
fix(security): remove wildcard CORS from netlify.toml (TAY-190)#1166

Closed
Computer8004 wants to merge 258 commits into learningeconomy:main from Computer8004:pr-1087

Conversation


@Computer8004 Computer8004 commented Apr 13, 2026

Summary

Removes wildcard Access-Control-Allow-Origin: * headers from netlify.toml and introduces a runtime trusted-origins whitelist.

Changes

  • apps/learn-card-app/netlify.toml
    • Removed Access-Control-Allow-Origin: "*" from /manifest.json, /*, /assets/icon/icon.png, /assets/icon/favicon.png, and /assets/*
    • Kept cache-control and content-type headers intact
  • apps/learn-card-app/src/constants/trustedOrigins.ts (new)
    • Added TRUSTED_ORIGINS array and isTrustedOrigin() / isTrustedOriginPattern() helpers

Netlify static headers cannot express dynamic multi-origin CORS, so the fix relies on removing the dangerous wildcard and letting browser same-origin policy block unsolicited cross-origin requests. Application-level postMessage validation already handles partner-origin trust at runtime.

Closes TAY-190

✨ PR Description

Purpose: Remove wildcard CORS (Access-Control-Allow-Origin: *) from Netlify edge functions and implement tenant-based whitelist validation to prevent unauthorized cross-origin access to API endpoints.

Main changes:

  • Implemented buildCorsHeaders() helper in shared/cors.ts that validates origin against ALLOWED_ORIGINS whitelist and dynamic patterns (e.g., *.learncard.app, deploy previews) instead of wildcard
  • Created tenant resolution infrastructure with shared/tenant-resolver.ts importing generated config bundle and generate-edge-tenant-configs.ts auto-discovery script to eliminate manual tenant imports
  • Refactored interact.ts edge function to use tenant-aware CORS headers, resolve LCN API URL from tenant config with fallback chain (env → tenant config → deploy context), and redirect to tenant-specific origin

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using.
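As an added example (not the project's shared/cors.ts or trustedOrigins.ts), this is the shape of allowlist-based CORS the description outlines: the request's Origin header is matched against exact origins and anchored patterns, and only a validated origin is ever echoed back. The origins and the Netlify site name are constructed assumptions.

```typescript
// Added example, not the project's code: allowlist CORS helper of the kind the
// PR description outlines. Origins and site name below are assumed values.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  'https://learncard.app',
  'https://www.learncard.app',
]);

// Dynamic patterns, anchored with ^ and $ so a suffix match such as
// "https://learncard.app.evil.example" can never qualify.
const ALLOWED_ORIGIN_PATTERNS: readonly RegExp[] = [
  /^https:\/\/[a-z0-9-]+\.learncard\.app$/,                             // one tenant label under learncard.app
  /^https:\/\/deploy-preview-\d+--staging-learncardapp\.netlify\.app$/, // deploy previews of one assumed site
];

function parseOrigin(origin: string): URL | null {
  try { return new URL(origin); } catch { return null; }
}

// Returns the normalized origin when it is trusted, otherwise null.
function trustedOrigin(origin: string | null): string | null {
  if (!origin) return null; // no Origin header: nothing to grant
  const url = parseOrigin(origin);
  // A real origin is exactly scheme://host[:port]; paths, userinfo and the
  // literal "null" all fail the round-trip comparison and are rejected.
  if (!url || url.origin !== origin || url.protocol !== 'https:') return null;
  const normalized = url.origin;
  if (ALLOWED_ORIGINS.has(normalized)) return normalized;
  return ALLOWED_ORIGIN_PATTERNS.some((re) => re.test(normalized)) ? normalized : null;
}

function isTrustedOrigin(origin: string | null): boolean {
  return trustedOrigin(origin) !== null;
}

// Untrusted callers get no Access-Control-Allow-Origin at all, so the browser's
// same-origin policy withholds the response body from them.
function buildCorsHeaders(origin: string | null): Record<string, string> {
  // Vary: Origin is required whenever the response differs per Origin; without
  // it a shared cache could replay one origin's grant to a different origin.
  const headers: Record<string, string> = { Vary: 'Origin' };
  const allowed = trustedOrigin(origin);
  if (allowed) {
    headers['Access-Control-Allow-Origin'] = allowed;
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  }
  return headers;
}
```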

Jacksón Smith and others added 20 commits April 3, 2026 15:39
… origins whitelist

- Remove Access-Control-Allow-Origin: * from netlify.toml static headers
- Add TRUSTED_ORIGINS constant and validation helpers for runtime origin checks

Co-Authored-By: Paperclip <noreply@paperclip.ing>

changeset-bot Bot commented Apr 13, 2026

⚠️ No Changeset found

Latest commit: 2df45df

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



atlassian Bot commented Apr 13, 2026

To enable Rovo Dev code reviews, link your GitHub account to your Atlassian account.

This is a one-time task that takes less than a minute. Once your account is linked, resubmit the pull request to trigger a code review.


netlify Bot commented Apr 13, 2026

👷 Deploy request for staging-learncardapp pending review.

Visit the deploys page to approve it

Name Link
🔨 Latest commit 2df45df


netlify Bot commented Apr 13, 2026

Deploy Preview for learncarddocs canceled.

Name Link
🔨 Latest commit 2df45df
🔍 Latest deploy log https://app.netlify.com/projects/learncarddocs/deploys/69dcd5ce6f3db00008e654ea


netlify Bot commented Apr 13, 2026

Deploy Preview for app-store-1-basic-launchpad-app canceled.

Name Link
🔨 Latest commit 2df45df
🔍 Latest deploy log https://app.netlify.com/projects/app-store-1-basic-launchpad-app/deploys/69dcd5cfc52ac900082463fa


@gitstream-cm gitstream-cm Bot left a comment


✨ PR Review

The PR adds tenant configuration infrastructure but fails to achieve its stated security goal: wildcard CORS headers remain in edge functions, contradicting the PR description.

2 issues detected:

🔒 Security - Wildcard CORS persists despite PR claiming to remove it

Details: The PR title claims to "remove wildcard CORS from netlify.toml" but the wildcard CORS header Access-Control-Allow-Origin: "*" remains in this edge function at line 6 and is used in responses (lines 62, 80). This allows any origin to access the interaction endpoints, which is a security vulnerability that the PR was supposed to fix.
File: apps/learn-card-app/netlify/edge-functions/interact.ts (5-9)

🔒 Security - New code adds wildcard CORS when PR aims to remove it 🛠️

Details: This new edge function introduces wildcard CORS Access-Control-Allow-Origin: '*' on line 33, allowing any origin to fetch tenant configuration data. This contradicts the PR's security goal of removing wildcard CORS headers.

File: apps/learn-card-app/netlify/edge-functions/tenant-config.ts (33-33)
🛠️ A suggested code correction is included in the review comments.

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using.

headers: {
'Content-Type': 'application/json',
'Cache-Control': 'public, max-age=300, stale-while-revalidate=3600',
'Access-Control-Allow-Origin': '*',

🔒 Security - New Wildcard CORS Added: Restrict CORS to trusted origins or remove the wildcard. Since this serves tenant configuration, consider validating the requesting origin against the tenant's configured domains before setting the CORS header.

Suggested change
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Origin': url.origin,
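Review bot: the suggested replacement `'Access-Control-Allow-Origin': url.origin,` only narrows CORS if `url` is derived from the request's Origin header and has already been checked against the allowlist; if `url` is the parsed request URL, its origin is the edge function's own host, which neither validates the caller nor grants cross-origin callers anything, so the header becomes dead weight rather than a check. Suggest taking the value from a validated-origin helper such as the `buildCorsHeaders()` described in the PR summary, and adding `Vary: Origin` alongside it, since the response now depends on the request's Origin and is served with `Cache-Control: public`.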

…tlify.toml

- Add shared cors.ts edge-function helper with explicit origin whitelist
- Update interact.ts to use dynamic origin validation instead of '*'
- Update tenant-config.ts to use dynamic origin validation instead of '*'
- Remove Access-Control-Allow-Origin wildcard headers from scouts netlify.toml

Co-Authored-By: Paperclip <noreply@paperclip.ing>

@gitstream-cm gitstream-cm Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✨ PR Review

LGTM

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using.
