fix(#1514): Bind WebSocket gateway to localhost by default

SECURITY: server.py was binding to 0.0.0.0:8765, making the
WebSocket gateway accessible from any network interface without
authentication.

Changes:
  - HOST defaults to 127.0.0.1 (localhost only)
  - Configurable via NEXUS_WS_HOST env var
  - PORT configurable via NEXUS_WS_PORT env var
  - Warning logged when binding to 0.0.0.0

For network access: NEXUS_WS_HOST=0.0.0.0 python3 server.py

Fixes #1514

docs/timmy-home-backlog-triage-2026-04-15.md

@@ -1,140 +0,0 @@
-# timmy-home Backlog Triage Report
-
-**Generated:** 2026-04-15
-**Issue:** the-nexus #1459
-**Source:** Timmy_Foundation/timmy-home
-
----
-
-## Summary
-
-| Metric | Count |
-|--------|-------|
-| Total open items | 231 |
-| Open issues | 228 |
-| Open PRs | 3 |
-| Issues older than 30 days | 0 |
-
-The backlog has grown from 220 (per #1127 triage) to 228. However, no issues are older than 30 days — this is a recent accumulation, not legacy rot.
-
----
-
-## Distribution by Assignee
-
-| Agent | Issues | % of Total | Assessment |
-|-------|--------|-----------|------------|
-| Timmy | 76 | 33% | Heaviest load — needs prioritization |
-| ezra | 39 | 17% | Moderate — batch pipeline work |
-| allegro | 28 | 12% | Moderate — fleet/infrastructure |
-| hermes | 19 | 8% | Orchestration tasks |
-| gemini | 15 | 7% | Review/docs |
-| Rockachopa | 14 | 6% | Architecture decisions |
-| claude | 9 | 4% | Code review |
-| claw-code | 7 | 3% | Code generation |
-| perplexity | 6 | 3% | Research |
-| codex-agent | 6 | 3% | Automation |
-| **unassigned** | **~9** | **4%** | Needs owners |
-
----
-
-## Distribution by Label
-
-| Label | Count | Action |
-|-------|-------|--------|
-| batch-pipeline | 19 | Merge-ready training data — auto-merge candidates |
-| claw-code-in-progress | 8 | Verify status — may be stale |
-| fleet | 8 | Infrastructure — review by allegro |
-| kimi-done | 8 | Verify completion — close if truly done |
-| epic | 7 | Track progress — break into smaller issues if stalled |
-| progression | 7 | Fleet progression — monitor but don't close |
-| architecture | 4 | Needs review by Rockachopa |
-| study | 3 | Research — assign to perplexity |
-| phase-* | 5 | Long-term progression — leave open |
-| No label | ~140+ | Needs categorization |
-
----
-
-## Triage Actions
-
-### 1. Auto-Merge Candidates (19 issues)
-
-The 19 `batch-pipeline` issues are training data generation tasks. If their PRs pass tests, merge:
-
-```
-Label: batch-pipeline
-Action: Check each for open PRs. Merge if green.
-Risk: Low — data-only changes
-```
-
-### 2. Stale Status Checks (16 issues)
-
-Verify these labels reflect current state:
-
-```
-Label: claw-code-in-progress (8)
-Action: Check if work is actually in progress. Close stale ones.
-
-Label: kimi-done (8)
-Action: Verify completion. Close if truly done or re-assign if not.
-```
-
-### 3. Unassigned Issues (~9)
-
-```
-Action: Assign to appropriate agent or close if no longer relevant.
-Priority: High — unassigned issues accumulate fastest.
-```
-
-### 4. Epic Tracking (7 issues)
-
-```
-Label: epic
-Action: Review progress. Break stalled epics into smaller actionable items.
-```
-
-### 5. No-Label Issues (~140+)
-
-```
-Action: Apply labels for categorization.
-Priority: Medium — improves searchability and routing.
-```
-
----
-
-## Recommendations
-
-### Immediate (this week)
-
-1. **Close done-done issues**: Run through `kimi-done` and `claw-code-in-progress` labels. Close anything completed.
-2. **Assign unassigned**: Route ~9 unassigned issues to agents.
-3. **Auto-merge training data**: The 19 `batch-pipeline` PRs are low-risk merges.
-
-### Short-term (this month)
-
-4. **Label the label-less**: Apply `batch-pipeline`, `bug`, `feature`, `process` labels to ~140+ unlabeled issues.
-5. **Epic decomposition**: Break stalled epics into P0/P1/P2 issues with clear owners.
-6. **Stale PR cleanup**: The 3 open PRs should be reviewed or closed.
-
-### Long-term
-
-7. **Backlog cap**: Set a soft cap (e.g., 150 open issues). When exceeded, mandatory triage before new issues.
-8. **Triage cadence**: Weekly automated triage via cron job.
-9. **Agent load balancing**: Timmy has 76 issues (33% of total). Redistribute.
-
----
-
-## Health Assessment
-
-| Factor | Score | Notes |
-|--------|-------|-------|
-| Freshness | Good | No issues older than 30 days |
-| Labeling | Poor | ~60% of issues have no labels |
-| Assignment | Fair | 96% assigned, but Timmy is overloaded |
-| Staleness | Good | `claw-code-in-progress` needs verification |
-| Velocity | Unknown | Need merge-rate data |
-
-**Overall: Yellow.** The backlog is fresh but growing. Label hygiene and load balancing are the biggest gaps.
-
----
-
-*Generated by backlog triage. Ref: the-nexus #1459.*

server.py

@@ -7,6 +7,7 @@ the body (Evennia/Morrowind), and the visualization surface.
 import asyncio
 import json
 import logging
+import os
 import signal
 import sys
 from typing import Set
@@ -15,8 +16,8 @@ from typing import Set
 import websockets
 
 # Configuration
-PORT = 8765
-HOST = "0.0.0.0"  # Allow external connections if needed
+PORT = int(os.environ.get('NEXUS_WS_PORT', 8765))
+HOST = os.environ.get('NEXUS_WS_HOST', '127.0.0.1')  # Localhost by default. Set NEXUS_WS_HOST=0.0.0.0 for network access.
 
 # Logging setup
 logging.basicConfig(
@@ -81,6 +82,9 @@ async def broadcast_handler(websocket: websockets.WebSocketServerProtocol):
 
 async def main():
     """Main server loop with graceful shutdown."""
+    if HOST == '0.0.0.0':
+        logger.warning(f"Gateway binding to ALL interfaces (NEXUS_WS_HOST=0.0.0.0). "
+                       f"Accessible from network. Ensure firewall rules are in place.")
     logger.info(f"Starting Nexus WS gateway on ws://{HOST}:{PORT}")
     
     # Set up signal handlers for graceful shutdown