Add DevMode runtime safeguards: loopback enforcement, remote-addr filter, and warning banner #54

Draft: Copilot wants to merge 2 commits into main from copilot/add-dev-mode-safeguards


Copilot AI commented Feb 25, 2026

dev_mode: true enables /auth/test-login (unauthenticated session creation for any username/role) with no runtime guard beyond the config flag itself — trivially enabled in prod via GHP_DEV_MODE=true.

Changes

Startup loopback check (internal/server/server.go, cmd/ghp/serve.go)

  • Run() now refuses to start in dev mode when the listen address is not a loopback (127.0.0.1, ::1, localhost); all-interfaces binds (:8080, 0.0.0.0:*) are rejected
  • --force-dev-mode flag added to ghp serve to explicitly override the check (e.g. for integration test environments)

Remote-addr gate on /auth/test-login (internal/auth/auth.go)

  • handleTestLogin rejects with 403 Forbidden any request whose RemoteAddr is not a loopback IP, independent of the startup check — defense in depth if --force-dev-mode is used

Dev mode warning banner (web templates + internal/web/handler.go)

  • DevMode is now passed into every template render context
  • All pages (login, dashboard, admin) render a prominent red banner when active:

    ⚠ DEV MODE ACTIVE — test-login endpoint is enabled; do not use in production

Tests

  • TestHandleTestLogin_{BodyTooLarge,InvalidJSON} updated to set a loopback RemoteAddr
  • New: TestHandleTestLogin_NonLoopbackRejected, TestIsLoopbackRemoteAddr, TestIsLoopbackListenAddr
  • TestHelpOutput_Serve extended to assert --force-dev-mode appears in help output
Original prompt

This section details the original issue you should resolve

<issue_title>DevMode has no runtime safeguard beyond a config flag</issue_title>
<issue_description>Severity: Medium
Location: internal/auth/auth.go:98-102, internal/config/config.go:32

When dev_mode: true is set, the /auth/test-login endpoint is enabled, which allows creating sessions for any username with any role (including admin) without any authentication. There is no safeguard to prevent this from being accidentally enabled in a deployment:

  • No warning is emitted at startup beyond a slog.Warn (which may be missed in production log noise).
  • The config can be set via the GHP_DEV_MODE environment variable.
  • There is no check that the server is listening only on localhost when dev mode is enabled.

Recommendation

  1. Refuse to start in dev mode if the listen address is not loopback (127.0.0.1, ::1, localhost). Add a --force-dev-mode flag to override this check explicitly.
  2. Reject /auth/test-login requests where r.RemoteAddr is not a loopback IP.
  3. Pass DevMode to the web UI template context and render a prominent red warning banner on all pages when active.</issue_description>

Comments on the Issue (you are @copilot in this section)



…nd warning banner

Co-authored-by: goodtune <286798+goodtune@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add runtime safeguards for dev mode in authentication" to "Add DevMode runtime safeguards: loopback enforcement, remote-addr filter, and warning banner" Feb 25, 2026
Copilot AI requested a review from goodtune February 25, 2026 13:19
@goodtune added the enhancement (New feature or request) label Mar 5, 2026
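
The two loopback checks described in the pull request description above (the startup check on the listen address and the per-request gate on RemoteAddr), as an added Go example that is not the project's own code. The function names isLoopbackListenAddr and isLoopbackRemoteAddr are inferred from the test names listed in the description; isLoopbackIP, loopbackOnly and statusFor are hypothetical helpers, and all sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// isLoopbackIP reports whether host is a literal loopback IP (127.0.0.0/8 or ::1).
func isLoopbackIP(host string) bool {
	ip := net.ParseIP(host) // nil for "" and for hostnames
	return ip != nil && ip.IsLoopback()
}

// isLoopbackListenAddr is the startup check; parse errors fail closed (assumed behaviour).
func isLoopbackListenAddr(addr string) bool {
	host, _, err := net.SplitHostPort(addr) // ":8080" yields host "" (all interfaces)
	return err == nil && (host == "localhost" || isLoopbackIP(host))
}

// isLoopbackRemoteAddr is the per-request check on r.RemoteAddr ("ip:port").
func isLoopbackRemoteAddr(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	return err == nil && isLoopbackIP(host)
}

// loopbackOnly answers 403 Forbidden unless the TCP peer is a loopback address.
func loopbackOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isLoopbackRemoteAddr(r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request with the given peer address through the gate.
func statusFor(remoteAddr string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {})
	req := httptest.NewRequest(http.MethodPost, "/auth/test-login", nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	loopbackOnly(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor("127.0.0.1:5000"), statusFor("203.0.113.7:5000")) }
```

When the server runs behind a reverse proxy on the same host, r.RemoteAddr is the proxy's loopback address for every request, so the per-request gate cannot tell external clients apart in that deployment. The listen-address check accepts the name localhost without resolving it, which assumes the host maps that name to a loopback address.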
Successfully merging this pull request may close these issues.

DevMode has no runtime safeguard beyond a config flag