Critical Auth Bypass: Spoofable Loopback Check Grants Silent Admin Access to Any Local Caller

A critical authentication vulnerability in the backend identity layer allows any process or caller reaching the local interface to silently mint full administrative tokens. The flaw, present in `backend/identity.py:140-178`, stems from the `require_principal()` function trusting `request.client.host` without verifying that requests genuinely originated from loopback addresses. Any caller setting the host header to `127.0.0.1` or `::1` receives a synthetic `__loopback__` principal with `roles=["admin"]` and scope `"*"`, effectively granting unrestricted backend access.

The exposure creates multiple concrete attack paths. Any actor with shell access on the host—whether a CI pipeline, deployment runner, or dispatched agent—can directly invoke internal admin endpoints such as `/api/admin/principals/foo/token` and generate credentials with complete system privileges. The vulnerability grows more severe under common infrastructure configurations: if the dashboard is reverse-proxied, as with Tailscale Funnel currently exposing select endpoints, the proxy itself connects from localhost, elevating every upstream request to admin status. Additionally, any in-process server-side request forgery (SSRF) flaw—particularly via `proxy_to_hub` or outbound httpx calls that loop back to the service—automatically escalates to full privilege escalation rather than remaining contained.

The `csrf` middleware referenced in `backend/middleware.py:10-19` is listed as a related concern, suggesting the bypass may circumvent intended cross-site request forgery protections. Organizations running affected deployments should audit any exposed admin endpoints, review reverse-proxy configurations that route through localhost, and treat any server-side request-handling bug as a critical security boundary failure rather than a minor flaw. The absence of a genuine loopback interface verification means the current trust model is fundamentally broken.