finding_id: REV-2026-001
priority: P0
area: security
kind: security
paths:
- web-ui/server.js
blocked_by: []
automation: needs-design
Summary
Restrict the Web UI server to loopback by default so normal startup does not expose the application to the local network.
Evidence
Global review finding REV-2026-001 identified that web-ui/server.js can bind outside loopback and that host selection used for port probing can diverge from the host used by the server.
Impact
An unintended non-loopback bind can expose the Web UI and its bridge-backed operations to unauthenticated remote clients on reachable interfaces.
Scope
Update host defaults, keep port probing and server binding on the same effective host, add explicit external-host opt-in handling, and add regression coverage.
Out of scope
Authentication, authorization, TLS, and unrelated Web UI functionality.
Acceptance criteria
- 默认只绑定
127.0.0.1 或显式配置的 loopback host
- 端口探测和实际 server 使用同一 host
- 外部 host 必须显式 opt-in,并有启动警告
- 增加局域网不可达/host 配置回归验证
Verification
Run server startup tests and an end-to-end socket check for default loopback, configured loopback, and explicit external-host opt-in behavior.
Rollback
Revert the host-default and validation changes while retaining regression tests for a follow-up fix.
Dependencies
None. Keep this issue labeled automation:needs-design; do not add automation:ready until design review is complete.
finding_id: REV-2026-001
priority: P0
area: security
kind: security
paths:
blocked_by: []
automation: needs-design
Summary
Restrict the Web UI server to loopback by default so normal startup does not expose the application to the local network.
Evidence
Global review finding REV-2026-001 identified that
web-ui/server.jscan bind outside loopback and that host selection used for port probing can diverge from the host used by the server.Impact
An unintended non-loopback bind can expose the Web UI and its bridge-backed operations to unauthenticated remote clients on reachable interfaces.
Scope
Update host defaults, keep port probing and server binding on the same effective host, add explicit external-host opt-in handling, and add regression coverage.
Out of scope
Authentication, authorization, TLS, and unrelated Web UI functionality.
Acceptance criteria
127.0.0.1或显式配置的 loopback hostVerification
Run server startup tests and an end-to-end socket check for default loopback, configured loopback, and explicit external-host opt-in behavior.
Rollback
Revert the host-default and validation changes while retaining regression tests for a follow-up fix.
Dependencies
None. Keep this issue labeled
automation:needs-design; do not addautomation:readyuntil design review is complete.