add csp headers for decofile route

[guitavano]

No description provided.

[coderabbitai]

Walkthrough

Version references updated across configuration files to "1.132.4-beta". The release route handler now applies Content Security Policy headers to responses by invoking a CSP utility before returning.

Changes

Cohort / File(s)	Summary
Version Updates deno.json, dev/deno.json, scripts/deno.json	Version field incremented from "1.132.4" to "1.132.4-beta" in all three configuration files.
CSP Headers Implementation runtime/routes/release.ts	Imported setCSPHeaders utility. Modified handler to accept req parameter and wrap response with setCSPHeaders(req.raw, response) before returning.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Version updates are straightforward and repetitive.
• The CSP headers change is localized to one file with a simple wrapper pattern; verify that setCSPHeaders is correctly imported and that the response object is properly structured before wrapping.

Poem

🐰 A beta hop and security's call,
CSP headers wrapped, protecting all,
Three configs sync in versions so fine,
Headers in place—now requests align! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'add csp headers for decofile route' accurately reflects the main change: adding CSP headers to the release route handler via setCSPHeaders integration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch csp-for-decofile

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Tagging Options

Should a new tag be published when this PR is merged?

• 👍 for Patch 1.132.5 update
• 🎉 for Minor 1.133.0 update
• 🚀 for Major 2.0.0 update

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d349bb7 and 6bdee21.

📒 Files selected for processing (4)

• deno.json (1 hunks)
• dev/deno.json (1 hunks)
• runtime/routes/release.ts (1 hunks)
• scripts/deno.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: publish

🔇 Additional comments (5)

dev/deno.json (1)

3-3: LGTM: Version bump for beta release.

The version update to 1.132.4-beta aligns with the corresponding changes in other configuration files.

scripts/deno.json (1)

3-3: LGTM: Version bump for beta release.

The version update to 1.132.4-beta is consistent with the other configuration files in this PR.

deno.json (1)

3-3: LGTM: Version bump for beta release.

The root configuration version update to 1.132.4-beta maintains consistency across all package configurations.

runtime/routes/release.ts (2)

1-1: The setCSPHeaders implementation is correctly defined with signature setCSPHeaders(request: Request, response: Response): Response and the import in release.ts is valid. No issues found.

---

5-5: The req.raw usage is correct. The destructured req property contains the raw field which holds the underlying Request object required by setCSPHeaders. This pattern is consistently used throughout the codebase for accessing the native Request object.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for decofile references
rg -nP --type=ts -C3 'decofile'

# Search for route registration or mapping that might clarify the relationship
rg -nP --type=ts -C3 'release.*route|decofile.*route'

Repository: deco-cx/deco

Length of output: 24629

---

Confirmed: release.ts is the decofile route. Consider applying CSP headers to reload.ts as well.

The release route is correctly mapped to handle the /.decofile path in runtime/handler.tsx. However, runtime/routes/reload.ts also handles decofile operations at /.decofile/reload. For consistency, it should also apply setCSPHeaders to its response.

🤖 Prompt for AI Agents

In runtime/routes/reload.ts around the corresponding response return (similar to
lines 7-15 in runtime/routes/release.ts), the handler currently returns a
Response directly without applying CSP headers; update the handler to wrap the
response with setCSPHeaders(req.raw, response) before returning, mirroring
release.ts, and ensure setCSPHeaders is imported from its module if not already.