From dc084ce1642cd01c8ba3fd0aa79d4f4119fb6a6c Mon Sep 17 00:00:00 2001
From: kaladinlight <35275952+kaladinlight@users.noreply.github.com>
Date: Tue, 12 May 2026 11:23:13 -0600
Subject: [PATCH] chore: allow shapeshift.com subdomains and any localhost in cors

Replace the hardcoded origin allowlist with regex matchers so any shapeshift.com subdomain (including multi-level like dashboard.revenue.shapeshift.com) and any localhost variant (e.g. web.localhost:1335) are accepted without further config changes.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/agentic-server/src/server.ts | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/apps/agentic-server/src/server.ts b/apps/agentic-server/src/server.ts
index 5930f689..c468a373 100644
--- a/apps/agentic-server/src/server.ts
+++ b/apps/agentic-server/src/server.ts
@@ -25,23 +25,18 @@ try {
 
 const app = new Hono()
 
-// Enable CORS for all routes
+// Allow any localhost host with optional subdomains and port
+const LOCALHOST_ORIGIN_REGEX = /^https?:\/\/([\w-]+\.)*localhost(:\d+)?$/i
+
+// Allow shapeshift.com and any subdomain at arbitrary depth
+const SHAPESHIFT_ORIGIN_REGEX = /^https:\/\/([\w-]+\.)*shapeshift\.com$/i
+
+const isAllowedOrigin = (origin: string) => LOCALHOST_ORIGIN_REGEX.test(origin) || SHAPESHIFT_ORIGIN_REGEX.test(origin)
+
 app.use(
 '/*',
 cors({
- origin: [
- // Local development
- 'http://localhost:3000',
- 'http://localhost:4200',
- 'http://localhost:5173',
- // ShapeShift Web deployments
- 'https://app.shapeshift.com',
- 'https://develop.shapeshift.com',
- 'https://private.shapeshift.com',
- // Agentic Chat deployments
- 'https://shapeshift-agentic.vercel.app',
- 'https://agent.shapeshift.com',
- ],
+ origin: origin => (isAllowedOrigin(origin) ? origin : null),
 credentials: true,
 })
 )
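Review bot: `LOCALHOST_ORIGIN_REGEX` is matched unconditionally in `isAllowedOrigin`, so with `credentials: true` a deployed server reflects any `http(s)://*.localhost:<port>` origin and accepts credentialed requests from whatever is being served on a user's loopback interface, where the old list at least pinned three ports. Gate it on the environment, for example `const isAllowedOrigin = (origin: string) => SHAPESHIFT_ORIGIN_REGEX.test(origin) || (process.env.NODE_ENV !== 'production' && LOCALHOST_ORIGIN_REGEX.test(origin))`, assuming `NODE_ENV` is how this app tells deployments apart. `SHAPESHIFT_ORIGIN_REGEX` is correctly anchored, but it widens credentialed trust from four named hosts to every subdomain at any depth, so a stale DNS record or an XSS on any one of them now reaches this API with the user's credentials; a comment above the regex such as `// Credentialed CORS: every *.shapeshift.com host is trusted; audit DNS before adding subdomains` would make that trade-off explicit. The change also drops `https://shapeshift-agentic.vercel.app`, which neither regex matches and the commit message does not mention.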