
convey: localhost-only bind by default + opt-in network access

Flip fresh installs to bind localhost-only unless convey.allow_network_access is explicitly enabled, and default localhost requests to trusted unless configured otherwise. Seed the new convey defaults in journal config and write them during init finalization so new installs and fixture journals agree.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

+29 -6
+1 -1
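--- a/convey/auth.py
+++ b/convey/auth.py
@@ -68,7 +68,7 @@
     if not _is_setup_complete():
         return False
     config = get_config()
-    if not config.get("convey", {}).get("trust_localhost", False):
+    if not config.get("convey", {}).get("trust_localhost", True):
         return False
     remote_addr = request.remote_addr
     is_localhost = remote_addr in ("127.0.0.1", "::1", "localhost")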
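Review bot: The new fallback in `config.get("convey", {}).get("trust_localhost", True)` makes the password bypass fail open when the key is absent, so a journal whose config lacks `trust_localhost` starts trusting loopback requests after upgrade without the owner choosing that. The same fallback changes at new line 130 of convey/root.py. Since this commit also seeds `"trust_localhost": true` in think/journal_default.json and init finalization writes it, the in-code fallback could stay closed, `if not config.get("convey", {}).get("trust_localhost", False):`, so that only an explicit config value enables the bypass; whether get_config() merges those defaults is not visible here. The loopback test on `request.remote_addr` is also true for every request forwarded by a reverse proxy on the same host, and this hunk ends before any proxy-header check can be seen; the function continues outside the hunk.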
+17 -3
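--- a/convey/cli.py
+++ b/convey/cli.py
@@ -30,10 +30,23 @@
     return ""
 
 
+def _resolve_bind_host() -> str:
+    """Return the configured bind host for Convey."""
+    from think.utils import get_config
+
+    try:
+        allow_network_access = (
+            get_config().get("convey", {}).get("allow_network_access", False)
+        )
+    except Exception:
+        allow_network_access = False
+    return "0.0.0.0" if allow_network_access else "127.0.0.1"
+
+
 def run_service(
     app: Flask,
     *,
-    host: str = "0.0.0.0",
+    host: str = "127.0.0.1",
     port: int,
     debug: bool = False,
     start_watcher: bool = True,
@@ -97,6 +110,7 @@
 
     # Write port to health directory for discovery by other tools
     write_service_port("convey", args.port)
-    logger.info(f"Convey starting on port {args.port}")
+    bind_host = _resolve_bind_host()
+    logger.info("Convey starting on %s:%s", bind_host, args.port)
 
-    run_service(app, host="0.0.0.0", port=args.port, debug=args.debug)
+    run_service(app, host=bind_host, port=args.port, debug=args.debug)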
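Review bot: `_resolve_bind_host()` decides the listen address by truthiness, so any non-empty value in a hand-edited journal.json, including the string `"false"`, exposes the service on all interfaces. Requiring the JSON boolean closes that gap: `return "0.0.0.0" if allow_network_access is True else "127.0.0.1"`. The `except Exception:` branch fails closed, which is the right direction, but it does so silently, so an operator who enabled network access and has an unreadable config gets a loopback-only service with no explanation. A line such as `logger.warning("convey config unreadable; binding to 127.0.0.1", exc_info=True)` in that branch would make the fallback visible.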
+5 -1
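--- a/convey/root.py
+++ b/convey/root.py
@@ -127,7 +127,7 @@
     # Opt-in localhost bypass (requires completed setup + trust_localhost flag)
     if setup_complete:
         config = get_config()
-        if config.get("convey", {}).get("trust_localhost", False):
+        if config.get("convey", {}).get("trust_localhost", True):
             remote_addr = request.remote_addr
             is_localhost = remote_addr in ("127.0.0.1", "::1", "localhost")
             proxy_headers = (
@@ -169,11 +169,14 @@
     if _is_setup_complete():
         return redirect(url_for("root.index"))
 
+    from convey.copy import INIT_PASSWORD_HINT
+
     config_path = str(Path(get_journal()) / "config" / "journal.json")
     repo_path = str(Path(__file__).resolve().parent.parent)
     return render_template(
         "init.html",
         config_path=config_path,
+        init_password_hint=INIT_PASSWORD_HINT,
         repo_path=repo_path,
     )
 
@@ -234,6 +237,7 @@
     config = get_config()
     config.setdefault("convey", {}).update(
         {
+            "allow_network_access": False,
             "password_hash": hashed,
             "trust_localhost": True,
         }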
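Review bot: The context comment at new line 127 still reads `# Opt-in localhost bypass (requires completed setup + trust_localhost flag)`, but with the fallback on line 130 now `True` the bypass is on unless the flag is set to false. A reader auditing the auth path would take the comment at face value, so it should change with the code, for example `# Localhost bypass, enabled unless convey.trust_localhost is false (requires completed setup)`. The enclosing function starts and ends outside the hunk, so the proxy-header handling that follows `proxy_headers = (` is not visible here.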
+1 -1
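--- a/convey/templates/init.html
+++ b/convey/templates/init.html
@@ -111,7 +111,7 @@
 
     <section class="init-section" id="section-password">
         <h3>1. set a password</h3>
-        <p class="section-hint">protects your solstone web interface. minimum 8 characters. you can reset it anytime by using a terminal and running the command: <code>sol password set</code>.</p>
+        <p class="section-hint">{{ init_password_hint | safe }}</p>
         <p class="trust-note">this hash is stored in your journal and never transmitted</p>
         <div class="field-group">
             <label for="password">password</label>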
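Review bot: `{{ init_password_hint | safe }}` switches off Jinja autoescaping for a value that now comes from Python (`convey.copy.INIT_PASSWORD_HINT`, whose definition is not part of this diff), so the template alone no longer shows that the markup is static. This is harmless while the constant is a literal, but any later interpolation into that string would reach the page unescaped. Marking it at the definition keeps the decision next to the text: define the constant as a `markupsafe.Markup(...)` literal and render it here as `{{ init_password_hint }}`.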
+1
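--- a/tests/fixtures/journal/config/journal.json
+++ b/tests/fixtures/journal/config/journal.json
@@ -14,6 +14,7 @@
     "timezone": "America/Denver"
   },
   "convey": {
+    "allow_network_access": false,
     "password_hash": "scrypt:32768:8:1$ceTJLGRcxYTqVQ4n$74a88b364046ab7ca627df875f27b1fb50994d4311ff8c86393bd7d32eaac303c81f165e79a99164931457846b4e702ac6cb38b877871cb4fadf1f70937bbfba",
     "secret": "test-fixture-secret-do-not-use-in-production",
     "trust_localhost": true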
+4
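--- a/think/journal_default.json
+++ b/think/journal_default.json
@@ -44,6 +44,10 @@
     "bundle_id": null,
     "environment": "development"
   },
+  "convey": {
+    "allow_network_access": false,
+    "trust_localhost": true
+  },
   "pairing": {
     "host_url": null,
     "token_ttl_seconds": 600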