feat(miner-extension): grant loopback host permissions for local miner-ui access (#4860)#5578
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
|
Tip 🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩 ✅ Gittensory review result - approve/merge recommendedReview updated: 2026-07-13 06:57:28 UTC
✅ Suggested Action - Approve/Merge
Review summary Nits — 5 non-blocking
Review context
Contributor next steps
Signal definitions
[BETA] Chat with GittensoryAsk Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands Visual preview
Click any thumbnail to open the full-size screenshot. Before = production · After = this PR's preview deploy. 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5578 +/- ##
=======================================
Coverage 94.98% 94.98%
=======================================
Files 573 573
Lines 45469 45469
Branches 14680 14680
=======================================
Hits 43187 43187
Misses 1531 1531
Partials 751 751
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Closes #4860
Summary
The miner extension's
manifest.jsonhost_permissionsonly coveredhttps://github.com/*, so the extensionarchitecturally could not reach
localhost— which blocks any live-fetch integration with the operator's localminer-ui. This adds the loopback host permissions that enable localhost access, scoped as narrowly as the platform
allows.
Change
apps/gittensory-miner-extension/manifest.json—host_permissionsnow also grantshttp://localhost/*and
http://127.0.0.1/*(additive;https://github.com/*stays).Scoping rationale:
http://localhost/*is thetightest grant possible for a loopback dev server (a
http://localhost:5174/*pattern is invalid).httpsis intentionally omitted because the local miner-ui dev server is plainHTTP; no broad or non-loopback host is granted.
Scope note: this issue's deliverable is narrowly "updated manifest permissions enabling localhost access." The
live-fetch consumer that will use this permission (pulling ranked candidates from the local miner-ui) is a
separate integration; this PR unblocks it by resolving the reachability gap.
Testing
test/unit/miner-extension-content.test.ts— a new case asserts the manifest grants both loopback patterns,keeps the
github.comgrant, and that every entry matches onlyhttps://github.com/*orhttp://{localhost,127.0.0.1}/*(so a future edit can't silently widen the grant to an arbitrary host).driver; no linter errors.
Note for CI
npm run test:ci/npm run test:coveragemust be run under Node >= 22.13 (this sandbox is Node 18, so vitestcould not be executed here). The changed files live under
apps/**, outside the Codecov-measuredsrc/**/lib/**surface, so they add no patch-coverage burden; the manifest assertion runs as part of the existing unitsuite.