fix(daemon): add Access-Control-Allow-Private-Network for Chrome PNA

[Gradata]

Bug: dashboard Sync Now button silently failed in Chrome/Edge because the daemon CORS preflight did not include Access-Control-Allow-Private-Network. Chrome PNA blocks requests from https:// public origins to private IPs (127.0.0.1) unless this header is on the preflight. The fetch fails with 'TypeError: Failed to fetch' before the real POST is sent.

Fix: add the header to do_OPTIONS in daemon.py.

Verify:
curl -X OPTIONS http://127.0.0.1:8765/sync -H 'Origin: https://app.gradata.ai' -H 'Access-Control-Request-Private-Network: true' -i

Response now includes: Access-Control-Allow-Private-Network: true

Follow-up to #196.

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d03b6507-b48d-4993-90b9-de56654ac00b

📥 Commits

Reviewing files that changed from the base of the PR and between 2a00706 and 3714539.

📒 Files selected for processing (1)

• Gradata/src/gradata/daemon.py

---

📝 Walkthrough

Summary

• Bug Fix: Added Access-Control-Allow-Private-Network: true header to CORS preflight responses in the daemon's do_OPTIONS method
• Problem Solved: The dashboard "Sync Now" button failed silently in Chrome/Edge because Chrome's Private Network Access (PNA) blocks HTTPS public origins from accessing private IPs (127.0.0.1) without this header on the preflight response
• Impact: Enables cross-origin requests from the Gradata dashboard to the local daemon by satisfying Chrome's PNA preflight requirements
• Changes: Modified Gradata/src/gradata/daemon.py - added header and expanded docstring with PNA context (9 lines added, 1 line modified)
• No Breaking Changes: This is a backward-compatible header addition that only affects CORS preflight behavior
• Follow-up to PR #196: Complements the POST /sync endpoint added in the previous PR

Walkthrough

The CORS preflight handler in the daemon's HTTP server now declares support for Private Network Access by adding the Access-Control-Allow-Private-Network: true response header to OPTIONS responses, alongside existing CORS headers and allowlists for methods and headers.

Changes

Private Network Access CORS Header

Layer / File(s)	Summary
CORS preflight private network access Gradata/src/gradata/daemon.py	The do_OPTIONS handler now includes Access-Control-Allow-Private-Network: true in the response, enabling web dashboards to access the daemon through the Private Network Access API while preserving existing CORS origin/credentials headers and method/header allowlists.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

bug

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/daemon-pna-preflight

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 OpenGrep (1.20.0)

OpenGrep fatal error (exit code 2):
┌──────────────┐
│ Opengrep CLI │
└──────────────┘

�[32m✔�[39m �[1mOpengrep OSS�[0m
�[32m✔�[39m Basic security coverage for first-party code vulnerabilities.

�[1m Loading rules from local config...�[0m
[00.37][ERROR]: Error: exception Glob.Lexer.Syntax_error("malformed glob pattern: missing ']'")
Raised at Glob__Lexer.syntax_error in file "libs/glob/Lexer.mll", line 8, characters 2-26
Called from Glob__Lexer.__ocaml_lex_token_rec in file "libs/glob/Lexer.mll", line 29, characters 26-53
Cal

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}