Bind Workshop control plane to loopback #24

Closed
haasonsaas wants to merge 1 commit into raindrop-ai:main from haasonsaas:codex/loopback-only-control-plane

@haasonsaas
Contributor

Summary

Workshop presents itself as a localhost-only daemon, but the backend listener was created with server.listen(port), which can bind on all interfaces. The existing protection then relied on Host / Origin headers for non-ingest routes, so a non-browser LAN client could connect to the machine IP while sending Host: localhost:<port>. Ingest routes skipped that guard entirely.

This is higher impact than the earlier WebSocket origin issue because the exposed surface includes the HTTP control plane: agent chat endpoints, workspace selection, trace deletion/import/replay, status, and the local ingestion APIs. On the Codex/Claude paths, successful control-plane access can drive local agent sessions in the configured workspace.

Fix

  • Add a shared local-access helper for loopback binding and loopback peer checks.
  • Bind the Workshop daemon and dev:examples daemon to 127.0.0.1.
  • Reject non-loopback HTTP peers before CORS/ingest handling, so ingest routes no longer bypass the local-only boundary.
  • Reject non-loopback WebSocket upgrade peers as defense in depth if another caller ever binds broadly.
  • Make the port-free probe match the new loopback listener behavior.
  • Add focused tests for loopback address recognition and daemon bind host.

Validation

  • bun test tests/server-security.test.ts
  • bun test tests/
  • bun x tsc --noEmit
  • bun run build
  • bun run lint (passes with 3 existing React hook warnings in app UI files)

Related

Separate from #23, which covers same-machine browser cross-origin access to /ws. This PR closes LAN exposure by enforcing loopback at the socket/listener boundary.
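
The boundary described in the summary above, as an added example (not Workshop's code and not part of the PR): a listener pinned to loopback plus a peer-address check that runs before any header-based guard. All function names, the port 5899 and the sample addresses are assumptions constructed for illustration.

```typescript
// Added example; all names here are hypothetical, not Workshop's helpers.
const LOOPBACK_HOST = "127.0.0.1";

// Options for Node's server.listen(): an explicit host keeps the listener
// off LAN interfaces, unlike server.listen(port).
function listenOptions(port: number): { port: number; host: string } {
  return { port, host: LOOPBACK_HOST };
}

// True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x.x.x).
// Anything it cannot parse is treated as remote (fail closed).
function isLoopbackAddress(address: string | undefined): boolean {
  if (!address) return false;
  let addr = address.toLowerCase();
  if (addr === "::1") return true;
  if (addr.startsWith("::ffff:")) addr = addr.slice(7);
  const parts = addr.split(".");
  if (parts.length !== 4) return false;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  if (octets.some((o) => Number.isNaN(o) || o > 255)) return false;
  return octets[0] === 127;
}

// Header-only guard of the kind the summary describes: the client writes
// this value, so it says nothing about where the connection came from.
function hostHeaderLooksLocal(host: string | undefined): boolean {
  if (!host) return false;
  const name = host.replace(/:\d+$/, "").toLowerCase();
  return name === "localhost" || name === "127.0.0.1" || name === "[::1]";
}

// Peer check first, for every route (ingest included); header check second.
function decide(peer: string | undefined, host: string | undefined): string {
  if (!isLoopbackAddress(peer)) return "reject: non-loopback peer";
  if (!hostHeaderLooksLocal(host)) return "reject: unexpected Host";
  return "allow";
}

// Constructed samples: [socket.remoteAddress, Host header]; port is made up.
const samples: Array<[string, string]> = [
  ["127.0.0.1", "localhost:5899"],
  ["::ffff:127.0.0.1", "127.0.0.1:5899"],
  ["192.168.1.50", "localhost:5899"], // LAN peer claiming to be localhost
];
const decisions: string[] = samples.map(([peer, host]) => decide(peer, host));
```

The third sample passes the header-only guard and is stopped only by the peer-address check, which is why the check belongs at the socket boundary.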

@rsd-raindrop
Contributor

This was fixed in latest release. Thank you for the contribution and great find!
