
[Bug]: Web server binds to 0.0.0.0 exposing read/write PTY sessions to network #19

@ja-mf

Description

The embedded HTTP/WebSocket server in src/web/server/server.ts calls Bun.serve() without specifying a hostname, defaulting to 0.0.0.0.

This exposes the API on all network interfaces, allowing remote code execution after nothing more than nmap discovery; an attacker who can reach the host can:

  • List and read PTY session output (GET /api/sessions, GET /api/sessions/:id/buffer/*)
  • Send arbitrary input to running PTY sessions (POST /api/sessions/:id/input)
  • Kill sessions (DELETE /api/sessions/:id)
  • Spawn new processes via the API (POST /api/sessions)

Fix: bind to 127.0.0.1 by default with configurable hostname support. I can suggest a PR if needed, but this is a critical security issue that should be addressed ASAP.
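The following is an added example that is not part of the issue or of the project's own code. It shows the vulnerable call shape described above (Bun.serve() with no hostname) next to a hardened variant that always supplies a hostname, defaults to loopback, and refuses a non-loopback address unless the operator explicitly opts in. The environment variable names PTY_WEB_HOST, PTY_WEB_PORT and PTY_WEB_ALLOW_REMOTE and the default port 3000 are assumptions; the IPv6 check is deliberately simplified (anything IPv6-shaped other than ::1 is treated as exposed, which fails closed).

```typescript
// Added example, not the project's code. Environment variable names and the
// default port are hypothetical; the Bun global exists only under the Bun runtime.
declare const Bun: any;

export const DEFAULT_BIND_HOST = "127.0.0.1";
export const DEFAULT_PORT = 3000; // assumed; the issue does not state the real port

export interface BindConfig {
  hostname: string;
  port: number;
  exposed: boolean; // true when the address is reachable from other hosts
}

// Strict dotted-quad IPv4 literal.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// Loose IPv6 shape; anything matching this other than "::1" counts as exposed.
const IPV6 = /^[0-9a-fA-F:]+$/;

export function isLoopback(host: string): boolean {
  if (host === "localhost") return true;
  if (IPV4.test(host)) return host.startsWith("127.");
  if (host.includes(":")) return host === "::1";
  return false;
}

// Resolve the bind address from the environment, defaulting to loopback and
// refusing to listen on a network-reachable address without an explicit opt-in.
export function resolveBindConfig(env: Record<string, string | undefined>): BindConfig {
  const raw = (env.PTY_WEB_HOST ?? "").trim();
  const hostname = raw === "" ? DEFAULT_BIND_HOST : raw;
  const validHost =
    hostname === "localhost" ||
    IPV4.test(hostname) ||
    (hostname.includes(":") && IPV6.test(hostname));
  if (!validHost) {
    throw new Error(`PTY_WEB_HOST must be "localhost" or an IP literal, got ${JSON.stringify(hostname)}`);
  }

  const port = env.PTY_WEB_PORT === undefined ? DEFAULT_PORT : Number(env.PTY_WEB_PORT);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`PTY_WEB_PORT must be an integer in 1..65535, got ${JSON.stringify(env.PTY_WEB_PORT)}`);
  }

  const exposed = !isLoopback(hostname);
  if (exposed && env.PTY_WEB_ALLOW_REMOTE !== "1") {
    throw new Error(
      `Refusing to bind ${hostname}:${port}: it is reachable from the network. ` +
        `Set PTY_WEB_ALLOW_REMOTE=1 only with authentication and TLS in front of the API.`,
    );
  }
  return { hostname, port, exposed };
}

// Vulnerable shape from the issue: no hostname, so Bun listens on 0.0.0.0.
export function serveUnsafe(handler: (req: any) => any) {
  return Bun.serve({ port: DEFAULT_PORT, fetch: handler });
}

// Hardened shape: hostname always supplied, loopback unless the operator opted in.
export function serveSafe(env: Record<string, string | undefined>, handler: (req: any) => any) {
  const cfg = resolveBindConfig(env);
  return Bun.serve({ hostname: cfg.hostname, port: cfg.port, fetch: handler });
}
```

Binding to loopback removes the LAN exposure the issue describes, but it does not make the API safe for other users of the same machine or for a browser running on it, which can still reach http://127.0.0.1 from a hostile web page. An API that can spawn processes and inject PTY input still needs an authentication token and an Origin check on the WebSocket upgrade even when it only listens locally.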

Metadata

Assignees: No one assigned

Labels: bug (Something isn't working)

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests