WF-038: Workstation Access URL Flow
Priority: P0 (Critical) | Phase: Phase 1C - Workstation Management | Effort: 8 hours
Overview
Generates signed access URL for running workstation with RBAC validation and audit logging.
Trigger: GET /workstation/{id}/access-url | Duration: ~500ms
Flow
- Validate RBAC (user owns workstation)
- Check workstation state = 'running'
- Generate signed URL (8h TTL, HMAC-SHA256)
- Audit log access attempt
- Return access URL
Testing
- RBAC enforced (user can only access own workstation)
- Signed URL works for 8 hours
- Expired URL rejected
- Not-running workstation returns 409
- Access logged in audit table
Status: ✅ Ready for Implementation