sync #2701
Bun records the root package as a workspace dependency so the lockfile matches package.json after install. Made-with: Cursor
Include these in globalEnv so dev and web tasks invalidate when bind address or HTTP base URL overrides change. Made-with: Cursor
…OWSER Set HOST alongside T3CODE_HOST so apps/web/vite.config.ts sees the bind address. Stop deleting T3CODE_NO_BROWSER when the CLI omits --no-browser so extendEnv:false runs preserve a parent shell export. Made-with: Cursor
Replace wildcard CORS with credentials plus isAllowedBrowserApiCorsOrigin (loopback, .localhost, private CGNAT/LAN ranges) so credentialed fetches from LAN or Tailscale dev URLs succeed safely. Made-with: Cursor
Map wildcard bind hosts to true for server.host and omit HMR host so the client uses the page hostname instead of ws://0.0.0.0. Made-with: Cursor
When env points at localhost but the UI is opened from LAN or Tailscale, rewrite http/ws base URLs to the current page host so requests do not hit the browser machine loopback. Add Vitest coverage for rewrite behavior. Made-with: Cursor
oops sorry just meant to sync
:(
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit ea17fca. Configure here.
| if (!isLoopbackHostname(normalizeHostname(url.hostname))) { | ||
| return rawBaseUrl; | ||
| } | ||
| url.hostname = pageHostname; |
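Review bot: the result of `url.hostname = pageHostname` on the last line is never checked. The WHATWG `hostname` setter leaves the URL unchanged when it cannot parse the value, so a failed rewrite returns a base URL that still points at loopback, with no error. Compare `url.hostname` before and after the assignment, wrap `pageHostname` in brackets when it is an unbracketed IPv6 literal, and add a Vitest case with an IPv6 page hostname.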
IPv6 hostname rewrite silently fails due to missing brackets
Low Severity
When the page is accessed via an IPv6 address (e.g., http://[fd00::1]:5733/), pageHostname will be fd00::1 (the WHATWG URL getter strips brackets). Assigning this unbracketed IPv6 value via url.hostname = pageHostname is a silent no-op in the WHATWG URL API, because the colon is a forbidden domain code point and host parsing fails. The rewrite never actually takes effect for IPv6, leaving the URL pointing at localhost.


Note
Medium Risk
Updates credentialed CORS handling for browser API routes and changes dev networking behavior, which could inadvertently block/allow origins or affect local connectivity if the allowlist/host logic is wrong.
Overview
Enables safer credentialed CORS for browser-facing API routes by switching browserApiCorsLayer to HttpMiddleware.cors with credentials: true and a concrete origin allowlist (isAllowedBrowserApiCorsOrigin) covering loopback, .localhost, private LAN ranges, and Tailscale CGNAT, with new unit tests.
Improves dev LAN/Tailscale usability by rewriting configured web targets away from loopback when the page is served from a non-loopback hostname, and by adjusting Vite dev-server/HMR host handling when binding to 0.0.0.0/::.
Dev runner and tooling are updated to propagate --host to both T3CODE_HOST and HOST, preserve T3CODE_NO_BROWSER when not explicitly overridden, and ensure relevant env vars are included in turbo.json globals.
Note
Add LAN/Tailscale support for dev server by rewriting loopback API URLs and hardening CORS
isAllowedBrowserApiCorsOrigin in http.ts to validate credentialed CORS origins, allowing loopback, *.localhost, private IPv4 ranges, IPv6 ULA, and Tailscale CGNAT (100.64.0.0/10); all other origins are rejected.
browserApiCorsLayer to use credentialed CORS and delegate origin checks to the new validator.
rewriteConfiguredTargetLoopbackHostForPageHostname in target.ts so that when the web UI is served from a non-loopback host, httpBaseUrl and wsBaseUrl are rewritten from loopback to the page hostname.
vite.config.ts so that wildcard bind hosts (0.0.0.0 or ::) cause HMR to use the page hostname rather than the wildcard address.
HOST and T3CODE_HOST through to child processes in dev-runner.ts and adds both to Turbo's envPassThrough in turbo.json.
Macroscope summarized ea17fca.
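An added example, not code from this pull request: one way to implement the credentialed-CORS origin allowlist the summaries above describe (loopback, .localhost, private IPv4 ranges, IPv6 ULA, Tailscale CGNAT 100.64.0.0/10). The names isAllowedDevOrigin, corsHeadersFor and ALLOWED_V4 are hypothetical, and the project's isAllowedBrowserApiCorsOrigin may differ in detail.

```typescript
// Added example: hypothetical helpers, not the project's isAllowedBrowserApiCorsOrigin.
// Loopback, RFC 1918 private ranges, and the 100.64.0.0/10 CGNAT block used by Tailscale.
const ALLOWED_V4: Array<[string, number]> = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["100.64.0.0", 10],
];

// Strict dotted-quad to unsigned 32-bit integer; null for anything that is not IPv4.
function ipv4ToInt(host: string): number | null {
  const parts = host.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return null;
  const octets = parts.map(Number);
  return octets.some((o) => o > 255) ? null : octets.reduce((acc, o) => acc * 256 + o, 0);
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const size = 2 ** (32 - bits); // number of addresses in the block
  return Math.floor(ip / size) === Math.floor((ipv4ToInt(base) as number) / size);
}

// Expects the bracketed, lowercased form that URL.hostname returns for IPv6 hosts.
function isLoopbackOrUlaIpv6(bracketed: string): boolean {
  const addr = bracketed.slice(1, -1);
  return addr === "::1" || /^f[cd][0-9a-f]{2}:/.test(addr); // ULA is fc00::/7
}

function isAllowedDevOrigin(origin: string): boolean {
  let url: URL;
  try {
    url = new URL(origin);
  } catch {
    return false; // covers the literal "null" origin and malformed values
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname;
  // Exact match or dot-anchored suffix, so "localhost.evil.example" does not pass.
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.startsWith("[")) return isLoopbackOrUlaIpv6(host);
  const ip = ipv4ToInt(host);
  return ip !== null && ALLOWED_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// Credentialed responses must echo one exact origin; browsers reject "*" with credentials.
function corsHeadersFor(origin: string | undefined): Record<string, string> {
  if (!origin || !isAllowedDevOrigin(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}
```

Anything the parser cannot place in one of the listed ranges is rejected, including IPv4-mapped IPv6 literals and hostnames with a trailing dot.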