chore(cors): broaden local origin matching for dev environments

IamCoder18 · IamCoder18 · commit 8eaa298d46c0 · 2026-06-14T08:29:32.000-06:00
The previous localhost-only prefix check caused CORS failures when
developers accessed the dev server via LAN IP (10.x, 172.16-31.x,
192.168.x), loopback (127.x), or IPv6 link-local/ULA addresses. This
was common when using mobile devices on the same LAN for testing or
when tunneling into the dev environment.

Both gastown and wasteland were updated to use the same regex so they
stay in sync.

## Summary

- services/gastown/src/gastown.worker.ts
- services/wasteland/src/wasteland.worker.ts
diff --git a/services/gastown/src/gastown.worker.ts b/services/gastown/src/gastown.worker.ts
@@ -266,13 +266,13 @@ app.use('/api/mayor/:townId/tools/rigs/:rigId/agents/:agentId/*', async (c, next
 
 // ── CORS ────────────────────────────────────────────────────────────────
 // Allow browser requests from the main Kilo app. In development, allow
-// localhost origins for the Next.js dev server.
+// localhost and LAN origins for the Next.js dev server.
 
 const corsMiddleware = cors({
   origin: (origin, c: Context<GastownEnv>) => {
     if (c.env.ENVIRONMENT === 'development') {
-      // Allow any localhost origin in dev
-      if (origin.startsWith('http://localhost:')) return origin;
+      const localIpPattern = /^https?:\/\/(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+|192\.168\.\d+\.\d+|\[(::1|fd[0-9a-f]{2}:[0-9a-f:]+|fe80:[0-9a-f:]+)\])(:\d+)?$/i;
+      if (localIpPattern.test(origin)) return origin;
     }
     // Production origins
     const allowed = ['https://app.kilo.ai', 'https://kilo.ai'];
diff --git a/services/wasteland/src/wasteland.worker.ts b/services/wasteland/src/wasteland.worker.ts
@@ -89,12 +89,13 @@ app.use('*', async (c, next) => {
 
 // ── CORS ────────────────────────────────────────────────────────────────
 // Allow browser requests from the main Kilo app. In development, allow
-// localhost origins for the Next.js dev server.
+// localhost and LAN origins for the Next.js dev server.
 
 const corsMiddleware = cors({
   origin: (origin, c: Context<WastelandEnv>) => {
     if (c.env.ENVIRONMENT === 'development') {
-      if (origin.startsWith('http://localhost:')) return origin;
+      const localIpPattern = /^https?:\/\/(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+|192\.168\.\d+\.\d+|\[(::1|fd[0-9a-f]{2}:[0-9a-f:]+|fe80:[0-9a-f:]+)\])(:\d+)?$/i;
+      if (localIpPattern.test(origin)) return origin;
     }
     const allowed = ['https://app.kilo.ai', 'https://kilo.ai'];
     return allowed.includes(origin) ? origin : '';
