security-auditor f3187ea0c1 fix(workspace-server): default-bind to 127.0.0.1 in dev-mode fail-open ... In dev mode (`MOLECULE_ENV=dev|development`, `ADMIN_TOKEN` unset) the AdminAuth chain fails open by design so canvas at :3000 can call workspace-server at :8080 without a bearer token. Combined with the existing wildcard bind on `:8080`, that exposed unauthenticated `POST /workspaces` to any same-LAN peer (S-8 in the audit RFC v1). Couple the bind narrowness to the same signal that drives the auth fail-open: when `middleware.IsDevModeFailOpen()` returns true, default the listener to `127.0.0.1`. Production (`ADMIN_TOKEN` set) keeps binding to all interfaces — its auth chain is doing the work. Operators who need LAN exposure set `BIND_ADDR=<host>` explicitly. * `cmd/server/main.go` — `resolveBindHost()` precedence: BIND_ADDR explicit > IsDevModeFailOpen() loopback > "" (all interfaces). Startup log line now includes the resolved bind + dev-mode-fail-open state for post-deploy auditing. * `cmd/server/bind_test.go` — 8 t.Setenv table cases covering precedence, explicit overrides, dev/prod env words. Mutation-tested: removing the `IsDevModeFailOpen()` branch makes the dev-mode cases fail with "" vs "127.0.0.1". Refs: molecule-core#7 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-05-06 22:29:24 -07:00
..
bind_test.go	fix(workspace-server): default-bind to 127.0.0.1 in dev-mode fail-open	2026-05-06 22:29:24 -07:00
cp_config_test.go	feat(ws-server): pull env from CP on startup	2026-04-19 02:41:15 -07:00
cp_config.go	fix(go): replace $1 literal with resp.Body.Close() in 7 files (#1247)	2026-04-21 03:18:21 +00:00
dotenv_test.go	fix(dotenv): empty value with inline comment was returning the comment	2026-04-24 21:17:21 -07:00
dotenv.go	fix(canvas,dotenv): review-driven hardening of fit gate + parser parity	2026-04-24 22:23:51 -07:00
main.go	fix(workspace-server): default-bind to 127.0.0.1 in dev-mode fail-open	2026-05-06 22:29:24 -07:00