Harden Every Code app-server websocket transport

## Objective
Harden the existing Every Code app-server websocket transport before it becomes a trusted desktop or remote-control path.

## Finish Line

Every Code app-server websocket transport refuses browser-origin handshakes and cannot expose command-capable app-server access beyond loopback without an explicit authenticated transport design.

## Current Status

State: PR #228 opened with implementation.
Next action: Watch CI/review, then merge if clean.
Blocked by: None.
Waiting for: PR #228 checks/review.
Last verified: 2026-05-30.

Implementation in PR #228:
- Restricts `code app-server --listen ws://...` to loopback IP addresses.
- Rejects websocket upgrade requests carrying a browser `Origin` header with 403.
- Keeps stdio and ordinary no-Origin localhost websocket clients working.

Validation:
- `cargo test -p code-app-server --test websocket_parity websocket_` passed.
- `./build-fast.sh` passed cleanly.

## Scope
- Reject websocket upgrade requests that include browser `Origin` headers, adapting the intent of OpenAI Codex commit `a027135bc6` to Every Code's app-server transport.
- Prevent accidental raw websocket exposure on non-loopback binds unless there is an explicit authenticated transport decision.
- Keep current stdio app-server behavior unchanged.
- Audit `ExecOneOffCommand` and other command-capable app-server methods while making the transport decision.

## Acceptance Criteria
- [ ] App-server websocket handshakes with browser `Origin` headers are rejected.
- [ ] Non-loopback websocket binds are either refused or gated by a deliberately documented/authenticated path.
- [ ] Existing localhost websocket parity tests are updated or extended.
- [ ] `./build-fast.sh` passes cleanly.

## Evidence
- Current Every Code `code-rs/app-server/src/transport.rs` accepts raw websocket connections with `accept_async(stream)` and prints a warning for non-loopback binds.
- Current Every Code app-server exposes command-capable v1 requests including `ExecOneOffCommand`, so transport hardening is product hardening, not parity work.
- Related upstream commits: `a027135bc6` (`exec-server` Origin rejection), `51bfb5f3b1` (app-server websocket listener with auth guard), `1509ae6d8d` (local-only app-server gating through processors).

## Relationships
- Parent audit: #216.
- Broader remote/desktop compatibility: #217 and #37.

## Validation
- Run `./build-fast.sh` from repo root.
- Add or update app-server websocket tests so origin rejection and allowed localhost behavior are covered.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Harden Every Code app-server websocket transport #225

Objective

Finish Line

Current Status

Scope

Acceptance Criteria

Evidence

Relationships

Validation

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Harden Every Code app-server websocket transport #225

Description

Objective

Finish Line

Current Status

Scope

Acceptance Criteria

Evidence

Relationships

Validation

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions