Scope just server bindings by execution context

Problem

All just server recipes (playground, cloud, docs) bind to 0.0.0.0 regardless of execution context, exposing development servers to the local network when running on a developer's machine. This is unnecessary for local development and has been flagged as a security policy concern during code reviews. The 0.0.0.0 binding is only needed inside cbox containers where the host needs to reach the container's server. Without context-aware binding, developers must manually override the host or accept the blanket exposure, and reviewers repeatedly flag the same issue without resolution.

Context

Possible Solutions

Plan

Implementation Progress

  • Audit justfile recipes for host-binding behavior and intended consumers.
  • Split local-default vs container-default host bindings with explicit commands.
  • Document binding policy and security tradeoffs in command help/docs.

  • Local dev recipes bind to localhost by default unless explicitly overridden.

  • cbox/container recipes still work with host-reachable bindings.
  • Review tooling no longer flags blanket 0.0.0.0 usage as unresolved policy drift.

  • Validate against cbox serve/start workflows and docs references.
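One way to implement the local-default vs container-default split as a helper a recipe body can call. This is an added example, not the project's own code. The variable names BIND_HOST (explicit override) and IN_CBOX (set to 1 inside a cbox container) are assumptions, since the issue does not say how the execution context is detected.

```shell
#!/bin/sh
# Added example: choose a dev server's bind address by execution context.
# Assumed names (not from the issue): BIND_HOST is the explicit override,
# IN_CBOX=1 marks a cbox container.

# Succeeds (returns 0) only when running inside a cbox container.
in_container() {
    if [ "${IN_CBOX:-0}" = "1" ]; then
        return 0
    fi
    return 1
}

# Prints the address to bind to.
# Precedence: explicit override > container default > loopback default.
resolve_bind_host() {
    if [ -n "${BIND_HOST:-}" ]; then
        printf '%s\n' "$BIND_HOST"
    elif in_container; then
        printf '%s\n' "0.0.0.0"
    else
        printf '%s\n' "127.0.0.1"
    fi
}

# Returns 1 and warns on stderr when a wildcard address is used outside a
# container, so LAN exposure is a visible choice rather than a silent default.
warn_if_exposed() {
    host="$1"
    case "$host" in
        0.0.0.0|::)
            if ! in_container; then
                echo "warning: $host outside a container exposes this server to the local network" >&2
                return 1
            fi
            ;;
    esac
    return 0
}

# Usage inside a recipe body:
#   host="$(resolve_bind_host)"
#   warn_if_exposed "$host" || true   # or fail the recipe instead
```

Treating the warning as a hard failure in local recipes makes an accidental 0.0.0.0 override stop the run instead of scrolling past in the output.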

Review Feedback

  • Review cleared