the last

web-server/server.js

@@ -22,7 +22,7 @@ const sessionMaxAgeMs = Number(process.env.SESSION_MAX_AGE_MS || 1000 * 60 * 60
 const authSecret = process.env.AUTH_SECRET || process.env.SESSION_SECRET || 'robot-installer-dev-secret';
 const secureSessionCookie = getBooleanEnv(process.env.SESSION_COOKIE_SECURE, process.env.NODE_ENV === 'production');
 const publicApiCorsOrigins = getCsvEnv(process.env.WEB_CLIENT_ORIGINS || process.env.PUBLIC_API_CORS_ORIGINS, [
-  'https://robot.installer',
+  'https://app.pnkr.cloud',
   'http://localhost:5173',
   'http://localhost:4173'
 ]);
@@ -225,6 +225,10 @@ function getBooleanEnv(value, fallback) {
   return ['1', 'true', 'yes', 'on'].includes(String(value).toLowerCase());
 }
 
+function escapeShellDoubleQuoted(value) {
+  return String(value || '').replace(/(["\\$`])/g, '\\$1');
+}
+
 function isPublicApiCorsPath(pathname) {
   return pathname === '/api/apps'
     || pathname.startsWith('/api/apps/')
@@ -1377,6 +1381,12 @@ app.get('/api/apps/:appCode/versions/:version/manifest', asyncRoute(async (req,
 app.get('/install-agent.sh', (req, res) => {
   const baseUrl = getBaseUrl(req);
   const agentUrl = `${baseUrl}/packages/agent/latest.deb`;
+  const agentAllowedOrigins = Array.from(new Set([
+    baseUrl,
+    ...publicApiCorsOrigins.filter((origin) => origin !== '*'),
+    'http://localhost:3000',
+    'http://127.0.0.1:3000'
+  ])).join(',');
   res.type('text/x-shellscript').send(`#!/usr/bin/env bash
 set -euo pipefail
 
@@ -1408,7 +1418,7 @@ echo "Configuring Local Installer Agent..."
 mkdir -p /etc/local-installer-agent
 touch "$AGENT_ENV"
 set_agent_env ROBOT_PACKAGE_BASE_URL "$PACKAGE_BASE_URL"
-set_agent_env ALLOWED_ORIGINS "$PACKAGE_BASE_URL,http://localhost:3000,http://127.0.0.1:3000"
+set_agent_env ALLOWED_ORIGINS "${escapeShellDoubleQuoted(agentAllowedOrigins)}"
 set_agent_env ALLOWED_DOWNLOAD_HOSTS "$PACKAGE_HOST,localhost,127.0.0.1"
 
 echo "Starting Local Installer Agent..."