🤖 fix: harden path-app shell loading#3195
Conversation
|
@codex review
|
|
Codex Review: Didn't find any major issues. 🚀 ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
ibetitsmike
force-pushed
the
mike/path-app-hardening
branch
from
286c78a to
0953181
Compare
|
@codex review
|
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 09531819d5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Add relative base href fallback for request paths without a detected public prefix, inject a slashless app-root redirect before the base tag, and bump the service worker cache to clear stale root-cached shells. Validation: - bun test src/node/orpc/server.test.ts - bun test src/common/appProxyBasePath.test.ts src/browser/utils/backendBaseUrl.test.ts - make static-check --- _Generated with `mux` • Model: `openai:gpt-5.5` • Thinking: `xhigh` • Cost: `8.40`_ <!-- mux-attribution: model=openai:gpt-5.5 thinking=xhigh costs=78.40 -->
ibetitsmike
force-pushed
the
mike/path-app-hardening
branch
from
0953181 to
0e41674
Compare
|
@codex review
|
|
Codex Review: Didn't find any major issues. Swish! ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
The new helper added in #3195 was a 1-line shim around `getPathnameFromRequestUrl(req.url)` used in only two adjacent functions (`shouldInjectSlashlessRootRedirect` and `getPublicBaseHref`). The existing `getPathnameFromRequestUrl` already conveys the intent, and the two callsites read clearly without the extra layer. Behavior-preserving: each callsite continues to compute the same pathname (or null) it did before. All 52 tests in src/node/orpc/server.test.ts continue to pass.
1 participant
Summary
Absorbs the small path-app hardening pieces from #3184 on top of the merged #3194 implementation. This keeps the existing server-side prefix detection, direct prefixed route handling, Scalar rewriting, and terminal popout path support intact.
Background
#3194 made mux work under Coder path-app iframe URLs. #3184 had a few defensive ideas worth keeping as a focused follow-up: tolerate slashless app-root URLs, avoid stale service worker caches, and keep static shell assets resolving when a proxy strips the app prefix without sending forwarding headers.
Implementation
mux-v2and precaches relative shell URLs./@admin/<workspace>.main/apps/mux/?token=..., plus a double-slash redirect guard.Validation
bun test src/node/orpc/server.test.tsbun test src/common/appProxyBasePath.test.ts src/browser/utils/backendBaseUrl.test.tsmake static-checkRisks
Low to moderate. This touches SPA shell HTML generation, but keeps detected Coder path-app base href behavior unchanged and adds tests for relative deep-route fallback, slashless app-root handling, direct prefixed requests, double-slash paths, and false-positive
/apps/paths.Generated with
mux• Model:openai:gpt-5.5• Thinking:xhigh• Cost:$78.40