From 25d2958fe44ec151a7ade9c5b32939a62e0ce0f4 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason.woltje@uscllc.com>
Date: Fri, 6 Feb 2026 13:42:51 -0600
Subject: [PATCH] fix(SEC-ORCH-20): Bind orchestrator to 127.0.0.1 by default

Change default bind address from 0.0.0.0 to 127.0.0.1 to prevent
the orchestrator API from being exposed on all network interfaces.
The bind address is now configurable via HOST or BIND_ADDRESS env
vars for Docker/production deployments that need 0.0.0.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../src/config/orchestrator.config.spec.ts    | 38 +++++++++++++++++++
 .../src/config/orchestrator.config.ts         |  1 +
 apps/orchestrator/src/main.ts                 |  5 ++-
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/apps/orchestrator/src/config/orchestrator.config.spec.ts b/apps/orchestrator/src/config/orchestrator.config.spec.ts
index c3f2263..fa2bfd2 100644
--- a/apps/orchestrator/src/config/orchestrator.config.spec.ts
+++ b/apps/orchestrator/src/config/orchestrator.config.spec.ts
@@ -54,6 +54,44 @@ describe("orchestratorConfig", () => {
     });
   });
 
+  describe("host binding", () => {
+    it("should default to 127.0.0.1 when no env vars are set", () => {
+      delete process.env.HOST;
+      delete process.env.BIND_ADDRESS;
+
+      const config = orchestratorConfig();
+
+      expect(config.host).toBe("127.0.0.1");
+    });
+
+    it("should use HOST env var when set", () => {
+      process.env.HOST = "0.0.0.0";
+      delete process.env.BIND_ADDRESS;
+
+      const config = orchestratorConfig();
+
+      expect(config.host).toBe("0.0.0.0");
+    });
+
+    it("should use BIND_ADDRESS env var when HOST is not set", () => {
+      delete process.env.HOST;
+      process.env.BIND_ADDRESS = "192.168.1.100";
+
+      const config = orchestratorConfig();
+
+      expect(config.host).toBe("192.168.1.100");
+    });
+
+    it("should prefer HOST over BIND_ADDRESS when both are set", () => {
+      process.env.HOST = "0.0.0.0";
+      process.env.BIND_ADDRESS = "192.168.1.100";
+
+      const config = orchestratorConfig();
+
+      expect(config.host).toBe("0.0.0.0");
+    });
+  });
+
   describe("other config values", () => {
     it("should use default port when ORCHESTRATOR_PORT is not set", () => {
       delete process.env.ORCHESTRATOR_PORT;
diff --git a/apps/orchestrator/src/config/orchestrator.config.ts b/apps/orchestrator/src/config/orchestrator.config.ts
index ead5fa2..8533a38 100644
--- a/apps/orchestrator/src/config/orchestrator.config.ts
+++ b/apps/orchestrator/src/config/orchestrator.config.ts
@@ -1,6 +1,7 @@
 import { registerAs } from "@nestjs/config";
 
 export const orchestratorConfig = registerAs("orchestrator", () => ({
+  host: process.env.HOST ?? process.env.BIND_ADDRESS ?? "127.0.0.1",
   port: parseInt(process.env.ORCHESTRATOR_PORT ?? "3001", 10),
   valkey: {
     host: process.env.VALKEY_HOST ?? "localhost",
diff --git a/apps/orchestrator/src/main.ts b/apps/orchestrator/src/main.ts
index 12a497f..146f973 100644
--- a/apps/orchestrator/src/main.ts
+++ b/apps/orchestrator/src/main.ts
@@ -10,10 +10,11 @@ async function bootstrap() {
   });
 
   const port = process.env.ORCHESTRATOR_PORT ?? 3001;
+  const host = process.env.HOST ?? process.env.BIND_ADDRESS ?? "127.0.0.1";
 
-  await app.listen(Number(port), "0.0.0.0");
+  await app.listen(Number(port), host);
 
-  logger.log(`🚀 Orchestrator running on http://0.0.0.0:${String(port)}`);
+  logger.log(`🚀 Orchestrator running on http://${host}:${String(port)}`);
 }
 
 void bootstrap();