Handbook
Scenario — Enterprise network binding checklist
An operator verifies default loopback binds, inventories open ports, and only then widens LENSES_HOST/--bind-all-interfaces, pairing changes with firewall posture.
Updated
Scenario summary
An operator verifies default loopback binds, inventories open ports, and only then widens LENSES_HOST/--bind-all-interfaces, pairing changes with firewall posture.
User role
Platform operator or security reviewer.
Starting state
- Forge Lenses installed per Install and run.
- Shell access to
ssorlsofon the host.
Steps
- Record
ss -lptnwhile Lenses is stopped and while running on the default port. - Compare results with Enterprise — network binding.
- If widening binds, document the reverse proxy + TLS termination owner.
Example input
ss -lptn 'sport = :8080'
Example output or expected state
Only loopback (127.0.0.1) listeners until --bind-all-interfaces + proxy plan is logged.
Verification
- Matches the Verify table inside Enterprise — network binding.
- Alerts fire if unintended
0.0.0.0listeners appear before allowlists tighten.
Failure / recovery
- Roll back to loopback binds, revert env flags referencing Configuration reference, rerun Builders — auth and safety.
Related API/schema docs
REST narrative: Schemas and API for builders. JSON stub: sample-oauth-oidc-endpoint.json anchors OIDC appendix references.