cors-test-safety-2026-05-20
CORS allowlist test helper accepts any origin when test-origin header is absent — coverage gap
The CORS test helper in the MCP server validates the allowlist only when a test-origin header is present in the request. If the header is absent the check is skipped entirely, so the test suite passes even with a misconfigured allowlist. Real clients do not send this header, so the coverage gap is invisible in CI.
Evidence
crates/mcp-server/src/jsonrpc_cors_tests.rs — guard condition on test-origin header means absent header == no validation. Identified in review of leighstillard:fix/cors-allowlist (PR #2266).
config-assistant-rollback-2026-05-20
ConfigAssistant panel drops user message and clears input on API error — no rollback
In ConfigAssistantPanel.tsx the outgoing message is appended to chat and the input field is cleared before the API call is awaited. When the call throws, the catch block sets an error banner but never reverts those mutations — leaving the message "sent" with no way to retry without retyping. On subsequent sends the component snapshot is also stale, compounding the state drift.
Evidence
app/src/components/channels/mcp/ConfigAssistantPanel.tsx — setMessages(updatedHistory) and setInput('') run unconditionally before await fetch(...); the catch block never calls setMessages(messages) or setInput(text) to restore pre-send state.