fix(dashboard): allow configuring Vite host + allowedHosts for remote serving

Users serving the dashboard from a remote VM accessed via a domain hit Vite's
host check: "Blocked request. This host ("example.com") is not allowed." (#485).
The server config hardcoded host 127.0.0.1 and set no allowedHosts, so the only
workaround was hand-editing vite.config.ts.

Add two env vars, keeping the strict localhost-only default:
- UNDERSTAND_HOST overrides the bind address (e.g. 0.0.0.0)
- UNDERSTAND_ALLOWED_HOSTS is a comma-separated allowedHosts list; `all`/`true`/`*`
  disables the check entirely

Document both in the understand-dashboard skill. The one-time access token still
gates the data endpoints. Bump version to 2.8.2.
Lum1104
2026-06-20 19:04:30 +08:00
Unverified
parent 7f5a717694
commit 0a6bd10e6c
7 changed files with 43 additions and 6 deletions
+1 -1
@@ -1,7 +1,7 @@
{
"name": "understand-anything",
"description": "AI-powered codebase understanding — analyze, visualize, and explain any project",
"version": "2.8.1",
"version": "2.8.2",
"author": {
"name": "Egonex"
},
+1 -1
@@ -1,7 +1,7 @@
{
"name": "understand-anything",
"description": "AI-powered codebase understanding — analyze, visualize, and explain any project",
"version": "2.8.1",
"version": "2.8.2",
"author": {
"name": "Egonex"
},
+1 -1
@@ -2,7 +2,7 @@
"name": "understand-anything",
"displayName": "Understand Anything",
"description": "AI-powered codebase understanding — analyze, visualize, and explain any project",
"version": "2.8.1",
"version": "2.8.2",
"author": {
"name": "Egonex"
},
@@ -1,7 +1,7 @@
{
"name": "understand-anything",
"description": "AI-powered codebase understanding — analyze, visualize, and explain any project",
"version": "2.8.1",
"version": "2.8.2",
"author": {
"name": "Egonex"
},
+1 -1
@@ -1,6 +1,6 @@
{
"name": "@understand-anything/skill",
"version": "2.8.1",
"version": "2.8.2",
"type": "module",
"main": "dist/index.js",
"types": "dist/index.d.ts",
@@ -12,6 +12,24 @@ import crypto from "crypto";
const ACCESS_TOKEN = process.env.UNDERSTAND_ACCESS_TOKEN || crypto.randomBytes(16).toString("hex");
const MAX_SOURCE_FILE_BYTES = 1024 * 1024;
// Allow users running the dashboard behind a domain / reverse proxy (e.g. on a
// remote VM) to whitelist the hosting host(s). Vite blocks requests whose Host
// header is not localhost/an IP unless the host is in `server.allowedHosts`,
// which otherwise surfaces as "Blocked request. This host is not allowed." (#485).
// Set UNDERSTAND_ALLOWED_HOSTS to a comma-separated list, or to `all`/`true`/`*`
// to disable the check entirely. Unset (the default) keeps Vite's strict
// localhost-only behaviour.
function parseAllowedHosts(): true | string[] | undefined {
const raw = process.env.UNDERSTAND_ALLOWED_HOSTS?.trim();
if (!raw) return undefined;
if (raw === "all" || raw === "true" || raw === "*") return true;
const hosts = raw
.split(",")
.map((host) => host.trim())
.filter(Boolean);
return hosts.length > 0 ? hosts : undefined;
}
function graphFileCandidates(fileName: string): string[] {
const graphDir = process.env.GRAPH_DIR;
return [
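Review bot: In `parseAllowedHosts`, the `all`/`true`/`*` branch returns `true` silently, which switches off the Host-header check that Vite uses as its DNS-rebinding defence; log a startup warning when that branch is taken so the weaker mode is visible to whoever launched the server. The comparison `raw === "all" || raw === "true" || raw === "*"` is also case-sensitive and applies only to the whole value, so `ALL` or `example.com,*` falls through to the list branch and ends up as a literal host entry. Lower-casing `raw` before the comparison and rejecting (or explicitly handling) a wildcard inside a list would make the behaviour predictable. Entries are not validated either, so a value pasted with a scheme such as `https://example.com` is passed through unchanged and the user gets the same "Blocked request" message with no hint; a warning on entries containing `://` would help.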
@@ -184,9 +202,12 @@ export default defineConfig({
// FIX 1 — bind only to localhost, not 0.0.0.0
// This blocks access from any other device on the same LAN / WiFi.
// Override the bind address with UNDERSTAND_HOST (e.g. 0.0.0.0) when serving
// from a remote VM, and whitelist the public host via UNDERSTAND_ALLOWED_HOSTS.
server: {
host: "127.0.0.1",
host: process.env.UNDERSTAND_HOST || "127.0.0.1",
port: 5173,
allowedHosts: parseAllowedHosts(),
open: `/?token=${ACCESS_TOKEN}`,
},
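Review bot: On the `host:` line, `process.env.UNDERSTAND_HOST || "127.0.0.1"` passes any non-empty string through untrimmed and unvalidated, and the retained "FIX 1" comment above it still says the server binds only to localhost, which is now true only for the default. Reword that comment, trim the value, and print a warning when the resolved host is not a loopback address. Once the bind address is non-loopback, the token in `open: /?token=${ACCESS_TOKEN}` is the only control in front of the data endpoints, and it travels in the query string over whatever transport fronts the dev server, so the warning should say so. It is also worth checking whether `open` should be skipped in that mode, since it launches a browser on the machine running Vite rather than on the remote user's machine.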
@@ -103,3 +103,19 @@ Start the Understand Anything dashboard to visualize the knowledge graph for the
- The dashboard auto-opens in the default browser via `--open`
- If port 5173 is already in use, Vite will pick the next available port
- The `GRAPH_DIR` environment variable tells the dashboard where to find the knowledge graph
### Serving from a remote VM
By default the dev server binds to `127.0.0.1` and Vite rejects requests whose `Host` header is a domain name with `Blocked request. This host ("example.com") is not allowed.` To serve the dashboard from a remote machine accessed via a domain or public IP, set these environment variables before launching Vite:
```bash
GRAPH_DIR=<project-dir> \
UNDERSTAND_HOST=0.0.0.0 \
UNDERSTAND_ALLOWED_HOSTS=example.com,example1.com \
npx vite
```
- `UNDERSTAND_HOST` — bind address (use `0.0.0.0` to accept connections from outside localhost). Equivalent to `--host`.
- `UNDERSTAND_ALLOWED_HOSTS` — comma-separated list of allowed `Host` headers. Use `all` (or `true`/`*`) to disable the check entirely. Leave unset to keep the strict localhost-only default.
The one-time access token is still required, so only people with the tokenized URL can read the knowledge graph.
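Review bot: The closing sentence calls the token "one-time", but the config reads `process.env.UNDERSTAND_ACCESS_TOKEN || crypto.randomBytes(16).toString("hex")`, so the token stays valid for the life of the process (or across runs when set through the env var) and can be reused by anyone who sees the URL; describe it as a per-run or configured access token instead. The section also does not say how a remote user obtains the tokenized URL, given that the note above relies on the browser auto-opening on the machine that runs Vite; add that step, and show `UNDERSTAND_ACCESS_TOKEN` in the example if a stable URL is intended. Since the example binds `UNDERSTAND_HOST=0.0.0.0` and runs `npx vite` directly, add a sentence recommending a TLS-terminating reverse proxy or a firewall rule in front of port 5173, and state next to `all` that it disables Vite's Host-header check rather than only widening it.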