docs(security): Linux host-agent fallback is 127.0.0.1 post-#988

yasinBursali · claude · yasinBursali · commit ce676b99b510 · 2026-04-29T04:11:38.000+03:00
fix/security-loopback (#988) changes the Linux Docker-bridge-gateway detection fallback in bin/dream-host-agent.py from 0.0.0.0 to 127.0.0.1 (security fix: prevents LAN exposure when bridge detection fails). docs/sync-documentation-with-codebase (#973) adds the Host Agent Network Binding table whose Linux row documented pre-#988 behavior — the 0.0.0.0 fallback language is now stale. Updates the Linux row to match the actual fallback. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/dream-server/SECURITY.md b/dream-server/SECURITY.md
@@ -84,7 +84,7 @@ The host agent (`bin/dream-host-agent.py`) has its own bind address, separate fr
 | Platform | Default | Behavior |
 |----------|---------|----------|
 | macOS / Windows | `127.0.0.1` | Docker Desktop routes container traffic via loopback — loopback is sufficient |
-| Linux | auto-detected | Detects the Docker bridge gateway IP (e.g. `172.17.0.1`) so containers can reach the agent; LAN devices cannot. Falls back to `0.0.0.0` if detection fails. |
+| Linux | auto-detected | Detects the Docker bridge gateway IP (e.g. `172.17.0.1`) so containers can reach the agent; LAN devices cannot. Falls back to `127.0.0.1` if detection fails. |
 
 To override the default, set `DREAM_AGENT_BIND` in `.env`:
 
