wifi-densepose

History

ruv a771ab8aa4 fix(homecore-api/sec): close HC-05 — CORS allowlist instead of permissive Replaces `CorsLayer::permissive()` (which set Access-Control-Allow- Origin: *) with an explicit allowlist via `CorsLayer::new()`. Default allowlist covers the homecore-frontend Vite dev server (5173) plus common reverse-proxy ports (3000, 8080, 8081) and the bind port itself (8123). Production deployments override via HOMECORE_CORS_ORIGINS=https://app.example.com,https://hass.example.com (comma-separated). Method allowlist: GET, POST, OPTIONS, DELETE (no PUT/PATCH yet). Header allowlist: Authorization, Content-Type, Accept. Credentials: disabled (no cookies in HOMECORE-API path). Test count: 15 → 18 (+3 CORS allowlist tests). Closes audit finding HC-05 (High). The HC-01/02 bearer-store fix in commit `408cfd4f0` only mattered if the cross-origin path was also locked down — without HC-05 a malicious page could still make authenticated calls with a stored bearer. Refs: docs/security/HOMECORE-security-audit-iter10.md (HC-05) Refs: #800 Co-Authored-By: claude-flow <ruv@ruv.net>	2026-05-25 21:03:52 -04:00
..
src	fix(homecore-api/sec): close HC-05 — CORS allowlist instead of permissive	2026-05-25 21:03:52 -04:00
Cargo.toml	feat(homecore/p1 iter-2): API (ADR-130) + plugins (ADR-128) scaffolds in parallel	2026-05-25 18:14:14 -04:00

ruv a771ab8aa4 fix(homecore-api/sec): close HC-05 — CORS allowlist instead of permissive

Replaces `CorsLayer::permissive()` (which set Access-Control-Allow-
Origin: *) with an explicit allowlist via `CorsLayer::new()`.

Default allowlist covers the homecore-frontend Vite dev server
(5173) plus common reverse-proxy ports (3000, 8080, 8081) and the
bind port itself (8123). Production deployments override via
HOMECORE_CORS_ORIGINS=https://app.example.com,https://hass.example.com
(comma-separated).

Method allowlist: GET, POST, OPTIONS, DELETE (no PUT/PATCH yet).
Header allowlist: Authorization, Content-Type, Accept.
Credentials: disabled (no cookies in HOMECORE-API path).

Test count: 15 → 18 (+3 CORS allowlist tests).

Closes audit finding HC-05 (High). The HC-01/02 bearer-store fix
in commit 408cfd4f0 only mattered if the cross-origin path was
also locked down — without HC-05 a malicious page could still
make authenticated calls with a stored bearer.

Refs: docs/security/HOMECORE-security-audit-iter10.md (HC-05)
Refs: #800

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-05-25 21:03:52 -04:00

src fix(homecore-api/sec): close HC-05 — CORS allowlist instead of permissive 2026-05-25 21:03:52 -04:00

Cargo.toml feat(homecore/p1 iter-2): API (ADR-130) + plugins (ADR-128) scaffolds in parallel 2026-05-25 18:14:14 -04:00