
bug(extensions): BIND_ADDRESS sweep missed anythingllm + localai ports #480

@yasinBursali

Severity: Low
Category: Security / Port binding
Platform: All
Confidence: Confirmed (discovered by PR 2D Critique Guardian)

Description

The recent BIND_ADDRESS sweep across community extensions (PR Light-Heart-Labs#1027) appears to
have missed two files. Both still use a bare 127.0.0.1: prefix for their host
port binding, breaking the BIND_ADDRESS=0.0.0.0 LAN opt-in pattern
established for the rest of the stack.

Affected file(s)

  • resources/dev/extensions-library/services/anythingllm/compose.yaml:29 — bare 127.0.0.1:
  • resources/dev/extensions-library/services/localai/compose.yaml:10 — bare 127.0.0.1:

Expected

ports:
  - "${BIND_ADDRESS:-127.0.0.1}:<host>:<container>"

Reproduction

Install either extension, set BIND_ADDRESS=0.0.0.0 in .env, dream restart
— the service is still bound to loopback only.

Impact

Operators who opt in to LAN exposure lose anythingllm and localai access from
other devices.

Suggested approach

Apply the same sweep that Light-Heart-Labs#1027 used to these two files. Verify no other file
was missed by grep -rE "^\s*-\s+\"127\.0\.0\.1:" resources/dev/extensions-library/.

Labels

bug, security, bind-address, community-extensions, sweep-miss
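The grep suggested above only matches double-quoted short-syntax entries. The following check is an added example, not code from the project or the issue author: it also flags single-quoted and unquoted entries and the long-syntax `host_ip:` key, and it generalizes from 127.0.0.1 to any literal IPv4 host address. The function names and the sample compose text are constructed for illustration.

```python
import re
from pathlib import Path

# Short syntax: - "127.0.0.1:8080:80", with double, single or no quotes.
SHORT = re.compile(r"""^\s*-\s+["']?(\d{1,3}(?:\.\d{1,3}){3}):""")
# Long syntax: host_ip: 127.0.0.1 inside a ports mapping.
LONG = re.compile(r"""^\s*(?:-\s+)?host_ip:\s*["']?(\d{1,3}(?:\.\d{1,3}){3})\b""")


def find_hardcoded_binds(text):
    """Return (line_number, host_ip) for each literal host address in a port binding."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out lines
        match = SHORT.match(line) or LONG.match(line)
        if match:
            findings.append((number, match.group(1)))
    return findings


def scan_tree(root):
    """Scan every compose.yaml / compose.yml under root; return {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("compose.y*ml")):
        hits = find_hardcoded_binds(path.read_text(encoding="utf-8"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample, not taken from the repository.
SAMPLE = '''\
services:
  web:
    ports:
      - "${BIND_ADDRESS:-127.0.0.1}:3001:3001"
      - "127.0.0.1:8080:8080"
      - '127.0.0.1:8081:8081'
      - 127.0.0.1:8082:8082
      # - "127.0.0.1:9999:9999"
      - target: 80
        published: 8083
        host_ip: 127.0.0.1
'''

if __name__ == "__main__":
    for number, host_ip in find_hardcoded_binds(SAMPLE):
        print(f"line {number}: literal host address {host_ip}")
```

In CI, a non-empty result from `scan_tree("resources/dev/extensions-library")` can fail the build so a later sweep miss is caught before merge.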
