fix: v0.2.35 — bind to localhost by default, auto-detect Tailscale #117
Merged
Default bind address changed from 0.0.0.0 to 127.0.0.1 to prevent unintentional network exposure. When using the default localhost binding, the server automatically detects Tailscale and binds to the Tailscale IP as well, so remote access over tailnet works without configuration. Set HOSTNAME=0.0.0.0 to restore the old behavior.
gbasin added a commit that referenced this pull request Apr 1, 2026

…ssure (#117)

Three-layer fix for slow terminal painting after kill → auto-select, plus WebSocket backpressure handling for remote browsers.

**Terminal attach (31s → 100ms):**
- Use queueMicrotask for session-switch attach instead of 50ms debounce that could be cancelled by React effect re-runs, permanently losing terminal history
- Keep 50ms debounce only for reconnection/epoch-change dedup
- Add diagnostic logging: terminal_output_dropped, attach_debounce_cancelled

**Kill responsiveness:**
- flushSync in handleKillSession forces immediate DOM update so the session card disappears before React defers to WebSocket processing
- Yield after history send to flush WebSocket buffers before subsequent synchronous work can delay delivery

**WebSocket backpressure (20MB → 500KB):**
- Truncate lastUserMessage to 250 chars in agent-sessions broadcast (client already truncates to 200 for display). Drops payload from 20.9MB to ~1.3MB for 4,869 inactive sessions
- Drop live terminal-output frames when getBufferedAmount() > 512KB to prevent buffer growing to 15-20MB on slow connections
- Yield in log poller and session refresh before blocking SQLite work so pending WebSocket frames flush first
Summary
- `0.0.0.0` to `127.0.0.1` — prevents unintentional network exposure on untrusted networks (coffee shop WiFi, corporate LAN, cloud VMs)
- `/api/server-info` and startup log won't show a Tailscale URL that isn't actually reachable
- `HOSTNAME=0.0.0.0` to restore the old behavior

Breaking change
Users who relied on the previous `0.0.0.0` default for LAN access (without Tailscale) will need to explicitly set `HOSTNAME=0.0.0.0`.

Test plan
- `bun run lint && bun run typecheck` clean
- `bun run dev` binds to `127.0.0.1` + Tailscale IP, not LAN
- `192.168.x:4040` is connection refused
- `100.x.y.z:4040` works over Tailscale
- `HOSTNAME=0.0.0.0 agentboard` restores old behavior
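
The bind-address selection described in this PR, sketched as an added example (it is not agentboard's code, and the function names are hypothetical). It assumes a Tailscale address is recognised by membership in the CGNAT range 100.64.0.0/10, that an explicit `HOSTNAME` is used exactly as given, and that `interfaces` has the shape of Node's `os.networkInterfaces()`.

```javascript
// Added example, not agentboard's source. Function names are hypothetical.
// Assumption: a Tailscale IPv4 address is recognised by the CGNAT range
// 100.64.0.0/10 that Tailscale assigns tailnet addresses from.
const DEFAULT_HOST = "127.0.0.1";

function ipv4ToInt(addr) {
  const parts = String(addr).split(".");
  if (parts.length !== 4) return null;
  if (parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

function isTailscaleIPv4(addr) {
  const n = ipv4ToInt(addr);
  // /10 prefix: compare only the top 10 bits with 100.64.0.0.
  return n !== null && n >>> 22 === ipv4ToInt("100.64.0.0") >>> 22;
}

// `interfaces` has the shape returned by Node's os.networkInterfaces().
function resolveBindAddresses(env, interfaces) {
  const host = env.HOSTNAME || DEFAULT_HOST;
  // An explicit non-default host (e.g. 0.0.0.0) is used as given.
  if (host !== DEFAULT_HOST) return [host];
  const binds = [DEFAULT_HOST];
  for (const addrs of Object.values(interfaces)) {
    for (const a of addrs || []) {
      const isV4 = a.family === "IPv4" || a.family === 4;
      // LAN addresses such as 192.168.x.x never qualify, so they stay unbound.
      if (isV4 && !a.internal && isTailscaleIPv4(a.address) && !binds.includes(a.address)) {
        binds.push(a.address);
      }
    }
  }
  return binds;
}

// Constructed sample input: loopback, a LAN address, and a tailnet address.
const SAMPLE_INTERFACES = {
  lo: [{ address: "127.0.0.1", family: "IPv4", internal: true }],
  en0: [{ address: "192.168.1.20", family: "IPv4", internal: false }],
  tailscale0: [{ address: "100.101.102.103", family: "IPv4", internal: false }],
};

console.log(resolveBindAddresses({}, SAMPLE_INTERFACES));
console.log(resolveBindAddresses({ HOSTNAME: "0.0.0.0" }, SAMPLE_INTERFACES));
```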