Problem
The "after" placeholder cell in JSONbored/metagraphed#6036's Visual preview table pointed at https://<redacted>.ts.net/loopover/shot?placeholder=loading — a Tailscale MagicDNS (.ts.net) hostname, unreachable from GitHub's public image-fetching servers unless Tailscale Funnel is explicitly enabled for that exact route. This is exactly the failure mode src/selfhost/health.ts's publicOriginReachabilityAdvisory was built to catch (added after a prior documented incident, "JSONbored/loopover PR #4180's live bug") — it logs a boot-time warning when PUBLIC_API_ORIGIN/PUBLIC_SITE_ORIGIN looks like a private/Tailscale hostname, with a PUBLIC_ORIGIN_ACKNOWLEDGED=true opt-out for genuinely Funnel-exposed nodes.
Since the symptom is still live, either: (a) PUBLIC_API_ORIGIN on this self-hosted instance is actually set to the Tailscale hostname and the advisory is firing into logs nobody's watching, or (b) PUBLIC_ORIGIN_ACKNOWLEDGED=true was set without confirming Funnel genuinely publishes that route end-to-end.
This makes EVERY placeholder image (loading/failed/auth-wall) and every on-demand-fallback shot link permanently broken for anyone viewing the PR outside the tailnet — it's not a race condition, it's a structural misconfiguration.
Area
Live self-hosted instance config (redacted — see below) + src/selfhost/health.ts's advisory (visibility/alerting only — the detection logic itself already exists and is correct).
Proposal
- Verify the ACTUAL current value of
PUBLIC_API_ORIGIN (and PUBLIC_SITE_ORIGIN) on the self-hosted instance reviewing JSONbored's own repos, and whether PUBLIC_ORIGIN_ACKNOWLEDGED is set.
- If it's genuinely the Tailscale hostname: either (a) put a real public domain / reverse proxy in front of the instance and point
PUBLIC_API_ORIGIN at that, or (b) confirm Tailscale Funnel is actually enabled and serving /loopover/shot publicly end-to-end (a live curl from OUTSIDE the tailnet, not just a config check) before trusting the acknowledgment.
- Strengthen the advisory's visibility so this can't silently regress again: wire
publicOriginReachabilityAdvisory's warning into whatever this instance's real alerting channel is (Sentry capture, not just a console.warn/log line) so a misconfigured origin surfaces as an actual alert, not something that only a human reading raw logs would notice.
Deliverables
Resources
Boundaries
The live-server verification piece is an infra check, not a code change, and should be done directly (SSH) rather than guessed at. The alerting-wiring piece is a small, scoped code change. Don't touch the capture pipeline's URL-building logic itself here (that's correct as designed — this issue is about the CONFIG VALUE and its observability). Maintainer-only — assigned JSONbored.
Problem
The "after" placeholder cell in JSONbored/metagraphed#6036's Visual preview table pointed at
https://<redacted>.ts.net/loopover/shot?placeholder=loading— a Tailscale MagicDNS (.ts.net) hostname, unreachable from GitHub's public image-fetching servers unless Tailscale Funnel is explicitly enabled for that exact route. This is exactly the failure modesrc/selfhost/health.ts'spublicOriginReachabilityAdvisorywas built to catch (added after a prior documented incident, "JSONbored/loopover PR #4180's live bug") — it logs a boot-time warning whenPUBLIC_API_ORIGIN/PUBLIC_SITE_ORIGINlooks like a private/Tailscale hostname, with aPUBLIC_ORIGIN_ACKNOWLEDGED=trueopt-out for genuinely Funnel-exposed nodes.Since the symptom is still live, either: (a)
PUBLIC_API_ORIGINon this self-hosted instance is actually set to the Tailscale hostname and the advisory is firing into logs nobody's watching, or (b)PUBLIC_ORIGIN_ACKNOWLEDGED=truewas set without confirming Funnel genuinely publishes that route end-to-end.This makes EVERY placeholder image (loading/failed/auth-wall) and every on-demand-fallback shot link permanently broken for anyone viewing the PR outside the tailnet — it's not a race condition, it's a structural misconfiguration.
Area
Live self-hosted instance config (redacted — see below) +
src/selfhost/health.ts's advisory (visibility/alerting only — the detection logic itself already exists and is correct).Proposal
PUBLIC_API_ORIGIN(andPUBLIC_SITE_ORIGIN) on the self-hosted instance reviewing JSONbored's own repos, and whetherPUBLIC_ORIGIN_ACKNOWLEDGEDis set.PUBLIC_API_ORIGINat that, or (b) confirm Tailscale Funnel is actually enabled and serving/loopover/shotpublicly end-to-end (a livecurlfrom OUTSIDE the tailnet, not just a config check) before trusting the acknowledgment.publicOriginReachabilityAdvisory's warning into whatever this instance's real alerting channel is (Sentry capture, not just aconsole.warn/log line) so a misconfigured origin surfaces as an actual alert, not something that only a human reading raw logs would notice.Deliverables
PUBLIC_API_ORIGIN/PUBLIC_SITE_ORIGINvalue on the self-hosted instance — genuinely publicly reachable by GitHub's servers, verified by an external fetch, not just config inspectionPUBLIC_ORIGIN_ACKNOWLEDGED=trueis set, it reflects a VERIFIED-reachable origin, not an assumptionpublicOriginReachabilityAdvisory's warning is wired to a real alert (Sentry or equivalent), not just a log line, so this can't silently regress again without anyone noticingResources
src/selfhost/health.ts—publicOriginReachabilityAdvisory,looksNonPublic,publicOriginAcknowledgedGaugeValue(existing detection logic, already correct)src/review/visual/capture.ts— wherePUBLIC_API_ORIGINgets embedded into placeholder/on-demand URLsBoundaries
The live-server verification piece is an infra check, not a code change, and should be done directly (SSH) rather than guessed at. The alerting-wiring piece is a small, scoped code change. Don't touch the capture pipeline's URL-building logic itself here (that's correct as designed — this issue is about the CONFIG VALUE and its observability). Maintainer-only — assigned JSONbored.