Address code review feedback on endpoint health status component

[Copilot]

Addresses four code review issues in the endpoint health status component: hardcoded localhost usage, incomplete cache key generation, missing cleanup handlers, and undocumented CORS security implications.

Backend-aware health checks

• Added getBaseUrl() to derive URLs from config backend type (local/vercel/postgres)
• Non-local backends return graceful "not supported" message instead of failing silently

Cache key uniqueness

• Include all backend-identifying fields (env, project, team, dataDir) in cache key
• Hash postgres URLs with djb2 to avoid credential exposure in session storage

React cleanup patterns

• AbortController cancels in-flight requests on unmount
• Check signal.aborted before state updates to prevent React warnings
• Finally block ensures setIsChecking(false) runs in all paths
• Default 5s timeout prevents indefinite hangs when signal is undefined

Security documentation

• Document CORS wildcard rationale: health checks expose no sensitive data or state-changing operations

// Before: Always localhost regardless of backend
const baseUrl = `http://localhost:${port}`;

// After: Backend-aware with null for unsupported types
const baseUrl = getBaseUrl(config);
if (!baseUrl) {
  return { message: 'Health checks not supported for this backend' };
}

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[changeset-bot]

🦋 Changeset detected

Latest commit: c6502f9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 13 packages

Name	Type
@workflow/core	Patch
@workflow/web	Patch
@workflow/builders	Patch
@workflow/cli	Patch
@workflow/next	Patch
@workflow/nitro	Patch
@workflow/web-shared	Patch
workflow	Patch
@workflow/astro	Patch
@workflow/sveltekit	Patch
@workflow/world-testing	Patch
@workflow/nuxt	Patch
@workflow/ai	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
example-nextjs-workflow-turbopack	Ready	Preview, Comment	Dec 16, 2025 0:11am
example-nextjs-workflow-webpack	Ready	Preview, Comment	Dec 16, 2025 0:11am
example-workflow	Ready	Preview, Comment	Dec 16, 2025 0:11am
workbench-astro-workflow	Ready	Preview, Comment	Dec 16, 2025 0:11am
workbench-express-workflow	Ready	Preview, Comment	Dec 16, 2025 0:11am
workbench-fastify-workflow	Ready	Preview, Comment	Dec 16, 2025 0:11am
workbench-hono-workflow	Ready	Preview, Comment	Dec 16, 2025 0:11am
workbench-nitro-workflow	Ready	Preview, Comment	Dec 16, 2025 0:11am
workbench-nuxt-workflow	Ready	Preview, Comment	Dec 16, 2025 0:11am
workbench-sveltekit-workflow	Ready	Preview, Comment	Dec 16, 2025 0:11am
workbench-vite-workflow	Ready	Preview, Comment	Dec 16, 2025 0:11am
workflow-docs	Ready	Preview, Comment	Dec 16, 2025 0:11am

[vercel]

Suggested change

	const response = await fetch(url.toString(), {
	method: 'POST',
	// Short timeout for health checks
	signal: AbortSignal.timeout(5000),
	// Use provided signal or default to 5 second timeout
	signal: signal || AbortSignal.timeout(5000),
	// Compose the provided signal with a timeout so we get both behaviors:
	// - The component can abort the request via its controller
	// - The request also times out after 5 seconds if no response
	const timeoutSignal = AbortSignal.timeout(5000);
	const combinedSignal = signal
	? AbortSignal.any([signal, timeoutSignal])
	: timeoutSignal;
	const response = await fetch(url.toString(), {
	method: 'POST',
	signal: combinedSignal,

The health check requests now lack a timeout when called from the component because the abort signal provided is used instead of composing it with the timeout.

View Details

Analysis

Fetch timeout lost when AbortSignal provided to checkEndpointHealth()

What fails: The checkEndpointHealth() function in packages/web/src/components/display-utils/endpoints-health-status.tsx uses the pattern signal: signal || AbortSignal.timeout(5000) which removes the timeout guarantee when a signal is provided. When called from the component's useEffect with abortController.signal, the timeout is discarded, causing fetch requests to hang indefinitely if the server doesn't respond.

How to reproduce:

1. Open a page that uses EndpointsHealthStatus component
2. Start a local server that accepts health check requests but never responds (e.g., nc -l localhost:3000)
3. Observe that the health check request hangs indefinitely instead of timing out after 5 seconds
4. Component can only be freed by unmounting (triggering abortController.abort())

Result: The fetch hangs until component unmounts. With the buggy code using signal || AbortSignal.timeout(5000):

• signal parameter is the abortController.signal (truthy)
• Expression evaluates to signal, not AbortSignal.timeout(5000)
• No timeout is set on the fetch request

Expected: The fetch should timeout after 5 seconds OR when the component unmounts, whichever comes first.

Fix applied: Changed line 120-122 to compose the signals using AbortSignal.any():

const timeoutSignal = AbortSignal.timeout(5000);
const combinedSignal = signal
  ? AbortSignal.any([signal, timeoutSignal])
  : timeoutSignal;

This ensures:

• When no signal is provided: uses AbortSignal.timeout(5000) only
• When signal is provided: composes it with timeout so both behaviors are enforced
• Request aborts if either: (a) the timeout triggers (5 seconds), or (b) the controller aborts (component unmounts)

Verified with Node.js v22.14.0. AbortSignal.any() is available in Node.js 18.17.0+, matching project's minimum requirement of Node.js ^18.0.0.