AIRI Gateway WebSocket Security Overhaul: Zero-Trust Authentication Patches Critical RCE, Hijacking Risks

A critical security overhaul of the AIRI Gateway's WebSocket interface has been implemented, shifting the system to a 'Secure by Default' posture to neutralize severe attack vectors. The patch enforces strict zero-trust authentication and connection traceability, directly addressing an open architecture that previously left the application exposed to immediate exploitation upon installation. This backport brings the development workspace into complete security parity with a stable fork, closing a dangerous gap.

The core vulnerability stemmed from the gateway's lack of identity tracking and open authentication, which created a direct path for malicious local processes or unrelated scripts to connect to the open `0.0.0.0` WebSocket port. This flaw presented a clear risk of local Remote Code Execution (RCE) hijacking, allowing arbitrary command execution. The fix comprehensively resolves major type ambiguities related to dependencies like `[email protected]`, generic response mismatches, and missing workspace exports, with the workspace now reporting a 100% green type check status.

The remediation signals a significant hardening of the AIRI infrastructure's real-time communication layer, a common target for intrusion. By mandating authentication and traceability for all WebSocket connections, the update erects a fundamental barrier against lateral movement and privilege escalation attempts originating from compromised local environments. This proactive mitigation is essential for any deployment relying on the gateway for sensitive or critical operations, effectively locking down a previously open door.