diff --git a/app/auth.py b/app/auth.py
index 0cee009..d18884b 100644
--- a/app/auth.py
+++ b/app/auth.py
@@ -72,6 +72,14 @@ class User:
     is_admin: bool
 
 
+def LoopbackUser(username: str = "monitor", full_name: str = "Autonomous Monitor") -> User:
+    """Synthetic admin used by the loopback bypass in _AuthGateMiddleware.
+    id=0 (no real DB row) and is_admin=True so admin-gated routes work.
+    Only reachable when request.client.host is 127.0.0.1 / ::1 —
+    a process inside the container's network namespace (docker exec)."""
+    return User(id=0, username=username, full_name=full_name, is_admin=True)
+
+
 def _now() -> str:
     return datetime.now(timezone.utc).isoformat()
 
diff --git a/app/config.py b/app/config.py
index f7dec05..40f6e93 100644
--- a/app/config.py
+++ b/app/config.py
@@ -86,7 +86,7 @@ class Settings(BaseSettings):
     ssh_key: str = ""             # PEM private key content (paste full key including headers)
 
     # Application version — used by the /api/v1/updates/check endpoint
-    app_version: str = "1.0.0-54"
+    app_version: str = "1.0.0-56"
 
     # ---- Authentication (1.0.0-22) ----
     # session_secret: HMAC key for signing session cookies. Empty = generate
diff --git a/app/main.py b/app/main.py
index 85b4465..31e9670 100644
--- a/app/main.py
+++ b/app/main.py
@@ -189,6 +189,21 @@ class _AuthGateMiddleware(BaseHTTPMiddleware):
             await auth.get_user_by_id(int(user_id)) if user_id else None
         )
 
+        # Loopback bypass (1.0.0-56): requests from 127.0.0.1 / ::1
+        # inside the container skip the auth gate. The only way to hit
+        # that source IP is a process in the container's network
+        # namespace — `docker exec` from the host. External traffic
+        # comes through the docker bridge with a non-loopback source,
+        # so it still goes through full auth. We read request.client.host
+        # directly (raw TCP socket), NOT X-Forwarded-For, so external
+        # attackers can't spoof loopback via headers. This unlocks the
+        # autonomous monitor's ability to POST /api/v1/burnin/start
+        # without provisioning a session cookie.
+        if request.client and request.client.host in ("127.0.0.1", "::1"):
+            if request.state.current_user is None:
+                request.state.current_user = auth.LoopbackUser()
+            return await call_next(request)
+
         if path in _PUBLIC_PATHS or path.startswith(_PUBLIC_PREFIXES):
             return await call_next(request)
         if request.state.current_user is not None: