Islandflow turn record

Fix local backend connectivity

api cors deployed dev:web verified dev:desktop verified native deployment path

Summary

Local web and desktop development were failing to reach the hosted Islandflow backend because browser CORS preflight requests were blocked by the native API edge. The API now reflects allowed local origins, answers OPTIONS preflight, and the local web surface connects cleanly to https://api.flow.deltaisland.io.

The terminal UI also now avoids oversized evidence URLs and stale request floods, which were showing up as noisy browser network warnings after the CORS fix landed.

Changes Made

API CORS layerAdded reusable CORS helpers, configured allowed origins, wrapped API responses, and handled OPTIONS globally.

Local dev originsNext dev now allows localhost, 127.0.0.1, detected local IPv4 addresses, and optional NEXT_ALLOWED_DEV_ORIGINS.

Terminal fetch stabilityChunked option evidence lookups, bounded flow packet fetch concurrency, and abort stale hydration requests.

Chart overlay capChanged the equity overlay range request from 2500 rows to the API-supported 1000-row maximum.

Context

The repo is using native deployment for the hosted API, not Docker compose. I deployed the API CORS fix through the native deploy path and validated the running islandflow-api.service directly after the deploy wrapper returned a nonzero verification-tail exit.

After CORS was fixed, the local browser could connect, but terminal helper fetches still produced warnings from oversized /option-prints/by-trace query strings and fast-changing live windows. Those were separate frontend request-shaping issues, not the main websocket/backend connection.

Important Implementation Details

API_CORS_ORIGINS defaults include the hosted web origin and local dev origins for ports 3000 and 3100.
Preflight responses reflect requested headers and allow GET, POST, PUT, and OPTIONS.
Terminal evidence lookups now chunk trace-id batches to avoid edge 414 Request-URI Too Large responses.
High-churn live hydration effects now use AbortController cleanup so stale requests do not masquerade as backend failures.
Classified option rows now use a focusable row container instead of nesting instrument buttons inside another button.

Relevant Diff Snippets

Rendered with @pierre/diffs/ssr from a representative diff covering the API CORS helper, API wiring, Next dev-origin config, and terminal fetch handling.

Expected Impact for End-Users

Developers can run bun run dev:web or bun run dev:desktop and see the local terminal connect to the hosted native backend without CORS failures. The live terminal should also stay calmer under evidence-heavy alert windows because it no longer emits oversized by-trace URLs or piles up stale support requests.

Validation

Ran bun test services/api/tests: 38 tests passed.
Ran bun run typecheck: passed across apps, packages, and services.
Ran bun --cwd=apps/web run build: passed Next production build.
Verified hosted API CORS with curl health, OPTIONS preflight, options REST, and websocket checks from local origins.
Verified bun run dev:web in the in-app browser at http://127.0.0.1:3000/: page showed LIVE: CONNECTED and fresh logs stayed clear of backend network warnings.
Verified bun run dev:desktop: Electron launched, the runner served the local web UI, and browser verification against its 127.0.0.1:3000 endpoint showed LIVE: CONNECTED.
Confirmed no dev server was left listening on port 3000 after validation.

Issues, Limitations, and Mitigations

The native deploy command returned a nonzero status during its verification tail, but the native user service was active and direct live API checks passed. I did not leave Docker deployment state running.
The web build temporarily flipped apps/web/next-env.d.ts from the dev routes file to the production routes file. That generated change was restored and excluded from the final commit.
The frontend request chunking fixes are validated locally. I did not deploy the hosted web frontend in this pass because the user-facing breakage was local dev access and the hosted API CORS fix is the deployed native change.

Follow-up Work

Add a POST batch endpoint for evidence lookups so the terminal never has to encode many trace IDs into a query string.
Add a scripted browser smoke test for local dev against https://api.flow.deltaisland.io.
Improve the native deploy script verification path so a successful service restart is reported cleanly.