Skip to content

fix(api): allow the gittensory-ui dev-server port in CORS#5248

Merged
JSONbored merged 1 commit into
mainfrom
fix/cors-dev-preview-port
Jul 12, 2026
Merged

fix(api): allow the gittensory-ui dev-server port in CORS#5248
JSONbored merged 1 commit into
mainfrom
fix/cors-dev-preview-port

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Summary

Root cause of the "API unreachable" banner appearing on every local/preview load of gittensory-ui: its dev server (@lovable.dev/vite-tanstack-config) binds port 8080, not Vite's 5173 default, but DEFAULT_CORS_ORIGINS in src/api/routes.ts only listed 3000/4173/5173 (+ their 127.0.0.1 equivalents). Every dev/preview build was CORS-blocked from /health, so ApiStatusBanner reported the API as unreachable regardless of whether it was actually healthy — verified the deployed API itself responds 200 in well under a second.

Fix: added http://localhost:8080 / http://127.0.0.1:8080 to DEFAULT_CORS_ORIGINS.

Validation

  • npx vitest run test/integration/api.test.ts — new regression assertions for the /health preflight from localhost:8080 and 127.0.0.1:8080 pass
  • npm run typecheck — clean
  • npm run test:coverage (unsharded) — full suite green
  • npm audit --audit-level=moderate — 0 vulnerabilities
  • npm run cf-typegen:check / npm run ui:openapi:check / npm run docs:drift-check — all clean, no drift
  • No generated artifacts needed regenerating (no wrangler binding/var, schema, or migration touched)

Safety

  • No secrets, no access-control changes — purely adds a known-safe localhost dev origin to an existing allowlist alongside the other standard local dev ports already there.

gittensory-ui's dev server (@lovable.dev/vite-tanstack-config) binds
port 8080, not Vite's 5173 default. DEFAULT_CORS_ORIGINS only listed
3000/4173/5173, so every local/preview dev server was CORS-blocked
from /health and the ApiStatusBanner falsely reported "API
unreachable" on every load, even with a healthy API.
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@JSONbored JSONbored self-assigned this Jul 12, 2026
@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.34%. Comparing base (d3b9707) to head (4104842).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5248   +/-   ##
=======================================
  Coverage   94.34%   94.34%           
=======================================
  Files         473      473           
  Lines       39982    39982           
  Branches    14576    14576           
=======================================
  Hits        37722    37722           
  Misses       1585     1585           
  Partials      675      675           
Flag Coverage Δ
shard-1 46.29% <ø> (-0.15%) ⬇️
shard-2 34.60% <ø> (+0.01%) ⬆️
shard-3 32.10% <ø> (-0.05%) ⬇️
shard-4 31.82% <ø> (-0.27%) ⬇️
shard-5 33.72% <ø> (ø)
shard-6 45.07% <ø> (+0.21%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/api/routes.ts 94.30% <ø> (ø)
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 12, 2026
@loopover-orb

loopover-orb Bot commented Jul 12, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-12 11:37:35 UTC

2 files · 2 AI reviewers · 3 blockers · readiness 93/100 · CI green · unstable

⏸️ Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
  • AI reviewers agree on a likely critical defect: PR description: this PR does not close or clearly link an eligible open issue, so you need to add the issue link or explain the maintainer-authorized scope before this can proceed. — Resolve the flagged defect, or override if the AI reviewers are mistaken, then re-run the gate.

Review summary
This adds `http:​//localhost:8080` and `http:​//127.0.0.1:8080` to `DEFAULT_CORS_ORIGINS` in src/api/routes.ts to match gittensory-ui's dev server port, fixing false 'API unreachable' banners caused by CORS-blocked `/health` preflights. The fix is minimal, correctly targeted (matches the existing localhost/127.0.0.1 pairing pattern already in the array), and is backed by two new regression tests in test/integration/api.test.ts asserting 204 preflight responses with the correct `access-control-allow-origin` header for both origin variants. No schema, access-control logic, or generated artifacts are touched, consistent with the PR's stated scope.

Blockers

  • PR description: this PR does not close or clearly link an eligible open issue, so you need to add the issue link or explain the maintainer-authorized scope before this can proceed.
Nits — 5 non-blocking
  • The inline comment in src/api/routes.ts is fairly long (two lines) for a one-line allowlist addition; a shorter note referencing the issue/PR would be more idiomatic with the surrounding terse array.
  • The near-duplicate multi-line comment is repeated almost verbatim in test/integration/api.test.ts — consider trimming one of the two to avoid redundant prose in the diff.
  • Consider whether the dev-server port should eventually be sourced from a shared config/env constant if gittensory-ui's tooling changes ports again, to avoid future one-off allowlist edits.
  • src/api/routes.ts:5699: nit: the explanatory comment is useful, but it is more UI-specific than the surrounding allowlist entries and could age poorly if the UI dev-server package changes ports again.
  • PR description: add a closing or explicit linking reference to the eligible issue this fixes.

Concerns raised — review before merging

  • PR description: this PR does not close or clearly link an eligible open issue, so you need to add the issue link or explain the maintainer-authorized scope before this can proceed.
  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
Signal Result Evidence
Code review ❌ 3 blockers 2 reviewers, synthesized
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 44 registered-repo PR(s), 36 merged, 470 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 44 PR(s), 470 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ✅ Minor risk: clean · value: minor — Code changes are accompanied by test evidence. LLM value judgment: minor — It's a small, well-targeted one-line allowlist fix with regression tests that directly addresses the described dev-experience bug, but it's a narrow config tweak rather than a structural improvement.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: Python, TypeScript, Ruby, Go, JavaScript, MDX, Shell, Solidity
  • Official Gittensor activity: 44 PR(s), 470 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@loopover-orb loopover-orb Bot added the manual-review Gittensor contributor context label Jul 12, 2026
@JSONbored
JSONbored merged commit e3523a1 into main Jul 12, 2026
18 checks passed
@JSONbored
JSONbored deleted the fix/cors-dev-preview-port branch July 12, 2026 11:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant