feat: surface security audit + docs

Peter Steinberger
2026-01-26 19:58:54 +00:00
parent f5c90f0e5c
commit 97248a2885
6 changed files with 56 additions and 4 deletions

@@ -19,6 +19,10 @@ Key references:
Authentication is enforced at the WebSocket handshake via `connect.params.auth`
(token or password). See `gateway.auth` in [Gateway configuration](/gateway/configuration).
Security note: the Control UI is an **admin surface** (chat, config, exec approvals).
Do not expose it publicly. The UI stores the token in `localStorage` after first load.
Prefer localhost, Tailscale Serve, or an SSH tunnel.
## Fast path (recommended)
- After onboarding, the CLI now auto-opens the dashboard with your token and prints the same tokenized link.
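
Review bot: The added security note (the lines starting "Security note:") says the token is kept in `localStorage` but does not cover the tokenized link that the "Fast path" bullet right below says the CLI prints and auto-opens. That link carries the same credential, so the note should say to treat it like the token itself and not paste it into chats, tickets or screenshots. It would also help to state why the `localStorage` detail matters: any script running on the Control UI origin can read the token, which is the reason to keep the UI on localhost, Tailscale Serve or an SSH tunnel.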