From be0684193f3f597d4de7fb27e019bea0b280c4b9 Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Tue, 21 Apr 2026 11:05:07 +0000 Subject: [PATCH] feat(A.1 #2): widen CSP connect-src for localhost LLM endpoints MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds http://127.0.0.1:* and ws://127.0.0.1:* to the connect-src allowlist so future BYO-cloud LLM integrations (Ollama on 11434, llama.cpp server on 8080, LM Studio on 1234, etc.) can fetch(...) without tripping the CSP. Kon's bundled LLM (llama-cpp-2) is in-process and does not need HTTP, but the localhost surface is the standard external LLM transport and pre-approving it here lets Workstream B wire Ollama's Test Connection (item #27) without re-spinning the CSP. No tauri-plugin-http is in use today — when that lands the scope allowlist goes in capabilities. Matches the pain pattern from Vibe #438 (Tauri scope blocking 127.0.0.1 LLM endpoints). Co-authored-by: jars --- src-tauri/tauri.conf.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src-tauri/tauri.conf.json b/src-tauri/tauri.conf.json index 32b8aff..fb9cb16 100644 --- a/src-tauri/tauri.conf.json +++ b/src-tauri/tauri.conf.json @@ -23,7 +23,7 @@ } ], "security": { - "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' asset: https://asset.localhost; connect-src ipc: http://ipc.localhost asset: https://asset.localhost http://localhost:* ws://localhost:*; media-src 'self' asset: https://asset.localhost" + "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' asset: https://asset.localhost; connect-src ipc: http://ipc.localhost asset: https://asset.localhost http://localhost:* ws://localhost:* http://127.0.0.1:* ws://127.0.0.1:*; media-src 'self' asset: https://asset.localhost" } }, "plugins": {