fix(edge): migrate inline CORS to buildPublicCorsHeaders helper (#126 B-2) (#133)
adm01-debug wants to merge 2 commits into
Conversation
Both edge functions declared corsHeaders inline (without x-request-id), violating the project's CORS gate (check:edge-cors + check:no-inline-cors).

Migration:
- simulation-orchestrator: corsHeaders inline → buildPublicCorsHeaders()
- sync-external-db: corsHeaders inline → buildPublicCorsHeaders()

This restores observability: x-request-id can now be cross-referenced between browser logs and Sentry/server logs across preflight.

Substitutes PR #126 B-2 (audit finding). Other items of #126:
- B-1 validateUrlFormat: ✅ already merged via #124
- B-3 toast leaks: rejected (baseline 176→179 would be regression)
- useGlobalShortcuts hooks fix: ✅ already merged via #124
- T-FIX-3 GH Actions bump: ✅ already merged via #124
- AdminStandardRules PascalCase: ✅ already merged via #124

Helper used (verified existing in main):
- supabase/functions/_shared/cors.ts:204 exports buildPublicCorsHeaders()
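The migration the description above calls for, as an added example written here and not taken from the project's `supabase/functions/_shared/cors.ts`: a helper in the spirit of `buildPublicCorsHeaders()` that stamps `x-request-id` on every response, the preflight included, plus a source check in the spirit of the `check:no-inline-cors` / `check:edge-cors` gates run over two constructed sources. The option names, header list, regexes and sample sources are assumptions.

```typescript
export interface CorsOptions {
  origin?: string;    // assumption: allowed origin; "*" for a public function
  requestId?: string; // assumption: id taken from the incoming request, if any
}

// Constructed id generator; a real helper would use crypto.randomUUID().
function newRequestId(): string {
  return "req-" + Math.random().toString(16).slice(2, 10);
}

// Shared helper in the spirit of buildPublicCorsHeaders(): every response,
// the OPTIONS preflight included, carries x-request-id and exposes it to the browser.
export function buildPublicCorsHeaders(opts: CorsOptions = {}): Record<string, string> {
  return {
    "Access-Control-Allow-Origin": opts.origin ?? "*",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "authorization, apikey, content-type, x-request-id",
    "Access-Control-Expose-Headers": "x-request-id",
    "x-request-id": opts.requestId ?? newRequestId(),
  };
}

// Preflight handler: the id the browser sent is echoed back, so the same value
// appears in browser logs and server logs for the OPTIONS leg as well.
export function handlePreflight(reqHeaders: Record<string, string>): { status: number; headers: Record<string, string> } {
  return { status: 204, headers: buildPublicCorsHeaders({ requestId: reqHeaders["x-request-id"] }) };
}

// Analogue of the check:no-inline-cors / check:edge-cors gates: flag sources that
// declare corsHeaders inline, or set CORS headers without calling the shared helper.
const INLINE_CORS = /\bconst\s+corsHeaders\s*=\s*\{/;
const SETS_CORS = /Access-Control-Allow-Origin/;
const USES_HELPER = /\bbuildPublicCorsHeaders\s*\(/;

export function findInlineCors(sources: Record<string, string>): string[] {
  return Object.entries(sources)
    .filter(([, src]) => INLINE_CORS.test(src) || (SETS_CORS.test(src) && !USES_HELPER.test(src)))
    .map(([path]) => path);
}

// Constructed sources: the pre-migration shape the PR calls out, and the migrated shape.
export const SAMPLE_SOURCES: Record<string, string> = {
  "functions/sync-external-db/index.ts":
    'const corsHeaders = { "Access-Control-Allow-Origin": "*" };\n' +
    'Deno.serve(() => new Response("ok", { headers: corsHeaders }));',
  "functions/simulation-orchestrator/index.ts":
    'import { buildPublicCorsHeaders } from "../_shared/cors.ts";\n' +
    'Deno.serve(() => new Response("ok", { headers: buildPublicCorsHeaders() }));',
};
```

Running `findInlineCors(SAMPLE_SOURCES)` flags only the pre-migration file, which is the state the two edge functions were in before this PR.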
Pull request overview
This PR fixes the edge CORS compliance issue by migrating two Supabase Edge Functions away from inline corsHeaders objects to the shared _shared/cors.ts helper, restoring the expected x-request-id behavior and satisfying the repository’s edge CORS gates.
Changes:
- Replaced inline corsHeaders in sync-external-db with buildPublicCorsHeaders().
- Replaced inline corsHeaders in simulation-orchestrator with buildPublicCorsHeaders().
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| supabase/functions/sync-external-db/index.ts | Removes inline CORS header object and uses shared buildPublicCorsHeaders() helper. |
| supabase/functions/simulation-orchestrator/index.ts | Removes inline CORS header object and uses shared buildPublicCorsHeaders() helper. |
Adds AUDITORIA_BUGS_2026-05-23.md (922 lines) reconciling findings from 4 prior audits against current code state. Different focus from AUDITORIA-EXAUSTIVA-2026-05-23.md (#124, which is a 20-step plan) — this one is a P0/P1 forensic inventory with 7-pass analysis.

Key findings documented:
- 13 critical security issues from prior audits: 13/13 CLOSED
- 9 currently-open bugs identified (B-1 through B-9)
- 103 it.skip in P0/E2E tests (test coverage gap)
- 1333 TS + 473 ESLint + 73 toast.error leaks in baselines
- 0 npm audit vulnerabilities

Resolution status of B-1 through B-3 in companion PRs:
- B-1 (validateUrlFormat): ✅ already fixed in #124
- B-2 (CORS inline simulation-orchestrator + sync-external-db): ✅ fixed in companion commit fa4ccc7 of this branch
- B-3 through B-9: documented for follow-up

Substitutes PR #126 docs delivery.
* fix(edge): migrate inline CORS to buildPublicCorsHeaders helper (#126 B-2)

  Both edge functions declared corsHeaders inline (without x-request-id), violating the project's CORS gate (check:edge-cors + check:no-inline-cors).

  Migration:
  - simulation-orchestrator: corsHeaders inline → buildPublicCorsHeaders()
  - sync-external-db: corsHeaders inline → buildPublicCorsHeaders()

  This restores observability: x-request-id can now be cross-referenced between browser logs and Sentry/server logs across preflight.

  Substitutes PR #126 B-2 finding. Other items of #126:
  - B-1 validateUrlFormat: ✅ already merged via #124
  - B-3 toast leaks: rejected (baseline 176→179 would be regression)
  - useGlobalShortcuts hooks fix: ✅ already merged via #124
  - T-FIX-3 GH Actions bump: ✅ already merged via #124
  - AdminStandardRules PascalCase: ✅ already merged via #124

  Helper used (verified existing in main):
  - supabase/functions/_shared/cors.ts:204 exports buildPublicCorsHeaders()

* docs(audit): forensic bug audit reconciling 4 prior audits (#126)

  Adds AUDITORIA_BUGS_2026-05-23.md reconciling findings from 4 prior audits (2026-04-29, 05-07, 05-12, 05-13) against the current code state. Different focus from AUDITORIA-EXAUSTIVA-2026-05-23.md (#124, which is a 20-step plan) — this one is a P0/P1 forensic inventory with 7-pass analysis.

  Key findings documented:
  - 13 critical security issues from prior audits: 13/13 CLOSED
  - 9 currently-open bugs identified (B-1 through B-9)
  - 103 it.skip in P0/E2E tests (test coverage gap)
  - 1333 TS + 473 ESLint + 73 toast.error leaks in baselines
  - 0 npm audit vulnerabilities

  Resolution status of B-1 through B-3:
  - B-1 (validateUrlFormat): ✅ already fixed in #124
  - B-2 (CORS inline simulation-orchestrator + sync-external-db): ✅ fixed in companion commit 507692b of this branch
  - B-3 through B-9: documented for follow-up

  Substitutes PR #126 docs delivery.

* Potential fix for pull request finding (Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>)
* Potential fix for pull request finding (Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>)
* Potential fix for pull request finding (Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>)
* Potential fix for pull request finding (Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>)
* Update docs/AUDITORIA_BUGS_2026-05-23.md (Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>)
* Potential fix for pull request finding (Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>)
* Potential fix for pull request finding (Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>)

---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
📋 Description
🎯 Type of change
🔗 Related issues
Closes #
Refs #
🌐 Affected systems
🧪 How to test
✅ Pre-merge checklist
Quality
- `npx tsc --noEmit` passes without errors
- (`npm run test`)
Security
- `console.log` with sensitive payloads (use `logger.*`)
Documentation
- (`mem://`) if the change affects architecture/rules
- `_backup_*_YYYYMMDD` if destructive
UI
📸 Screenshots (if UI)
🔄 Rollback plan
Summary by cubic

Migrated inline CORS in two edge functions to buildPublicCorsHeaders() to meet the CORS gate and include x-request-id. Added a forensic audit doc to track open issues and confirm critical fixes.

- simulation-orchestrator and sync-external-db now use buildPublicCorsHeaders(); inline headers removed.
- x-request-id; passes check:edge-cors and check:no-inline-cors.
- docs/AUDITORIA_BUGS_2026-05-23.md reconciling prior audits and listing open bugs and test gaps.

Written for commit af8cedb. Summary will update on new commits.