chore(cors): broaden local origin matching for dev environments

IamCoder18 · IamCoder18 · commit 9c7074d561cc · 2026-06-14T08:39:38.000-06:00
The previous localhost-only prefix check caused CORS failures when
developers accessed the dev server via LAN IP (10.x, 172.16-31.x,
192.168.x), loopback (127.x), or IPv6 link-local/ULA addresses. This
was common when using mobile devices on the same LAN for testing or
when tunneling into the dev environment.

Both gastown and wasteland were updated to use the same regex so they
stay in sync.

## Summary

- services/gastown/src/gastown.worker.ts
- services/wasteland/src/wasteland.worker.ts
diff --git a/services/gastown/src/gastown.worker.ts b/services/gastown/src/gastown.worker.ts
@@ -266,13 +266,14 @@ app.use('/api/mayor/:townId/tools/rigs/:rigId/agents/:agentId/*', async (c, next
 
 // ── CORS ────────────────────────────────────────────────────────────────
 // Allow browser requests from the main Kilo app. In development, allow
-// localhost origins for the Next.js dev server.
+// localhost and LAN origins for the Next.js dev server.
+
+const localIpPattern = /^https?:\/\/(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+|192\.168\.\d+\.\d+|\[(::1|fd[0-9a-f]{2}:[0-9a-f:]+|fe80:[0-9a-f:]+)\])(:\d+)?$/i;
 
 const corsMiddleware = cors({
   origin: (origin, c: Context<GastownEnv>) => {
     if (c.env.ENVIRONMENT === 'development') {
-      // Allow any localhost origin in dev
-      if (origin.startsWith('http://localhost:')) return origin;
+      if (localIpPattern.test(origin)) return origin;
     }
     // Production origins
     const allowed = ['https://app.kilo.ai', 'https://kilo.ai'];
diff --git a/services/wasteland/src/wasteland.worker.ts b/services/wasteland/src/wasteland.worker.ts
@@ -89,12 +89,14 @@ app.use('*', async (c, next) => {
 
 // ── CORS ────────────────────────────────────────────────────────────────
 // Allow browser requests from the main Kilo app. In development, allow
-// localhost origins for the Next.js dev server.
+// localhost and LAN origins for the Next.js dev server.
+
+const localIpPattern = /^https?:\/\/(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+|192\.168\.\d+\.\d+|\[(::1|fd[0-9a-f]{2}:[0-9a-f:]+|fe80:[0-9a-f:]+)\])(:\d+)?$/i;
 
 const corsMiddleware = cors({
   origin: (origin, c: Context<WastelandEnv>) => {
     if (c.env.ENVIRONMENT === 'development') {
-      if (origin.startsWith('http://localhost:')) return origin;
+      if (localIpPattern.test(origin)) return origin;
     }
     const allowed = ['https://app.kilo.ai', 'https://kilo.ai'];
     return allowed.includes(origin) ? origin : '';
