chore: allow shapeshift.com subdomains and any localhost in cors

[kaladinlight]

Summary

• Replace the hardcoded CORS origin allowlist in apps/agentic-server/src/server.ts with regex matchers
• Any shapeshift.com subdomain at arbitrary depth is now accepted (e.g. app.shapeshift.com, dashboard.revenue.shapeshift.com, dev-dashboard.revenue.shapeshift.com)
• Any localhost host with optional subdomains/port is now accepted (e.g. http://localhost:3000, http://web.localhost:1335)
• Drops the now-unused Vercel preview origin

Test plan

• Hit /api/chat from https://app.shapeshift.com and confirm Access-Control-Allow-Origin echoes back
• Hit /api/chat from a multi-level subdomain (e.g. https://dashboard.revenue.shapeshift.com) and confirm it's allowed
• Hit /api/chat from http://web.localhost:1335 and confirm it's allowed
• Hit /api/chat from a spoof origin like https://evil-shapeshift.com and confirm the CORS header is not set

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Chores
  • Enhanced server origin configuration to improve compatibility with development environments and support for application subdomains while maintaining security standards.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
shapeshift-agentic	Ready	Preview, Comment	May 12, 2026 5:25pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fbed2995-95ca-45de-9a22-e739e2f06719

📥 Commits

Reviewing files that changed from the base of the PR and between dd13142 and dc084ce.

📒 Files selected for processing (1)

• apps/agentic-server/src/server.ts

---

📝 Walkthrough

Walkthrough

CORS configuration in the agentic server replaces a hardcoded allowlist with regex-based origin validation. Two patterns permit localhost origins (any protocol, subdomains, ports) and shapeshift.com subdomains over HTTPS, enforced via a CORS middleware callback.

Changes

CORS Configuration

Layer / File(s)	Summary
CORS origin regex matchers apps/agentic-server/src/server.ts	Hardcoded CORS allowlist replaced with LOCALHOST_ORIGIN_REGEX and SHAPESHIFT_ORIGIN_REGEX patterns. CORS middleware uses an origin callback to permit matching origins or block CORS for non-matching requests.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Regex patterns guard the gate,
Localhost may pass, and shapeshift's state,
No hardcoded list to burden the way,
Flexible CORS for a modern day! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: updating CORS configuration to allow shapeshift.com subdomains and localhost origins, which aligns perfectly with the changeset modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/cors-allow-subdomains

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}