fix: DNS

[gocanto]

Summary by CodeRabbit

• Chores

  • Updated Node.js runtime to 25.8.2 across CI and local configs
  • Revised Docker build to improve platform compatibility and verify Node installation
  • Enhanced cross-origin handling and method restrictions for the /relay endpoint
  • Included a Node.js keyring file in the Docker build context

• Tests

  • Added tests validating relay routing, CORS/preflight behaviour and proxying
  • Added API client test covering signature request to the relay endpoint

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4a86435b-e4a9-47fa-9e22-0f4831e455b7

📥 Commits

Reviewing files that changed from the base of the PR and between 02789ad and b96bbcb.

📒 Files selected for processing (6)

• .dockerignore
• caddy/WebCaddyfile.internal
• docker/Dockerfile
• docker/Dockerfile.caddy-watcher
• docker/nodejs-keyring.kbx
• tests/caddy/web-caddyfile.test.ts

---

Walkthrough

This PR upgrades Node.js to 25.8.2 in CI and local config, replaces Node-based builder images with manual Node installs in Debian-based Docker build stages, adds CORS preflight and method restrictions for /relay/* in the Caddy config (proxying only POST to the upstream), and adds tests validating the Caddy relay behaviour and ApiClient relay usage.

Changes

Build and Node Version

Layer / File(s)	Summary
Version Declaration .nvmrc, .github/workflows/linter.yml, .github/workflows/test.yml	Bump Node from 25.8.1 to 25.8.2 in local and CI configuration.
Builder Base / Install docker/Dockerfile, docker/Dockerfile.caddy-watcher	Switch builder base from node:25.8.1-alpine to debian:bookworm-slim; add ARG NODE_VERSION=25.8.2 and ARG TARGETARCH; install OS packages; download Node tarball for TARGETARCH; verify signature and SHA256; extract Node to /usr/local; cleanup.
Corepack / pnpm & Build Steps docker/Dockerfile, docker/Dockerfile.caddy-watcher	Retain corepack/pnpm activation and existing build steps (workdir, copy manifests, pnpm run build) and final runtime image assembly.

Caddy Relay, Tests and Client

Layer / File(s)	Summary
Caddy Relay Configuration caddy/WebCaddyfile.internal	Rework /relay/* handling: add CORS headers (Access-Control-Allow-Origin: https://oullin.io, Vary "Origin"), add OPTIONS /relay/* preflight handler returning 204 with Access-Control-Allow-Methods: POST, OPTIONS, allowed headers list, and Access-Control-Max-Age; restrict proxying to POST /relay/* only, strip /relay and rewrite to /api{path}, reverse proxy to https://proxy:8443 with header_up Host oullin_proxy_prod and mTLS transport; add final handle /relay/* { respond 405 } for other methods.
Caddyfile Tests tests/caddy/web-caddyfile.test.ts	New Vitest suite asserting relay GET blocked (405), OPTIONS preflight handling with expected CORS headers and 204, presence of CORS headers, POST handling rewrites and reverse_proxy to https://proxy:8443 with tls_server_name oullin_proxy_prod, pinned mTLS directives, and exclusion of /relay/* from SPA fallback via multiple not path /relay/*.
API Client Test tests/stores/api/client.test.ts	Adds test verifying ApiClient.get('profile') requests signature from ${window.location.origin}/relay/generate-signature by stubbing fetch.
Docker Context .dockerignore	Allow docker/nodejs-keyring.kbx into build context by adding !docker/nodejs-keyring.kbx.

Sequence Diagram(s)

sequenceDiagram
  participant Browser
  participant Caddy
  participant RelayBackend as Proxy (mTLS)
  participant API

  Browser->>Caddy: OPTIONS /relay/generate-signature (Origin: https://oullin.io)
  Caddy-->>Browser: 204 + Access-Control-Allow-* headers
  Browser->>Caddy: POST /relay/generate-signature (Origin: https://oullin.io)
  Caddy->>RelayBackend: reverse_proxy to https://proxy:8443 (Host: oullin_proxy_prod) with mTLS
  RelayBackend->>API: internal request to API
  API-->>RelayBackend: response
  RelayBackend-->>Caddy: proxied response
  Caddy-->>Browser: proxied response (with CORS headers)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• hotfix: Fix DNS #50: Changes the relay reverse_proxy upstream in caddy/WebCaddyfile.internal (same upstream target change).
• chore: Tailwindcss + Dependencies #140: Also bumps Node.js versions across CI, .nvmrc, and Docker build files.
• Docker + Format #23: Related Docker build changes and inclusion of Node keyring in the build context.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title 'fix: DNS' is unrelated to the actual changeset, which updates Node.js versions, implements CORS for relay endpoints, and restructures Docker builds.	Revise the title to reflect the primary changes, such as 'chore: upgrade Node.js to 25.8.2 and implement relay CORS configuration' or similar.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Review rate limit: 3/5 reviews remaining, refill in 18 minutes and 10 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docker/Dockerfile`:
- Around line 26-36: The RUN step that downloads and verifies Node (the shell
block using set -eux and commands referencing TARGETARCH and NODE_VERSION,
including curl, grep and sha256sum) should enable pipefail so any piped command
failures are propagated; update that shell invocation to use set -euo pipefail
(or add a SHELL directive to enable pipefail) so failures in the grep |
sha256sum pipeline (or any other piped command) cause the build to fail fast and
produce clear errors.

In `@docker/Dockerfile.caddy-watcher`:
- Around line 12-22: Summary: The RUN block in Dockerfile.caddy-watcher lacks
pipefail, so failing commands in pipes (curl|grep|sha256sum) may be masked. Fix:
enable pipefail by adding a SHELL directive (e.g., SHELL
["/bin/bash","-o","pipefail","-c"]) near the top of the Dockerfile or prepend
"set -o pipefail;" to the existing RUN invocation that uses TARGETARCH,
NODE_VERSION, curl, grep and sha256sum; ensure the change affects the RUN that
downloads and verifies "node-v${NODE_VERSION}-linux-${node_arch}.tar.xz" so the
sha256sum check will fail the build on validation errors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: aba9d46a-0509-4e58-9280-1b63daa75ba5

📥 Commits

Reviewing files that changed from the base of the PR and between ac0b593 and e958376.

📒 Files selected for processing (8)

• .github/workflows/linter.yml
• .github/workflows/test.yml
• .nvmrc
• caddy/WebCaddyfile.internal
• docker/Dockerfile
• docker/Dockerfile.caddy-watcher
• tests/caddy/web-caddyfile.test.ts
• tests/stores/api/client.test.ts

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a DNS-related issue by updating the Caddy server configuration to correctly resolve an internal proxy service, alongside enhancing its CORS handling for relay paths. It also includes an update to the Node.js version across the project's development environment and Docker builds. Comprehensive new tests have been added to validate both the Caddyfile's behavior and the API client's interaction with the updated relay configuration, ensuring the stability and correctness of these critical infrastructure changes.

Highlights

• Node.js Version Update: The .nvmrc file and Dockerfiles were updated to Node.js 25.8.2. The Dockerfiles now explicitly download and install Node.js from nodejs.org as official Docker images for this specific version are not yet available, switching the base image to debian:bookworm-slim for this process.
• Caddy DNS Resolution and CORS Handling: The caddy/WebCaddyfile.internal was updated to address a potential DNS issue by changing the reverse_proxy target from oullin_proxy_prod:8443 to proxy:8443, while maintaining the Host header for the upstream service. Additionally, it now includes robust CORS preflight OPTIONS request handling for /relay/* paths, responding with 204 and appropriate Access-Control-* headers.
• Comprehensive Caddyfile Testing: A new test file tests/caddy/web-caddyfile.test.ts was added to thoroughly verify the Caddyfile's behavior, covering aspects like blocking GET requests, correct preflight OPTIONS handling, proper proxying of POST requests, mTLS configuration, and relay exclusions.
• API Client Signature Request Validation: A new test case was introduced in tests/stores/api/client.test.ts to confirm that the API client correctly requests signatures from the browser-facing relay on the current origin.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/linter.yml
  • .github/workflows/test.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the Node.js version to 25.8.2 and adjusts the Dockerfiles to install the runtime manually on Debian Slim. It also introduces a CORS preflight handler in the Caddy configuration and updates the reverse proxy target. A review comment identifies that CORS headers should be applied to both preflight and actual requests to ensure cross-origin compatibility.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docker/Dockerfile (1)

47-47: ⚠️ Potential issue | 🟠 Major

Avoid a floating Corepack in the build.

corepack@latest creates a non-deterministic dependency that can break the pnpm bootstrap without any repo change. Node 22.13.0 bundles Corepack, so remove the explicit install and use it directly. Apply the same fix to docker/Dockerfile.caddy-watcher line 26.

Deterministic approach

-RUN npm install -g corepack@latest --force &&     corepack enable &&     corepack prepare pnpm@${PNPM_VERSION} --activate &&     pnpm install --frozen-lockfile
+RUN corepack enable \
+    && corepack prepare pnpm@${PNPM_VERSION} --activate \
+    && pnpm install --frozen-lockfile

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/Dockerfile` at line 47, The RUN which installs corepack globally
introduces nondeterminism; remove the "npm install -g corepack@latest --force
&&" prefix and leave "corepack enable && corepack prepare pnpm@${PNPM_VERSION}
--activate && pnpm install --frozen-lockfile" so the image uses the bundled
Corepack from Node 22.13.0; apply the same change to the other Dockerfile's
analogous RUN line that currently calls corepack prepare pnpm@${PNPM_VERSION}.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@caddy/WebCaddyfile.internal`:
- Around line 24-35: The /relay/* proxy block (handle_path /relay/* with rewrite
and reverse_proxy) currently allows any method; restrict it to only POST by
adding a method matcher (e.g., handle `@relay_post` or handle_path with methods
POST) so the reverse_proxy and rewrite apply only for POST requests, and add a
complementary handler for /relay/* that responds 405 Method Not Allowed for all
other methods (non-POST, excluding existing OPTIONS/ preflight handling). Update
the configuration references around handle_path /relay/*, rewrite * /api{path},
and the reverse_proxy block to ensure only POST reaches oullin_proxy_prod and
all other methods return 405.

In `@docker/Dockerfile.caddy-watcher`:
- Around line 14-24: The RUN step currently verifies the Node binary against an
unsigned SHASUMS256.txt; change it to download SHASUMS256.txt.asc and verify its
GPG signature before checksum verification: fetch SHASUMS256.txt.asc (in the
same place you currently fetch SHASUMS256.txt), import or provide the Node.js
public keyring (use a nodejs-keyring.kbx), run gpgv --keyring nodejs-keyring.kbx
--output SHASUMS256.txt SHASUMS256.txt.asc to produce the verified
SHASUMS256.txt, then proceed to grep/sha256sum and tar extraction as before;
apply the same hardening to the identical block used in the other Dockerfile
(same TARGETARCH/TAR download flow that sets node_arch and uses NODE_VERSION).

In `@tests/caddy/web-caddyfile.test.ts`:
- Around line 15-17: The current assertion on the caddyfile variable uses a
loose regex that only ensures Access-Control-Allow-Headers is non-empty; tighten
the test by asserting the exact expected header list (or at minimum the required
header tokens) instead of “[^"]+”. Update the expect(caddyfile).toMatch(...)
assertion that checks Access-Control-Allow-Headers so it matches the concrete
header string you require (or replace it with separate expect checks for each
required token such as Content-Type, Authorization, etc.) to prevent contract
drift.

---

Outside diff comments:
In `@docker/Dockerfile`:
- Line 47: The RUN which installs corepack globally introduces nondeterminism;
remove the "npm install -g corepack@latest --force &&" prefix and leave
"corepack enable && corepack prepare pnpm@${PNPM_VERSION} --activate && pnpm
install --frozen-lockfile" so the image uses the bundled Corepack from Node
22.13.0; apply the same change to the other Dockerfile's analogous RUN line that
currently calls corepack prepare pnpm@${PNPM_VERSION}.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0cade410-0e8e-4c61-8075-26d9810507b7

📥 Commits

Reviewing files that changed from the base of the PR and between e958376 and 02789ad.

📒 Files selected for processing (4)

• caddy/WebCaddyfile.internal
• docker/Dockerfile
• docker/Dockerfile.caddy-watcher
• tests/caddy/web-caddyfile.test.ts