docs(security): Linux host-agent fallback is 127.0.0.1 post-#988

[yasinBursali]

⚠️ Draft — depends on #988 AND #973 merging first

• fix(security): bind llama-server and host agent to loopback #988 (fix/security-loopback) changes the Linux Docker-bridge-gateway detection fallback in bin/dream-host-agent.py from 0.0.0.0 to 127.0.0.1.
• docs: sync documentation with codebase after 50+ merged PRs #973 (docs/sync-documentation-with-codebase) introduces the "Host Agent Network Binding" table in SECURITY.md whose Linux row documents pre-fix(security): bind llama-server and host agent to loopback #988 behavior.

Once both merge, I'll rebase and the PR diff will show exactly the 1-line change below.

What

One-cell docs edit in the "Host Agent Network Binding" table in dream-server/SECURITY.md, Linux row:

- | Linux | auto-detected | Detects the Docker bridge gateway IP (e.g. `172.17.0.1`) so containers can reach the agent; LAN devices cannot. Falls back to `0.0.0.0` if detection fails. |
+ | Linux | auto-detected | Detects the Docker bridge gateway IP (e.g. `172.17.0.1`) so containers can reach the agent; LAN devices cannot. Falls back to `127.0.0.1` if detection fails. |

Why

#973's Linux row was accurate when written but becomes stale the moment #988 merges. Actual runtime behavior per bin/dream-host-agent.py:2241: bind_addr = _detect_docker_bridge_gateway() or "127.0.0.1". Docs should match.

Testing

• Verified against fix(security): bind llama-server and host agent to loopback #988's code change in bin/dream-host-agent.py
• No other "Falls back to 0.0.0.0" phrase remains in SECURITY.md (the remaining 0.0.0.0 mentions are legitimate user-opt-in override examples)
• Pre-commit hooks clean

Platform Impact

• All three: docs read identically. Linux row describes Linux-specific behavior.

[yasinBursali]

Re-marking as draft as a mechanical merge-order safeguard.

This branch contains commits ba556a9f and a6350e45 from #973 (docs-sync). Merging this PR before #973 lands would bring #973's content in as a side-effect rather than on its own merit.

Merge order: #973 first, then this PR rebases clean and gets re-marked ready.

[Lightheartdevs]

Audit follow-up: keep draft and rebase to a docs-only delta.

#988 has now landed, so the security-doc direction is right, but this branch is currently draft/conflicting and still carries part of the old code/docs stack. Please rebase on current main and keep only the documentation changes that remain necessary after #988.

[yasinBursali]

Pushed audit follow-up — rebased onto current upstream/main.

The audit ("rebase to a docs-only delta after #988") needed clarification because of an interaction with the still-open #973: SECURITY.md on current upstream/main does not yet contain the "Host Agent Network Binding" table at all (#973 introduces it). So a "docs-only delta" rebase resolves to one of two paths:

• Path A (current): this PR introduces the corrected table directly (with 127.0.0.1 in the Linux row, the post-fix(security): bind llama-server and host agent to loopback #988 fallback). 3 commits, all yasinBursali, all docs-only after rebase. Diff: ~24 lines added to SECURITY.md.
• Path B: wait for docs: sync documentation with codebase after 50+ merged PRs #973 to merge first; rebase reduces this PR to a 1-line cell correction.

If #973 merges before this PR, the rebase will trivially collapse the first two commits (their SECURITY.md additions are already on main) and leave just the 1-line correction on the third commit (ce676b99). If this PR merges first, #973's later rebase will need a small SECURITY.md hunk reconciliation (it would otherwise re-add the table with the stale 0.0.0.0 value).

Suggested merge order to minimise rebase friction: #973 first, then #1017. I will update #973 in this same session to use 127.0.0.1 directly, so the 0.0.0.0-stale-cell mismatch never reaches main. After that, #1017 may simply be closed as redundant — happy to close it with a one-line note pointing at the #973 update if you'd prefer that path.