fix(multitenant): remove dead alias, duplicate origin, and tenant-scoped platform hosts (Sam & zAI)

Remove duplicate trusted origin in auth.ts where PLATFORM_INTERNAL_DOMAIN and ai.${PLATFORM_INTERNAL_BASE} resolve to the same string. Switch worker/browser/GUI/docs local hostnames from tenant-scoped AGENT_INTERNAL_DOMAIN to PLATFORM_INTERNAL_BASE — these are platform infrastructure, not tenant content. Remove AGENT_PID_FILE dead alias — zero consumers, PLATFORM_PID_FILE is canonical. --- Build: pass | Tests: pass — 1812 passed (115 files)
2026-04-24 19:37:51 +02:00 · 2026-04-24 19:37:51 +02:00 · c2d340155a
commit c2d340155a
parent 9ed3ce607c
3 changed files with 14 additions and 25 deletions
--- a/src/auth.ts
+++ b/src/auth.ts
@ -6,7 +6,6 @@ import {
  CONTROLPLANE_API_PORT,
  BETTER_AUTH_SECRET,
  BETTER_AUTH_URL,
-  PLATFORM_INTERNAL_BASE,
  PLATFORM_INTERNAL_DOMAIN,
 } from './config.js';
 import { logger } from './logger.js';
@ -14,12 +13,13 @@ import { logger } from './logger.js';
 export type AuthMode = 'local_trusted' | 'authenticated';

 export function createAuth(pool: Pool) {
-  const trustedOrigins = Array.from(new Set([
-    `http://localhost:${CONTROLPLANE_API_PORT}`,
-    `http://${PLATFORM_INTERNAL_DOMAIN}:${CONTROLPLANE_API_PORT}`,
-    `http://10.0.0.2:${CONTROLPLANE_API_PORT}`,
-    `http://ai.${PLATFORM_INTERNAL_BASE}:${CONTROLPLANE_API_PORT}`,
-  ]));
+  const trustedOrigins = Array.from(
+    new Set([
+      `http://localhost:${CONTROLPLANE_API_PORT}`,
+      `http://${PLATFORM_INTERNAL_DOMAIN}:${CONTROLPLANE_API_PORT}`,
+      `http://10.0.0.2:${CONTROLPLANE_API_PORT}`,
+    ]),
+  );

  const auth = betterAuth({
    baseURL: BETTER_AUTH_URL,
@ -58,10 +58,7 @@ export function createAuth(pool: Pool) {
    },
  });

-  logger.info(
-    { mode: CONTROLPLANE_AUTH_MODE },
-    'Better Auth initialized',
-  );
+  logger.info({ mode: CONTROLPLANE_AUTH_MODE }, 'Better Auth initialized');

  return auth;
 }
--- a/src/config.ts
+++ b/src/config.ts
@ -244,15 +244,8 @@ export const CODE_ADMIN_EXPOSURE =
 export const PUBLISHING_MODE =
  registryDefaults?.platform.publishingMode || 'disabled';

-export const RESERVED_HOST_LABELS =
-  registryDefaults?.platform.reservedHostLabels || [
-    'ai',
-    'cms',
-    'git',
-    'web',
-    'www',
-    'mail',
-  ];
+export const RESERVED_HOST_LABELS = registryDefaults?.platform
+  .reservedHostLabels || ['ai', 'cms', 'git', 'web', 'www', 'mail'];

 // ── Agent identity ───────────────────────────────────────────────────────────

@ -375,7 +368,6 @@ export const SYSTEM_LOCALE = normalizeSystemLocale(
 // ── Service naming ──

 export const PLATFORM_PID_FILE = `${PLATFORM_SERVICE_NAME}.pid`;
-export const AGENT_PID_FILE = PLATFORM_PID_FILE;

 // ── Engine & provider ──

--- a/src/local-hosts.ts
+++ b/src/local-hosts.ts
@ -28,10 +28,10 @@ export const GIT_LOCAL_HOST = CODE_SERVICE_INTERNAL_DOMAIN;
 export const OLLAMA_LOCAL_HOST = OLLAMA_INTERNAL_DOMAIN;
 export const LLAMA_CPP_LOCAL_HOST = LLAMA_CPP_INTERNAL_DOMAIN;
 export const CMS_LOCAL_HOST = CMS_INTERNAL_DOMAIN;
-export const WORKER_LOCAL_HOST = `worker.${AGENT_INTERNAL_DOMAIN}`;
-export const BROWSER_LOCAL_HOST = `browser.${AGENT_INTERNAL_DOMAIN}`;
-export const GUI_LOCAL_HOST = `gui.${AGENT_INTERNAL_DOMAIN}`;
-export const DOCS_LOCAL_HOST = `docs.${AGENT_INTERNAL_DOMAIN}`;
+export const WORKER_LOCAL_HOST = `worker.${PLATFORM_INTERNAL_BASE}`;
+export const BROWSER_LOCAL_HOST = `browser.${PLATFORM_INTERNAL_BASE}`;
+export const GUI_LOCAL_HOST = `gui.${PLATFORM_INTERNAL_BASE}`;
+export const DOCS_LOCAL_HOST = `docs.${PLATFORM_INTERNAL_BASE}`;
 export const AGENT_LOCAL_SITE_HOST = AGENT_INTERNAL_DOMAIN;

 function uniqueNames(names: string[]): string[] {