fix(webapp): scope RUNTIME_API_ORIGIN to managed (deployed) runs only

Dev (CLI) task runs typically execute on a developer's machine outside any
cluster, so forcing them onto the runner-bypass origin (which usually points
at an in-cluster service URL) would make the URL unreachable. Restore the
original API_ORIGIN/APP_ORIGIN chain for resolveBuiltInDevVariables and keep
RUNTIME_API_ORIGIN only in resolveBuiltInProdVariables, where managed runner
pods inside the cluster are the actual target.

Also clarify the scope in env.server.ts and .env.example so operators know
to expect dev CLI to keep using the public origin even when RUNTIME_API_ORIGIN
is set for prod runners.

Author: ThullyoCunha

apps/webapp/app/env.server.ts

@@ -127,14 +127,17 @@ const EnvironmentSchema = z
     LOGIN_RATE_LIMITS_ENABLED: BoolEnv.default(true),
     APP_ORIGIN: z.string().default("http://localhost:3030"),
     API_ORIGIN: z.string().optional(),
-    // Origin that the webapp publishes to runner pods as both `TRIGGER_API_URL`
-    // and (as the first fallback) `TRIGGER_STREAM_URL`. When self-hosting
-    // behind a tracing-enabled gateway (Envoy/Istio/etc.) that rewrites the
-    // W3C `traceparent` on egress, point this at an in-cluster service URL so
-    // runner-to-webapp traffic stays inside the cluster and the parent->child
-    // run link in the trace tree is preserved. Empty string is normalized to
-    // unset so blank `${RUNTIME_API_ORIGIN:-}` passthroughs in
-    // `docker-compose.yml` don't short-circuit the `??` fallback chain.
+    // Origin that the webapp publishes to MANAGED (deployed) runner pods as
+    // both `TRIGGER_API_URL` and (as the first fallback) `TRIGGER_STREAM_URL`.
+    // When self-hosting behind a tracing-enabled gateway (Envoy/Istio/etc.)
+    // that rewrites the W3C `traceparent` on egress, point this at an
+    // in-cluster service URL so runner-to-webapp traffic stays inside the
+    // cluster and the parent->child run link in the trace tree is preserved.
+    // Intentionally NOT used for dev (CLI) task runs, which usually run on a
+    // developer's machine outside the cluster and would lose connectivity if
+    // forced onto an in-cluster URL. Empty string is normalized to unset so
+    // blank `${RUNTIME_API_ORIGIN:-}` passthroughs from caller environments
+    // don't short-circuit the `??` fallback chain.
     RUNTIME_API_ORIGIN: z
       .string()
       .optional()

apps/webapp/app/v3/environmentVariables/environmentVariablesRepository.server.ts

@@ -963,11 +963,11 @@ async function resolveOverridableTriggerVariables(
 
 /**
  * Resolves built-in environment variables that are injected into dev (CLI) task
- * runs. `TRIGGER_API_URL` and `TRIGGER_STREAM_URL` prefer `RUNTIME_API_ORIGIN`
- * over `API_ORIGIN`/`STREAM_ORIGIN` so self-hosted deployments can keep
- * runner-to-webapp traffic on a cluster-internal hop (bypassing tracing-enabled
- * gateways that rewrite the W3C `traceparent` header on egress) without
- * affecting the public origins exposed to external clients.
+ * runs. Dev CLI typically runs on a developer's machine outside any cluster,
+ * so the runner-bypass `RUNTIME_API_ORIGIN` (which usually points at an
+ * in-cluster service URL) is intentionally NOT applied here -- using it would
+ * make the URL unreachable for the dev CLI. Dev keeps the original
+ * `API_ORIGIN`/`STREAM_ORIGIN`/`APP_ORIGIN` chain.
  */
 async function resolveBuiltInDevVariables(runtimeEnvironment: RuntimeEnvironmentForEnvRepo) {
   let result: Array<EnvironmentVariable> = [
@@ -977,11 +977,11 @@ async function resolveBuiltInDevVariables(runtimeEnvironment: RuntimeEnvironment
     },
     {
       key: "TRIGGER_API_URL",
-      value: env.RUNTIME_API_ORIGIN ?? env.API_ORIGIN ?? env.APP_ORIGIN,
+      value: env.API_ORIGIN ?? env.APP_ORIGIN,
     },
     {
       key: "TRIGGER_STREAM_URL",
-      value: env.RUNTIME_API_ORIGIN ?? env.STREAM_ORIGIN ?? env.API_ORIGIN ?? env.APP_ORIGIN,
+      value: env.STREAM_ORIGIN ?? env.API_ORIGIN ?? env.APP_ORIGIN,
     },
   ];
 

hosting/docker/.env.example

@@ -46,14 +46,15 @@ API_ORIGIN=http://localhost:8030
 DEV_OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:8030/otel
 # You may need to set this when testing locally or when using the combined setup
 # API_ORIGIN=http://webapp:3000
-# Optional: origin advertised to runner pods as both TRIGGER_API_URL and
-# TRIGGER_STREAM_URL (intentional: keeps all runner traffic on the same
-# bypass hop). When unset, runners fall back to STREAM_ORIGIN/API_ORIGIN/
-# APP_ORIGIN as before. Set this to an in-cluster service URL when running
-# behind a tracing-enabled gateway that rewrites the W3C `traceparent`
-# header on egress (e.g. Envoy/Istio with tracing on). If you need streams
-# on a dedicated endpoint (CDN, etc.), keep RUNTIME_API_ORIGIN unset and
-# use STREAM_ORIGIN instead.
+# Optional: origin advertised to MANAGED (deployed) runner pods as both
+# TRIGGER_API_URL and TRIGGER_STREAM_URL (intentional: keeps all managed
+# runner traffic on the same bypass hop). Dev (CLI) task runs are NOT
+# affected -- they keep using API_ORIGIN/APP_ORIGIN so a developer running
+# `trigger.dev dev` from outside the cluster doesn't lose connectivity.
+# Set this to an in-cluster service URL when running behind a tracing-enabled
+# gateway that rewrites the W3C `traceparent` header on egress (e.g. Envoy/
+# Istio with tracing on). If you need streams on a dedicated endpoint (CDN,
+# etc.), keep RUNTIME_API_ORIGIN unset and use STREAM_ORIGIN instead.
 # RUNTIME_API_ORIGIN=http://webapp:3000
 
 # Webapp - memory management