feat(opencode): allow vscode-webview:// origins in cors allowlist

[weicheng59]

Issue for this PR

None — improves out-of-the-box behavior for VS Code webview integrations.

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

Adds vscode-webview://* to isAllowedCorsOrigin's built-in allowlist in packages/opencode/src/server/cors.ts, mirroring the existing tauri://localhost allowance.

Why this matters in practice. VS Code assigns every WebviewPanel a fresh vscode-webview://<random-guid> origin — the suffix is unguessable per-panel by design. An extension that embeds opencode and hosts UI in a webview has to:

1. Pass each panel's origin via repeated --cors flags at spawn time, and
2. Restart opencode every time the user opens a new panel — the allowlist is exact-match (opts?.cors?.includes(input), no wildcards), and there's no way to extend it without a respawn.

That restart kills any in-flight turn. Opening a new editor tab interrupts generation in the existing tab. We're shipping a VS Code extension that wraps opencode and hit this every time. With this patch, our extension stops needing --cors plumbing at all for the webview case.

vscode-webview:// is the same shape as the already-allowed tauri://localhost:

• Both wrap a local IDE host, not a remote site.
• Both talk to the loopback opencode server, which is bearer-token-auth'd separately.
• The CORS allowance is ceremony for what is architecturally same-origin traffic.

Relation to #28743. That PR adds explicit cors: ["*"] wildcard support — opt-in for users who want everything allowed. This PR is complementary: a hardcoded allowance for a specific safe scheme, so the common case of "wrap opencode in a VS Code webview" works without any --cors configuration. Both can land independently.

How did you verify your code works?

Added a regression test in packages/opencode/test/server/httpapi-cors.test.ts alongside the existing tauri / custom-cors cases, asserting a vscode-webview://<guid> preflight passes without any --cors argument.

$ bun test test/server/httpapi-cors.test.ts
 4 pass
 0 fail

Built v1.15.7 + this patch from source and verified end-to-end in our VS Code extension: opening multiple webview panels no longer requires restarting opencode, and no longer interrupts in-flight turns in sibling panels.

Screenshots / recordings

Not a UI change.

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

Hey! Your PR title feat(server/cors): allow vscode-webview:// origins by default doesn't follow conventional commit format.

Please update it to start with one of:

• feat: or feat(scope): new feature
• fix: or fix(scope): bug fix
• docs: or docs(scope): documentation changes
• chore: or chore(scope): maintenance tasks
• refactor: or refactor(scope): code refactoring
• test: or test(scope): adding or updating tests

Where scope is the package name (e.g., app, desktop, opencode).

See CONTRIBUTING.md for details.

[github-actions]

The following comment was made by an LLM, it may be inaccurate:

I found a potentially related PR:

PR #28743: feat(server): add wildcard CORS origin support
#28743

This PR appears to be related as it also addresses CORS origin handling in the server. It may be exploring a broader wildcard approach to CORS origins, which could overlap with or complement the vscode-webview specific allowance in PR #28806. You may want to check if #28743 already handles the vscode-webview case or if there's overlap in approach.

[github-actions]

Thanks for updating your PR! It now meets our contributing guidelines. 👍