mirror of
https://github.com/NanmiCoder/cc-haha
synced 2026-07-16 13:03:31 +08:00
The H5 LAN release made the desktop sidecar bind broadly and require auth for non-localhost hosts. The Tauri WebView still talks to the loopback control URL without an H5 bearer token, so startup requests were rejected before the app could load. Constraint: Desktop WebView control requests must stay tokenless for the local sidecar. Rejected: Reuse H5 token bootstrap for Tauri | would add remote-access state to the native app startup path. Confidence: high Scope-risk: narrow Directive: Tauri WebView bypass is limited to loopback control hosts; do not extend it to LAN or public hosts without re-reviewing H5 auth boundaries. Tested: bun test src/server/__tests__/h5-access-auth.test.ts Tested: bun run check:server