feat(desktop): allow relay-backup.superset.sh in renderer CSP #4473

Merged: saddlepaddle merged 1 commit into main from csp-relay-backup-allowlist on May 12, 2026
@saddlepaddle (Collaborator) commented May 12, 2026

Summary

  • Adds https://relay-backup.superset.sh as a pre-allowed connect-src entry in the desktop renderer's CSP, alongside the existing %RELAY_URL% (which is replaced with https://relay.superset.sh at build time).
  • This is a stable secondary relay URL we can repoint via DNS (CNAME) or via the existing relay-url-override PostHog flag payload, so we can route a user's host-service / desktop renderer at a non-prod relay (staging, failover) without cutting a new desktop release each time the override target changes.
  • Today's CSP only allows %RELAY_URL% substituted at build time, so any override URL gets blocked by connect-src for HTTPS requests (the wss: scheme-only entry already lets WS through, which is why CLI tunneling works against any host).

Test plan

  • Build the desktop renderer; confirm the resulting index.html contains https://relay-backup.superset.sh in the connect-src directive.
  • With the relay-url-override flag set to {"url": "https://relay-backup.superset.sh"} for a test user, the desktop renderer can issue HTTPS trpc requests to the relay (workspace creates, port queries) without CSP violations in DevTools console.
  • Without the flag (or for users outside the cohort), behavior is unchanged — renderer still uses relay.superset.sh.

Notes

  • relay-backup.superset.sh resolves via CNAME to the staging Fly app today; we can re-CNAME it elsewhere (failover, new staging env) without redeploying desktop.
  • No change to the host-service (main process) — it has no CSP, so any override URL has always worked there. This PR closes the renderer-side gap.

Summary by cubic

Adds https://relay-backup.superset.sh to the desktop renderer CSP (connect-src) so the relay-url-override flag can route HTTPS requests to a staging/failover relay without shipping a new desktop build. %RELAY_URL% remains the primary host; behavior is unchanged for users not in the flag cohort.

Written for commit f55aea8. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Updated security connectivity configuration to allow connections to an additional backup relay endpoint.

Adds a stable additional host to the renderer connect-src so the
relay-url-override PostHog flag can route the desktop at a non-prod
relay (staging, failover, etc.) without cutting a new desktop build
each time the override target changes.

%RELAY_URL% remains the primary baked-in entry; relay-backup.superset.sh
is a CNAME we can repoint via DNS or PostHog payload alone.
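
The first step of the test plan above (confirming that the built index.html carries the new connect-src entry) can be automated. The check below is an added example, not code from this PR or the project's repository; SAMPLE_HTML, the function names and the exact policy string are constructed for illustration and only mirror the sources named in this thread.

```javascript
// Added example: audit connect-src in a built renderer index.html.
// SAMPLE_HTML is constructed for illustration; it is not the project's real file.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<meta http-equiv="Content-Security-Policy"
  content="default-src 'self'; connect-src 'self' https://relay.superset.sh https://relay-backup.superset.sh ws: wss:; img-src 'self' data:">
</head><body></body></html>`;

// Pull the policy string out of the CSP <meta> tag.
// Assumes http-equiv precedes a double-quoted content attribute.
function extractCsp(html) {
  const m = html.match(
    /<meta[^>]+http-equiv=["']Content-Security-Policy["'][^>]*\scontent="([^"]*)"/i
  );
  return m ? m[1] : null;
}

// Split a policy into { directive: [sources] }; a repeated directive is ignored,
// as browsers honour only the first occurrence.
function parseCsp(policy) {
  const out = Object.create(null);
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in out)) out[key] = sources;
  }
  return out;
}

// Check that every required origin is listed and report risky leftovers.
function auditConnectSrc(html, requiredOrigins) {
  const policy = extractCsp(html);
  if (policy === null) return { ok: false, problems: ['no CSP meta tag found'], hostless: [] };
  const sources = parseCsp(policy)['connect-src'] || [];
  const problems = requiredOrigins
    .filter((origin) => !sources.includes(origin))
    .map((origin) => `missing ${origin}`);
  // A leftover %NAME% token means build-time substitution did not run.
  for (const s of sources) {
    if (/^%[A-Z_]+%$/.test(s)) problems.push(`unsubstituted placeholder ${s}`);
  }
  // Scheme-only sources (ws:, wss:) and * are not tied to a host; list them for review.
  const hostless = sources.filter((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(s));
  return { ok: problems.length === 0, problems, hostless };
}

console.log(auditConnectSrc(SAMPLE_HTML, ['https://relay-backup.superset.sh']));
```

In CI, pass the contents of the built file (for example via fs.readFileSync) instead of SAMPLE_HTML and fail the job when ok is false.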
@capy-ai (Bot) commented May 12, 2026

Capy auto-review is paused for this organization because the monthly auto-review limit has been reached. Increase the limit or turn it off in billing settings to resume automatic reviews.

@coderabbitai (Bot, Contributor) commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between c06266c and f55aea8.

📒 Files selected for processing (1)
  • apps/desktop/src/renderer/index.html

Walkthrough

The PR updates the desktop renderer's Content Security Policy to authorize outbound connections to a backup relay endpoint. The connect-src directive in the HTML meta tag now explicitly permits https://relay-backup.superset.sh, expanding relay-related connectivity allowances beyond the existing configuration.

Changes

Backup Relay Connectivity

| Layer / File(s) | Summary |
|---|---|
| CSP connect-src directive update (apps/desktop/src/renderer/index.html) | The Content Security Policy meta tag's connect-src directive expanded to permit https://relay-backup.superset.sh as an allowed connection endpoint; CSP documentation comment updated to reflect the expanded relay allowances. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding relay-backup.superset.sh to the CSP, which is the primary modification in this PR. |
| Description check | ✅ Passed | The PR description is comprehensive and well-structured, covering the change rationale, implementation details, and a detailed test plan, though the description template sections are not formally followed. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@greptile-apps (Bot) commented May 12, 2026

Greptile Summary

This PR adds https://relay-backup.superset.sh as a static connect-src entry in the desktop renderer's Content Security Policy, allowing HTTPS tRPC requests to the backup relay without a new desktop build. WebSocket traffic to the same host was already permitted by the existing scheme-only wss: directive.

  • CSP entry added: https://relay-backup.superset.sh is appended after %RELAY_URL% in both the CSP <meta> tag and the human-readable comment block.
  • Scope limited to renderer: The host-service (main process) has no CSP, so this change is strictly renderer-side and does not affect CLI tunneling or any other process.
  • DNS/CNAME flexibility retained: Because the hostname is stable while its DNS target can be re-CNAME'd, the team can redirect the backup relay to staging or a failover environment without cutting a new desktop release.

Confidence Score: 5/5

Single-line CSP addition to a controlled superset.sh subdomain; no logic, no runtime code, no new dependencies.

The change is a one-token addition to a meta tag — adding one explicit HTTPS origin to connect-src. The origin is a superset.sh subdomain, fully controlled by the team. The comment is updated to match. No other code is touched, and the rest of the CSP is unchanged. Nothing here can regress existing behavior for users who are not opted into the PostHog flag.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| apps/desktop/src/renderer/index.html | Adds https://relay-backup.superset.sh to the connect-src CSP directive alongside the existing build-time %RELAY_URL% placeholder; comment updated to document the rationale. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Desktop Renderer] -->|connect-src check| B{CSP allows host?}
    B -->|self / 127.0.0.1 / posthog / sentry| C[Allowed ✓]
    B -->|%RELAY_URL% → relay.superset.sh HTTPS| C
    B -->|relay-backup.superset.sh HTTPS — NEW| C
    B -->|ws: or wss: — any host WebSocket| C
    B -->|other origin| D[Blocked ✗]
    C --> E[Request proceeds]
    D --> F[CSP violation in DevTools]
@cubic-dev-ai (Bot, Contributor) left a comment

No issues found across 1 file

@saddlepaddle saddlepaddle merged commit d5f83b9 into main May 12, 2026
10 checks passed
@github-actions (Contributor)

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

  • ⚠️ Neon database branch

Thank you for your contribution! 🎉
