fix(launcher): support local workspace endpoints #404

Merged
zomux merged 4 commits into openagents-org:develop from Edison-A-N:fix/launcher-local-workspace-endpoint
May 24, 2026
@Edison-A-N

Contributor

Summary

  • allow launcher to register non-hosted workspace URLs directly from origin/slug/token
  • pass configured workspace backend endpoint into the launcher connector and reload it after settings changes
  • generate workspace display/open URLs from each saved network endpoint

Test

  • npm run build (packages/launcher)

@vercel

vercel Bot commented May 24, 2026


@Edison-A-N is attempting to deploy a commit to the Raphael's projects Team on Vercel.

A member of the Team first needs to authorize it.

@zomux zomux left a comment

Contributor

Review — Changes Requested

Well-structured PR that cleanly adds local workspace endpoint support. The settings-driven hot-reload and URL normalization approach are good. A few security items to address:

Blocking

1. normalizeWorkspaceEndpoint accepts malformed URLs
The catch block silently returns the raw input minus trailing slash. A non-URL string (e.g., javascript:alert(1)) would pass through. Should reject invalid URLs entirely or at minimum validate the scheme.

2. No URL scheme restriction
Custom workspace URLs accept any scheme. Should restrict to http:/https: to prevent protocol injection — these values flow into openExternal() which is especially dangerous in Electron.

Notes (non-blocking)

  • this._connector! non-null assertions — several places assume _connector exists. If core fails to load, these throw unhelpful errors. Consider a guard.
  • Token in URL query params — pre-existing pattern but this PR extends it to arbitrary endpoints, slightly increasing exposure surface.
  • Overlap with PR #358 — significant overlap in intent but no file-level conflicts. #358 targets old JS codebase while #404 targets the TypeScript rewrite. #404 is the cleaner, more focused implementation.

Positive

  • Good accessibility fixes (htmlFor/id, <button> instead of <a href="#">)
  • workspaceDisplayHost() utility replaces scattered hardcoded strings
  • Error re-throw in connectToWorkspace() is a good catch
  • No migration changes

Reject non-http(s) URLs in normalizeWorkspaceEndpoint and
parseCustomWorkspaceUrl to prevent protocol injection — these values
flow into Electron's openExternal() which can execute arbitrary
protocols. Also reject malformed URLs entirely instead of passing
them through.

@zomux zomux left a comment

Contributor

Pushed a security fix: URL scheme validation in normalizeWorkspaceEndpoint and parseCustomWorkspaceUrl — rejects non-http(s) URLs and malformed input. Original review concerns are now addressed. LGTM.

@zomux zomux merged commit 7dcd0e0 into openagents-org:develop May 24, 2026
1 of 2 checks passed
@Edison-A-N Edison-A-N deleted the fix/launcher-local-workspace-endpoint branch May 25, 2026 00:55
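
The two blocking items from the review, as an added TypeScript example that is not the launcher's code or the pushed fix: a normalizer that falls back to the raw string and never checks the scheme, beside one that rejects malformed input and anything other than http(s). The names `normalizeLenient`, `normalizeStrict` and `openIfSafe` are hypothetical, the sample inputs are constructed, and `opener` is an injected stand-in for Electron's `shell.openExternal`.

```typescript
// Added example. Function names are hypothetical, not the project's own.

// Pattern the review flags: parse failure falls back to the raw input minus
// trailing slashes, and a successfully parsed URL is returned with any scheme.
function normalizeLenient(input: string): string {
  try {
    return new URL(input).href.replace(/\/+$/, "");
  } catch {
    return input.replace(/\/+$/, "");
  }
}

// Hardened form: malformed input and non-http(s) schemes are rejected (null).
// Returns origin + path without trailing slashes; query and fragment are
// dropped here, which is an assumption about what an endpoint base needs.
function normalizeStrict(input: string): string | null {
  let u: URL;
  try {
    u = new URL(input.trim());
  } catch {
    return null; // not a URL at all
  }
  // URL.protocol is already lower-cased and includes the trailing colon.
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return (u.origin + u.pathname).replace(/\/+$/, "");
}

// Validate again at the sink, so a value that reached storage by another
// path still cannot be handed to the OS protocol handler.
function openIfSafe(input: string, opener: (url: string) => void): boolean {
  const url = normalizeStrict(input);
  if (url === null) return false;
  opener(url);
  return true;
}

// Constructed sample inputs: two valid endpoints, three that must be refused.
const SAMPLES: string[] = [
  "http://localhost:8700/",
  "HTTPS://Workspace.Example.test/team/",
  "javascript:alert(1)",
  "ftp://files.example.test/",
  "not a url/",
];

// Which samples each normalizer would let through to the opener.
function accepted(normalize: (s: string) => string | null): string[] {
  return SAMPLES.filter((s) => normalize(s) !== null);
}
```
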
3 participants