fix: Ollama 403 on Windows — explicit Origin override (v0.3.12-rc1)

A user packet capture on Windows confirmed plugin-http v2.5.8 was
auto-injecting `origin: http://tauri.localhost` into every outbound
request. Ollama's default OLLAMA_ORIGINS allowlist accepts
`tauri://*` (matches macOS/Linux webview origin) but NOT
`http://tauri.localhost`, so Windows users hit 403 even with a
correctly-installed Ollama.

Fix: in `src/lib/llm-providers.ts`, set `Origin` explicitly on
both the `ollama` and `custom` (OpenAI-compat) provider branches,
using the request's own host. Same-origin is always trusted by
Ollama regardless of OLLAMA_ORIGINS contents or version.

Why this works at all:
  - plugin-http v2.5.x JS shim only adds browser-default headers
    when the user did NOT already set them (verified against
    `node_modules/@tauri-apps/plugin-http/dist-js/index.js`,
    line 71-75 — the loop after `new Request(input, init)` skips
    `headers.set()` if the key is already present).
  - The `unsafe-headers` Cargo feature is already enabled, so
    Rust-side reqwest forwards `Origin` to the wire instead of
    stripping it.

Verification layers:
  - Layer 1 (source review of plugin-http): documented in code
    comment; high confidence the fix works.
  - Layer 2 (mocked unit tests, +6 in __tests__/llm-providers.test.ts):
    pin Origin = same-origin for ollama (localhost / LAN / trailing
    /v1), pin custom OpenAI-compat does the same, pin commercial
    providers DON'T get an Origin override, pin malformed URL
    falls back to no-Origin gracefully.
  - Layer 3 (real-TCP fake-server test, new file
    `src/lib/llm-client.real-llm.test.ts`): stands up a Node HTTP
    server mimicking Ollama's CORS check, drives `streamChat`,
    asserts Origin reaches the wire correctly. Includes a
    "trivially-green" sanity test that proves the server's check
    actually fires when Origin doesn't match.
  - Layer 4 (manual Windows packet recapture against this rc1
    build) — owner is doing this; will tag v0.3.12 if confirmed.

Test count: 651 mocked + 27 real-LLM, all green.

Author: nashsu

package.json

@@ -1,7 +1,7 @@
 {
   "name": "llm-wiki",
   "private": true,
-  "version": "0.3.11",
+  "version": "0.3.12-rc1",
   "type": "module",
   "scripts": {
     "dev": "vite",

src-tauri/Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "llm-wiki"
-version = "0.3.11"
+version = "0.3.12-rc1"
 description = "LLM Wiki - A personal knowledge base for LLM concepts"
 authors = []
 edition = "2021"

src-tauri/Cargo.toml

@@ -1,7 +1,7 @@
 {
   "$schema": "https://schema.tauri.app/config/2",
   "productName": "LLM Wiki",
-  "version": "0.3.11",
+  "version": "0.3.12-rc1",
   "identifier": "com.llmwiki.app",
   "build": {
     "beforeDevCommand": "npm run dev",

src-tauri/tauri.conf.json

@@ -303,3 +303,105 @@ describe("Sampling override translation across wires", () => {
     expect(body.max_tokens).toBe(8192)
   })
 })
+
+// ── Origin header for local LLM providers (Ollama + custom OpenAI) ──
+//
+// Pinned by a real packet capture from a Windows user (v0.3.11) where
+// plugin-http auto-injected `origin: http://tauri.localhost`,
+// triggering Ollama 403 because that origin isn't in the default
+// `OLLAMA_ORIGINS` allowlist. Setting Origin = same-origin makes
+// Ollama always trust the request.
+//
+// Plugin-http v2.5.x respects user-set headers (override behavior
+// confirmed by reading dist-js/index.js line 71-75), and the
+// `unsafe-headers` Cargo feature ensures Rust-side reqwest forwards
+// it. So this header surfacing here = bytes on the wire.
+
+describe("Origin header — local LLM CORS workaround", () => {
+  it("Ollama provider sets Origin to the request's own host (localhost)", () => {
+    const cfg = getProviderConfig({
+      provider: "ollama",
+      apiKey: "",
+      model: "llama3",
+      ollamaUrl: "http://localhost:11434",
+      customEndpoint: "",
+      maxContextSize: 8192,
+    })
+    expect(cfg.headers["Origin"]).toBe("http://localhost:11434")
+  })
+
+  it("Ollama provider Origin reflects remote LAN deployment (not localhost)", () => {
+    const cfg = getProviderConfig({
+      provider: "ollama",
+      apiKey: "",
+      model: "llama3",
+      ollamaUrl: "http://192.168.1.50:11434",
+      customEndpoint: "",
+      maxContextSize: 8192,
+    })
+    expect(cfg.headers["Origin"]).toBe("http://192.168.1.50:11434")
+  })
+
+  it("Ollama provider strips trailing /v1 before deriving Origin", () => {
+    // User pasted "http://localhost:11434/v1" as their Ollama URL. The
+    // URL the provider builds will be "http://localhost:11434/v1/chat/completions",
+    // so Origin must still be "http://localhost:11434" (URL.origin
+    // never includes a path anyway, but pinning this catches a
+    // regression where someone derives Origin from the full URL string
+    // by hand).
+    const cfg = getProviderConfig({
+      provider: "ollama",
+      apiKey: "",
+      model: "llama3",
+      ollamaUrl: "http://localhost:11434/v1",
+      customEndpoint: "",
+      maxContextSize: 8192,
+    })
+    expect(cfg.headers["Origin"]).toBe("http://localhost:11434")
+  })
+
+  it("custom OpenAI-compat endpoint also gets a same-origin Origin (LM Studio / llama.cpp / vLLM)", () => {
+    const cfg = getProviderConfig({
+      provider: "custom",
+      apiKey: "",
+      model: "qwen3",
+      ollamaUrl: "",
+      customEndpoint: "http://127.0.0.1:1234",
+      maxContextSize: 8192,
+      apiMode: "chat_completions",
+    } as RealLlmConfig)
+    expect(cfg.headers["Origin"]).toBe("http://127.0.0.1:1234")
+  })
+
+  it("commercial provider (OpenAI) does NOT get an explicit Origin override", () => {
+    // OpenAI's CORS doesn't care about Origin (auth is via API key).
+    // Setting Origin would just be noise. Pin that we DON'T touch
+    // commercial endpoints.
+    const cfg = getProviderConfig({
+      provider: "openai",
+      apiKey: "k",
+      model: "gpt-4o",
+      ollamaUrl: "",
+      customEndpoint: "",
+      maxContextSize: 128000,
+    })
+    expect(cfg.headers["Origin"]).toBeUndefined()
+  })
+
+  it("malformed ollamaUrl falls back gracefully (no Origin header) instead of crashing", () => {
+    // Settings UI normalizes URLs but a stale config from an older
+    // version could carry rubbish. Origin parsing must not throw.
+    const cfg = getProviderConfig({
+      provider: "ollama",
+      apiKey: "",
+      model: "llama3",
+      ollamaUrl: "not a url",
+      customEndpoint: "",
+      maxContextSize: 8192,
+    })
+    expect(cfg.headers["Origin"]).toBeUndefined()
+    // The URL itself will obviously be broken — but the provider
+    // builder shouldn't have thrown.
+    expect(typeof cfg.url).toBe("string")
+  })
+})