l, d.cfg.MaxFileBytes)
+			plan.addLocalOnly(path, l, d.cfg.MaxFileBytes, d.cfg.Readonly)
 		case !lok && rok:
 			plan.DownloadCount++
 			plan.Operations = append(plan.Operations, mountReconcileOperation{
@@ -138,7 +138,21 @@ func (p mountReconcilePlan) requiresConfirmation() bool {
 	return p.ImportCount > 0 || p.UploadCount > 0 || p.DownloadCount > 0 || p.SkippedCount > 0
 }
 
-func (p *mountReconcilePlan) addLocalOnly(path string, meta observedMeta, maxFileBytes int64) {
+func (p *mountReconcilePlan) addLocalOnly(path string, meta observedMeta, maxFileBytes int64, readonly bool) {
+	if readonly {
+		// Read-only mounts never push local changes upstream. Surface the
+		// local file in the plan as a skip so the user knows it will stay
+		// local-only (and can move it aside if they actually meant to add it
+		// to the workspace).
+		p.SkippedCount++
+		p.Operations = append(p.Operations, mountReconcileOperation{
+			Code:    "S",
+			Path:    path,
+			Kind:    meta.kind,
+			Details: "local only; mount is read-only — file stays local and is not uploaded",
+		})
+		return
+	}
 	if meta.kind == "file" && maxFileBytes > 0 && meta.size > maxFileBytes {
 		p.SkippedCount++
 		p.Operations = append(p.Operations, mountReconcileOperation{
@@ -177,7 +191,7 @@ func buildKnownMountReconcilePlan(ctx context.Context, d *syncDaemon, local, rem
 				})
 				continue
 			}
-			plan.addKnownUpload(path, l, d.cfg.MaxFileBytes)
+			plan.addKnownUpload(path, l, d.cfg.MaxFileBytes, d.cfg.Readonly)
 		case !lok && rok:
 			if hasStored && stored.Deleted {
 				if r.kind == "dir" && mountRemoteDirHasLiveDescendants(path, remote, st.Entries) {
@@ -190,6 +204,16 @@ func buildKnownMountReconcilePlan(ctx context.Context, d *syncDaemon, local, rem
 					})
 					continue
 				}
+				if d.cfg.Readonly {
+					plan.SkippedCount++
+					plan.Operations = append(plan.Operations, mountReconcileOperation{
+						Code:    "S",
+						Path:    path,
+						Kind:    r.kind,
+						Details: "local deletion pending; mount is read-only — remote kept and will be redownloaded",
+					})
+					continue
+				}
 				plan.DeleteRemoteCount++
 				plan.Operations = append(plan.Operations, mountReconcileOperation{
 					Code:    "DR",
@@ -200,6 +224,20 @@ func buildKnownMountReconcilePlan(ctx context.Context, d *syncDaemon, local, rem
 				continue
 			}
 			if hasStored {
+				if d.cfg.Readonly {
+					// Read-only mounts treat the remote as source of truth. Any
+					// state where remote exists and local is gone — whether or
+					// not the remote also changed — resolves to a redownload,
+					// never a "local deleted" / conflict.
+					plan.DownloadCount++
+					plan.Operations = append(plan.Operations, mountReconcileOperation{
+						Code:    "D",
+						Path:    path,
+						Kind:    r.kind,
+						Details: "local deleted while mount is read-only — redownload from workspace",
+					})
+					continue
+				}
 				if observedChangedFromStored(r, stored, false) {
 					plan.addConflict(path, "local deleted while remote changed")
 					continue
@@ -231,6 +269,19 @@ func buildKnownMountReconcilePlan(ctx context.Context, d *syncDaemon, local, rem
 					plan.Baseline[path] = entry
 					continue
 				}
+				if d.cfg.Readonly {
+					// Read-only mounts let the remote win without prompting; the
+					// local divergence is preserved as a conflict-copy by the
+					// downloader.
+					plan.DownloadCount++
+					plan.Operations = append(plan.Operations, mountReconcileOperation{
+						Code:    "D",
+						Path:    path,
+						Kind:    r.kind,
+						Details: "mount is read-only — redownload remote, keep local as conflict-copy",
+					})
+					continue
+				}
 				plan.addConflict(path, detail)
 				continue
 			}
@@ -240,7 +291,7 @@ func buildKnownMountReconcilePlan(ctx context.Context, d *syncDaemon, local, rem
 			case !localChanged && !remoteChanged:
 				plan.SameCount++
 			case localChanged && !remoteChanged:
-				plan.addKnownUpload(path, l, d.cfg.MaxFileBytes)
+				plan.addKnownUpload(path, l, d.cfg.MaxFileBytes, d.cfg.Readonly)
 			case !localChanged && remoteChanged:
 				plan.DownloadCount++
 				plan.Operations = append(plan.Operations, mountReconcileOperation{
@@ -250,6 +301,17 @@ func buildKnownMountReconcilePlan(ctx context.Context, d *syncDaemon, local, rem
 					Details: "remote changed while unmounted; download to local folder",
 				})
 			default:
+				if d.cfg.Readonly {
+					// Both diverged but read-only mounts always defer to remote.
+					plan.DownloadCount++
+					plan.Operations = append(plan.Operations, mountReconcileOperation{
+						Code:    "D",
+						Path:    path,
+						Kind:    r.kind,
+						Details: "mount is read-only — redownload remote, keep local as conflict-copy",
+					})
+					continue
+				}
 				entry, same, _, err := mountBaselineEntry(ctx, d, path, l, r, now)
 				if err != nil {
 					return mountReconcilePlan{}, err
@@ -266,7 +328,20 @@ func buildKnownMountReconcilePlan(ctx context.Context, d *syncDaemon, local, rem
 	return plan, nil
 }
 
-func (p *mountReconcilePlan) addKnownUpload(path string, meta observedMeta, maxFileBytes int64) {
+func (p *mountReconcilePlan) addKnownUpload(path string, meta observedMeta, maxFileBytes int64, readonly bool) {
+	if readonly {
+		// Read-only mounts can't push their local edits back. Mark as skipped
+		// so the user sees that the local divergence is intentional and the
+		// remote stays the source of truth.
+		p.SkippedCount++
+		p.Operations = append(p.Operations, mountReconcileOperation{
+			Code:    "S",
+			Path:    path,
+			Kind:    meta.kind,
+			Details: "local changed while unmounted; mount is read-only — local divergence kept, remote unchanged",
+		})
+		return
+	}
 	if meta.kind == "file" && maxFileBytes > 0 && meta.size > maxFileBytes {
 		p.SkippedCount++
 		p.Operations = append(p.Operations, mountReconcileOperation{

cmd/afs/sync_daemon.go

@@ -177,6 +177,16 @@ func (d *syncDaemon) start(ctx context.Context, onProgress ProgressFunc, skipRec
 			cancel()
 			return fmt.Errorf("initial reconcile: %w", err)
 		}
+		if d.cfg.Readonly {
+			// Lock down the mount root so user shells can't add new top-level
+			// files into a read-only volume. We can't blanket-chmod the whole
+			// tree without breaking subsequent steady-state downloads into
+			// existing subdirs; locking the root catches the most common
+			// "echo > file.txt in a readonly mount" mistake.
+			if err := os.Chmod(d.cfg.LocalRoot, 0o555); err != nil {
+				fmt.Fprintf(os.Stderr, "afs sync: chmod read-only mount root %s: %v\n", d.cfg.LocalRoot, err)
+			}
+		}
 	}
 
 	d.startQueryIndexWorker(dctx)

cmd/afs/sync_full_reconciler.go

@@ -926,6 +926,14 @@ func (f *fullReconciler) execDeleteRemote(ctx context.Context, a syncAction) err
 }
 
 func (f *fullReconciler) execUpload(ctx context.Context, a syncAction) error {
+	if f.r.readonly {
+		// Read-only mounts must never push local changes back to the workspace.
+		// The mount reconcile planner already downgrades imports/uploads to
+		// "skipped" so users see this in the plan; this is the runtime guard
+		// for any path that schedules an upload directly.
+		fmt.Fprintf(os.Stderr, "afs sync: skipping upload of %s — mount is read-only\n", a.path)
+		return nil
+	}
 	data, err := os.ReadFile(a.absPath)
 	if err != nil {
 		if os.IsNotExist(err) {

internal/controlplane/auth.go

@@ -73,6 +73,11 @@ type AuthIdentity struct {
 	ScopedWorkspace   string
 	MCPProfile        string
 	Readonly          bool
+	// WorkspaceMountCapabilities is set for workspace-scoped MCP tokens. It
+	// maps volume_id → capability (ro/rw/rw-checkpoint) for the volumes
+	// mounted in the bound Agent Workspace composition. The MCP server and CLI
+	// HTTP middleware use this map to enforce per-mount access.
+	WorkspaceMountCapabilities map[string]string
 }
 
 type authRuntimeConfigResponse struct {
@@ -355,7 +360,13 @@ func (a *AuthHandler) DeleteCurrentIdentity(ctx context.Context) error {
 
 func (a *AuthHandler) authenticate(r *http.Request) (*AuthIdentity, error) {
 	if bearer, ok := bearerTokenFromRequest(r); ok {
-		if isMCPTokenAuthPath(r.URL.Path) {
+		// Dispatch by token prefix so a single workspace-scoped key works for
+		// both the MCP server and the CLI HTTP API. afs_mcp_* and afs_cp_*
+		// are MCP/control-plane tokens; afs_cli_* is the legacy CLI token
+		// kept for onboarding bootstrap.
+		switch {
+		case strings.HasPrefix(bearer, mcpAccessTokenPrefix+"_"),
+			strings.HasPrefix(bearer, mcpControlPlaneTokenPrefix+"_"):
 			if a.mcpAuthenticate == nil {
 				return nil, ErrUnauthorized
 			}
@@ -364,13 +375,28 @@ func (a *AuthHandler) authenticate(r *http.Request) (*AuthIdentity, error) {
 				return nil, ErrUnauthorized
 			}
 			return identity, nil
-		}
-		if a.cliAuthenticate != nil {
+		case strings.HasPrefix(bearer, cliAccessTokenPrefix+"_"):
+			if a.cliAuthenticate == nil {
+				return nil, ErrUnauthorized
+			}
 			identity, err := a.cliAuthenticate(r.Context(), bearer)
 			if err != nil {
 				return nil, ErrUnauthorized
 			}
 			return identity, nil
+		default:
+			// Unknown prefix: try MCP first, then CLI as a fallback.
+			if a.mcpAuthenticate != nil {
+				if identity, err := a.mcpAuthenticate(r.Context(), bearer); err == nil {
+					return identity, nil
+				}
+			}
+			if a.cliAuthenticate != nil {
+				if identity, err := a.cliAuthenticate(r.Context(), bearer); err == nil {
+					return identity, nil
+				}
+			}
+			return nil, ErrUnauthorized
 		}
 	}
 	if a == nil || a.mode() == AuthModeNone {

internal/controlplane/catalog.go

@@ -174,6 +174,7 @@ func (c *workspaceCatalog) migrate(ctx context.Context) error {
 			profile TEXT NOT NULL DEFAULT '',
 			template_slug TEXT NOT NULL DEFAULT '',
 			readonly INTEGER NOT NULL DEFAULT 0,
+			mount_capabilities TEXT NOT NULL DEFAULT '',
 			secret_hash TEXT NOT NULL,
 			secret TEXT NOT NULL DEFAULT '',
 			created_at TEXT NOT NULL,
@@ -217,6 +218,7 @@ func (c *workspaceCatalog) migrate(ctx context.Context) error {
 			`ALTER TABLE mcp_access_tokens ADD COLUMN IF NOT EXISTS secret TEXT NOT NULL DEFAULT ''`,
 			`ALTER TABLE mcp_access_tokens ADD COLUMN IF NOT EXISTS scope TEXT NOT NULL DEFAULT ''`,
 			`ALTER TABLE mcp_access_tokens ADD COLUMN IF NOT EXISTS capability TEXT NOT NULL DEFAULT ''`,
+			`ALTER TABLE mcp_access_tokens ADD COLUMN IF NOT EXISTS mount_capabilities TEXT NOT NULL DEFAULT ''`,
 			`UPDATE cli_access_tokens SET scope = 'account' WHERE scope = ''`,
 			`UPDATE cli_access_tokens SET capability = 'account' WHERE capability = ''`,
 			`CREATE INDEX IF NOT EXISTS idx_cli_access_tokens_scope ON cli_access_tokens(scope)`,
@@ -255,6 +257,7 @@ func (c *workspaceCatalog) migrate(ctx context.Context) error {
 		`ALTER TABLE mcp_access_tokens ADD COLUMN secret TEXT NOT NULL DEFAULT ''`,
 		`ALTER TABLE mcp_access_tokens ADD COLUMN scope TEXT NOT NULL DEFAULT ''`,
 		`ALTER TABLE mcp_access_tokens ADD COLUMN capability TEXT NOT NULL DEFAULT ''`,
+		`ALTER TABLE mcp_access_tokens ADD COLUMN mount_capabilities TEXT NOT NULL DEFAULT ''`,
 	}
 	for _, statement := range sqliteAlterations {
 		if _, err := c.execContext(ctx, statement); err != nil && !strings.Contains(strings.ToLower(err.Error()), "duplicate column name") {

internal/controlplane/catalog_store.go

@@ -57,7 +57,9 @@ type catalogStore interface {
 
 	CreateCLIAccessToken(ctx context.Context, item cliAccessTokenRecord) error
 	GetCLIAccessToken(ctx context.Context, tokenID string) (cliAccessTokenRecord, error)
+	ListAllCLIAccessTokens(ctx context.Context) ([]cliAccessTokenRecord, error)
 	TouchCLIAccessToken(ctx context.Context, tokenID, lastUsedAt string) error
+	RevokeCLIAccessTokenByID(ctx context.Context, tokenID, revokedAt string) error
 	RevokeCLIAccessTokensByOwner(ctx context.Context, ownerSubject, revokedAt string) error
 
 	CreateMCPAccessToken(ctx context.Context, item mcpAccessTokenRecord) error

internal/controlplane/cli_token_catalog.go

@@ -88,13 +88,49 @@ func (c *workspaceCatalog) GetCLIAccessToken(ctx context.Context, tokenID string
 	return items[0], nil
 }
 
+func (c *workspaceCatalog) ListAllCLIAccessTokens(ctx context.Context) ([]cliAccessTokenRecord, error) {
+	rows, err := c.queryContext(ctx, c.rebind(`SELECT
+		id,
+		name,
+		owner_subject,
+		owner_label,
+		database_id,
+		workspace_id,
+		workspace_name,
+		scope,
+		capability,
+		secret_hash,
+		created_at,
+		last_used_at,
+		expires_at,
+		revoked_at
+	FROM cli_access_tokens
+	WHERE revoked_at = ''
+	ORDER BY created_at DESC`))
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	return scanCLIAccessTokenRows(rows)
+}
+
 func (c *workspaceCatalog) TouchCLIAccessToken(ctx context.Context, tokenID, lastUsedAt string) error {
 	_, err := c.execContext(ctx, c.rebind(`UPDATE cli_access_tokens
 		SET last_used_at = ?
 		WHERE id = ?`), strings.TrimSpace(lastUsedAt), strings.TrimSpace(tokenID))
 	return err
 }
 
+func (c *workspaceCatalog) RevokeCLIAccessTokenByID(ctx context.Context, tokenID, revokedAt string) error {
+	_, err := c.execContext(ctx, c.rebind(`UPDATE cli_access_tokens
+		SET revoked_at = ?
+		WHERE id = ? AND revoked_at = ''`),
+		strings.TrimSpace(revokedAt),
+		strings.TrimSpace(tokenID),
+	)
+	return err
+}
+
 func (c *workspaceCatalog) RevokeCLIAccessTokensByOwner(ctx context.Context, ownerSubject, revokedAt string) error {
 	_, err := c.execContext(ctx, c.rebind(`UPDATE cli_access_tokens
 		SET revoked_at = ?

internal/controlplane/cli_tokens.go

@@ -199,6 +199,58 @@ func (m *DatabaseManager) createCLIAccessTokenRecordWithOptions(ctx context.Cont
 	return response, nil
 }
 
+// ListAllCLIAccessTokens returns every active CLI access token owned by the
+// caller's subject. Mirrors the MCP token list shape so the dashboard can
+// merge both into one view.
+func (m *DatabaseManager) ListAllCLIAccessTokens(ctx context.Context) ([]cliAccessTokenResponse, error) {
+	if m == nil || m.catalog == nil {
+		return nil, fmt.Errorf("cli token storage is unavailable")
+	}
+	subject := authSubjectFromContext(ctx)
+	items, err := m.catalog.ListAllCLIAccessTokens(ctx)
+	if err != nil {
+		return nil, err
+	}
+	out := make([]cliAccessTokenResponse, 0, len(items))
+	for _, item := range items {
+		ownerSubject := strings.TrimSpace(item.OwnerSubject)
+		if subject != "" && ownerSubject != "" && ownerSubject != subject {
+			continue
+		}
+		// Bootstrap onboarding tokens (account scope, no workspace) are
+		// internal credentials; hide them from the dashboard list.
+		if isAccountCLIScope(item.Scope) {
+			continue
+		}
+		out = append(out, cliAccessTokenResponseFromRecord(item))
+	}
+	return out, nil
+}
+
+// RevokeCLIAccessToken marks a CLI token revoked. Scoped to the caller's
+// subject so users cannot revoke tokens belonging to others.
+func (m *DatabaseManager) RevokeCLIAccessToken(ctx context.Context, tokenID string) error {
+	if m == nil || m.catalog == nil {
+		return fmt.Errorf("cli token storage is unavailable")
+	}
+	tokenID = strings.TrimSpace(tokenID)
+	if tokenID == "" {
+		return os.ErrNotExist
+	}
+	record, err := m.catalog.GetCLIAccessToken(ctx, tokenID)
+	if err != nil {
+		return err
+	}
+	if strings.TrimSpace(record.RevokedAt) != "" {
+		return os.ErrNotExist
+	}
+	subject := authSubjectFromContext(ctx)
+	if subject != "" && strings.TrimSpace(record.OwnerSubject) != "" && strings.TrimSpace(record.OwnerSubject) != subject {
+		return os.ErrNotExist
+	}
+	return m.catalog.RevokeCLIAccessTokenByID(ctx, tokenID, time.Now().UTC().Format(timeRFC3339))
+}
+
 func (m *DatabaseManager) AuthenticateCLIAccessToken(ctx context.Context, rawToken string) (cliAccessTokenRecord, error) {
 	if m == nil || m.catalog == nil {
 		return cliAccessTokenRecord{}, ErrCLIAccessTokenInvalid