Egonex-AI · Lum1104 · Jun 20, 2026 · Jun 20, 2026 · chatgpt-codex-connector · Jun 20, 2026
diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
@@ -1,7 +1,7 @@
 {
   "name": "understand-anything",
   "description": "AI-powered codebase understanding — analyze, visualize, and explain any project",
-  "version": "2.8.1",
+  "version": "2.8.2",
   "author": {
     "name": "Egonex"
   },

diff --git a/.copilot-plugin/plugin.json b/.copilot-plugin/plugin.json
@@ -1,7 +1,7 @@
 {
   "name": "understand-anything",
   "description": "AI-powered codebase understanding — analyze, visualize, and explain any project",
-  "version": "2.8.1",
+  "version": "2.8.2",
   "author": {
     "name": "Egonex"
   },

diff --git a/.cursor-plugin/plugin.json b/.cursor-plugin/plugin.json
@@ -2,7 +2,7 @@
   "name": "understand-anything",
   "displayName": "Understand Anything",
   "description": "AI-powered codebase understanding — analyze, visualize, and explain any project",
-  "version": "2.8.1",
+  "version": "2.8.2",
   "author": {
     "name": "Egonex"
   },

diff --git a/understand-anything-plugin/.claude-plugin/plugin.json b/understand-anything-plugin/.claude-plugin/plugin.json
@@ -1,7 +1,7 @@
 {
   "name": "understand-anything",
   "description": "AI-powered codebase understanding — analyze, visualize, and explain any project",
-  "version": "2.8.1",
+  "version": "2.8.2",
   "author": {
     "name": "Egonex"
   },

diff --git a/understand-anything-plugin/package.json b/understand-anything-plugin/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@understand-anything/skill",
-  "version": "2.8.1",
+  "version": "2.8.2",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

diff --git a/understand-anything-plugin/packages/dashboard/vite.config.ts b/understand-anything-plugin/packages/dashboard/vite.config.ts
@@ -12,6 +12,24 @@ import crypto from "crypto";
 const ACCESS_TOKEN = process.env.UNDERSTAND_ACCESS_TOKEN || crypto.randomBytes(16).toString("hex");
 const MAX_SOURCE_FILE_BYTES = 1024 * 1024;
 
+// Allow users running the dashboard behind a domain / reverse proxy (e.g. on a
+// remote VM) to whitelist the hosting host(s). Vite blocks requests whose Host
+// header is not localhost/an IP unless the host is in `server.allowedHosts`,
+// which otherwise surfaces as "Blocked request. This host is not allowed." (#485).
+// Set UNDERSTAND_ALLOWED_HOSTS to a comma-separated list, or to `all`/`true`/`*`
+// to disable the check entirely. Unset (the default) keeps Vite's strict
+// localhost-only behaviour.
+function parseAllowedHosts(): true | string[] | undefined {
+  const raw = process.env.UNDERSTAND_ALLOWED_HOSTS?.trim();
+  if (!raw) return undefined;
+  if (raw === "all" || raw === "true" || raw === "*") return true;
+  const hosts = raw
+    .split(",")
+    .map((host) => host.trim())
+    .filter(Boolean);
+  return hosts.length > 0 ? hosts : undefined;
+}
+
 function graphFileCandidates(fileName: string): string[] {
   const graphDir = process.env.GRAPH_DIR;
   return [
@@ -184,9 +202,12 @@ export default defineConfig({
 
   // FIX 1 — bind only to localhost, not 0.0.0.0
   // This blocks access from any other device on the same LAN / WiFi.
+  // Override the bind address with UNDERSTAND_HOST (e.g. 0.0.0.0) when serving
+  // from a remote VM, and whitelist the public host via UNDERSTAND_ALLOWED_HOSTS.
   server: {
-    host: "127.0.0.1",
+    host: process.env.UNDERSTAND_HOST || "127.0.0.1",
     port: 5173,
+    allowedHosts: parseAllowedHosts(),
     open: `/?token=${ACCESS_TOKEN}`,
   },
 

diff --git a/understand-anything-plugin/skills/understand-dashboard/SKILL.md b/understand-anything-plugin/skills/understand-dashboard/SKILL.md
@@ -103,3 +103,19 @@ Start the Understand Anything dashboard to visualize the knowledge graph for the
 - The dashboard auto-opens in the default browser via `--open`
 - If port 5173 is already in use, Vite will pick the next available port
 - The `GRAPH_DIR` environment variable tells the dashboard where to find the knowledge graph
+
+### Serving from a remote VM
+
+By default the dev server binds to `127.0.0.1` and Vite rejects requests whose `Host` header is a domain name with `Blocked request. This host ("example.com") is not allowed.` To serve the dashboard from a remote machine accessed via a domain or public IP, set these environment variables before launching Vite:
+
+```bash
+GRAPH_DIR=<project-dir> \
+UNDERSTAND_HOST=0.0.0.0 \
+UNDERSTAND_ALLOWED_HOSTS=example.com,example1.com \
+npx vite
+```
+
+- `UNDERSTAND_HOST` — bind address (use `0.0.0.0` to accept connections from outside localhost). Equivalent to `--host`.
+- `UNDERSTAND_ALLOWED_HOSTS` — comma-separated list of allowed `Host` headers. Use `all` (or `true`/`*`) to disable the check entirely. Leave unset to keep the strict localhost-only default.
+
+The one-time access token is still required, so only people with the tokenized URL can read the knowledge graph.