fix(serve): bind 127.0.0.1 by default + warn on insecure public binds#234
Open
rylinjames wants to merge 1 commit into
Open
fix(serve): bind 127.0.0.1 by default + warn on insecure public binds#234rylinjames wants to merge 1 commit into
rylinjames wants to merge 1 commit into
Conversation
Audit §3.2 / Part 1 #5 (highest serve-security item). `tether serve` and `tether go` defaulted to host 0.0.0.0 with an empty api_key, so out of the box the robot's /act endpoint was drivable by anyone on the network — no auth, all interfaces. lerobot's CVE-2026-25874 (unauth RCE on its PolicyServer) makes secure-by-default serving both a real risk and a positioning advantage. BREAKING (intentional): the default host is now 127.0.0.1 (localhost only). Operators who need network exposure pass --host 0.0.0.0 explicitly. When they do so WITHOUT --api-key, a prominent security warning prints (shared _warn_insecure_bind helper, wired into both serve transports and go). Tests (tests/test_serve_bind_security.py, 5): serve+go default host is 127.0.0.1; warns on 0.0.0.0 / arbitrary public IP without a key; silent on loopback (127.0.0.1/localhost/::1) and when an api_key is set. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Audit §3.2 / Part 1 #5 — the highest serve-security item.
Problem
tether serveandtether godefaulted to host0.0.0.0with an emptyapi_key. Out of the box, the robot's/actendpoint was drivable by anyone on the network — no auth, all interfaces. (lerobot's CVE-2026-25874, an unauth RCE on its PolicyServer, makes secure-by-default robot serving both a real risk and a positioning advantage.)Change —⚠️ breaking, intentional
127.0.0.1(localhost only).--host 0.0.0.0explicitly.--api-key, a prominent security warning prints (shared_warn_insecure_bindhelper, wired into both serve transports andgo).Migration: existing setups that relied on remote access must add
--host 0.0.0.0(and ideally--api-key).Tests
tests/test_serve_bind_security.py(5): serve+go default host is127.0.0.1; warns on0.0.0.0/ arbitrary public IP without a key; silent on loopback and when an api_key is set.This is the serve-security default flip; the related auth gaps (
/guard/resetunauthenticated, ZMQ unauthenticated kill) are separate runtime changes.🤖 Generated with Claude Code