fix(cli): bind studio preview server to loopback by default#1210
Merged
vanceingalls merged 1 commit intoJun 5, 2026
Merged
Conversation
Collaborator
Author
Collaborator
miguel-heygen
left a comment
miguel-heygen
left a comment
There was a problem hiding this comment.
Review: #1210 — bind studio preview server to loopback by default
Correct fix. A few notes:
- was previously exported, now de-exported. If any external consumer imports it, this is a breaking change. Quick grep to confirm it's internal-only would be prudent.
- — correct precedence: explicit arg wins, then env var, then default loopback.
- Passing as an optional parameter at the end of the signature is backward-compatible. ✓
Tests
- refactor is a nice cleanup.
- helper correctly distinguishes from string/null. ✓
- Both the default-loopback and explicit-0.0.0.0 cases are covered. ✓
No blocking issues. LGTM.
Collaborator
miguel-heygen
left a comment
miguel-heygen
left a comment
There was a problem hiding this comment.
Review: #1210 — bind studio preview server to loopback by default
Correct fix. A few notes:
portUtils.ts
getProcessOnPortwas previously exported, now de-exported. If any external consumer imports it, that's a breaking change — quick grep to confirm it's internal-only is worth doing.bindHost ?? (process.env.HYPERFRAMES_PREVIEW_HOST?.trim() || "127.0.0.1")— correct precedence: explicit arg wins, then env var, then default loopback. ✓- Adding
bindHostas an optional param at the end of the signature is backward-compatible. ✓
Tests
closeAllrefactor is a nice cleanup.boundAddresshelper correctly distinguishesAddressInfofrom string/null. ✓- Both the default-loopback and explicit
0.0.0.0cases are covered. ✓
No blocking issues. LGTM.
miguel-heygen
approved these changes
Jun 5, 2026
Collaborator
miguel-heygen
left a comment
miguel-heygen
left a comment
There was a problem hiding this comment.
LGTM. Minor: confirm is internal-only since it was de-exported.
miguel-heygen
approved these changes
Jun 5, 2026
Collaborator
miguel-heygen
left a comment
miguel-heygen
left a comment
There was a problem hiding this comment.
LGTM. Minor: confirm getProcessOnPort is internal-only since it was de-exported.
The studio preview server bound the unspecified address (0.0.0.0 / ::) via a bare listen(port), exposing the unauthenticated studio API -- project file read/write/delete and render-spawn endpoints -- to anyone on the same LAN. Default the bind host to 127.0.0.1 and add an explicit "preview --host" opt-in (with a warning) for intentional LAN exposure. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
vanceingalls
force-pushed
the
06-04-fix_cli_bind_studio_preview_server_to_loopback_by_default
branch
from
488f5e3 to
74fb9d2
Compare
Collaborator
Author
|
Confirmed: |
vanceingalls
deleted the
06-04-fix_cli_bind_studio_preview_server_to_loopback_by_default
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
packages/cli) to127.0.0.1instead of0.0.0.0so it is only reachable from localhost.--hostflag for callers that genuinely need to expose the server on a wider interface (e.g. Docker, remote dev boxes).Security
F-001 HIGH — Studio preview server was binding on all interfaces, making it reachable from any network the developer's machine was on (including shared Wi-Fi, corp LAN). Because the server serves the project filesystem under no auth, any peer on the same network could read arbitrary project files. Restricting to loopback closes this exposure for the default case.
Test plan
hyperframes previewstarts — server reachable onlocalhost:<port>, not on LAN IPhyperframes preview --host 0.0.0.0still binds on all interfaces for Docker / remote-dev use cases