Lab: Better Auth rejects requests on hostnames not in hardcoded trustedOrigins (signup/signin broken on non-canonical hosts)

Summary

After PR #470 (multi-hostname feature), Better Auth rejects every state-changing request with ERR: Invalid origin when the inbound Origin header is anything other than the four hardcoded entries:

https://swamp.club
https://swamp-club.com
http://localhost:8000
http://127.0.0.1:8000

This breaks signup, signin, password reset, and email verification on any deployment running on a different host:

UAT (Playwright suite in web-deploy.yml): the harness picks a free port via findFreePort() and runs the app at e.g. http://localhost:40669. Every signup-touching test fails. With workers: 1 and retries: 2, all 29 specs hit the failure path × 3 attempts × ~40s of compose-up/teardown per cycle ≈ ~58 min worst case (the "Web: Deploy" step appears stuck in a loop). Confirmed locally — captured ERR: Invalid origin in the Playwright error-context.md from tests/club/flows/email_signup.spec.ts.
Any preview/staging/tunnel deployment that doesn't set TRUSTED_ORIGINS.

Steps to reproduce

Check out main at 6042191 (or any commit after #470).
cd swamp-uat && SWAMP_CLUB_SOURCE_DIR=/path/to/swamp-club CI=true deno run -A npm:playwright test --project=club --workers=1 tests/club/flows/email_signup.spec.ts --reporter=line
Test fails: expect(page).toHaveURL(/\/check-email/) — page stays on /signup.
Inspect test-results/.../error-context.md — DOM contains <alert>ERR: Invalid origin</alert>.

Root cause

lib/auth.ts:48-56 hardcodes the trustedOrigins list. The previous version included ...(authURL ? [authURL] : []) to add BETTER_AUTH_URL to the allowlist; that line was dropped in 0f8842c when the multi-hostname code landed.

Suggested fix (one line)

const authURL = Deno.env.get("BETTER_AUTH_URL");
const trustedOrigins = Array.from(
  new Set([
    "https://swamp.club",
    "https://swamp-club.com",
    "http://localhost:8000",
    "http://127.0.0.1:8000",
    ...(authURL ? [authURL] : []),
    ...extraTrustedOrigins,
  ]),
);

UAT compose already sets BETTER_AUTH_URL: http://localhost:${HOST_PORT} (the random port), so this restores the previous behavior without affecting production multi-hostname routing.

Environment

swamp-club: 6042191 (main)
swamp-uat: 1096f53 (main)
Node/Deno: pinned per workflow (deno 2.7.11)
Playwright: 1.59.1 / 1.58.2

Add swamp data delete command to remove a data artifact by model and name

add `swamp doctor extensions` subcommand for on-demand extension load diagnostics

AI agent skipped adversarial review step before smoke testing extension code

Better Auth rejects requests on hostnames not in hardcoded trustedOrigins (signup/signin broken on non-canonical hosts)

Local extension models in extensions/models are not discovered in fresh repo tutorial flow

ticket 1138 not clear - can we still use github?

Drag Windows into the Swamp

Add `swamp extension test` command to run built-in extension tests with coverage

swamp repo init --tool kiro does not create .kiro/settings/cli.json

Support multi-agent repo initialization (multiple --tool targets)

CLI dumps 300-line Cliffy Command object on unknown flags / subcommands

Docs: repository-configuration.md missing defaultDriver / defaultDriverConfig

Server-side parse query params on /lab/all so refresh preserves multi-filter URLs

fast-path sidecar TOCTOU: post-op HEAD can record generation from a concurrent writer's push, masking their data on next sync

Scorer should honour files/deno.json imports so bare specifiers resolve

@swamp/gcs-datastore: same minutes-slow zero-diff sync cliff as lab/164; mirror fingerprint fast path

cleanup for repoDriver

swamp datastore sync is minutes-slow at 4k-file scale even with zero-diff; outer 300s timeout fires

swamp-extension-publish skill: add quality rubric check before push

New @swamp extension: extension quality rubric checker for CI

swamp-extension-quality and swamp-extension-publish skills don't guide zod import map resolution for scorer

swamp repo upgrade deletes extension model source files

Add repo-level `defaultDriver` to `.swamp.yaml`

User report extensions registered lazily are silently skipped during method execution

swamp extension install: datastore push hangs ~8.5m then crashes with Deno TLS panic (tls_wrap.rs:1918 unwrap on None)

Add a preflight diagnostic for AI-tool audit integrations (so upstream CLI changes stop breaking us silently)

audit record --from-hook silently drops input from kiro-cli postToolUse hooks

codegen pipelines don't detect _lib/*.ts changes so manifest CalVer never bumps

Link to namespace extensions listing from profile pages

Trailing slash on /extensions/@<namespace>/ returns 404

No way to browse all extensions belonging to a collective by URL

DatastoreProvider.resolveCachePath declared optional but silently required at runtime

Accept-invite link returns HTML instead of JSON, breaking collective join

additionalFiles flatten to basenames on push and lack a runtime access API, creating a source-vs-pulled layout mismatch

Extension search returns inflated results for quoted phrase queries

Docs: document jsr:/https: imports and non-local pinning convention in user-facing manual

First-class jsr: specifier support in extension bundler

Cross-extension code sharing via manifest exports field

Extension models: document/resolve implicit-any in execute parameters when imported by test files

extension yank: allow unyank and version-specific yanks

extension source add does not discover brand new types — only overrides already-pulled types

Add light mode to swamp.club and swamp open UI

Add 'swamp open' command to open the swamp.club web UI

Add light mode to swamp.club website

Datastore sync surfaces opaque errors from extensions verbatim — no status code or body preview

@swamp/s3-datastore: first-attempt 403 masked as "UnknownError" from AWS SDK deserializer

Extension auto-resolve reports "already_installed" for truncated pulled-extension trees

Email delivery for mention notifications

Auto-update WARN is silent in --json mode (logger suppresses non-fatal)

open.ts web UI uses force:true pullExtension, same data-loss family as #126

Port bundle_freshness (content-fingerprint cache invalidation) to reports / drivers / datastores / vaults loaders

Mentions and notifications system for issues

Datastore auto-update in resolve_datastore.ts uses force:true, risking silent overwrite of local edits

Per-repo user-extension bundle cache doesn't invalidate on source changes

Adding methods to in-body `methods:{}` on `export const model` doesn't re-register

User extensions silently dropped when base type not yet registered at scan time

Footer floats when page content is shorter than viewport

workflow validate can silently overwrite local edits to pulled extensions via force-pull in auto-resolver

Extension pull should namespace files by extension to prevent filename collisions

Update CLAUDE.md co-author instructions to use swamp-club issue author lookup

Add swamp issue get CLI command to fetch issue details

swamp-club API: include issue author in GET /api/v1/lab/issues/{number} response

Install command curl-pipe-sh overflows the component on swamp.club homepage

'Assigned to me' overlaps 'Privacy policy' on short viewports

Collapsible left rail and repositionable right rail in Lab

Usernames aren't linked to their profile pages

Filter lab issues by author (opened by user)

Add skills extension type for bundling agent/human guidance documents

Remove traffic lights in column 2 of /lab

Multi-select combo filtering on /lab

data gc skips version-count GC when no lifetime-expired data exists

Content filter should identify the flagged word or phrase

Bog flow: text rendering and layout issues

Flow modal: text rendering issues

Normalize text sizing across issue list and detail views

Description 'Show more' button appears even when text fits

Inline editing: click-to-edit fields instead of pencil icons

Persist lab filter selection in localStorage

Update how-to guide with swamp-extension-publish skill

Fix incorrect favicon in Google search results