[loop-generated] [bug] CORS origins default to wildcard in production #462

New Issue

Closed

opened 2026-03-19 18:43:16 +00:00 by Timmy · 1 comment

Timmy commented 2026-03-19 18:43:16 +00:00

Owner

Copy Link

What

config.py line 141: cors_origins: list[str] = ["*"]

In production, wildcard CORS allows any origin to make authenticated requests to the dashboard API. This is a sovereignty violation — anyone can interact with Timmy's API from any website.

Why

SOUL.md: "I do not phone home." Wildcard CORS is the reverse — it lets anyone phone IN.

Acceptance criteria

• Default CORS origins should be restrictive (localhost only)
• Production should require explicit CORS_ORIGINS env var
• Add warning log if wildcard CORS is used
• Unit test verifying default is not wildcard

Files

• src/config.py
• src/dashboard/app.py
• tests/

## What `config.py` line 141: `cors_origins: list[str] = ["*"]` In production, wildcard CORS allows any origin to make authenticated requests to the dashboard API. This is a sovereignty violation — anyone can interact with Timmy's API from any website. ## Why SOUL.md: "I do not phone home." Wildcard CORS is the reverse — it lets anyone phone IN. ## Acceptance criteria - Default CORS origins should be restrictive (localhost only) - Production should require explicit CORS_ORIGINS env var - Add warning log if wildcard CORS is used - Unit test verifying default is not wildcard ## Files - src/config.py - src/dashboard/app.py - tests/

Timmy commented 2026-03-19 18:43:30 +00:00

Author

Owner

Copy Link

Implementation Guide

1. In src/config.py line 141: Change default cors_origins from ["*"] to ["http://localhost:8000", "http://localhost:3000", "http://127.0.0.1:8000", "http://127.0.0.1:3000"]

2. In src/dashboard/app.py in _get_cors_origins(): Add a warning log if "*" is in the origins list: logger.warning("CORS wildcard enabled — restrict in production via CORS_ORIGINS env var")

3. Add a unit test in tests/unit/test_config.py (or create if needed) that asserts "*" is NOT in the default cors_origins.

Verify:

• tox -e unit passes
• tox -e lint passes

## Implementation Guide 1. In `src/config.py` line 141: Change default `cors_origins` from `["*"]` to `["http://localhost:8000", "http://localhost:3000", "http://127.0.0.1:8000", "http://127.0.0.1:3000"]` 2. In `src/dashboard/app.py` in `_get_cors_origins()`: Add a warning log if `"*"` is in the origins list: `logger.warning("CORS wildcard enabled — restrict in production via CORS_ORIGINS env var")` 3. Add a unit test in `tests/unit/test_config.py` (or create if needed) that asserts `"*"` is NOT in the default `cors_origins`. ### Verify: - `tox -e unit` passes - `tox -e lint` passes

kimi was assigned by Timmy 2026-03-19 18:43:30 +00:00

kimi referenced this issue from a commit 2026-03-19 18:55:01 +00:00

fix: default CORS origins to localhost instead of wildcard

kimi referenced a pull request that will close this issue 2026-03-19 18:55:12 +00:00

fix: default CORS origins to localhost instead of wildcard #467

Timmy closed this issue 2026-03-19 18:57:38 +00:00

kimi referenced this issue from a commit 2026-03-19 19:00:06 +00:00

fix: replace wildcard CORS default with explicit localhost origins

kimi referenced a pull request that will close this issue 2026-03-19 19:00:19 +00:00

fix: replace wildcard CORS default with explicit localhost origins #468

Timmy referenced this issue from a commit 2026-03-19 19:05:13 +00:00

fix: strip CORS wildcards in production instead of just warning (#462)

Timmy referenced this issue 2026-03-19 19:05:25 +00:00

[loop-cycle-2] fix: strip CORS wildcards in production (#462) #469

Timmy referenced this issue from a commit 2026-03-19 19:05:30 +00:00

[loop-cycle-2] fix: strip CORS wildcards in production (#462) (#469)

Timmy referenced this issue 2026-03-19 19:16:36 +00:00

[loop-generated] [bug] validate_startup does not check CORS wildcard in production #472

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

gemini/issue-892

claude/issue-1342

claude/issue-1346

claude/issue-1351

claude/issue-1340

fix/test-llm-triage-syntax

gemini/issue-1014

gemini/issue-932

claude/issue-1277

claude/issue-1139

claude/issue-870

claude/issue-1285

claude/issue-1292

claude/issue-1281

claude/issue-917

claude/issue-1275

claude/issue-925

claude/issue-1019

claude/issue-1094

claude/issue-1019-v3

fix/flaky-vassal-xdist-tests

fix/test-config-env-isolation

claude/issue-1019-v2

claude/issue-957-v2

claude/issue-1218

claude/issue-1217

test/chat-store-unit-tests

claude/issue-1191

claude/issue-1186

claude/issue-957

gemini/issue-936

claude/issue-1065

gemini/issue-976

gemini/issue-1149

claude/issue-1135

claude/issue-1064

gemini/issue-1012

claude/issue-1095

claude/issue-1102

claude/issue-1114

gemini/issue-978

gemini/issue-971

claude/issue-1074

claude/issue-987

claude/issue-1011

feature/internal-monologue

feature/issue-1006

feature/issue-1007

feature/issue-1008

feature/issue-1009

feature/issue-1010

feature/issue-1011

feature/issue-1012

feature/issue-1013

feature/issue-1014

feature/issue-981

feature/issue-982

feature/issue-983

feature/issue-984

feature/issue-985

feature/issue-986

feature/issue-987

feature/issue-993

claude/issue-943

claude/issue-975

claude/issue-989

claude/issue-988

fix/loop-guard-gitea-api-and-queue-validation

feature/lhf-tech-debt-fixes

kimi/issue-753

kimi/issue-714

kimi/issue-716

fix/csrf-check-before-execute

chore/migrate-gitea-to-vps

kimi/issue-640

fix/utcnow-calm-py

kimi/issue-635

kimi/issue-625

fix/router-api-truncated-param

kimi/issue-604

kimi/issue-594

review-fixes

kimi/issue-570

kimi/issue-554

kimi/issue-539

kimi/issue-540

feature/ipad-v1-api

kimi/issue-506

kimi/issue-512

refactor/airllm-doc-cleanup

kimi/issue-513

kimi/issue-514

kimi/issue-500

kimi/issue-492

kimi/issue-490

kimi/issue-459

kimi/issue-472

kimi/issue-473

kimi/issue-462

kimi/issue-463

kimi/issue-454

kimi/issue-445

kimi/issue-446

kimi/issue-431

GoldenRockachopa

hermes/v0.1

Labels

Clear labels

222-epic

Workshop: Timmy as Presence (Epic #222)

actionable

Has a concrete code/config task extracted

assigned-claude

Issue currently assigned to Claude agent — do not assign to another agent

assigned-gemini

Issue currently assigned to Gemini agent — do not assign to another agent

assigned-groq

assigned-kimi

Issue currently assigned to Kimi agent — do not assign to another agent

assigned-manus

Issue currently assigned to Manus agent — do not assign to another agent

claude-ready

consolidation

Part of a consolidation epic

deprioritized

Keep open but not blocking P0 work

deprioritized

Keep open but not blocking P0 work

duplicate

Duplicate of another issue

gemini-review

Auto-generated by Gemini, needs relevance review

groq-ready

harness

Core product: agent framework, heartbeat, inference, memory

heartbeat

Harness: Agent heartbeat loop

inference

Harness: Inference and model routing

infrastructure

Supporting stage: dashboard, CI/CD, deployment, DNS

kimi-ready

Scoped and ready for Kimi to pick up

memory-session

Harness: Memory and session crystallization

morrowind

Harness: Morrowind embodiment

needs-design

Needs architectural design before implementation

needs-extraction

Philosophy with unextracted engineering work

p0-critical

Priority 0: Must fix now

p1-important

Priority 1: Important, next sprint

p2-backlog

Priority 2: Backlog, do when time permits

philosophy

Philosophical foundation — informs architecture decisions

rejected-direction

Closed: rejected or superseded direction

seed:know-purpose

Three Seeds: KNOW YOUR PURPOSE

seed:serve-real

Three Seeds: SERVE THE REAL

seed:tell-truth

Three Seeds: TELL THE TRUTH

sovereignty

Harness: Sovereignty stack

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Timmy claude grok groq kimi manus perplexity Rockachopa

No Assignees kimi

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Rockachopa/Timmy-time-dashboard#462