@wopr-network/defcon 1.2.1 → 1.3.0

package/dist/src/api/server.d.ts

@@ -7,7 +7,7 @@ export interface HttpServerDeps {
     mcpDeps: McpServerDeps;
     adminToken?: string;
     workerToken?: string;
-    corsOrigin?: string;
+    corsOrigins?: string[];
     logger?: Logger;
 }
 export declare function createHttpServer(deps: HttpServerDeps): http.Server;

package/dist/src/api/server.js

@@ -282,8 +282,8 @@ export function createHttpServer(deps) {
             const isLoopbackOrigin = /^https?:\/\/localhost(:\d+)?$/.test(origin) ||
                 /^https?:\/\/127\.0\.0\.1(:\d+)?$/.test(origin) ||
                 /^https?:\/\/\[::1\](:\d+)?$/.test(origin);
-            const corsAllowed = deps.corsOrigin
-                ? origin === deps.corsOrigin // explicit origin: exact match only
+            const corsAllowed = deps.corsOrigins
+                ? deps.corsOrigins.includes(origin) // explicit origins: set membership check
                 : isLoopbackOrigin; // loopback mode: only reflect loopback origins
             if (corsAllowed) {
                 res.setHeader("Vary", "Origin");

package/dist/src/cors.d.ts

@@ -1,6 +1,6 @@
 export interface CorsOriginResult {
-    /** Explicit allowed origin, or null meaning "loopback-only default pattern" */
-    origin: string | null;
+    /** Explicit allowed origins, or null meaning "loopback-only default pattern" */
+    origins: string[] | null;
 }
 export declare function resolveCorsOrigin(opts: {
     host: string;

package/dist/src/cors.js

@@ -2,20 +2,27 @@ const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "::1"]);
 export function resolveCorsOrigin(opts) {
     const corsValue = opts.corsEnv?.trim() || undefined;
     const isLoopback = LOOPBACK_HOSTS.has(opts.host);
-    // If explicit origin provided, validate and use it
+    // If explicit origins provided, validate each and use them
     if (corsValue) {
-        if (!/^https?:\/\/[^/]+$/.test(corsValue)) {
-            throw new Error(`DEFCON_CORS_ORIGIN must be a bare origin like https://app.example.com, not ${corsValue}. ` +
-                "Remove any path component or trailing slash.");
+        const entries = corsValue
+            .split(",")
+            .map((s) => s.trim())
+            .filter(Boolean);
+        for (const entry of entries) {
+            if (!/^https?:\/\/[^/]+$/.test(entry)) {
+                throw new Error(`DEFCON_CORS_ORIGIN must be bare origins like https://app.example.com (comma-separated for multiple), not ${entry}. ` +
+                    "Remove any path component or trailing slash.");
+            }
         }
-        return { origin: corsValue };
+        return { origins: entries };
     }
     // Non-loopback without explicit origin — refuse to start
     if (!isLoopback) {
         throw new Error(`DEFCON_CORS_ORIGIN must be set when binding to non-loopback address "${opts.host}". ` +
             "Without an explicit CORS origin, any website on the network can make cross-origin requests to this server. " +
-            'Set DEFCON_CORS_ORIGIN to the allowed origin (e.g. "https://my-app.example.com") or use a loopback address.');
+            'Set DEFCON_CORS_ORIGIN to the allowed origin (e.g. "https://my-app.example.com") or use a loopback address. ' +
+            "Multiple origins can be separated by commas.");
     }
     // Loopback without explicit origin — use default pattern
-    return { origin: null };
+    return { origins: null };
 }

package/dist/src/execution/cli.js

@@ -243,7 +243,7 @@ program
             mcpDeps: deps,
             adminToken,
             workerToken,
-            corsOrigin: restCorsResult.origin ?? undefined,
+            corsOrigins: restCorsResult.origins ?? undefined,
         });
         if (adminToken) {
             const wsBroadcaster = new WebSocketBroadcaster({
@@ -278,16 +278,13 @@ program
             sqlite.close();
             process.exit(1);
         }
-        const allowedOriginPattern = corsResult.origin
-            ? corsResult.origin // exact string match
-            : /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/; // loopback default
+        const allowedOriginSet = corsResult.origins ? new Set(corsResult.origins) : null;
+        const loopbackPattern = /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/;
         const httpServer = http.createServer(async (req, res) => {
             // CORS: restrict to localhost origins when bound to loopback; require DEFCON_CORS_ORIGIN when bound to non-loopback
             const origin = req.headers.origin;
             if (origin) {
-                const originAllowed = typeof allowedOriginPattern === "string"
-                    ? origin === allowedOriginPattern
-                    : allowedOriginPattern.test(origin);
+                const originAllowed = allowedOriginSet ? allowedOriginSet.has(origin) : loopbackPattern.test(origin);
                 if (originAllowed) {
                     res.setHeader("Vary", "Origin");
                     res.setHeader("Access-Control-Allow-Origin", origin);

package/dist/src/execution/mcp-server.js

@@ -777,7 +777,7 @@ async function handleAdminFlowPause(deps, args) {
     return jsonResult({ paused: true, flow: v.data.flow_name });
 }
 async function handleAdminFlowResume(deps, args) {
-    const v = validateInput(AdminFlowPauseSchema, args);
+    const v = validateInput(AdminFlowRestoreSchema, args);
     if (!v.ok)
         return v.result;
     const flow = await deps.flows.getByName(v.data.flow_name);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wopr-network/defcon",
-  "version": "1.2.1",
+  "version": "1.3.0",
   "type": "module",
   "packageManager": "pnpm@9.15.4",
   "engines": {