1. Critical Auth Bypass: Spoofable Loopback Check Grants Silent Admin Access to Any Local Caller
A critical authentication vulnerability in the backend identity layer allows any process or caller reaching the local interface to silently mint full administrative tokens. The flaw, present in `backend/identity.py:140-178`, stems from the `require_principal()` function trusting `request.client.host` without verifying ...