fix: resolve TrustedHostMiddleware rejecting all production requests

The api-worker was deleting the Host header, causing Cloud Run's hostname
to be used instead. TrustedHostMiddleware only allowed *.trycheatcode.com,
rejecting 100% of proxied requests with 400. Forward original host and
allow *.run.app for direct access (Inngest callbacks, monitoring).

Author: iamjr15

api-worker/src/index.ts

@@ -48,9 +48,9 @@ export default {
     // Build target URL
     const targetUrl = `${CLOUD_RUN_URL}${url.pathname}${url.search}`;
 
-    // Clone headers
+    // Clone headers, forwarding original host so TrustedHostMiddleware accepts it
     const headers = new Headers(request.headers);
-    headers.delete('host');
+    headers.set('host', url.host);
 
     // Proxy request
     const proxyRequest = new Request(targetUrl, {

backend/main.py

@@ -186,7 +186,13 @@ async def add_security_headers(request: Request, call_next):
 
     app.add_middleware(
         TrustedHostMiddleware,
-        allowed_hosts=["trycheatcode.com", "www.trycheatcode.com", "*.trycheatcode.com", "localhost"],
+        allowed_hosts=[
+            "trycheatcode.com",
+            "www.trycheatcode.com",
+            "*.trycheatcode.com",
+            "*.run.app",
+            "localhost",
+        ],
     )
 
 app.add_middleware(