From 4570fd7491cbcfab1bbd7be4b847e388a972f340 Mon Sep 17 00:00:00 2001
From: Z User
Date: Tue, 16 Jun 2026 00:43:18 +0000
Subject: [PATCH] fix: update CORS whitelist to mimo.xiaomi.com (#139), strip stack traces from error responses (#154), redact MCP access tokens (#156)

- CORS middleware: regex whitelist changed from opencode.ai to mimo.xiaomi.com so the web UI and desktop app can make cross-origin requests after the rebrand.
- Error handler: use err.message instead of err.stack in 500 responses, preventing internal file paths, dependency versions, and code structure from leaking to clients.
- MCP auth status: replace partial access token display (first 20 chars) with 'present'/'missing' to prevent token leakage via screen recordings, terminal logs, or shoulder-surfing.
---
 packages/opencode/src/cli/cmd/mcp.ts | 2 +-
 packages/opencode/src/server/middleware.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/opencode/src/cli/cmd/mcp.ts b/packages/opencode/src/cli/cmd/mcp.ts
index 6b59e5b7..01362ef8 100644
--- a/packages/opencode/src/cli/cmd/mcp.ts
+++ b/packages/opencode/src/cli/cmd/mcp.ts
@@ -678,7 +678,7 @@ export const McpDebugCommand = cmd({
 prompts.log.info(`Auth status: ${getAuthStatusIcon(authStatus)} ${getAuthStatusText(authStatus)}`)
 if (entry?.tokens) {
- prompts.log.info(` Access token: ${entry.tokens.accessToken.substring(0, 20)}...`)
+ prompts.log.info(` Access token: ${entry.tokens.accessToken ? "present" : "missing"}`)
 if (entry.tokens.expiresAt) {
 const expiresDate = new Date(entry.tokens.expiresAt * 1000)
 const isExpired = entry.tokens.expiresAt < Date.now() / 1000
diff --git a/packages/opencode/src/server/middleware.ts b/packages/opencode/src/server/middleware.ts
index 92bb3acb..b396003f 100644
--- a/packages/opencode/src/server/middleware.ts
+++ b/packages/opencode/src/server/middleware.ts
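Review bot: The reason no part of the token is printed any more lives only in the commit message, so a later maintainer reading the `Access token:` line could plausibly "improve" it back to a prefix; add a comment above the added `prompts.log.info` line, e.g. `// Report presence only: this output lands in terminal logs and screen captures, so never print token material, even truncated.` The enclosing `if (entry?.tokens)` block and McpDebugCommand continue outside the hunk, so whether any other field of `entry.tokens` is still printed in full cannot be checked from here and is worth a look in the same pass.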
@@ -31,7 +31,7 @@ export const ErrorMiddleware: ErrorHandler = (err, c) => {
 return c.json(new NamedError.Unknown({ message: err.message }).toObject(), { status: 409 })
 }
 if (err instanceof HTTPException) return err.getResponse()
- const message = err instanceof Error && err.stack ? err.stack : err.toString()
+ const message = err instanceof Error ? err.message : err.toString()
 return c.json(new NamedError.Unknown({ message }).toObject(), {
 status: 500,
 })
@@ -80,7 +80,7 @@ export function CorsMiddleware(opts?: { cors?: string[] }): MiddlewareHandler {
 if (input === "tauri://localhost" || input === "http://tauri.localhost" || input === "https://tauri.localhost") return input
- if (/^https:\/\/([a-z0-9-]+\.)*opencode\.ai$/.test(input)) return input
+ if (/^https:\/\/([a-z0-9-]+\.)*mimo\.xiaomi\.com$/.test(input)) return input
 if (opts?.cors?.includes(input)) return input
 },
 })
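Review bot: Dropping `err.stack` from the 500 body leaves nothing in this hunk that records the stack server-side, so unless an earlier line of ErrorMiddleware (the arrow function starts before the hunk) already logs it, the change trades a client-side leak for a lost diagnostic; log the full error, stack included, through the project's server-side logger before building the response. `err.message` is also still raw internal text rather than a client-facing string — runtime filesystem errors, for instance, embed absolute paths in the message — so the leak the commit describes is narrowed, not closed. If clients do not depend on the message, return a fixed string such as `"internal server error"` and keep the detail in the log; if they do, add a comment on the added line noting that `err.message` is still trusted to be free of internal detail, so that assumption is visible.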
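Review bot: The new pattern in the CORS origin callback trusts every subdomain of mimo.xiaomi.com at any depth (`([a-z0-9-]+\.)*`), which is a much wider trust boundary than the product's own domain was: any host under that corporate domain that this team does not control becomes a permitted origin, and if the cors options this callback feeds (not visible in the hunk) enable credentials, that extends to authenticated requests. If the web UI and desktop app live on a known set of hosts, match those exactly rather than a wildcard, e.g. `if (/^https:\/\/(<web-ui-host>\.)?mimo\.xiaomi\.com$/.test(input)) return input` with the real hostname substituted (placeholder, not a real host); the `opts.cors` list on the following line already covers deployment-specific extras. CorsMiddleware begins before the hunk, so the remaining cors options and how the returned origin is used cannot be checked from here.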