From 938d67ba296f2953bc06a9066ac52d033f716f7e Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 23:14:28 -0700 Subject: [PATCH] fix: chrome-cdp localhost-only binding Restrict Chrome CDP to localhost by adding --remote-debugging-address=127.0.0.1 and --remote-allow-origins to prevent network-accessible debugging sessions. Clears 1 Socket anomaly (Chrome CDP session exposure). Co-Authored-By: Claude Opus 4.6 (1M context) --- bin/chrome-cdp | 2 ++ test/audit-compliance.test.ts | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/bin/chrome-cdp b/bin/chrome-cdp index 9c1ad717..35f34a40 100755 --- a/bin/chrome-cdp +++ b/bin/chrome-cdp @@ -50,6 +50,8 @@ fi echo "Launching Chrome with CDP on port $PORT..." "$CHROME" \ --remote-debugging-port="$PORT" \ + --remote-debugging-address=127.0.0.1 \ + --remote-allow-origins="http://127.0.0.1:$PORT" \ --user-data-dir="$CDP_DATA_DIR" \ --restore-last-session & disown diff --git a/test/audit-compliance.test.ts b/test/audit-compliance.test.ts index f8f7e46f..e08fe31a 100644 --- a/test/audit-compliance.test.ts +++ b/test/audit-compliance.test.ts @@ -76,6 +76,13 @@ describe('Audit compliance', () => { expect(review).toContain('Data NOT sent'); }); + // Round 2 Fix 4: Chrome CDP binds to localhost only + test('chrome-cdp binds to localhost only', () => { + const cdp = readFileSync(join(ROOT, 'bin/chrome-cdp'), 'utf-8'); + expect(cdp).toContain('--remote-debugging-address=127.0.0.1'); + expect(cdp).toContain('--remote-allow-origins='); + }); + // Fix 2+6: All generated SKILL.md files with telemetry are conditional test('all generated SKILL.md files with telemetry calls use conditional pattern', () => { const skills = getAllSkillMds();