fix: allow Origin: null for /api/asset-cache in sandboxed plugin previews

[daltonnyx]

Why

When running Open Design in Docker, plugin preview HTML is served inside a sandboxed iframe. The iframe loads external media assets (images/videos) through the same-origin proxy route /api/asset-cache?url=<encoded>. Because the iframe is sandboxed, the browser sends Origin: null with the request. The daemon origin-validation middleware rejected Origin: null for /api/asset-cache because it was not in the safe read-only GET allowlist, returning a 403. This worked fine in dev mode (pnpm tools-dev run web) because the dev path often uses srcDoc or raw project file routes that were already allowed.

What users will see

Plugin preview cards and detail pages in Docker/production now correctly load external media assets (Cloudinary images, Higgs videos, etc.) instead of showing broken images with a CSP img-src violation.

Surface area

• UI — new page / dialog / panel / menu item / setting / empty state in apps/web or apps/desktop (including Electron menu bar)
• Keyboard shortcut — new or changed
• CLI / env var — new od subcommand or flag, new tools-dev / tools-pack / tools-pr flag, or new OD_* env var
• API / contract — new /api/* endpoint, new SSE event, or changed shape in packages/contracts
• Extension point — new entry under skills/, design-systems/, design-templates/, or craft/, or change to the skills protocol
• i18n keys — added new translation keys (see TRANSLATIONS.md for the locale workflow)
• New top-level dependency — adding any new entry to the root package.json (dependencies or devDependencies); workspace-package package.json files are out of scope. Include a paragraph on what we get vs. what bytes we ship (see CONTRIBUTING.md → Code style)
• Default behavior change — changes what existing users experience without opting in (default model, default setting, file/SQLite schema, auto-network on startup, auto-install)
• None — internal refactor, docs, tests, or translation update only

Screenshots

Before

After

Bug fix verification

• Test path that reproduces the bug: apps/daemon/tests/origin-validation.test.ts — new test case allows Origin: null for GET asset-cache routes
• Did the test go red on main and green on this branch? (yes / no) yes — added a fake /api/asset-cache route to the test app, asserted GET /api/asset-cache?... with Origin: null returns 200; would fail on main where _NULL_ORIGIN_SAFE_GET_RE does not include /asset-cache
• The production scenario was also verified manually: Docker build + run → open plugin preview → images now load instead of returning 403

Validation

• pnpm --filter @open-design/daemon exec tsc -p tsconfig.tests.json --noEmit --pretty false — passed
• Manual verification: built Docker image, ran container, opened plugin preview page, confirmed external media assets load correctly via /api/asset-cache route without CSP errors

[lefarcen]

Thanks for the clear repro and test seam here, @daltonnyx.

@mrcfps this PR's current head e4daebcf is waiting on your review.

[PerishCode]

@daltonnyx I reviewed the origin-validation middleware change and the regression coverage for /api/asset-cache with Origin: null. The diff stays scoped to the sandboxed read-only GET allowlist while preserving rejection for mutating and non-allowlisted API routes, and the current PR checks are green. Nice work keeping this fix tight and tied to the Docker preview failure.

_{🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.}

[kokisanai]

Hi @daltonnyx!

Your first Open Design PR has been merged! Huge thanks for jumping in and improving the project!

You contributed:

Merged PR: #4487 fix: allow Origin: null for /api/asset-cache in sandboxed plugin previews
#4487

This landed in the daemon/server path around sandboxed preview behavior, so you already have context on backend request handling and edge-case validation in this codebase.

For your next contribution, we picked two issues that look like a good follow-up:

1. [Bug]: Hermes agent fails with 'json-rpc id 2: Internal error' when HERMES_HOME uses non-standard path #4407 [Bug]: Hermes agent fails with 'json-rpc id 2: Internal error' when HERMES_HOME uses non-standard path
   [Bug]: Hermes agent fails with 'json-rpc id 2: Internal error' when HERMES_HOME uses non-standard path #4407

This is a good fit because it stays close to runtime/server edge cases and debugging environment-specific behavior.

2. wix-ja-slide / google-slides daemon: silent private-Drive fallback breaks image insertion under Workspace DLP #569 wix-ja-slide / google-slides daemon: silent private-Drive fallback breaks image insertion under Workspace DLP
   wix-ja-slide / google-slides daemon: silent private-Drive fallback breaks image insertion under Workspace DLP #569

This is a good fit because it also lives in the daemon/backend surface and benefits from careful request-path and failure-mode reasoning.

If one of these looks interesting, feel free to comment /claim on the issue and we will help you get started!

Once your second PR gets merged, you will move into our Continuous Contributor tier. We are also starting to highlight repeat contributors more actively in the community, so this is a great time to keep going!

Thanks again for the first PR, and welcome to the Open Design contributor community!

The Open Design team

P.S. We hang out in Discord — come say hi: https://discord.gg/3C6EWXbdQQ
There's a #contributors channel where folks share what they're working on.