Issue
Hook endpoints accept auth tokens via a URL query parameter (see extractHookToken in hooks.js). As a result, tokens appear in:
- Server access logs
- Browser history
- Referrer headers
- Network monitoring tools
Impact
Token leakage via logs and caching.
Suggested Fix
- Log deprecation warning when tokens provided via query param
- Document header-only auth (Bearer/X-Clawdbot-Token) as the secure method
- Plan removal in future major version
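The following is an added sketch of what a header-first extractor with a deprecation warning could look like; it is not the project's hooks.js. The header names (Authorization: Bearer, X-Clawdbot-Token) come from this issue; the request shape (a Node http-style object with method, url and headers), the query parameter name token and the allowQueryParam option are assumptions for the example. Note that the warning logs the path without its query string and never the token itself, so the deprecation log does not become another leak channel.

```javascript
// Added example, not the project's own code. Assumes a Node http-style request
// object ({ method, url, headers }); header names are from the issue text,
// the query parameter name "token" is assumed.

// Deprecation messages are collected here as well as written to console.warn,
// so that callers (and tests) can check that the warning actually fired.
const deprecationLog = [];

function logDeprecation(req) {
  // Strip the query string before logging: the token must not end up in the
  // warning line, or the log becomes one more place the token leaks.
  const path = String(req.url).split("?")[0];
  const msg =
    `hooks: auth token passed via query parameter on ${req.method} ${path}; ` +
    "query-param tokens are deprecated, use Authorization: Bearer <token> " +
    "or X-Clawdbot-Token: <token>";
  deprecationLog.push(msg);
  console.warn(msg);
}

// Case-insensitive header lookup. Node lowercases incoming header names, but
// callers that build their own headers object may not.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Returns { token, source } where source is "bearer", "header", "query" or null.
// Headers always win over the query parameter; the query parameter is only
// consulted when allowQueryParam is true (the default during the deprecation
// period) and triggers a deprecation warning when used.
function extractHookToken(req, { allowQueryParam = true } = {}) {
  const headers = req.headers || {};

  const auth = getHeader(headers, "authorization");
  if (typeof auth === "string") {
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    if (m) return { token: m[1], source: "bearer" };
  }

  const custom = getHeader(headers, "x-clawdbot-token");
  if (typeof custom === "string" && custom.trim() !== "") {
    return { token: custom.trim(), source: "header" };
  }

  if (allowQueryParam) {
    // Base URL is only needed so that relative request paths parse.
    const url = new URL(String(req.url), "http://localhost");
    const q = url.searchParams.get("token");
    if (q) {
      logDeprecation(req);
      return { token: q, source: "query" };
    }
  }

  return { token: null, source: null };
}
```

Flipping allowQueryParam to false is the switch for the "removal in a future major version" step: header-only auth keeps working unchanged, and requests that still rely on ?token= fail closed instead of silently leaking.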
Found by
Automated security review (Nova/Claude)