From f0d5ba2128757cf46b5a66ae5b33a16bff8cf428 Mon Sep 17 00:00:00 2001
From: Till JS
Date: Fri, 3 Apr 2026 12:37:13 +0200
Subject: [PATCH] fix: allow localhost in CSP connect-src during development

Dev env vars (_CLIENT suffixed) are empty, so localhost:3001 (auth), localhost:3050 (sync), localhost:3060 (api) were blocked by CSP. Added http://localhost:* and ws://localhost:* to connect-src when NODE_ENV !== 'production'.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/manacore/apps/web/src/hooks.server.ts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/apps/manacore/apps/web/src/hooks.server.ts b/apps/manacore/apps/web/src/hooks.server.ts
index fdace0d5d..531778161 100644
--- a/apps/manacore/apps/web/src/hooks.server.ts
+++ b/apps/manacore/apps/web/src/hooks.server.ts
@@ -112,6 +112,7 @@ window.__PUBLIC_GLITCHTIP_DSN__ = ${JSON.stringify(PUBLIC_GLITCHTIP_DSN)};
 },
 });
+ const isDev = process.env.NODE_ENV !== 'production';
 setSecurityHeaders(response, {
 connectSrc: [
 PUBLIC_MANA_CORE_AUTH_URL_CLIENT,
@@ -130,6 +131,8 @@ window.__PUBLIC_GLITCHTIP_DSN__ = ${JSON.stringify(PUBLIC_GLITCHTIP_DSN)};
 PUBLIC_MANA_MEDIA_URL_CLIENT,
 PUBLIC_MANA_LLM_URL_CLIENT,
 'wss://sync.mana.how',
+ // Allow all localhost ports in development
+ ...(isDev ? ['http://localhost:*', 'ws://localhost:*'] : []),
 ].filter(Boolean),
 });
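Review bot: The added `isDev` check fails open, because any NODE_ENV other than the exact string 'production' (unset, 'staging', 'test', a typo) enables the relaxed connect-src. A deployment that does not export NODE_ENV at runtime would therefore serve the localhost allowance to real users. Make the relaxation opt-in with `const isDev = process.env.NODE_ENV === 'development';`, or, if this is a SvelteKit hooks file as the name suggests, use the build-time flag from `import { dev } from '$app/environment';`. The enclosing handler starts and ends outside the hunk, so how NODE_ENV is set for deployed builds is not visible here.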
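Review bot: The `localhost:*` wildcards added to `connectSrc` are broader than the commit message requires, since it names only ports 3001 (auth), 3050 (sync) and 3060 (api). If the dev branch were ever active on a deployed build, the wildcard would let page script connect to any HTTP or WebSocket service on the visitor's own machine, whereas an explicit list bounds that exposure: `...(isDev ? ['http://localhost:3001', 'http://localhost:3050', 'ws://localhost:3050', 'http://localhost:3060'] : []),` (assuming sync is the only WebSocket endpoint; confirm). The comment could also record the reason and the constraint, e.g. `// Dev only: the *_CLIENT URLs are empty locally, so allow the local auth/sync/api ports. Must never be emitted in production.` The surrounding function continues outside the hunk.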