[pitboss/grind] cleanup session-0028 (20260522T043516Z-29b8)

docs/serve.md

@@ -25,10 +25,10 @@ There is **no** account, no telemetry, no remote logging, no auto-update ping. T
 
 ## Security model
 
-`nyx serve` enforces three things at the HTTP layer ([`src/server/security.rs`](https://github.com/elicpeter/nyx/blob/master/src/server/security.rs)):
+`nyx serve` enforces three things:
 
-1. **Loopback bind only.** `--host` and `[server].host` are clamped to `127.0.0.1`, `localhost`, or `::1`. Any other value is refused at startup with `Nyx serve only binds to loopback addresses; refused host '<value>'`.
+1. **Loopback bind only.** `--host` and `[server].host` are clamped to `127.0.0.1`, `localhost`, or `::1`. Any other value is refused at startup with `Nyx serve only binds to loopback addresses; refused host '<value>'` ([`src/commands/serve.rs`](https://github.com/elicpeter/nyx/blob/master/src/commands/serve.rs)).
-2. **Host-header check.** Every request must carry a `Host` header that matches the bound address and port. Missing or mismatched headers get a `400 invalid Host header`. Defends against DNS rebinding.
+2. **Host-header check.** Every request must carry a `Host` header that matches the bound address and port. Missing or mismatched headers get a `400 invalid Host header`. Defends against DNS rebinding ([`src/server/security.rs`](https://github.com/elicpeter/nyx/blob/master/src/server/security.rs)).
 3. **CSRF on mutations.** `POST` / `PUT` / `PATCH` / `DELETE` requests must carry a per-process CSRF token in the `x-nyx-csrf` header. The token is generated once when the server starts and exposed at `GET /api/health` so the embedded SPA can read it. Cross-origin mutations are rejected before the CSRF check via the `Origin` header.
 
 If you forward the port over SSH or expose it through a reverse proxy, the host-header check will reject the request because the `Host` won't match `localhost:9700`. That's the intended behaviour. Don't do this without a deliberate reason; the loopback bind is part of the security model.

src/cfg/mod.rs

@@ -791,10 +791,7 @@ impl NodeInfo {
 /// lose information.
 #[derive(Debug, Clone)]
 pub struct LocalFuncSummary {
-    #[allow(dead_code)] // used for future intra-file graph traversal
     pub entry: NodeIndex,
-    #[allow(dead_code)] // used for future intra-file graph traversal
-    pub exit: NodeIndex,
     pub source_caps: Cap,
     pub sanitizer_caps: Cap,
     pub sink_caps: Cap,
@@ -901,7 +898,6 @@ pub struct BodyCfg {
     pub meta: BodyMeta,
     pub graph: Cfg,
     pub entry: NodeIndex,
-    pub exit: NodeIndex,
 }
 
 /// A single import alias binding: local alias → original exported name + module.
@@ -5789,7 +5785,6 @@ pub(super) fn build_sub<'a>(
                 key,
                 LocalFuncSummary {
                     entry: fn_entry,
-                    exit: fn_exit,
                     source_caps: fn_src_bits,
                     sanitizer_caps: fn_sani_bits,
                     sink_caps: fn_sink_bits,
@@ -5839,7 +5834,6 @@ pub(super) fn build_sub<'a>(
                 },
                 graph: fn_graph,
                 entry: fn_entry,
-                exit: fn_exit,
             });
 
             // ── 7) Insert placeholder in parent graph ─────────────────────────
@@ -6428,7 +6422,6 @@ pub(crate) fn build_cfg<'a>(
         },
         graph: g,
         entry,
-        exit,
     };
     bodies.insert(0, toplevel);
     // Sort by BodyId so that bodies[i].meta.id == BodyId(i).