Skip to content

Verify/fix PUBLIC_API_ORIGIN reachability on the self-hosted review instance and alert on regression #6325

Description

@JSONbored

Problem

The "after" placeholder cell in JSONbored/metagraphed#6036's Visual preview table pointed at https://<redacted>.ts.net/loopover/shot?placeholder=loading — a Tailscale MagicDNS (.ts.net) hostname, unreachable from GitHub's public image-fetching servers unless Tailscale Funnel is explicitly enabled for that exact route. This is exactly the failure mode src/selfhost/health.ts's publicOriginReachabilityAdvisory was built to catch (added after a prior documented incident, "JSONbored/loopover PR #4180's live bug") — it logs a boot-time warning when PUBLIC_API_ORIGIN/PUBLIC_SITE_ORIGIN looks like a private/Tailscale hostname, with a PUBLIC_ORIGIN_ACKNOWLEDGED=true opt-out for genuinely Funnel-exposed nodes.

Since the symptom is still live, either: (a) PUBLIC_API_ORIGIN on this self-hosted instance is actually set to the Tailscale hostname and the advisory is firing into logs nobody's watching, or (b) PUBLIC_ORIGIN_ACKNOWLEDGED=true was set without confirming Funnel genuinely publishes that route end-to-end.

This makes EVERY placeholder image (loading/failed/auth-wall) and every on-demand-fallback shot link permanently broken for anyone viewing the PR outside the tailnet — it's not a race condition, it's a structural misconfiguration.

Area

Live self-hosted instance config (redacted — see below) + src/selfhost/health.ts's advisory (visibility/alerting only — the detection logic itself already exists and is correct).

Proposal

  1. Verify the ACTUAL current value of PUBLIC_API_ORIGIN (and PUBLIC_SITE_ORIGIN) on the self-hosted instance reviewing JSONbored's own repos, and whether PUBLIC_ORIGIN_ACKNOWLEDGED is set.
  2. If it's genuinely the Tailscale hostname: either (a) put a real public domain / reverse proxy in front of the instance and point PUBLIC_API_ORIGIN at that, or (b) confirm Tailscale Funnel is actually enabled and serving /loopover/shot publicly end-to-end (a live curl from OUTSIDE the tailnet, not just a config check) before trusting the acknowledgment.
  3. Strengthen the advisory's visibility so this can't silently regress again: wire publicOriginReachabilityAdvisory's warning into whatever this instance's real alerting channel is (Sentry capture, not just a console.warn/log line) so a misconfigured origin surfaces as an actual alert, not something that only a human reading raw logs would notice.

Deliverables

Resources

Boundaries

The live-server verification piece is an infra check, not a code change, and should be done directly (SSH) rather than guessed at. The alerting-wiring piece is a small, scoped code change. Don't touch the capture pipeline's URL-building logic itself here (that's correct as designed — this issue is about the CONFIG VALUE and its observability). Maintainer-only — assigned JSONbored.

Metadata

Metadata

Assignees

Labels

maintainer-onlyOwner-only work — yields no Gittensor points.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions