fix(security): default standalone servers to loopback bind

[davidrudduck]

Summary

• Default standalone HTTP servers (canvas-host, webhook listener) to bind on 127.0.0.1 instead of 0.0.0.0.
• Prevents unintended network exposure when running on machines with public interfaces.
• Users who need external access can still override via configuration.

Supersedes #12370 (accidentally closed during fork maintenance).

Test plan

• Verify canvas host binds to localhost by default
• Verify telegram webhook listener binds to localhost by default
• Verify explicit bind address config still works when overridden

Greptile Overview

Greptile Summary

This PR hardens the default networking posture of the standalone HTTP servers by changing the default bind address from 0.0.0.0 to 127.0.0.1 in:

• src/canvas-host/server.ts (canvas host)
• src/telegram/webhook.ts (Telegram webhook listener)

The change reduces accidental exposure on machines with public interfaces while still allowing explicit overrides via config (listenHost / host).

One functional issue remains in the Telegram webhook server: when port: 0 is used (ephemeral port), the code constructs the webhook publicUrl using the requested port before the server is actually listening, resulting in http://…:0/... being registered with Telegram.

Confidence Score: 3/5

• This PR is not safe to merge until the Telegram webhook URL/port handling is fixed for ephemeral ports.
• Binding to loopback by default is a straightforward security hardening, but startTelegramWebhook currently registers a webhook URL using port prior to listen(). With port: 0, this deterministically produces an invalid :0 webhook URL and will break webhook delivery in any environment using an ephemeral port (including the existing unit test setup).
• src/telegram/webhook.ts

Context used:

• Context from dashboard - CLAUDE.md (source)
• Context from dashboard - AGENTS.md (source)

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Port 0 breaks webhook URL

startTelegramWebhook uses const port = opts.port ?? 8787; and then builds publicUrl from that port before calling server.listen(port, host, ...). When callers pass port: 0 (tests do this, and other callers may for ephemeral ports), the server binds to a random port but publicUrl becomes http://127.0.0.1:0/..., so bot.api.setWebhook(publicUrl, ...) registers an unusable URL. Compute the URL after listen() using server.address().port (or require a non-zero port when publicUrl isn’t explicitly provided).

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/telegram/webhook.ts
Line: 33:37

Comment:
**Port 0 breaks webhook URL**

`startTelegramWebhook` uses `const port = opts.port ?? 8787;` and then builds `publicUrl` from that `port` before calling `server.listen(port, host, ...)`. When callers pass `port: 0` (tests do this, and other callers may for ephemeral ports), the server binds to a random port but `publicUrl` becomes `http://127.0.0.1:0/...`, so `bot.api.setWebhook(publicUrl, ...)` registers an unusable URL. Compute the URL after `listen()` using `server.address().port` (or require a non-zero port when `publicUrl` isn’t explicitly provided).


How can I resolve this? If you propose a fix, please make it concise.

[davidrudduck]

This is a pre-existing issue in the telegram webhook setup, not introduced by our change. Our PR only changes the default bind host from 0.0.0.0 to 127.0.0.1 — the port resolution logic is unchanged.