From aac6d97a143759731431ade9a098b4baa55fc53d Mon Sep 17 00:00:00 2001
From: teknium1 <127238744+teknium1@users.noreply.github.com>
Date: Fri, 15 May 2026 12:11:08 -0700
Subject: [PATCH] chore(xai-oauth): trim CORS allowlist to xAI auth origins
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Drop accounts.mouseion.dev and localhost:20000 / 127.0.0.1:20000 from the loopback callback CORS allowlist — leftover dev origins. The redirect_uri is bound to 127.0.0.1 and gated by PKCE + state, so only xAI's own auth origins are needed.

Co-Authored-By: Jaaneek
---
 hermes_cli/auth.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hermes_cli/auth.py b/hermes_cli/auth.py
index 8749cd9461c..c6dce709384 100644
--- a/hermes_cli/auth.py
+++ b/hermes_cli/auth.py
@@ -2081,12 +2081,12 @@ def _xai_validate_loopback_redirect_uri(redirect_uri: str) -> tuple[str, int, st
 def _xai_callback_cors_origin(origin: Optional[str]) -> str:
+    # CORS allowlist for the loopback callback. Only xAI's own auth origins
+    # are accepted; the redirect_uri itself is bound to 127.0.0.1 and gated by
+    # PKCE+state, so additional dev/3p origins are not needed here.
     allowed = {
         "https://accounts.x.ai",
         "https://auth.x.ai",
-        "https://accounts.mouseion.dev",
-        "http://localhost:20000",
-        "http://127.0.0.1:20000",
     }
     return origin if origin in allowed else ""
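Review bot: The allowlist is rebuilt as a fresh set on every call and the security rationale sits in an inline comment instead of on the function, so the contract of `_xai_callback_cors_origin` is still undocumented for callers: hoist it to a module-level `_XAI_CALLBACK_CORS_ORIGINS = frozenset({"https://accounts.x.ai", "https://auth.x.ai"})` with the new comment attached there, and give the function a docstring along the lines of `"""Return *origin* if it exactly matches an allowed xAI auth origin, else "" (no Access-Control-Allow-Origin should be emitted)."""`. Stating that the match is exact-string (scheme, host and port, no trailing slash, `None` → `""`) is worth recording, since that strictness is the property this trim relies on. Whether the caller also sends `Vary: Origin` alongside the reflected origin is outside this hunk and I could not confirm it here.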