From d108879b48d73261bc4c5466fe6ba32bd71a21f5 Mon Sep 17 00:00:00 2001
From: Xubin Ren <xubinrencs@gmail.com>
Date: Mon, 6 Apr 2026 08:16:13 +0000
Subject: [PATCH] security: bind api port to localhost by default

Prevents accidental exposure to the public internet. Users who need
external access can change to 0.0.0.0:8900:8900 explicitly.

Made-with: Cursor
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 662d2f0d6..21beb1c6f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -36,7 +36,7 @@ services:
       ["serve", "--host", "0.0.0.0", "-w", "/home/nanobot/.nanobot/api-workspace"]
     restart: unless-stopped
     ports:
-      - 8900:8900
+      - 127.0.0.1:8900:8900
     deploy:
       resources:
         limits: