Harden review agent job launch endpoints

[Aeg1sx]

Summary

• require a per-session token for mutating review agent job requests before launching or killing jobs
• bind Bun and Pi review servers to loopback-only addresses to avoid direct LAN exposure
• thread the session token through /api/diff into the review UI and add Bun/Pi regression coverage

Why this patch

The vulnerable behavior is not just that review agent jobs can be reached over the network. The core issue is that the review server exposes a process-launching API to a browser client. Tightening bind addresses helps with remote reachability, but it does not stop other local processes or same-host browser contexts from hitting the endpoint.

I did not change this into a provider-wide command allowlist because that would be brittle for this product. The review flow intentionally supports provider-specific wrappers and future command shapes, so hard-coding a narrow set of accepted argv patterns would likely break valid review-agent integrations.

Instead, this patch makes job launch and kill operations session-bound:

• the review server now generates a fresh random token for each review session
• /api/diff returns that token only to the active review UI
• mutating /api/agents/jobs requests are rejected unless they include the matching token

That keeps the existing provider flexibility, while preventing blind unauthenticated requests from launching or killing jobs.

The loopback-only bind is kept as a second layer of defense. It removes direct LAN exposure by default while still allowing SSH/devcontainer port-forwarded workflows.

Testing

• /tmp/bun/bin/bun test packages/server/remote.test.ts packages/server/agent-jobs.test.ts apps/pi-extension/server/network.test.ts apps/pi-extension/server.test.ts