Severity: medium | Category: infra | Phase: P1.20
Problem
Frontend next start -H 0.0.0.0 and backend default host=0.0.0.0 with plaintext http:///ws:// URLs; remote-setup.sh installs no nginx/TLS/reverse proxy. On the shared VPS, JWT bearer tokens and API keys travel in cleartext on all interfaces.
Evidence
ecosystem.staging.config.js:34, codeframe/ui/server.py:783, .env.staging.example:23
Acceptance criteria
- A TLS-terminating reverse proxy (nginx/caddy) fronts the services; app processes bind
127.0.0.1.
- Provisioning sets up the proxy; documented origins are
https:///wss://.
Dependencies
None
Filed from the SaaS launch-readiness audit. Atomic: one developer, one session. Work order: strictly P0.1 → P3.12 (no forward dependencies).
Severity: medium | Category: infra | Phase: P1.20
Problem
Frontend
next start -H 0.0.0.0and backend defaulthost=0.0.0.0with plaintexthttp:///ws://URLs;remote-setup.shinstalls no nginx/TLS/reverse proxy. On the shared VPS, JWT bearer tokens and API keys travel in cleartext on all interfaces.Evidence
ecosystem.staging.config.js:34,codeframe/ui/server.py:783,.env.staging.example:23Acceptance criteria
127.0.0.1.https:///wss://.Dependencies
None
Filed from the SaaS launch-readiness audit. Atomic: one developer, one session. Work order: strictly P0.1 → P3.12 (no forward dependencies).