diff --git a/services/gastown/src/gastown.worker.ts b/services/gastown/src/gastown.worker.ts
index 86b6732a7e..d7bb8553c9 100644
--- a/services/gastown/src/gastown.worker.ts
+++ b/services/gastown/src/gastown.worker.ts
@@ -266,13 +266,14 @@ app.use('/api/mayor/:townId/tools/rigs/:rigId/agents/:agentId/*', async (c, next
 
 // ── CORS ────────────────────────────────────────────────────────────────
 // Allow browser requests from the main Kilo app. In development, allow
-// localhost origins for the Next.js dev server.
+// localhost and LAN origins for the Next.js dev server.
+
+const localIpPattern = /^https?:\/\/(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+|192\.168\.\d+\.\d+|\[(::1|fd[0-9a-f]{2}:[0-9a-f:]+|fe80:[0-9a-f:]+)\])(:\d+)?$/i;
 
 const corsMiddleware = cors({
   origin: (origin, c: Context<GastownEnv>) => {
     if (c.env.ENVIRONMENT === 'development') {
-      // Allow any localhost origin in dev
-      if (origin.startsWith('http://localhost:')) return origin;
+      if (localIpPattern.test(origin)) return origin;
     }
     // Production origins
     const allowed = ['https://app.kilo.ai', 'https://kilo.ai'];
diff --git a/services/wasteland/src/wasteland.worker.ts b/services/wasteland/src/wasteland.worker.ts
index 9c7d3dd98e..b081f0df3f 100644
--- a/services/wasteland/src/wasteland.worker.ts
+++ b/services/wasteland/src/wasteland.worker.ts
@@ -89,12 +89,14 @@ app.use('*', async (c, next) => {
 
 // ── CORS ────────────────────────────────────────────────────────────────
 // Allow browser requests from the main Kilo app. In development, allow
-// localhost origins for the Next.js dev server.
+// localhost and LAN origins for the Next.js dev server.
+
+const localIpPattern = /^https?:\/\/(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+|192\.168\.\d+\.\d+|\[(::1|fd[0-9a-f]{2}:[0-9a-f:]+|fe80:[0-9a-f:]+)\])(:\d+)?$/i;
 
 const corsMiddleware = cors({
   origin: (origin, c: Context<WastelandEnv>) => {
     if (c.env.ENVIRONMENT === 'development') {
-      if (origin.startsWith('http://localhost:')) return origin;
+      if (localIpPattern.test(origin)) return origin;
     }
     const allowed = ['https://app.kilo.ai', 'https://kilo.ai'];
     return allowed.includes(origin) ? origin : '';