fix(web): disallow workspace-* roots without explicit localRoots

src/web/media.ts

@@ -52,6 +52,24 @@ async function assertLocalMediaAllowed(
   } catch {
     resolved = path.resolve(mediaPath);
   }
+
+  // Hardening: the default allowlist includes `os.tmpdir()`, and tests/CI may
+  // override the state dir into tmp. Avoid accidentally allowing per-agent
+  // `workspace-*` state roots via the tmpdir prefix match; require explicit
+  // localRoots for those.
+  if (localRoots === undefined) {
+    const workspaceRoot = roots.find((root) => path.basename(root) === "workspace");
+    if (workspaceRoot) {
+      const stateDir = path.dirname(workspaceRoot);
+      const rel = path.relative(stateDir, resolved);
+      if (rel && !rel.startsWith("..") && !path.isAbsolute(rel)) {
+        const firstSegment = rel.split(path.sep)[0] ?? "";
+        if (firstSegment.startsWith("workspace-")) {
+          throw new Error(`Local media path is not under an allowed directory: ${mediaPath}`);
+        }
+      }
+    }
+  }
   for (const root of roots) {
     let resolvedRoot: string;
     try {