fix: CSRF 403 — probe port accepts 403 + fuzzy workspace_id matching #2
Open
daocoding wants to merge 1 commit into professional-ALFIE:main from
Two fixes for cascade creation failures (403 Invalid CSRF token):

1. SDK _probePort: Accept 403 in addition to 401 during port discovery
   - The Language Server returns 403 (not 401) for missing/invalid CSRF tokens
   - Without this fix, _probePort rejects all valid LS ports, causing
     the SDK to fall back to extension_server_port (wrong endpoint)

2. Extension workspace_id matching: Add fuzzy fallback via path segments
   - The LS encodes workspace_id using URI-component encoding (: → _3A_)
   - createWorkspaceId_func uses simple regex replacement
   - This encoding mismatch causes exact matching to fail silently
   - fixLsConnection returns without overriding, leaving stale SDK values
   - New behavior: try exact match first, fall back to last-2-segment
     fuzzy match when exact fails

Both issues compound: if SDK auto-discovery picks the wrong port AND
fixLsConnection fails to correct it, every RPC call gets 403.

Tested on macOS with multiple Antigravity windows and workspaces.
036c55b to 8672792
Problem

Cascade creation via the CLI fails with 403 Invalid CSRF token in multi-workspace setups, particularly on macOS with paths containing special characters.

Root Cause

Two compounding issues:

1. _probePort rejects valid Language Server ports

_probePort() in ls-bridge.ts checks for statusCode === 401 || statusCode === 200, but the Language Server returns 403 (not 401) for missing/invalid CSRF tokens. This causes all valid ports to be rejected during auto-discovery, forcing a fallback to extension_server_port (wrong endpoint).

2. fixLsConnection workspace_id matching fails silently

createWorkspaceId_func() encodes workspace paths with simple regex (/[^a-zA-Z0-9]/g → '_'), but the Language Server's --workspace_id flag uses URI-component encoding (: → _3A_, etc.). The exact-match comparison in findMatchingLanguageServerLine_func fails, fixLsConnection returns silently without overriding, and the SDK keeps its stale/wrong connection values.

When both issues compound: SDK picks wrong port + fixLsConnection fails to correct → every RPC call gets 403.

Fix

- ls-bridge.ts: Accept 403 in _probePort (line 588) — the LS uses 403 for CSRF rejection
- ls-process-match.ts: Add fuzzy fallback matching using last 2 path segments when exact workspace_id matching fails

Testing

node --test packages/extension/test/ls-process-match.test.ts)

Files Changed

- packages/sdk/src/transport/ls-bridge.ts — accept 403 in port probe
- packages/extension/src/ls-process-match.ts — fuzzy workspace matching fallback
- packages/extension/test/ls-process-match.test.ts — 2 new test cases
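
The exact-then-fuzzy lookup described in this PR, as an added example that is not the project's code: `matchWorkspace` and `tokens` are hypothetical names, the Language Server id format is assumed from the PR's ": → _3A_" note, and the sample ids are constructed. It goes one step beyond the description by returning null when the last-2-segment fallback fits more than one Language Server id, so an ambiguous match never silently selects another workspace's connection values.

```typescript
// Added example (not project code). LS id format is assumed; sample ids are constructed.
type Match = { id: string; kind: "exact" | "fuzzy" };

// Encoding the PR attributes to createWorkspaceId_func: non-alphanumerics become "_".
function simpleId(path: string): string {
  return path.replace(/[^a-zA-Z0-9]/g, "_");
}

// Reduce either id form to comparable tokens: drop "_XX_" hex escapes
// (assumed LS form, e.g. ":" as "_3A_"), then split on runs of "_".
function tokens(id: string): string[] {
  return id
    .replace(/_[0-9A-F]{2}_/g, "_")
    .split(/_+/)
    .filter((t) => t.length > 0);
}

// Hypothetical matcher: exact id first, then the last-2-segment fallback.
// An ambiguous fallback returns null rather than picking a candidate.
function matchWorkspace(workspacePath: string, lsIds: string[]): Match | null {
  const want = simpleId(workspacePath);
  if (lsIds.indexOf(want) !== -1) return { id: want, kind: "exact" };

  const segs = workspacePath.split("/").filter((s) => s.length > 0);
  if (segs.length < 2) return null; // too little context to match fuzzily
  const tail = tokens(simpleId(segs.slice(-2).join("/")));
  if (tail.length === 0) return null;

  const hits = lsIds.filter((id) => {
    const t = tokens(id);
    const off = t.length - tail.length;
    return off >= 0 && tail.every((x, i) => t[off + i] === x);
  });
  if (hits.length !== 1) return null; // none, or more than one workspace fits
  return { id: hits[0] as string, kind: "fuzzy" };
}

// Constructed ids in the assumed LS encoding.
const LS_API = "file_3A__2F__2F__2F_Users_2F_dev_2F_work_2F_api";
const LS_OTHER = "file_3A__2F__2F__2F_Users_2F_other_2F_work_2F_api";
const LS_WEB = "file_3A__2F__2F__2F_Users_2F_dev_2F_work_2F_web";

console.log(matchWorkspace("file:///Users/dev/work/api", [LS_WEB, LS_API]));
console.log(matchWorkspace("file:///Users/dev/work/api", [LS_API, LS_OTHER]));
```

Logging whether a connection was chosen by the exact or the fuzzy path makes a wrong-workspace override visible when 403s reappear.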