fix(web): allow relay WSS origin in CSP for canary/prod

[AviPeltz]

Summary

• Remote-control terminals were broken in canary because the CSP connect-src directive didn't include the relay WSS origin. Root cause: RELAY_URL wasn't plumbed into the deploy-web build env, so process.env.RELAY_URL was undefined when next.config.ts computed the CSP, and the browser blocked wss://relay.superset.sh.
• Add RELAY_URL to the deploy-web env in both deploy-preview.yml and deploy-production.yml.
• Add a wss://relay.superset.sh production fallback in apps/web/next.config.ts so the header stays correct even if the env isn't plumbed in the future.

Test plan

• Wait for preview deploy and inspect the response Content-Security-Policy header on the web app — connect-src should include wss://relay.superset.sh.
• Open a remote-control terminal session against the preview/canary web build and confirm the WSS connection opens (no CSP violation in the browser console).
• Sanity-check production CSP after the next prod deploy.

---

Summary by cubic

Fixes CSP to allow the relay WebSocket origin in canary and production, restoring remote-control terminals. Adds env wiring and a safe production fallback so the header stays correct.

• Bug Fixes
  • Pass RELAY_URL into deploy-web for preview and production builds in .github/workflows/deploy-preview.yml and .github/workflows/deploy-production.yml.
  • In apps/web/next.config.ts, set relayWsOrigin with a production fallback to wss://relay.superset.sh so connect-src always allows the relay.

^{Written for commit f390b17. Summary will update on new commits.}

Summary by CodeRabbit

• Chores
  • Updated deployment and application configuration to support configurable relay server endpoints. Production deployments now include a default relay server fallback.

[capy-ai]

Capy auto-review is paused for this organization because the monthly auto-review limit has been reached. Increase the limit or turn it off in billing settings to resume automatic reviews.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c208c531-e0c7-4913-a109-ba44364088db

📥 Commits

Reviewing files that changed from the base of the PR and between caefe8d and f390b17.

📒 Files selected for processing (3)

• .github/workflows/deploy-preview.yml
• .github/workflows/deploy-production.yml
• apps/web/next.config.ts

---

📝 Walkthrough

Walkthrough

This PR adds environment variable support for configurable relay WebSocket origins. GitHub Actions workflows now pass RELAY_URL from secrets to deployments, and the Next.js configuration uses this variable with smart fallbacks for different environments and CSP directives.

Changes

Relay URL Configuration

Layer / File(s)	Summary
Deployment environment provisioning .github/workflows/deploy-preview.yml, .github/workflows/deploy-production.yml	Both preview and production deployment jobs now receive RELAY_URL from secrets.RELAY_URL in their environment.
Relay origin configuration with fallback apps/web/next.config.ts	relayWsOrigin computes the relay WebSocket URL from process.env.RELAY_URL (converting HTTP schemes to WebSocket), falls back to wss://relay.superset.sh in production if unset, and remains null otherwise.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• superset-sh/superset#4473: Both PRs update the app's connect-src CSP to permit alternate relay endpoints by wiring in RELAY_URL/relay hostnames for WebSocket/HTTP connectivity.

Poem

🐰 A secret flows through the cloud so bright,
RELAY_URL carries WebSocket light,
With fallbacks wise for production's way,
The relay connects for night and day! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main fix: allowing the relay WSS origin in Content-Security-Policy for canary and production environments.
Description check	✅ Passed	The description includes a clear summary of the issue and solution, explains the root cause, details the files changed, and provides a comprehensive test plan covering verification steps.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-csp-relay-wss-origin

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

Fixes broken remote-control WebSocket connections in canary/prod by plumbing RELAY_URL into the Vercel build env and adding a hard-coded wss://relay.superset.sh production fallback for when the env var is absent.

• Workflow changes (deploy-preview.yml, deploy-production.yml): adds RELAY_URL: ${{ secrets.RELAY_URL }} to the deploy-web build step so process.env.RELAY_URL is available to next.config.ts at build time.
• CSP fallback (apps/web/next.config.ts): when RELAY_URL is not set and NODE_ENV === \"production\", relayWsOrigin now falls back to the literal wss://relay.superset.sh instead of null, keeping connect-src correct even if the secret is ever missing.

Confidence Score: 5/5

Safe to merge — a minimal, targeted fix that adds a missing build-time secret and a self-documenting fallback with no side effects on other headers or routes.

The change is small and well-scoped: two one-line workflow additions and a three-line ternary in next.config.ts. The fallback value is the same origin the env var would resolve to, so it cannot produce a looser CSP than intended. An absent or empty RELAY_URL secret degrades gracefully to the hard-coded fallback rather than crashing the build or silently omitting the origin.

No files require special attention. The only file with non-trivial logic is apps/web/next.config.ts, and the change there is straightforward.

Important Files Changed

Filename	Overview
.github/workflows/deploy-preview.yml	Adds RELAY_URL secret as a build-time env var for the deploy-web Vercel step so next.config.ts can include the relay WSS origin in the CSP header.
.github/workflows/deploy-production.yml	Same RELAY_URL secret addition as deploy-preview.yml, applied to the production Vercel build step.
apps/web/next.config.ts	Adds a hard-coded wss://relay.superset.sh production fallback for relayWsOrigin so the CSP connect-src stays correct even if RELAY_URL is missing from the build environment.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant Vercel as Vercel Build
    participant Config as next.config.ts
    participant CSP as HTTP Header (CSP)
    participant Browser as Browser

    GHA->>Vercel: vercel build (env: RELAY_URL from secret)
    Vercel->>Config: process.env.RELAY_URL available
    alt RELAY_URL is set
        Config->>CSP: "relayWsOrigin = new URL(RELAY_URL).origin replaced to wss://relay.superset.sh"
    else RELAY_URL is empty and isProduction
        Config->>CSP: "relayWsOrigin = wss://relay.superset.sh (hard-coded fallback)"
    else dev non-production
        Config->>CSP: "relayWsOrigin = null, ws:/wss: blanket rules cover it"
    end
    CSP-->>Browser: connect-src includes wss://relay.superset.sh
    Browser->>Browser: WSS connection to relay allowed, no CSP violation

Loading

_{Reviews (1): Last reviewed commit: "fix(web): allow relay WSS origin in CSP ..." | Re-trigger Greptile}

[github-actions]

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

• ✅ Neon database branch

Thank you for your contribution! 🎉