Skip to content

fix(insight): keep the local API same-origin by default#294

Open
shaun0927 wants to merge 2 commits intomksglu:mainfrom
shaun0927:fix/insight-api-cors
Open

fix(insight): keep the local API same-origin by default#294
shaun0927 wants to merge 2 commits intomksglu:mainfrom
shaun0927:fix/insight-api-cors

Conversation

@shaun0927
Copy link
Copy Markdown

@shaun0927 shaun0927 commented Apr 16, 2026
edited
Loading

What / Why / How

Fixes #293

What: remove permissive cross-origin headers from Insight API responses and add a focused regression test for same-machine cross-origin access.

Why: the verified issue is not “remote internet access”, but a local trust-boundary problem: a different localhost origin can read Insight session data in both runtimes, and the Node runtime also permits DELETE preflight + DELETE requests. That conflicts with the README’s privacy-first / local-only framing for Insight.

How:

  • introduce a shared JSON header object for Insight API responses without Access-Control-Allow-*
  • stop the Node server branch from setting permissive CORS headers globally
  • add tests/analytics/insight-cors.test.ts, which boots Insight against fixture SQLite DBs and asserts that sensitive session endpoints and DELETE preflights no longer advertise cross-origin access headers
  • make the regression test hermetic by running the real insight/server.mjs against fixture DBs while temporarily stubbing insight/dist/index.html

Affected platforms

  • Claude Code
  • Cursor
  • VS Code Copilot (GitHub Copilot)
  • Gemini CLI
  • OpenCode
  • KiloCode
  • Codex CLI
  • OpenClaw (Pi Agent)
  • Kiro
  • Antigravity
  • Zed
  • All platforms

Test plan

  • npm run build
  • npm run typecheck
  • npx vitest run tests/analytics/insight-cors.test.ts
  • npm test

Local verification before the patch:

  • Bun runtime exposed session-event reads cross-origin
  • Node runtime exposed session-event reads cross-origin and accepted DELETE preflight + DELETE cross-origin

Local verification after the patch:

  • the new regression test passes
  • the full test suite passes locally after rebuilding bundles
  • Insight API no longer advertises permissive cross-origin headers

Checklist

  • Tests added/updated (TDD: red → green)
  • npm test passes
  • npm run typecheck passes
  • Docs updated if needed (README, platform-support.md)
  • No Windows path regressions (forward slashes only)
  • Targets next branch (unless hotfix)

Notes:

  • I am targeting main because that is the current default branch and the recent merged fixes around this area also landed there.
  • The follow-up commit keeps the regression test self-contained instead of depending on a copied server.mjs tree that would lose better-sqlite3 resolution.
Cross-platform notes

This patch only changes Insight API response headers and adds a Node-based regression test.

  • No filesystem path logic changed
  • No hook path logic changed
  • No stdin handling changed
  • No hardcoded path separators introduced
  • The Bun and Node runtime branches now align on same-origin-only API headers for API responses

@shaun0927
Protect Insight from same-machine cross-origin reads and deletes
82cb8f2 
Insight serves a same-origin local dashboard, but its API advertised\npermissive cross-origin headers. That allowed a different localhost\norigin to read session events in both runtimes and to preflight +\nissue DELETE requests in the Node runtime.\n\nThis change removes permissive CORS headers from Insight API responses\nwhile keeping the local dashboard behavior unchanged. A focused Node\nregression test boots Insight against fixture SQLite DBs and asserts\nthat sensitive endpoints and DELETE preflights no longer advertise\naccess-control headers.\n\nConstraint: Preserve same-origin Insight dashboard behavior\nRejected: Add a launch-time auth token now | broader product-policy decision\nRejected: Restrict only DELETE while keeping cross-origin GET | privacy-first README framing still conflicts\nConfidence: medium\nScope-risk: narrow\nDirective: Keep Insight same-origin by default unless an explicit sharing mode is designed\nTested: npm run build; npm run typecheck; npx vitest run tests/analytics/insight-cors.test.ts\nNot-tested: Full npm test in local env (unrelated existing failures in security/hook suites)
@shaun0927
Make the Insight CORS regression test hermetic
fa2617b 
The initial regression test verified the right behavior, but it rewrote\ninsight/dist inside the repository during execution. That adds avoidable\nshared-state risk under parallel test runs and creates noise unrelated to\nthe policy change itself.\n\nThis follow-up makes the test self-contained by copying the server entry\ninto a temporary insight directory, writing a stub dist/index.html there,\nand symlinking the repo node_modules for package resolution. The runtime\nbehavior under test stays the same while the fixture becomes isolated and\nless brittle.\n\nConstraint: Keep the PR scope limited to the Insight CORS fix and its regression test\nRejected: Leave the repo-mutation approach in place | unnecessary test brittleness\nRejected: Add a Bun-spawned test in this follow-up | wider CI/runtime assumption than needed here\nConfidence: high\nScope-risk: narrow\nDirective: Prefer temp-workspace fixtures over mutating checked-in runtime assets during tests\nTested: npm run typecheck; npx vitest run tests/analytics/insight-cors.test.ts\nNot-tested: Full npm test in local env (same unrelated failures noted in PR mksglu#294)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Insight API is cross-origin readable in both runtimes and DELETE-enabled in Node runtime

1 participant

@shaun0927