Auth changes step 2

README.md

@@ -72,3 +72,8 @@ This repo also includes a **RoleMesh Node Agent** (`rolemesh-node-agent`) that c
 - Sample config: `configs/node_agent.example.yaml`
 - Docs: `docs/NODE_AGENT.md`
 
+
+
+## Safe-by-default binding
+
+Gateway and node-agent default to binding on `127.0.0.1` to avoid accidental exposure. Bind only to private/LAN or VPN interfaces and firewall ports if you need remote access.

configs/models.example.yaml

@@ -47,3 +47,7 @@ models:
     strategy: round_robin
     defaults:
       temperature: 0.2
+
+
+security_notes:
+  - "Default binds are localhost. If exposing gateway or node agent beyond localhost, bind to a private/LAN IP and firewall it (never expose to the public Internet)."

configs/node_agent.example.yaml

@@ -1,5 +1,5 @@
 node_id: "node-1"
-listen_host: "0.0.0.0"
+listen_host: "127.0.0.1"  # Set to a LAN/private IP (or 0.0.0.0) if dispatcher is on another machine
 listen_port: 8091
 
 # Set to the dispatcher gateway URL if you want auto-registration/heartbeat.

docs/DEPLOYMENT.md

@@ -1,5 +1,35 @@
 # Deployment
 
+
+## Network binding and exposure (Step 2 hardening)
+
+**Defaults are safe-by-default:** the gateway and node-agent CLIs default to binding on `127.0.0.1` (localhost).
+This prevents accidental public exposure during development.
+
+If you need remote access:
+
+- Bind **only** to a **LAN/private** interface (e.g. `192.168.x.y`, `10.x.y.z`) and restrict ingress with a firewall/VPN.
+- Do **not** bind to `0.0.0.0` on an Internet-routable host.
+
+### Recommended firewall policy (examples)
+
+Linux (UFW), allow only a private subnet to reach the gateway (8080) and node agents (8091):
+
+```bash
+sudo ufw allow from 192.168.0.0/16 to any port 8080 proto tcp
+sudo ufw allow from 192.168.0.0/16 to any port 8091 proto tcp
+sudo ufw deny 8080/tcp
+sudo ufw deny 8091/tcp
+```
+
+If you're using Tailscale/WireGuard, prefer binding to the VPN interface address and limiting rules to that interface/subnet.
+
+### Llama.cpp servers
+
+The node agent starts persistent `llama-server` processes bound to **localhost only** (`127.0.0.1`).
+This is intentional: the llama servers should never be reachable directly from the network; only the node agent should proxy to them.
+
+
 This scaffold supports two patterns.
 
 ## Pattern A: Single host, proxy to localhost backends

docs/NODE_AGENT.md

@@ -38,3 +38,10 @@ If `dispatcher_base_url` is set in the node-agent config, the node agent will pe
 - `POST <dispatcher>/v1/nodes/heartbeat` with latest device metrics.
 
 Registration is currently manual from the node side (or can be added as a startup step).
+
+### Binding
+
+By default the node agent listens on `127.0.0.1`. If the dispatcher is on another machine, set:
+
+- `listen_host` to a LAN/private IP (preferred), or `0.0.0.0` only when combined with strict firewalling.
+- Keep llama.cpp servers local-only (this is enforced by the CUDA adapter).

src/rolemesh_gateway/cli.py

@@ -11,7 +11,7 @@ from rolemesh_gateway.main import create_app
 def main() -> None:
     p = argparse.ArgumentParser(description="RoleMesh Gateway")
     p.add_argument("--config", required=True, help="Path to gateway YAML config.")
-    p.add_argument("--host", default="0.0.0.0")
+    p.add_argument("--host", default="127.0.0.1")
     p.add_argument("--port", type=int, default=8080)
     args = p.parse_args()
 

src/rolemesh_node_agent/config.py

@@ -16,7 +16,7 @@ class ModelEntry(BaseModel):
 
 class NodeAgentConfig(BaseModel):
     node_id: str = "node-1"
-    listen_host: str = "0.0.0.0"
+    listen_host: str = "127.0.0.1"
     listen_port: int = 8091
 
     # Where GGUF models live (used for inventory endpoints; not required if models are explicit)