
fix(security): restrict OAuth redirect_uri localhost bypass to local mode#4121

Open
0xcucumbersalad wants to merge 1 commit into main from fix/oauth-redirect-localhost-bypass

Conversation


@0xcucumbersalad 0xcucumbersalad commented Jun 24, 2026

Contributor

Summary

The OAuth authorize endpoint at app.ts:425-428 allowed redirect_uri to any localhost URL regardless of environment:

const isAllowed =
  redirectUrl.origin === allowedOriginObj.origin ||
  redirectUrl.hostname === "localhost";  // ← always allowed, even in production

In production (cloud/container deployments), an attacker could set redirect_uri=http://localhost:8080/steal and intercept OAuth authorization codes if they can bind that port — possible on shared hosts, cloud VMs, or via browser extensions.

Fix

Gate the localhost exception behind localMode:

- redirectUrl.hostname === "localhost";
+ (getSettings().localMode && redirectUrl.hostname === "localhost");
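Review bot: no automated test accompanies this hunk; the test plan only lists fmt, lint and manual checks, so the new gate can regress silently. Add a unit test that exercises the authorize endpoint with `redirect_uri=http://localhost:8080/steal` twice, once with `localMode` false (expect rejection) and once with it true (expect acceptance), alongside a positive case where the origin matches `baseUrl`. Note also that the retained `redirectUrl.hostname === "localhost"` check still excludes `127.0.0.1` and `[::1]` in local mode; that matches the pre-fix behaviour, but it is worth stating in the PR description so developers who use those loopback forms know why they are rejected.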

Production only allows redirect_uri matching the configured baseUrl origin. Local dev (bun run dev / --local-mode) continues to allow localhost.

Test plan

  • bun run fmt — passes
  • bun run lint — passes (0 errors)
  • Verify OAuth flow works in production with redirect_uri matching baseUrl
  • Verify redirect_uri=http://localhost:8080/steal is rejected in production
  • Verify localhost redirect_uri still works in local mode

🤖 Generated with Claude Code
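The rule described in the summary and the fix, as an added example that is not the project's code: the pre-fix check beside the gated one, written as standalone functions. `Settings`, the function names, and the sample base URL and redirect URIs are assumptions constructed for this example; the project reads its settings through `getSettings()`, which is stubbed here as a plain object.

```typescript
// Added example, not code from the project: redirect_uri validation for an
// OAuth authorize endpoint, showing the always-allow-localhost rule beside
// the rule gated on local mode. `Settings`, both function names and the
// sample URLs are constructed for this example.

interface Settings {
  baseUrl: string;    // configured public origin, e.g. https://mesh.example.com
  localMode: boolean; // true only for `bun run dev` / --local-mode
}

// Parse a URL, returning null instead of throwing on malformed input; an
// unparsable redirect_uri is never an acceptable target.
function parseUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Pre-fix rule: any URL whose hostname is "localhost" passes, in every
// environment, regardless of scheme or port.
export function isRedirectAllowedBefore(redirectUri: string, settings: Settings): boolean {
  const redirectUrl = parseUrl(redirectUri);
  const allowedOriginObj = parseUrl(settings.baseUrl);
  if (redirectUrl === null || allowedOriginObj === null) return false;
  return (
    redirectUrl.origin === allowedOriginObj.origin ||
    redirectUrl.hostname === "localhost"
  );
}

// Gated rule: the localhost exception applies only when localMode is on.
// `origin` compares scheme, host and port together, so an http:// redirect
// to an https:// baseUrl host is rejected as well.
export function isRedirectAllowedAfter(redirectUri: string, settings: Settings): boolean {
  const redirectUrl = parseUrl(redirectUri);
  const allowedOriginObj = parseUrl(settings.baseUrl);
  if (redirectUrl === null || allowedOriginObj === null) return false;
  return (
    redirectUrl.origin === allowedOriginObj.origin ||
    (settings.localMode && redirectUrl.hostname === "localhost")
  );
}

// Evaluate a set of constructed redirect_uri values under both rules so the
// difference is visible side by side.
export function compareRules(settings: Settings): Record<string, { before: boolean; after: boolean }> {
  const samples = [
    "https://mesh.example.com/oauth/callback",
    "http://mesh.example.com/oauth/callback",
    "http://localhost:8080/steal",
    "http://LOCALHOST:8080/steal", // URL lowercases hostnames
    "not a url",
  ];
  const result: Record<string, { before: boolean; after: boolean }> = {};
  for (const uri of samples) {
    result[uri] = {
      before: isRedirectAllowedBefore(uri, settings),
      after: isRedirectAllowedAfter(uri, settings),
    };
  }
  return result;
}

// Stand-in for the project's getSettings(): a production-like configuration.
const production: Settings = { baseUrl: "https://mesh.example.com", localMode: false };
console.table(compareRules(production));
```

Run it with `bun run` or `tsx`; the table shows `http://localhost:8080/steal` accepted under the old rule and rejected under the gated one for the production settings, while flipping `localMode` to `true` restores the localhost allowance for development.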


Summary by cubic

Restricts OAuth redirect_uri localhost allowance to local mode to close a production security gap. Prevents leaking authorization codes via http://localhost/... in cloud or container deployments.

  • Bug Fixes
    • Gate localhost redirects behind getSettings().localMode; production now requires origin to match baseUrl.
    • Updated validation in apps/mesh/src/api/app.ts and added clear comments on the risk and behavior.

Written for commit 798c8f1.


…mode

The OAuth authorize endpoint allowed redirect_uri to any localhost URL
regardless of environment. In production (cloud/container deployments),
an attacker could set redirect_uri=http://localhost:8080/steal and
intercept OAuth authorization codes if they can bind that port on the
same host (shared environments, cloud VMs, browser extensions).

Gate the localhost exception behind localMode so it only applies during
development (bun run dev / --local-mode). Production deployments only
allow redirect_uri matching the configured baseUrl origin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1 participant