
fix(connect): replace shared URL tokens with one-time grants#1246

Open: src-opn wants to merge 1 commit into dev from task/sec-17


src-opn (Collaborator) commented Mar 31, 2026

Summary

  • replace token-bearing remote connect links with single-use grants for both Den-issued handoffs and shared OpenWork workers
  • redeem grants before storing connection settings, and reject legacy invite links that still embed raw tokens in the URL
  • add a share-modal flow for creating one-time connect links while shifting the default shared access path to owner-scoped redemption

Testing

  • pnpm install
  • pnpm --filter @openwork/app typecheck
  • pnpm --filter openwork-server build && pnpm --filter openwork-server test
  • pnpm --filter @openwork-ee/den-web exec tsc --noEmit
  • pnpm --filter @openwork-ee/den-controller build
  • pnpm install --force && pnpm --filter @openwork/app build
  • pnpm --filter @openwork-ee/den-web build
  • pnpm --filter openwork-server build:bin
  • packaging/docker/dev-up.sh
  • HTTP smoke test for local OpenWork grant issue, exchange, mounted access, and single-use rejection
  • Chrome DevTools MCP: open Share -> Access workspace remotely, create a one-time link, then redeem it in an isolated browser context and verify the app lands on a clean /session URL with the redeemed workspace connection

vercel bot commented Mar 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| openwork-app | Ready | Preview, Comment | Mar 31, 2026 0:41am |
| openwork-den | Ready | Preview, Comment | Mar 31, 2026 0:41am |
| openwork-den-worker-proxy | Ready | Preview, Comment | Mar 31, 2026 0:41am |
| openwork-landing | Ready | Preview, Comment, Open in v0 | Mar 31, 2026 0:41am |
| openwork-share | Ready | Preview, Comment | Mar 31, 2026 0:41am |

github-actions (Contributor) commented

The following comment was made by an LLM, it may be inaccurate:

Prevent live worker credentials from leaking through connect links by redeeming single-use grants for both Den handoffs and shared OpenWork workers. This keeps deep links reusable for the flow while making token issuance happen only after the recipient opens the link.
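
The single-use behaviour this PR describes (issue a grant, redeem it once, mint the token only at redemption, reject links that still carry a raw token), as an added example that is not code from the PR or the OpenWork repository. `GrantStore`, `connectFromLink`, the `grant`/`token`/`access_token` query parameter names, the link host and the five-minute lifetime are all assumptions.

```javascript
// Added example. Every name here is hypothetical, not taken from the PR.
const GRANT_TTL_MS = 5 * 60 * 1000; // assumed lifetime; the PR states none
const LEGACY_TOKEN_PARAMS = ["token", "access_token"]; // assumed legacy names
// Older Node releases lack the global Web Crypto object.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

function randomId() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

class GrantStore {
  constructor(now = () => Date.now()) {
    this.now = now; // injectable clock so expiry can be tested
    this.grants = new Map(); // grant id -> { workspaceId, expiresAt }
  }
  // Owner side: the link carries only this grant; no token exists yet.
  issue(workspaceId) {
    const grant = randomId();
    this.grants.set(grant, { workspaceId, expiresAt: this.now() + GRANT_TTL_MS });
    return grant;
  }
  // Recipient side: delete before checking so a replay can never succeed.
  redeem(grant) {
    const entry = this.grants.get(grant);
    this.grants.delete(grant);
    if (!entry || entry.expiresAt <= this.now()) return null;
    return { workspaceId: entry.workspaceId, token: randomId() };
  }
}

// Client side: refuse legacy links, redeem, and only then store settings.
function connectFromLink(link, store, settings) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: "malformed-link" };
  }
  if (LEGACY_TOKEN_PARAMS.some((p) => url.searchParams.has(p))) {
    return { ok: false, reason: "legacy-token-link" };
  }
  const grant = url.searchParams.get("grant");
  const redeemed = grant ? store.redeem(grant) : null;
  if (!redeemed) return { ok: false, reason: "invalid-or-used-grant" };
  settings.set(redeemed.workspaceId, redeemed.token); // token never appeared in the URL
  return { ok: true, workspaceId: redeemed.workspaceId };
}
```

A production store would make the delete-and-read in `redeem` atomic across processes (for example a single conditional delete in the database); the in-memory `Map` only shows the ordering.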