Route desktop remote bootstrap auth through Electron main process #2036

Open
r1sk01 wants to merge 2 commits into pingdotgg:main from r1sk01:fix/desktop-remote-http-bridge
@r1sk01 r1sk01 commented Apr 15, 2026

What Changed

Routes desktop remote bootstrap/auth JSON requests through Electron main-process IPC instead of issuing them from the renderer.

Adds the preload bridge, main-process handler, shared IPC contract updates, and tests covering the desktop path while leaving the normal web flow unchanged.

Why

Fixes #1928.

Desktop remote pairing was failing when the remote server did not allow the desktop renderer origin via CORS, because the environment bootstrap/auth flow was being performed directly from the renderer.

Handling those requests in the Electron main process removes the renderer CORS dependency without widening the change into the regular browser path.

Checklist

  • This PR is small and focused
  • I explained what changed and why
  • I included before/after screenshots for any UI changes
  • I included a video for animation/interaction changes

Note

Medium Risk
Introduces a new IPC surface that can issue arbitrary http(s) GET/POST requests from the Electron main process, which increases SSRF/network-access risk if misused despite basic validation.

Overview
Remote environment bootstrap/auth JSON requests in Electron are now proxied through the main process instead of using renderer fetch, avoiding CORS failures against remote servers.

This adds a new desktop:request-json-http IPC endpoint (exposed as desktopBridge.requestJsonHttp) with request validation in the main process and updates fetchRemoteJson to prefer this bridge when present, plus associated contract/type updates and test stubs/coverage for the Electron path.

Reviewed by Cursor Bugbot for commit ae72c23. Bugbot is set up for automated code reviews on this repo.

Note

Route remote bootstrap auth requests through the Electron main process

  • Adds a requestJsonHttp IPC channel (desktop:request-json-http) handled in the Electron main process, supporting GET/POST with optional headers and body, returning status, ok, and body text.
  • Extends DesktopBridge in packages/contracts/src/ipc.ts with DesktopJsonHttpRequest and DesktopJsonHttpResponse types, and exposes desktopBridge.requestJsonHttp to the renderer via the preload context bridge.
  • Modifies fetchRemoteJson in apps/web/src/environments/remote/api.ts to route through desktopBridge.requestJsonHttp when running in Electron, falling back to window.fetch in browser contexts.
  • Behavioral Change: error handling in fetchRemoteJson now reads body text and HTTP status from the bridge response rather than from the fetch Response object directly.

Macroscope summarized ae72c23.
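
The summaries above mention request validation in the main process but the page does not show it. The following is an added example, not code from this PR or the project: a plain-JavaScript validator that a `desktop:request-json-http` handler could run before issuing any request, narrowing the SSRF surface the Bugbot note describes. The function name, the request field names (`url`, `method`, `headers`, `body`), the header allowlist, the 64 KiB body cap and the paired-origin allowlist are all assumptions.

```javascript
// Added example, not the PR's code. The field names (url, method, headers, body),
// header allowlist, body cap and paired-origin allowlist are assumptions.
const ALLOWED_METHODS = new Set(["GET", "POST"]);
const ALLOWED_HEADERS = new Set(["accept", "authorization", "content-type"]);
const MAX_BODY_BYTES = 64 * 1024;

// Returns a normalized request or throws; call it first in the IPC handler.
function validateJsonHttpRequest(raw, pairedOrigins) {
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    throw new TypeError("request must be an object");
  }
  const method = String(raw.method ?? "GET").toUpperCase();
  if (!ALLOWED_METHODS.has(method)) throw new Error(`method not allowed: ${method}`);
  if (typeof raw.url !== "string") throw new TypeError("url must be a string");
  let url;
  try {
    url = new URL(raw.url); // rejects relative and malformed URLs
  } catch {
    throw new Error("url is not an absolute URL");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) throw new Error("userinfo in url not allowed");
  // Compare the parsed origin (scheme + host + port), not a prefix of the raw string.
  if (!pairedOrigins.has(url.origin)) throw new Error(`origin not paired: ${url.origin}`);

  const headers = {};
  for (const [name, value] of Object.entries(raw.headers ?? {})) {
    const key = name.toLowerCase();
    if (!ALLOWED_HEADERS.has(key)) throw new Error(`header not allowed: ${name}`);
    if (typeof value !== "string" || /[\r\n]/.test(value)) {
      throw new Error(`invalid value for header: ${name}`);
    }
    headers[key] = value;
  }

  let body;
  if (raw.body !== undefined) {
    if (method !== "POST") throw new Error("body only allowed with POST");
    if (typeof raw.body !== "string") throw new TypeError("body must be a string");
    if (Buffer.byteLength(raw.body, "utf8") > MAX_BODY_BYTES) throw new Error("body too large");
    body = raw.body;
  }
  return { url: url.href, method, headers, body };
}

// Constructed sample: one paired remote origin (hypothetical host and port).
const SAMPLE_PAIRED = new Set(["https://remote.example.test:3773"]);
```

This check covers only the first request: a handler that follows redirects automatically can still be steered to another origin, so redirects should be handled manually or each `Location` re-validated the same way.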

Co-authored-by: OpenAI Codex <codex@openai.com>
coderabbitai bot commented Apr 15, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions github-actions bot added vouch:unvouched PR author is not yet trusted in the VOUCHED list. size:L 100-499 changed lines (additions + deletions). labels Apr 15, 2026
Co-authored-by: OpenAI Codex <codex@openai.com>
macroscopeapp bot commented Apr 15, 2026

Approvability

Verdict: Needs human review

This PR adds a new IPC channel for routing HTTP requests through Electron's main process, directly affecting authentication flows (bearer session bootstrap, session state, WS tokens). Changes that add network capabilities and touch auth code paths require human review regardless of diff size.

Development

Successfully merging this pull request may close these issues.

[Bug]: "Failed to fetch remote auth endpoint" error when trying to connect to headless remote server