
infra: CORS regex for Vercel preview deploys (OPE-56)#272

Merged
DevanshuNEU merged 2 commits into
OpenCodeIntel:mainfrom
DevanshuNEU:infra/preview-deploy-cors
Mar 1, 2026

Conversation

@DevanshuNEU DevanshuNEU commented Mar 1, 2026

Collaborator

Adds ALLOW_ORIGIN_REGEX env var so Vercel preview deploy URLs can call the Railway backend without CORS errors.

Set on Railway: ALLOW_ORIGIN_REGEX=https://.*.vercel.app

Partial progress on OPE-56.

Summary by CodeRabbit

  • New Features
    • Configurable CORS origin regex to support dynamic origin validation for preview and staging deployments.
    • Optional GitHub API token integration for improved repository analysis.
  • Configuration
    • New environment variables for CORS customization and GitHub authentication, with graceful fallbacks and warnings when not configured.

Vercel preview deploys get dynamic URLs like:
  opencodeintel-git-feat-xxx.vercel.app

These need to call the Railway backend but get CORS blocked because
ALLOWED_ORIGINS only has the production domain.

FastAPI CORSMiddleware supports allow_origin_regex -- now configurable
via ALLOW_ORIGIN_REGEX env var. Set on Railway to:
  https://.*\.vercel\.app

This allows all Vercel preview URLs to call the backend while keeping
the explicit ALLOWED_ORIGINS list for production.

Also added GITHUB_TOKEN to optional startup vars (used by /repos/analyze).

vercel Bot commented Mar 1, 2026


@DevanshuNEU is attempting to deploy a commit to the Dev's projects Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai Bot commented Mar 1, 2026

Walkthrough

Adds optional environment-driven CORS regex support and a GitHub token option: updates .env.example with commented guidance, registers ALLOW_ORIGIN_REGEX and GITHUB_TOKEN as optional startup vars, and wires ALLOW_ORIGIN_REGEX into the CORSMiddleware as allow_origin_regex.

Changes

Cohort / File(s) and summary:

  • Configuration Guidance (.env.example): Added three commented lines describing a dynamic CORS origins regex (example for preview URLs) and guidance for ALLOW_ORIGIN_REGEX.
  • Startup Configuration (backend/config/startup_checks.py): Registered two optional env vars: ALLOW_ORIGIN_REGEX (CORS regex for preview deploys) and GITHUB_TOKEN (GitHub API token); added to OPTIONAL_VARS with fallback messages; no required-var logic changed.
  • CORS Middleware Integration (backend/main.py): Reads ALLOW_ORIGIN_REGEX and passes it to CORSMiddleware as allow_origin_regex (uses None when empty) while preserving existing allow_origins behavior.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A little regex nibbles the gate,
Preview origins hop in — neat and straight.
A token tucked in, quiet and small,
Configs align and stand up tall.
Hooray for tiny changes that help us all!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title directly and accurately describes the main change: adding CORS regex support for Vercel preview deploys, which is the core purpose of this pull request.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
backend/main.py (1)

78-84: Consider restricting CORS regex to your specific Vercel project.

The documented default pattern https://.*\.vercel\.app allows any Vercel-hosted app to make cross-origin requests to your backend. While this enables all PR preview deploys to function, it's broader than necessary.

For additional security, use a project-specific pattern:

https://opencodeintel-.*\.vercel\.app

This still supports dynamic branch/PR URLs while restricting access to your specific Vercel project.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@backend/main.py` around lines 78 - 84, The ALLOW_ORIGIN_REGEX default is too
permissive; set ALLOW_ORIGIN_REGEX (used when calling app.add_middleware with
CORSMiddleware and parameter allow_origin_regex) to a project-scoped pattern
instead of the broad https://.*\.vercel\.app; update the environment default or
validation so it uses something like https://opencodeintel-.*\.vercel\.app when
empty, and ensure the add_middleware call still passes ALLOW_ORIGIN_REGEX or
None (tied to the existing ALLOWED_ORIGINS variable) so only your Vercel project
previews can access the backend.

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ef30258 and 8b97d27.

📒 Files selected for processing (3)
  • .env.example
  • backend/config/startup_checks.py
  • backend/main.py

https://.*\.vercel\.app is too broad -- allows any Vercel project to
call our backend. Scoped to https://opencodeintel.*\.vercel\.app so
only our preview deploys are allowed.

vercel Bot commented Mar 1, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

  • Project opencodeintel: Preview deployment ignored (updated Mar 1, 2026 4:31pm UTC)

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.env.example (1)

43-45: Refine the CORS regex to match actual Vercel preview URL formats.

The current pattern https://opencodeintel.*\.vercel\.app is overly permissive. However, the recommended pattern https://opencodeintel-[a-z0-9-]+\.vercel\.app is too restrictive and would reject legitimate Vercel preview URLs with dots or underscores in branch names (e.g., opencodeintel-git-feature.new-staging.vercel.app).

According to Vercel's documentation, preview URLs follow these formats:

  • Per-commit: <project>-<hash>-<scope>.vercel.app
  • Per-branch: <project>-git-<branch>-<scope>.vercel.app

Consider a more balanced pattern:

https://opencodeintel(-git-[a-z0-9._\/-]+)?-[a-z0-9._-]+\.vercel\.app

This accepts the actual structure while being more restrictive than .*. Alternatively, document that the security model relies on Vercel's domain control and the uniqueness of the project name within the team's account, which naturally constrains which URLs can be assigned.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.example around lines 43 - 45, The ALLOW_ORIGIN_REGEX example is too
permissive; replace the commented value for ALLOW_ORIGIN_REGEX with a balanced
regex that matches Vercel preview URL formats (per-commit and per-branch) such
as the suggested pattern accepting optional "-git-<branch>" segments and
allowing dots/underscores in branch names, or update the comment to document
that Vercel's domain control and the project name uniqueness are relied upon for
security; ensure the variable name ALLOW_ORIGIN_REGEX is updated in the
.env.example and the new pattern is shown as the recommended value.

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8b97d27 and afa7755.

📒 Files selected for processing (2)
  • .env.example
  • backend/main.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • backend/main.py
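The origin patterns quoted in the two CodeRabbit comments above and in the PR's commit messages, exercised against a handful of constructed sample origins. This is an added example, not code from the PR or from the OpenCodeIntel project. It assumes Starlette's CORSMiddleware admits an origin when it is in the explicit allow list or when allow_origin_regex matches the whole Origin header value (a full match, not a prefix match); the sample origins are made up, and `load_origin_regex`, `is_allowed_origin` and `admitted` are names chosen here, not functions of the project.

```python
"""
Exercise the CORS origin patterns discussed in PR #272 against constructed
sample origins, using the decision rule assumed for Starlette's CORSMiddleware.
"""
import os
import re
from typing import Dict, Iterable, List, Optional

# Patterns that appear in the PR thread: the value first set on Railway,
# the project-scoped value from the follow-up commit, the stricter pattern
# CodeRabbit called too restrictive, and CodeRabbit's "balanced" suggestion.
PATTERNS: Dict[str, str] = {
    "broad":    r"https://.*\.vercel\.app",
    "scoped":   r"https://opencodeintel.*\.vercel\.app",
    "strict":   r"https://opencodeintel-[a-z0-9-]+\.vercel\.app",
    "balanced": r"https://opencodeintel(-git-[a-z0-9._\/-]+)?-[a-z0-9._-]+\.vercel\.app",
}

# Constructed sample Origin header values (not real deployments). The first
# three follow the per-branch / per-commit formats quoted in the review; the
# last three are origins a preview-deploy rule should not have to admit.
SAMPLE_ORIGINS: List[str] = [
    "https://opencodeintel-git-feat-xxx.vercel.app",             # per-branch, as in the commit message
    "https://opencodeintel-git-feature.new-staging.vercel.app",  # branch name containing a dot
    "https://opencodeintel-abc123-devs-projects.vercel.app",     # per-commit: <project>-<hash>-<scope>
    "https://opencodeintel.vercel.app",                          # bare project URL (belongs in ALLOWED_ORIGINS)
    "https://some-other-project.vercel.app",                     # unrelated Vercel project
    "https://opencodeintel-git-main-x.vercel.app.example.com",   # non-Vercel host that merely contains the suffix
]


def load_origin_regex(env: Dict[str, str]) -> Optional[re.Pattern]:
    """Mirror the PR's wiring: an unset or empty ALLOW_ORIGIN_REGEX becomes None,
    so the middleware falls back to the explicit ALLOWED_ORIGINS list only.
    An invalid pattern raises re.error here, at startup, not on the first request."""
    raw = env.get("ALLOW_ORIGIN_REGEX", "").strip()
    return re.compile(raw) if raw else None


def is_allowed_origin(origin: str, allowed_origins: Iterable[str],
                      origin_regex: Optional[re.Pattern]) -> bool:
    """Decision rule assumed for Starlette's CORSMiddleware: the explicit list
    wins; otherwise the regex must match the entire Origin value (fullmatch),
    so a host that only contains the .vercel.app suffix is still rejected."""
    if origin in allowed_origins:
        return True
    return origin_regex is not None and origin_regex.fullmatch(origin) is not None


def admitted(pattern_name: str, origins: Iterable[str] = SAMPLE_ORIGINS) -> List[str]:
    """Return the sample origins the named pattern alone would admit."""
    regex = load_origin_regex({"ALLOW_ORIGIN_REGEX": PATTERNS[pattern_name]})
    return [o for o in origins if is_allowed_origin(o, [], regex)]


if __name__ == "__main__":
    # Read the variable the way backend/main.py does; fall back to the scoped
    # value from the second commit when it is unset.
    deployed = os.environ.get("ALLOW_ORIGIN_REGEX") or PATTERNS["scoped"]
    print(f"deployed pattern: {deployed}")
    for name, pattern in PATTERNS.items():
        allowed = set(admitted(name))
        print(f"\n{name}: {pattern}")
        for origin in SAMPLE_ORIGINS:
            print(f"  {'allow' if origin in allowed else 'deny '}  {origin}")
```

Running it shows the trade-off the review describes: "broad" admits the unrelated Vercel project, "strict" rejects the branch name with a dot, and neither "strict" nor "balanced" admits the bare project URL, which is why the production origin still has to be listed explicitly in ALLOWED_ORIGINS rather than covered by the regex.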

@DevanshuNEU DevanshuNEU merged commit dd08e69 into OpenCodeIntel:main Mar 1, 2026
7 checks passed