fix(cors): allow eliewm team-scope Vercel previews across all CORS surfaces (#4248)

* fix(cors): allow eliewm team-scope Vercel previews

Preview deployments moved from the personal Vercel scope
(worldmonitor-*-elie-<hash>) to the "eliewm" team scope
(worldmonitor-git-<branch>-eliewm.vercel.app and
worldmonitor-<hash>-eliewm.vercel.app). Both CORS twins still pinned the
dead personal-scope pattern, so the browser's Origin header on
POST /api/wm-session was rejected by isDisallowedOrigin — the anonymous
session could never be minted and every session-authed call 401'd on
previews (dashboard + /welcome teasers stayed dark).

Replace the dead pattern with the eliewm team-scope pattern in
server/cors.ts and api/_cors.js, kept tight (no bare *.vercel.app, this
is a security allowlist). Add isAllowedOrigin tests covering the
git-branch alias URL, hash deployment URL, and non-worldmonitor
rejection against both twins, plus a source twin-parity guard, and
update the gateway CDN origin-policy preview origin to eliewm.

* fix(cors): extend eliewm preview scope to the Cloudflare Worker + guard the superset invariant

The api-cors-preflight Cloudflare Worker is the third CORS twin and short-
circuits OPTIONS preflights at the edge, so its allowlist must be a superset
of api/_cors.js. PR #4248 moved the functions to the eliewm team scope but
left the Worker pinned to the dead -elie- personal scope — making the Worker
strictly NARROWER than the functions. Result: eliewm preview preflights echo
the canonical worldmonitor.app fallback and the browser blocks the request
before it ever reaches Vercel, so previews stay dark even though the function
would accept the origin.

Worse, this was invisible to CI: the Worker's own test lives outside the
test:data glob (it only runs in deploy-worker.yml on workers/** changes), and
both the Worker and its test still pinned the old literal, so they were
internally consistent and green while drifting from the function.

- workers/api-cors-preflight/src/index.js: replace the dead -elie- pattern
  with the eliewm team-scope pattern (kept tight, no bare *.vercel.app).
- workers/api-cors-preflight/index.test.mjs: update the preview-deploy
  assertions to the eliewm shape (git-branch alias + hash), and assert foreign
  team / non-worldmonitor / retired personal scope stay rejected.
- tests/cors-fail-closed.test.mts: add the Worker to the source twin-parity
  guard (now a three-twin check) AND a gate-resident behavioral superset test
  that imports both the function and Worker predicates and asserts the Worker
  allows every origin the function allows. This always-run check is what
  catches function<->Worker drift (the gap that left this bug invisible).

* fix(widget): allow eliewm team-scope previews to mount PRO widgets

The widget postMessage sandbox (public/wm-widget-sandbox.html) gated parent
origins on a stale Vercel hostname shape — `worldmonitor-<branch>-<team>-<hash>`
with the team slug followed by a trailing hash — and slug `elie`. Real Vercel
preview URLs put the team scope as the LAST segment
(worldmonitor-git-<branch>-eliewm.vercel.app / worldmonitor-<hash>-eliewm.vercel.app),
so the regex could never match an eliewm preview regardless of the slug value.
Net effect: PRO widgets stayed dark on every preview deployment.

Fix the regex shape to treat the team slug as the final hostname segment and
set the slug to `eliewm`, matching the same tight shape now used by
server/cors.ts, api/_cors.js, and the api-cors-preflight Worker (still no bare
*.vercel.app — the team-slug gate remains the load-bearing invariant).

Update tests/widget-builder.test.mjs: the hand-mirrored matcher shape, the
slug assertion, the vm-driven sandbox behavior test, and the look-alike
rejections (foreign team, suffix spoof, xeliewm prefix collision, and the
retired personal scope worldmonitor-*-elie-<hash>).

---------

Co-authored-by: e <e@e.co>

Author: koala73

api/_cors.js

@@ -1,6 +1,10 @@
 const ALLOWED_ORIGIN_PATTERNS = [
   /^https:\/\/(.*\.)?worldmonitor\.app$/,
-  /^https:\/\/worldmonitor-[a-z0-9-]+-elie-[a-z0-9]+\.vercel\.app$/,
+  // Vercel preview deployments under the "eliewm" team scope, e.g.
+  //   worldmonitor-git-<branch>-eliewm.vercel.app  (git-branch alias)
+  //   worldmonitor-<hash>-eliewm.vercel.app        (deployment URL)
+  // Tight on purpose: never a bare *.vercel.app (this is a security allowlist).
+  /^https:\/\/worldmonitor-[a-z0-9-]+-eliewm\.vercel\.app$/,
   /^https?:\/\/tauri\.localhost(:\d+)?$/,
   /^https?:\/\/[a-z0-9-]+\.tauri\.localhost(:\d+)?$/i,
   /^tauri:\/\/localhost$/,

public/wm-widget-sandbox.html

@@ -11,20 +11,22 @@
   var handled = false;
 
   // Vercel preview hostnames have the shape
-  //   {project-slug}-{branch-slug}-{team-slug}-{hash}.vercel.app
-  // The team-slug segment is the URL-safe Vercel team identifier and is the
+  //   worldmonitor-git-{branch-slug}-{team-slug}.vercel.app   (git-branch alias)
+  //   worldmonitor-{hash}-{team-slug}.vercel.app              (deployment URL)
+  // The team-slug is the LAST segment before .vercel.app and is the
   // load-bearing security invariant: an attacker who registers a Vercel
   // project named `worldmonitor-...` under their OWN team account would get
   // a different team-slug, so gating on this list rejects look-alike previews.
-  // Add a teammate's Vercel team slug here when they need to mount PRO
-  // widgets in preview deployments; never widen this to a wildcard.
-  var ALLOWED_VERCEL_TEAM_SLUGS = ['elie'];
+  // The project deploys under the "eliewm" team scope. Add a teammate's Vercel
+  // team slug here when they need to mount PRO widgets in preview deployments;
+  // never widen this to a wildcard.
+  var ALLOWED_VERCEL_TEAM_SLUGS = ['eliewm'];
 
   function isAllowedVercelPreview(hostname) {
     for (var i = 0; i < ALLOWED_VERCEL_TEAM_SLUGS.length; i++) {
       var team = ALLOWED_VERCEL_TEAM_SLUGS[i];
       if (!/^[a-z0-9-]+$/.test(team)) continue;
-      var re = new RegExp('^worldmonitor-[a-z0-9-]+-' + team + '-[a-z0-9]+\\.vercel\\.app$');
+      var re = new RegExp('^worldmonitor-[a-z0-9-]+-' + team + '\\.vercel\\.app$');
       if (re.test(hostname)) return true;
     }
     return false;

server/cors.ts

@@ -7,7 +7,11 @@
 
 const PRODUCTION_PATTERNS: RegExp[] = [
   /^https:\/\/(.*\.)?worldmonitor\.app$/,
-  /^https:\/\/worldmonitor-[a-z0-9-]+-elie-[a-z0-9]+\.vercel\.app$/,
+  // Vercel preview deployments under the "eliewm" team scope, e.g.
+  //   worldmonitor-git-<branch>-eliewm.vercel.app  (git-branch alias)
+  //   worldmonitor-<hash>-eliewm.vercel.app        (deployment URL)
+  // Tight on purpose: never a bare *.vercel.app (this is a security allowlist).
+  /^https:\/\/worldmonitor-[a-z0-9-]+-eliewm\.vercel\.app$/,
   /^https?:\/\/tauri\.localhost(:\d+)?$/,
   /^https?:\/\/[a-z0-9-]+\.tauri\.localhost(:\d+)?$/i,
   /^tauri:\/\/localhost$/,

tests/cors-fail-closed.test.mts

@@ -2,7 +2,9 @@ import assert from 'node:assert/strict';
 import { readFile } from 'node:fs/promises';
 import { describe, it } from 'node:test';
 
-import { getCorsHeaders } from '../server/cors.ts';
+import { getCorsHeaders, isAllowedOrigin } from '../server/cors.ts';
+import { isDisallowedOrigin as isDisallowedOriginJs } from '../api/_cors.js';
+import { isAllowedOrigin as isAllowedOriginWorker } from '../workers/api-cors-preflight/src/index.js';
 
 // Regression coverage for issue #3705: CORS-header generation errors must
 // fail closed rather than fall back to a wildcard ACAO.
@@ -43,6 +45,122 @@ describe('cors helper', () => {
   });
 });
 
+// The Vercel project moved from the personal scope (worldmonitor-*-elie-<hash>)
+// to the "eliewm" team scope. Browsers send Origin on the POST to
+// /api/wm-session, so a stale allowlist 403s every preview deployment and the
+// anonymous session can never be minted (dashboard + /welcome teasers stay dark).
+describe('isAllowedOrigin — Vercel preview allowlist (eliewm team scope)', () => {
+  // Origin for the JS twin (api/_cors.js exports isDisallowedOrigin, not the
+  // bare predicate) — same allow/deny outcome proves both files stay in sync.
+  const allowedByJsTwin = (origin: string) =>
+    !isDisallowedOriginJs(new Request('https://worldmonitor.app/x', { headers: { Origin: origin } }));
+
+  const ALLOWED = [
+    ['git-branch alias URL', 'https://worldmonitor-git-feature-eliewm.vercel.app'],
+    ['hash deployment URL', 'https://worldmonitor-abc123def456-eliewm.vercel.app'],
+    ['apex production origin', 'https://worldmonitor.app'],
+    ['production subdomain', 'https://tech.worldmonitor.app'],
+  ];
+
+  const REJECTED = [
+    ['non-worldmonitor vercel.app origin', 'https://some-other-app-eliewm.vercel.app'],
+    ['foreign team scope', 'https://worldmonitor-git-feature-attacker.vercel.app'],
+    ['bare worldmonitor vercel.app (no scope segment)', 'https://worldmonitor.vercel.app'],
+    ['suffix-spoofed eliewm origin', 'https://worldmonitor-git-feature-eliewm.vercel.app.evil.com'],
+    ['dead personal-scope preview (post-migration)', 'https://worldmonitor-feature-elie-abc123.vercel.app'],
+  ];
+
+  for (const [label, origin] of ALLOWED) {
+    it(`allows ${label}`, () => {
+      assert.equal(isAllowedOrigin(origin), true, `server/cors.ts must allow ${origin}`);
+      assert.equal(allowedByJsTwin(origin), true, `api/_cors.js must allow ${origin}`);
+    });
+  }
+
+  for (const [label, origin] of REJECTED) {
+    it(`rejects ${label}`, () => {
+      assert.equal(isAllowedOrigin(origin), false, `server/cors.ts must reject ${origin}`);
+      assert.equal(allowedByJsTwin(origin), false, `api/_cors.js must reject ${origin}`);
+    });
+  }
+});
+
+describe('CORS triplet parity — eliewm preview pattern stays tight in all three twins', () => {
+  // Root cause of the original 403s was twins drifting. THREE surfaces gate
+  // Vercel-preview CORS and must move together; guard each for:
+  // (1) the eliewm-scoped preview pattern is present, and
+  // (2) no bare *.vercel.app wildcard sneaks in as a "fix".
+  // The Cloudflare Worker is the load-bearing one: it short-circuits OPTIONS at
+  // the edge, so if it drifts narrower the browser blocks the preflight before
+  // Vercel is ever consulted.
+  const TWINS = [
+    '../server/cors.ts',
+    '../api/_cors.js',
+    '../workers/api-cors-preflight/src/index.js',
+  ];
+
+  for (const rel of TWINS) {
+    it(`${rel} scopes Vercel previews to the eliewm team`, async () => {
+      const source = await readFile(new URL(rel, import.meta.url), 'utf8');
+      assert.ok(
+        source.includes('-eliewm\\.vercel\\.app'),
+        `${rel} must allow worldmonitor-*-eliewm.vercel.app previews`,
+      );
+      assert.ok(
+        !source.includes('worldmonitor-[a-z0-9-]+\\.vercel\\.app'),
+        `${rel} must not widen to a bare *.vercel.app wildcard (security allowlist)`,
+      );
+    });
+  }
+});
+
+describe('CORS Worker superset invariant — edge allowlist ⊇ function allowlist', () => {
+  // The api-cors-preflight Worker (workers/api-cors-preflight) short-circuits
+  // OPTIONS preflights at the edge, so its allowlist MUST be a superset of
+  // api/_cors.js. If the Worker rejects an origin the function would accept,
+  // the preflight echoes the canonical worldmonitor.app fallback and the
+  // browser blocks the request before it reaches Vercel.
+  //
+  // The Worker's own test (workers/api-cors-preflight/index.test.mjs) lives
+  // OUTSIDE the test:data glob and only runs in deploy-worker.yml on
+  // workers/** changes — so a function-only change can silently leave the
+  // Worker narrower. THIS gate-resident check is what actually catches
+  // function↔Worker drift (the bug that left eliewm previews dark).
+  //
+  // Localhost/127 are intentionally omitted: they are DEV-only on the function
+  // side (NODE_ENV-gated) and never reach the prod-only Worker.
+  const fnAllows = (origin: string) =>
+    !isDisallowedOriginJs(new Request('https://worldmonitor.app/x', { headers: { Origin: origin } }));
+
+  const PROD_ORIGINS = [
+    'https://worldmonitor.app',
+    'https://www.worldmonitor.app',
+    'https://tech.worldmonitor.app',
+    'https://worldmonitor-git-feature-eliewm.vercel.app',
+    'https://worldmonitor-abc123def456-eliewm.vercel.app',
+    'tauri://localhost',
+    'asset://localhost',
+    // Negatives — the function rejects these, so the superset assertion is a
+    // no-op for them; included to document the boundary.
+    'https://some-other-app-eliewm.vercel.app',
+    'https://worldmonitor-git-feature-attacker.vercel.app',
+    'https://worldmonitor-feature-elie-abc123.vercel.app',
+    'https://evil.com',
+  ];
+
+  for (const origin of PROD_ORIGINS) {
+    it(`Worker allows everything the function allows: ${origin}`, () => {
+      if (fnAllows(origin)) {
+        assert.equal(
+          isAllowedOriginWorker(origin),
+          true,
+          `Worker rejects ${origin} that api/_cors.js accepts — its OPTIONS preflight will echo the worldmonitor.app fallback and the browser will block it`,
+        );
+      }
+    });
+  }
+});
+
 describe('gateway CORS error path (issue #3705)', () => {
   it('does not contain a wildcard ACAO fallback in source (comments stripped)', async () => {
     const source = await readFile(

tests/gateway-cdn-origin-policy.test.mts

@@ -65,7 +65,7 @@ describe('gateway CDN origin policy', () => {
   });
 
   it('enables CDN caching for preview origins', async () => {
-    const origin = 'https://worldmonitor-feature-elie-abc123.vercel.app';
+    const origin = 'https://worldmonitor-git-feature-eliewm.vercel.app';
     const res = await requestPublicRoute(origin);
     assert.equal(res.status, 200);
     assert.equal(res.headers.get('Access-Control-Allow-Origin'), origin);

tests/widget-builder.test.mjs

@@ -1289,31 +1289,37 @@ describe('PRO widget — store and sanitizer', () => {
       .split(',')
       .map((s) => s.trim().replace(/^['"]|['"]$/g, ''))
       .filter(Boolean);
-    assert.ok(slugs.includes('elie'), 'project-owner team slug must remain in the allowlist');
+    assert.ok(slugs.includes('eliewm'), 'project-owner team slug must remain in the allowlist');
     for (const slug of slugs) {
       assert.match(slug, /^[a-z0-9-]+$/, `team slug "${slug}" must be url-safe`);
     }
     // Reconstruct the actual match function and exercise it against the
     // production slug list — this is what protects against regex drift
-    // when teammate slugs are added later.
+    // when teammate slugs are added later. The team slug is the LAST hostname
+    // segment before .vercel.app (eliewm team scope); keep this shape in lock-
+    // step with isAllowedVercelPreview in public/wm-widget-sandbox.html.
     const matchesAllowedTeam = (hostname) =>
       slugs.some((team) =>
-        new RegExp('^worldmonitor-[a-z0-9-]+-' + team + '-[a-z0-9]+\\.vercel\\.app$').test(hostname),
+        new RegExp('^worldmonitor-[a-z0-9-]+-' + team + '\\.vercel\\.app$').test(hostname),
       );
-    assert.equal(matchesAllowedTeam('worldmonitor-feature-elie-abc123.vercel.app'), true);
-    assert.equal(matchesAllowedTeam('worldmonitor-feature-attacker-abc123.vercel.app'), false);
-    assert.equal(matchesAllowedTeam('worldmonitor-feature-elie-abc123.vercel.app.evil.com'), false);
+    assert.equal(matchesAllowedTeam('worldmonitor-git-feature-eliewm.vercel.app'), true);
+    assert.equal(matchesAllowedTeam('worldmonitor-abc123-eliewm.vercel.app'), true);
+    assert.equal(matchesAllowedTeam('worldmonitor-feature-attacker.vercel.app'), false);
+    assert.equal(matchesAllowedTeam('worldmonitor-git-feature-eliewm.vercel.app.evil.com'), false);
+    assert.equal(matchesAllowedTeam('worldmonitor-feature-xeliewm.vercel.app'), false);
     assert.equal(matchesAllowedTeam('evilworldmonitor.app'), false);
+    // The retired personal scope (worldmonitor-*-elie-<hash>) must no longer match.
+    assert.equal(matchesAllowedTeam('worldmonitor-feature-elie-abc123.vercel.app'), false);
     // A teammate slug added to the list must extend coverage WITHOUT
     // matching look-alike teams whose slug merely starts with the same
     // letters.
-    const withTeammate = ['elie', 'kieran'];
+    const withTeammate = ['eliewm', 'kieran'];
     const matchesWithTeammate = (hostname) =>
       withTeammate.some((team) =>
-        new RegExp('^worldmonitor-[a-z0-9-]+-' + team + '-[a-z0-9]+\\.vercel\\.app$').test(hostname),
+        new RegExp('^worldmonitor-[a-z0-9-]+-' + team + '\\.vercel\\.app$').test(hostname),
       );
-    assert.equal(matchesWithTeammate('worldmonitor-feature-kieran-abc123.vercel.app'), true);
-    assert.equal(matchesWithTeammate('worldmonitor-feature-kieranfake-abc123.vercel.app'), false);
+    assert.equal(matchesWithTeammate('worldmonitor-feature-kieran.vercel.app'), true);
+    assert.equal(matchesWithTeammate('worldmonitor-feature-kieranfake.vercel.app'), false);
   });
 
   it('widget sandbox behavior accepts Vercel previews and blocks spoofed parents', () => {
@@ -1354,26 +1360,26 @@ describe('PRO widget — store and sanitizer', () => {
       return { parent, readyMessages, writes, message };
     }
 
-    const allowed = runSandbox('https://worldmonitor-feature-elie-abc123.vercel.app/dashboard');
+    const allowed = runSandbox('https://worldmonitor-git-feature-eliewm.vercel.app/dashboard');
     assert.equal(allowed.readyMessages.length, 1);
-    assert.equal(allowed.readyMessages[0].targetOrigin, 'https://worldmonitor-feature-elie-abc123.vercel.app');
+    assert.equal(allowed.readyMessages[0].targetOrigin, 'https://worldmonitor-git-feature-eliewm.vercel.app');
     assert.deepEqual(JSON.parse(JSON.stringify(allowed.readyMessages[0].payload)), {
       type: 'wm-widget-ready',
       id: 'wm-1',
       token: 'test-token',
     });
     allowed.message({
       data: { type: 'wm-html', id: 'wm-1', token: 'test-token', html: '<p>ok</p>' },
-      origin: 'https://worldmonitor-feature-elie-abc123.vercel.app',
+      origin: 'https://worldmonitor-git-feature-eliewm.vercel.app',
       source: allowed.parent,
     });
     assert.deepEqual(allowed.writes, ['<p>ok</p>']);
 
-    const spoofed = runSandbox('https://worldmonitor-feature-elie-abc123.vercel.app.evil.com/');
+    const spoofed = runSandbox('https://worldmonitor-git-feature-eliewm.vercel.app.evil.com/');
     assert.deepEqual(spoofed.readyMessages, []);
     spoofed.message({
       data: { type: 'wm-html', id: 'wm-1', token: 'test-token', html: '<p>bad</p>' },
-      origin: 'https://worldmonitor-feature-elie-abc123.vercel.app.evil.com',
+      origin: 'https://worldmonitor-git-feature-eliewm.vercel.app.evil.com',
       source: spoofed.parent,
     });
     assert.deepEqual(spoofed.writes, []);

workers/api-cors-preflight/index.test.mjs

@@ -46,22 +46,20 @@ test('isAllowedOrigin accepts apex worldmonitor.app and subdomains', () => {
   assert.equal(isAllowedOrigin('https://commodity.worldmonitor.app'), true);
 });
 
-test('isAllowedOrigin accepts Vercel preview deploys (mirroring api/_cors.js shape)', () => {
-  // The Worker mirrors api/_cors.js's preview regex EXACTLY. That regex
-  // requires [a-z0-9]+ (no hyphens) after `-elie-`, so `*-elie-habib.vercel.app`
-  // matches and `*-elie-habib-projects.vercel.app` does NOT. That looks like
-  // a latent bug in api/_cors.js for teams named `elie-habib-projects`, but
-  // tightening it is out of scope for this PR — the Worker must stay in lock-
-  // step with the function, not silently widen.
-  assert.equal(isAllowedOrigin('https://worldmonitor-r6q9o-elie-habib.vercel.app'), true);
-  assert.equal(isAllowedOrigin('https://worldmonitor-git-feat-x-elie-habib.vercel.app'), true);
-  // NOTE: assertion below documents the latent narrowness — flip to `true`
-  // ONLY after updating both the Worker AND api/_cors.js together.
-  assert.equal(
-    isAllowedOrigin('https://worldmonitor-abc-elie-habib-projects.vercel.app'),
-    false,
-    'Worker preview regex mirrors api/_cors.js; widen BOTH together if needed',
-  );
+test('isAllowedOrigin accepts Vercel preview deploys under the eliewm team scope (mirrors api/_cors.js)', () => {
+  // The project deploys previews under the "eliewm" Vercel team scope, so URLs
+  // end in `-eliewm.vercel.app` (git-branch alias AND hash deployment forms).
+  // The Worker MUST mirror api/_cors.js exactly — if it stays narrower, eliewm
+  // preview preflights echo the canonical worldmonitor.app fallback and the
+  // browser blocks them before the request ever reaches Vercel.
+  assert.equal(isAllowedOrigin('https://worldmonitor-git-feat-x-eliewm.vercel.app'), true);
+  assert.equal(isAllowedOrigin('https://worldmonitor-r6q9o-eliewm.vercel.app'), true);
+  // Tight allowlist: a foreign team scope, a non-worldmonitor app, and the
+  // retired personal scope (worldmonitor-*-elie-<hash>, migration complete)
+  // must all stay rejected. Never a bare *.vercel.app.
+  assert.equal(isAllowedOrigin('https://worldmonitor-feat-x-attacker.vercel.app'), false);
+  assert.equal(isAllowedOrigin('https://some-other-app-eliewm.vercel.app'), false);
+  assert.equal(isAllowedOrigin('https://worldmonitor-abc-elie-habib.vercel.app'), false);
 });
 
 test('isAllowedOrigin accepts Tauri desktop runtime origins', () => {

workers/api-cors-preflight/src/index.js

@@ -24,7 +24,10 @@
 // echoed back and fail CORS at the browser.
 const ALLOWED_ORIGIN_PATTERNS = [
   /^https:\/\/(.*\.)?worldmonitor\.app$/,
-  /^https:\/\/worldmonitor-[a-z0-9-]+-elie-[a-z0-9]+\.vercel\.app$/,
+  // Vercel previews under the "eliewm" team scope, e.g.
+  //   worldmonitor-git-<branch>-eliewm.vercel.app / worldmonitor-<hash>-eliewm.vercel.app
+  // Mirror of api/_cors.js + server/cors.ts (see superset note above).
+  /^https:\/\/worldmonitor-[a-z0-9-]+-eliewm\.vercel\.app$/,
   /^https?:\/\/tauri\.localhost(:\d+)?$/,
   /^https?:\/\/[a-z0-9-]+\.tauri\.localhost(:\d+)?$/i,
   /^tauri:\/\/localhost$/,