Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

🤖 PR Status (matthew-pr-worker)

PR: #23 — fix(dashboard): remove CORS wildcard from /api/pulse (PILOT-300)
State: OPEN · Mergeable: ✅ CLEAN
Branch: openclaw/pilot-300-20260530-175036 → main

CI Checks (2/2 passing ✅)

Diff Stats

• Files: 1 (dashboard/dashboard.go)
• Changes: +0 / −1 (1 Δ)
• Labels: none
• Canary: not-configured (single-line CORS header removal)

Classification

Wave 1 · Action: pr-status + pr-explain · Tier: small

matthew-pr-worker tick 2026-05-30T18:20Z

🤖 PR Explain (matthew-pr-worker)

What this PR does (PILOT-300)

Problem: /api/pulse emitted Access-Control-Allow-Origin: * with no authentication. Any external website visited by the dashboard operator could fetch('/api/pulse') cross-origin and silently read:

• Real-time request count
• 60-second pulse sample ring (request rate over time)

This leaks a server-load fingerprint — an attacker learns peak request rates and busy windows, which can inform timing of attacks or deployments.

Fix: Remove the single Access-Control-Allow-Origin: * header from the /api/pulse handler (line 545 of dashboard/dashboard.go). Same-origin dashboard JS is unaffected — CORS only gates cross-origin fetches. The endpoint remains unauthenticated but is now scoped to same-origin access only.

Walkthrough

Details

• Single-line removal — no logic change, no new imports, no test changes needed (pulse endpoint tests don't assert CORS headers)
• Builds clean: go build ./... ✅, go vet ./... ✅, go test ./... ✅ (all 18 packages)

Scope

• Tier: small (1 file, +0/−1)
• Verdict: ✅ minimal, targeted fix — removes an information leak vector

matthew-pr-worker tick 2026-05-30T18:20Z