feat: Allow dynamic CORS origin for contributor dev environments

Co-authored-by: aider (vertex_ai/gemini-2.5-flash) <aider@aider.chat>

Author: danielcampagnolitg

src/cli/startLocal.ts

@@ -56,6 +56,7 @@ async function main(): Promise<void> {
 	const repoRoot = path.resolve(process.cwd());
 	const typedAiHome = process.env.TYPEDAI_HOME ? path.resolve(process.env.TYPEDAI_HOME) : null;
 	const isDefaultRepo = typedAiHome ? repoRoot === typedAiHome : false;
+	process.env.TYPEDAI_PORT_MODE = isDefaultRepo ? 'fixed' : 'dynamic';
 
 	// 2. Determine and set the backend server port.
 	const parsedPort = process.env.PORT ? Number.parseInt(process.env.PORT, 10) : undefined;

src/fastify/fastifyApp.ts

@@ -311,8 +311,21 @@ async function loadPlugins(config: FastifyConfig) {
 	await fastifyInstance.register(import('@fastify/jwt'), {
 		secret: process.env.JWT_SECRET || 'your-secret-key',
 	});
+	// Determine CORS origin policy based on the port mode set during startup.
+	let corsOrigin: string | boolean = new URL(process.env.UI_URL!).origin;
+
+	// In a contributor's local development setup, ports are dynamic to avoid conflicts.
+	// In this "dynamic" mode, we cannot know the frontend's port at backend startup.
+	// To avoid CORS issues that block development, we relax the policy.
+	// `origin: true` reflects the request's origin, which is a safe way to allow any
+	// origin for credentialed requests in a development context.
+	// The 'fixed' mode is used for the default repository setup where ports are known and fixed.
+	if (process.env.TYPEDAI_PORT_MODE === 'dynamic') {
+		corsOrigin = true;
+	}
+
 	await fastifyInstance.register(import('@fastify/cors'), {
-		origin: [new URL(process.env.UI_URL!).origin],
+		origin: corsOrigin,
 		methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
 		allowedHeaders: ['Content-Type', 'Authorization', 'X-Goog-Iap-Jwt-Assertion', 'Enctype', 'Accept'],
 		credentials: true,