Skip to content

feat(miner-extension): grant loopback host permissions for local miner-ui access (#4860)#5578

Merged
loopover-orb[bot] merged 2 commits into
JSONbored:mainfrom
andriypolanski:feat/miner-extension-localhost-permission
Jul 13, 2026
Merged

feat(miner-extension): grant loopback host permissions for local miner-ui access (#4860)#5578
loopover-orb[bot] merged 2 commits into
JSONbored:mainfrom
andriypolanski:feat/miner-extension-localhost-permission

Conversation

@andriypolanski

Copy link
Copy Markdown
Contributor

Closes #4860

Summary

The miner extension's manifest.json host_permissions only covered https://github.com/*, so the extension
architecturally could not reach localhost — which blocks any live-fetch integration with the operator's local
miner-ui. This adds the loopback host permissions that enable localhost access, scoped as narrowly as the platform
allows.

Change

  • apps/gittensory-miner-extension/manifest.jsonhost_permissions now also grants http://localhost/*
    and http://127.0.0.1/* (additive; https://github.com/* stays).

Scoping rationale:

  • Narrowest the platform allows: Chrome MV3 match patterns cannot pin a port, so http://localhost/* is the
    tightest grant possible for a loopback dev server (a http://localhost:5174/* pattern is invalid).
  • HTTP only, loopback only: https is intentionally omitted because the local miner-ui dev server is plain
    HTTP; no broad or non-loopback host is granted.

Scope note: this issue's deliverable is narrowly "updated manifest permissions enabling localhost access." The
live-fetch consumer that will use this permission (pulling ranked candidates from the local miner-ui) is a
separate integration; this PR unblocks it by resolving the reachability gap.

Testing

  • test/unit/miner-extension-content.test.ts — a new case asserts the manifest grants both loopback patterns,
    keeps the github.com grant, and that every entry matches only https://github.com/* or
    http://{localhost,127.0.0.1}/* (so a future edit can't silently widen the grant to an arbitrary host).
  • Verified locally (Node 18 sandbox): the manifest is valid JSON and the new assertions pass via a standalone
    driver; no linter errors.

Note for CI

npm run test:ci / npm run test:coverage must be run under Node >= 22.13 (this sandbox is Node 18, so vitest
could not be executed here). The changed files live under apps/**, outside the Codecov-measured src/** /
lib/** surface, so they add no patch-coverage burden; the manifest assertion runs as part of the existing unit
suite.

@andriypolanski andriypolanski marked this pull request as draft July 13, 2026 06:52
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@loopover-orb loopover-orb Bot added the gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 0.25x multiplier. label Jul 13, 2026
@loopover-orb

loopover-orb Bot commented Jul 13, 2026

Copy link
Copy Markdown

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review result - approve/merge recommended

Review updated: 2026-07-13 06:57:28 UTC

3 files · 2 AI reviewers · no blockers · readiness 100/100 · CI green · clean

✅ Suggested Action - Approve/Merge

  • safe to merge

Review summary
This is a small, well-scoped manifest change adding http:​//localhost/* and http:​//127.0.0.1/* to host_permissions so the extension can reach a local miner-ui dev server, with a matching test asserting the exact set of granted patterns and documentation explaining the port-pinning limitation of Chrome MV3 match patterns. The change is additive (github.com permission retained), correctly reasoned (localhost/127.0.0.1 over broad host or https since the dev server is HTTP-only), and the test guards against future silent widening of the permission set. This closes the linked issue #4860 as a narrow, reviewable permission fix without bundling the live-fetch consumer that will use it.

Nits — 5 non-blocking
  • The test regex in test/unit/miner-extension-content.test.ts allows any pattern matching localhost or 127.0.0.1 with exact '/*' suffix, which is correct, but relies on manifest.host_permissions already being loaded/parsed elsewhere in the test file — verify that setup is present and correct.
  • README addition documents the rationale well but doesn't mention that a future live-fetch feature will need this permission at a specific port; readers may wonder why the loopback grant exists before any consumer uses it (though the PR does explain this in its description).
  • Consider adding a one-line comment in manifest.json itself (if supported via a sibling doc or code comment convention) pointing to README.md's 'Host permissions' section for context, since JSON doesn't support comments natively.
  • No changes needed to the content script's `matches` array since it remains scoped to github.com issue pages — worth confirming in a follow-up PR that the live-fetch consumer doesn't need `matches` broadened as well, since `host_permissions` and `content_scripts.matches` are independent grants.
  • nit: test/unit/miner-extension-content.test.ts:49 has a very long test name; consider shortening it while keeping the issue reference so failures stay readable in reporter output.
Signal Result Evidence
Code review ✅ No blockers 2 reviewers, synthesized
Linked issue ✅ Linked #4860
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (1 linked issue).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 162 registered-repo PR(s), 105 merged, 29 issue(s).
Contributor context ✅ Confirmed Gittensor contributor andriypolanski; Gittensor profile; 162 PR(s), 29 issue(s).
Gate result ✅ Passing No configured blocker found.
Improvement ⚠️ ℹ️ Insufficient signal risk: clean · value: insufficient-signal — Nothing measurable for the structural-improvement analyzers on this PR (e.g. no code files changed). LLM value judgment: minor — The change is a narrowly-scoped, correctly-reasoned permission grant with test and doc coverage that unblocks a future integration but does not itself add functional capability.
Review context
  • Author: andriypolanski
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 162 PR(s), 29 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Keep the PR focused and include validation evidence before maintainer review.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask <question> answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat <question> answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

Visual preview
Route Viewport Before (production) After (this PR's preview) Diff
/ desktop before / after /
/ mobile before / (mobile) after / (mobile)

Click any thumbnail to open the full-size screenshot. Before = production · After = this PR's preview deploy.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.98%. Comparing base (246e7ec) to head (98dee32).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5578   +/-   ##
=======================================
  Coverage   94.98%   94.98%           
=======================================
  Files         573      573           
  Lines       45469    45469           
  Branches    14680    14680           
=======================================
  Hits        43187    43187           
  Misses       1531     1531           
  Partials      751      751           
Flag Coverage Δ
shard-1 44.03% <ø> (-0.01%) ⬇️
shard-2 35.68% <ø> (+0.01%) ⬆️
shard-3 32.12% <ø> (+<0.01%) ⬆️
shard-4 30.99% <ø> (-1.89%) ⬇️
shard-5 32.82% <ø> (+0.94%) ⬆️
shard-6 44.38% <ø> (+0.20%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@andriypolanski andriypolanski marked this pull request as ready for review July 13, 2026 06:56

@loopover-orb loopover-orb Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gittensory approves — the gate is satisfied and CI is green.

@loopover-orb loopover-orb Bot merged commit 4cc380d into JSONbored:main Jul 13, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 0.25x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Resolve the extension's localhost-reachability gap

2 participants