chore: egress via pre-configured target urls#49
Merged
maxy-shpfy merged 1 commit intoJul 1, 2026
Conversation
Collaborator
Author
This stack of pull requests is managed by Graphite. Learn more about stacking. |
This was referenced Jul 1, 2026
148a241 to
abb0c23
Compare
2762e47 to
185fda2
Compare
abb0c23 to
706e5bd
Compare
185fda2 to
1d61c69
Compare
Collaborator
Author
Merge activity
|
1d61c69 to
2d4c6c1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

TL;DR
Bundle UI components now reference Tangle API endpoints via logical target objects (
{ target: "tangle", path: "..." }) instead of hardcoded absolute URLs. The server resolves the actual base URL fromTANGLE_API_URLat runtime, and a newopenTargetUrlUI command lets components open deployment-configured URLs without ever knowing the origin.What changed?
host.fetchnow acceptsHostFetchInput, a union ofstring | { target: "tangle"; path: string }. Components should use the logical target form; absolute URLs remain accepted only as a compatibility path for trusted internal tooling.resolveTargetUrlfunction builds the full URL fromTANGLE_API_URLand validates that the path starts with/and is not protocol-relative.UICommandvariant{ type: "openTargetUrl", target: "tangle", path }lets components request that the host resolve and open a target URL in a new tab. The host calls the newPOST /api/agent-bundles/ui-target-urlendpoint to resolve the URL server-side before opening it.oasis.shopify.ioorigin rule has been removed from the egress allowlist; all Tangle egress now goes through the configurableTANGLE_API_URL.PI_PROXY_URLandTANGLE_API_URLare now validated as absolute URLs at startup viareadAbsoluteUrl, throwing on misconfiguration rather than silently using a bad value.https://oasis.shopify.io,https://proxy.shopify.ai,https://tangle.example.com) have been replaced with generichttps://api.example.com/https://proxy.example.comexamples throughout config, docs, and examples..env.examplenow documents server runtime variables (TANGLE_API_URL,TANGLE_TOKEN,PI_PROXY_URL,PI_PROXY_API_KEY,AUTH_JWT_TOKEN_COOKIE_NAME,INSTANCE_PROXY_URL), and the README clarifies that these should be injected via a process manager or secret manager rather than committed.AUTH_JWT_TOKEN_COOKIE_NAMEis added to the Turbo env passthrough list.TANGLE_TOKENas a deployment secret.pipeline-progress.tsx,pipeline-url-input.tsx,sample.js) have been updated to use the logical target form andopenTargetUrlinstead of hardcoded base URLs andopenUrl.How to test?
pnpm testinapps/server. The newegressAllowlist.test.tscovers logical target resolution, credential injection, allowlist rejection of non-allowlisted paths, and rejection of malformed paths (missing leading slash, protocol-relative).tangleortangle-ml-pipeline-optimizerexample bundle. Confirm thathost.fetch({ target: "tangle", path: "/api/executions/<id>/state" })proxies correctly and that clicking the pipeline title button resolves and opens the correct URL viaopenTargetUrl.TANGLE_API_URLto an invalid value and confirm the server throws on startup rather than silently using a bad URL.POST /api/agent-bundles/ui-target-urlwith a valid target returns{ url }and with an invalid path returns a 400.Why make this change?
Hardcoding absolute API origins in bundle UI components couples them to a specific deployment environment and leaks internal hostnames into client-side code. By routing through logical targets resolved server-side from
TANGLE_API_URL, the same bundle works across environments without modification, credentials and origins stay server-side, and the egress allowlist can enforce path patterns against a single configurable origin rather than a mix of hardcoded ones.