Fix blank UI bootstrapping and production static delivery

[ChrisAdamsdevelopment]

Superseded by PR #8, which stabilized the root frontend build, React mount, Tailwind/global CSS, and backend static SPA serving from latest main.

[sourcery-ai]

Reviewer's Guide

Mounts the React frontend into the DOM, introduces a global Tailwind-based stylesheet for consistent dark-theme styling, and enhances the Node/Express server to support robust multi-origin CORS configuration and production static SPA delivery from the Vite dist bundle.

Sequence diagram for CORS handling and SPA static delivery

sequenceDiagram
    participant Browser
    participant ExpressApp
    participant CORSConfig
    participant StaticDist
    participant SPAFallback
    participant APIHandlers

    Browser->>ExpressApp: GET /
    ExpressApp->>StaticDist: Serve index.html from dist
    StaticDist-->>Browser: index.html + assets

    Browser->>Browser: Initialize JS bundle
    Browser->>Browser: createRoot(rootElement).render(App)

    Browser->>ExpressApp: GET /api/health
    ExpressApp->>CORSConfig: Validate origin against configuredOrigins
    CORSConfig-->>ExpressApp: Origin allowed or error
    alt Origin allowed
        ExpressApp->>APIHandlers: Handle /api/health
        APIHandlers-->>Browser: { status: ok, time: ... }
    else Origin blocked
        ExpressApp-->>Browser: CORS error response
    end

    Browser->>ExpressApp: GET /non_api_route
    ExpressApp->>SPAFallback: Route * (non /api)
    SPAFallback-->>Browser: dist/index.html

Loading

File-Level Changes

Change	Details	Files
Harden CORS configuration to support multiple allowed origins, wildcards, and explicit blocking of disallowed origins.	Parse ALLOWED_ORIGIN (or FRONTEND_URL fallback) into a trimmed, non-empty list of configured origins. Configure cors origin handler as a callback that allows requests with no origin, any origin when '*' is configured, or only origins explicitly listed. Return an explicit error via the CORS callback when the request origin is not allowed to avoid silent failures.	server.js
Serve built frontend assets from the backend and add SPA fallback routing so production deployments can deliver the Vite bundle.	Resolve a dist directory path relative to __dirname and check for its existence at startup. Register express.static middleware on the dist directory to serve built assets when present. Add a catch-all GET route that bypasses /api/* paths and otherwise serves dist/index.html to support client-side routing. Preserve existing API routes and error handling while inserting static serving logic near server startup.	server.js
Ensure the React application mounts into the DOM entry point using React 18 APIs.	Lookup the DOM element with id 'root' and throw a descriptive error if it is missing. Create a React 18 root via createRoot(rootElement). Render the App component inside React.StrictMode into the created root at module load time.	app.tsx
Introduce a global Tailwind-based stylesheet to provide consistent dark-theme baseline styling for the app.	Add a main.css file that imports Tailwind base, components, and utilities directives. Set a dark color-scheme and full-height layout for html, body, and #root, with zero margin. Define a default sans-serif font stack and dark background/light foreground colors for the body to ensure consistent UI presentation.	src/main.css

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• The global error-handling middleware currently appears before the new static file / SPA fallback routes, so any errors thrown in those handlers will bypass the centralized error handler; consider moving the error middleware to the very end of the middleware chain.
• The CORS origin callback now throws an Error for disallowed origins, which will surface as a generic 500 response via the global error handler; consider instead returning a controlled 4xx response (or using the cors package’s options callback style to signal rejection) so clients get a clearer CORS failure rather than an internal error.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The global error-handling middleware currently appears before the new static file / SPA fallback routes, so any errors thrown in those handlers will bypass the centralized error handler; consider moving the error middleware to the very end of the middleware chain.
- The CORS origin callback now throws an Error for disallowed origins, which will surface as a generic 500 response via the global error handler; consider instead returning a controlled 4xx response (or using the `cors` package’s options callback style to signal rejection) so clients get a clearer CORS failure rather than an internal error.

## Individual Comments

### Comment 1
<location path="server.js" line_range="128-132" />
<code_context>
+
 app.use(cors({
-  origin: ALLOWED_ORIGIN,
+  origin: (origin, cb) => {
+    if (!origin || configuredOrigins.includes('*') || configuredOrigins.includes(origin)) {
+      return cb(null, true);
+    }
+    return cb(new Error(`CORS blocked for origin: ${origin}`));
+  },
   methods: ['GET', 'POST'],
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Consider returning `cb(null, false)` instead of an Error for disallowed CORS origins.

Using an Error here will likely produce a 500-style response and may hit the global error handler, instead of just denying the request. It can also expose internal error messages to clients depending on error serialization. Returning `cb(null, false)` ensures disallowed origins are treated as expected CORS denials rather than server errors.

Suggested implementation:

```javascript
app.use(cors({
  origin: (origin, cb) => {
    if (!origin || configuredOrigins.includes('*') || configuredOrigins.includes(origin)) {
      return cb(null, true);
    }
    return cb(null, false);
  },
  methods: ['GET', 'POST'],

```

If you want to log blocked origins for observability without turning them into server errors, you can add a logging call (e.g. `console.warn` or your logger) before `cb(null, false)` within the same `origin` function.
</issue_to_address>

### Comment 2
<location path="server.js" line_range="556" />
<code_context>
 app.use((err, req, res, _next) => {
</code_context>
<issue_to_address>
**issue (bug_risk):** New routes and static middleware are being registered after the global error handler, which can prevent errors from those routes from hitting this handler.

Express error handlers are order-dependent and should be registered last so any `next(err)` from routes or middleware reaches them. Please move this global error handler below the `dist` static middleware and `/api/health` route (including the catch‑all `app.get('*', ...)`) so those paths use the same centralized error handling.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (bug_risk): Consider returning cb(null, false) instead of an Error for disallowed CORS origins.

Using an Error here will likely produce a 500-style response and may hit the global error handler, instead of just denying the request. It can also expose internal error messages to clients depending on error serialization. Returning cb(null, false) ensures disallowed origins are treated as expected CORS denials rather than server errors.

Suggested implementation:

app.use(cors({
  origin: (origin, cb) => {
    if (!origin || configuredOrigins.includes('*') || configuredOrigins.includes(origin)) {
      return cb(null, true);
    }
    return cb(null, false);
  },
  methods: ['GET', 'POST'],

If you want to log blocked origins for observability without turning them into server errors, you can add a logging call (e.g. console.warn or your logger) before cb(null, false) within the same origin function.

[sourcery-ai]

issue (bug_risk): New routes and static middleware are being registered after the global error handler, which can prevent errors from those routes from hitting this handler.

Express error handlers are order-dependent and should be registered last so any next(err) from routes or middleware reaches them. Please move this global error handler below the dist static middleware and /api/health route (including the catch‑all app.get('*', ...)) so those paths use the same centralized error handling.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4fa578c004

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid throwing errors for non-whitelisted origins

Returning cb(new Error(...)) here turns a CORS mismatch into an application error, so requests from any origin not in configuredOrigins now fail with a 500 before reaching route handlers. This is a production regression for deployments that rely on defaults (e.g., serving dist from this same server while FRONTEND_URL remains http://localhost:5173), because browser POST calls include an Origin header and will be rejected as internal errors. CORS rejections should be handled as policy decisions (e.g., cb(null, false)) rather than server exceptions.

Useful? React with 👍 / 👎.