fix(mcp): adds production origin to defaults

Adds https://gh.gordoncode.dev to ALLOWED_ORIGINS_DEFAULT so the
WebSocket relay works out of the box for deployed SPA users.
MCP_RELAY_ALLOWED_ORIGINS env var remains for custom domains/forks.

Author: wgordon17

DEPLOY.md

@@ -22,7 +22,7 @@ building.
 
 5. **Cloudflare Turnstile** — Create a widget and set `VITE_TURNSTILE_SITE_KEY` in `.env`. Only needed for the planned Jira/GitLab token sealing feature.
 6. **Sentry error reporting** — Set `VITE_SENTRY_DSN` (build-time, via GitHub Actions variable) and `SENTRY_DSN` (Worker secret, via `wrangler secret put`) to the **same** DSN value. The Worker tunnel (`/api/error-reporting`) validates the incoming envelope DSN against `env.SENTRY_DSN` — different values cause all Sentry events to silently return 403. Leave both empty to disable.
-7. **MCP relay** — Set `MCP_RELAY_ALLOWED_ORIGINS=https://YOUR-DOMAIN` when running the MCP server
+7. **MCP relay** — If deploying to a custom domain, set `MCP_RELAY_ALLOWED_ORIGINS=https://YOUR-DOMAIN` when running the MCP server (`https://gh.gordoncode.dev` is allowed by default)
 8. **WAF smoke tests** — Set `DEPLOY_DOMAIN` as a GitHub Actions variable (e.g., `your-domain.example.com`). CI runs `pnpm test:waf https://$DEPLOY_DOMAIN` automatically. If `DEPLOY_DOMAIN` is not set, the WAF test is skipped. Run locally with: `pnpm test:waf https://YOUR-DOMAIN`.
 9. **Social metadata** — Update `og:image` and `og:url` in `index.html` to your domain
 10. **Security contact** — Update the email and scope domain in `SECURITY.md`

mcp/README.md

@@ -18,7 +18,7 @@ npm install -g github-tracker-mcp
 |----------|----------|---------|-------------|
 | `GITHUB_TOKEN` | No | — | Classic PAT with `repo` and `read:org` scopes (recommended), or fine-grained PAT with Actions (read), Contents (read), Issues (read), and Pull requests (read) permissions. Fine-grained PATs skip scope validation at startup. |
 | `MCP_WS_PORT` | No | `9876` | WebSocket relay port for receiving live data from the dashboard SPA. |
-| `MCP_RELAY_ALLOWED_ORIGINS` | No | — | Comma-separated additional origins for WebSocket connections (e.g., `https://your-domain.example.com`). Localhost origins are always allowed. |
+| `MCP_RELAY_ALLOWED_ORIGINS` | No | — | Comma-separated additional origins for WebSocket connections. Only needed if you deploy to a custom domain (the default `https://gh.gordoncode.dev` and localhost origins are always allowed). |
 
 `GITHUB_TOKEN` is required for standalone (direct API) mode. In relay mode the server receives data from the dashboard and works without a token. If you set `GITHUB_TOKEN` alongside the relay, the server uses it as a fallback when the relay disconnects.
 

mcp/src/ws-relay.ts

@@ -44,6 +44,7 @@ const ALLOWED_ORIGINS_DEFAULT = new Set([
   "https://localhost",
   "http://127.0.0.1",
   "https://127.0.0.1",
+  "https://gh.gordoncode.dev",
 ]);
 
 function buildAllowedOrigins(): Set<string> {
@@ -60,9 +61,9 @@ function buildAllowedOrigins(): Set<string> {
 // Computed once at module scope — origins don't change at runtime
 const ALLOWED_ORIGINS = buildAllowedOrigins();
 
-// Warn if only localhost origins are configured — production domains need MCP_RELAY_ALLOWED_ORIGINS
-if (!process.env.MCP_RELAY_ALLOWED_ORIGINS) {
-  console.warn("[mcp/ws] Warning: No MCP_RELAY_ALLOWED_ORIGINS set — only localhost connections allowed. Set this to your production domain to allow WebSocket relay from the deployed SPA.");
+// Log extra origins if configured (useful for custom deployments / forks)
+if (process.env.MCP_RELAY_ALLOWED_ORIGINS) {
+  console.error("[mcp/ws] Additional allowed origins:", process.env.MCP_RELAY_ALLOWED_ORIGINS);
 }
 
 function isOriginAllowed(origin: string | undefined): boolean {

mcp/tests/ws-relay.test.ts

@@ -407,6 +407,22 @@ describe("WebSocket relay server — origin validation", () => {
     expect(opened).toBe(true);
   });
 
+  it("allows connections from the production domain", async () => {
+    const ws = new WebSocket(`ws://127.0.0.1:${port}`, {
+      headers: { origin: "https://gh.gordoncode.dev" },
+    });
+
+    const opened = await new Promise<boolean>((resolve) => {
+      ws.once("open", () => { ws.close(); resolve(true); });
+      ws.once("error", () => resolve(false));
+      ws.once("close", (code) => {
+        if (code !== 1000 && code !== 1001) resolve(false);
+      });
+    });
+
+    expect(opened).toBe(true);
+  });
+
   it("rejects connections from disallowed origins", async () => {
     // The server calls verifyClient with callback(false, 403, "Origin not allowed").
     // The ws library sends an HTTP 403 response, which the client sees as an error.