Why Web IDE Stacks Are Not a ChatGPT Domain List

A single-vendor playbook—route openai.com and call it a day—does not describe how modern AI coding surfaces work. The editor chrome might talk to one API, while the generated app deploys to Vercel-style preview URLs, the runtime loads modules from a registry or CDN, and collaboration features bounce through the vendor’s own control plane. Miss any leg and you get the familiar “everything worked yesterday” feeling: the marketing page loads, the Web IDE shell paints, then the preview never finishes handshake, npm install crawls, or the agent reports a timeout even though “the VPN is on.”

This guide is intentionally not another recycled list of chat endpoints. It is about split routing for builder traffic: keep domestic or corporate paths DIRECT where required, send the Vercel, Replit, registry, and shared CDN names you actually see in traces through one coherent policy group, and verify with logs. The ordering discipline in Clash rule routing best practices still applies: LAN shortcuts, enterprise VPN exceptions, and blocklists belong before your catch rules so you do not create accidental loops. For a parallel “many hosts, one product” story with different names, read Notion and AWS split routing—the shape matches even though the host list does not.

Spinners, Preview Iframes, and “Agent Stuck” in Network Terms

Users describe the failure modes in product language: “Lovable preview spins,” “Replit Agent never finishes,” “dependencies hang.” Under HTTPS, that usually means concurrent connections to several families succeeded partially: HTML and JS arrived from one cluster, but a websocket, iframe, or long poll to another host is on DIRECT into a path that resets, or through a proxy node region that adds seconds per round trip. Package managers amplify the pain because they open dozens of TCP sessions to registry mirrors and tarballs; one missing DOMAIN-SUFFIX line can serialize the whole install behind timeout retries.

Clash evaluates the first matching rule. A profile that tags the marketing site but not the preview subdomain is a textbook split routing bug, not mysterious “AI slowness.” Treat every spinner as a request journal: which host, which phase (TCP, TLS, HTTP), which policy group. If you also use VS Code–class tools with different vendors, compare with Windsurf and Codeium split routing so you do not merge unrelated lists blindly.

Concurrent domain mental model: assume at least three lanes—(1) the vendor control plane / IDE shell, (2) deployment previews (Vercel-like), (3) packages and static assets (npm, GitHub, broad CDN names). If only lane (2) or (3) fails, your domain rules are incomplete, not necessarily your chat API list.

Traffic Families: Vercel, Replit, Registries, and CDNs

Vercel and preview deployments

Many AI coding flows publish static or serverless previews under vercel.app, project-specific subdomains, and occasionally custom domains that still terminate on Vercel edges. The IDE shell for tools such as Lovable often lives on the vendor’s own domain (commonly lovable.dev), while the generated site still opens on *.vercel.app—both need the same policy group during testing or you will see “editor OK, preview blank.” The marketing site at vercel.com may work while a preview hash under *.vercel.app does not if your rules stop at the parent brand. Log the exact preview hostname from devtools; add DOMAIN-SUFFIX baselines you can defend, then tighten with DOMAIN lines for odd one-offs. Remember that preview URLs rotate as you redeploy—your profile must track patterns, not a single static string.

Replit IDE, workspaces, and agent callbacks

Replit combines an in-browser editor, container runtime, and orchestration. Hostnames typically cluster around replit.com and related infrastructure; some flows also use distinct domains for firewalled or dedicated runtimes (names change—verify in your own traces rather than cargo-culting a stranger’s YAML). Agent features may open additional legs to model providers; those may overlap with generic AI lists, but the Replit control plane is still the spine. Route the whole family through one policy group during testing so you eliminate split-brain between shell and runner.

Package registries, GitHub, and artifact CDNs

Installing dependencies is the loudest part of the stack. registry.npmjs.org, npmjs.com, GitHub releases, raw.githubusercontent.com, and various blob hostnames often appear together. If you already maintain GitHub-centric rules for Copilot, reconcile them with your builder group so you do not send half of GitHub direct and half through a different node. For terminal or CI-style pulls that share the same machine, the same map should cover CLI traffic—see Docker and CLI proxy notes when shells do not inherit the browser’s path.

Shared CDNs and “helpful” wildcards

Static assets may load from Fastly, Cloudflare, or other shared edges. A blunt DOMAIN-SUFFIX that covers an entire CDN can fix previews—and break unrelated sites. Prefer observation first, then surgical rules or curated rule sets you review. The trade-offs mirror Hugging Face and large-file CDN routing: breadth is convenient until it captures your bank or internal dashboard.

Observing Hostnames: Devtools, HAR, and Clash Logs

Open devtools in the Web IDE, reproduce the stall, and export the failing host list. Pay attention to websockets, third-party iframes, and blocked mixed content. For CLI actions inside the workspace, use the platform’s network panel or copy connection lines from Clash logs with timestamps aligned to your click. If the log shows the correct policy but the TCP phase never completes, suspect node quality or uplink, not YAML—rotate after you confirm the match.

Pick a client that surfaces policy decisions clearly; choosing the right Clash client matters when you iterate on domain lists weekly.

A Dedicated Policy Group for Web Builders

Name a group such as WEB_BUILDER or AI_IDE and route proven Vercel, Replit, registry, and traced CDN suffixes through it. Keep domestic GEOIP shortcuts, LAN IP-CIDR bypasses, and corporate VPN DIRECT lines ahead of this block. Pair the group with a url-test or fallback upstream if you need automatic node rotation—conceptually the same as other latency-sensitive stacks described in project guides on policy groups. The goal is one stable exit for all concurrent legs so previews and package installs do not race through different regions.

Illustrative DOMAIN-SUFFIX Rules and Match Order

The fragment below is illustrative only. Verify every suffix against your own traces; remove lines you cannot justify. Replace WEB_BUILDER, domestic rules, and MATCH with your policy.

Example rules fragment (illustrative)

rules:
  # Lovable / similar builders — verify in your traces (names evolve)
  - DOMAIN-SUFFIX,lovable.dev,WEB_BUILDER

  # Vercel — previews often live under vercel.app
  - DOMAIN-SUFFIX,vercel.app,WEB_BUILDER
  - DOMAIN-SUFFIX,vercel.com,WEB_BUILDER

  # Replit — confirm current hostnames in your logs
  - DOMAIN-SUFFIX,replit.com,WEB_BUILDER
  - DOMAIN-SUFFIX,repl.co,WEB_BUILDER

  # npm / GitHub commonly involved in installs (tighten as needed)
  - DOMAIN-SUFFIX,npmjs.org,WEB_BUILDER
  - DOMAIN-SUFFIX,npmjs.com,WEB_BUILDER
  - DOMAIN-SUFFIX,github.com,WEB_BUILDER
  - DOMAIN-SUFFIX,githubusercontent.com,WEB_BUILDER

  # Add only CDN suffixes you observed, e.g.:
  # - DOMAIN-SUFFIX,example-cdn.net,WEB_BUILDER

  - GEOIP,CN,DIRECT
  - MATCH,DIRECT

Avoid DOMAIN-KEYWORD unless necessary; short tokens create false positives. Prefer suffix baselines for brands you trust, then DOMAIN for one-off hosts surfaced by logs.

Rule Sets, Shared CDNs, and Over-Capture

Remote rule providers help track moving endpoints, but they also refresh while you sleep. Diff updates when a preview breaks overnight—sometimes the rule set narrowed, sometimes your node region shifted. If a provider is tuned for “maximum proxy,” it may steal traffic you wanted on DIRECT. Maintain a short hand-reviewed list for Vercel + Replit + registries, then layer automation around it instead of replacing it.

DNS, fake-ip, and Parallel Resolvers

Under fake-ip, applications can appear to “resolve instantly” while the real path still depends on Clash policy. If devtools shows a fake address but the socket never connects, align fake-ip-filter and nameserver logic with the same suffixes you route to WEB_BUILDER. Walk through Clash Meta DNS, fallback, and fake-ip-filter when multiple resolvers disagree; parallel DoH in the browser plus OS DNS plus Clash is a common source of “randomly fast, randomly slow” previews.

System Proxy vs TUN for Browser IDEs

Browser-only workflows often work with system proxy if the OS and browser agree. Embedded runtimes, helper binaries, or desktop sidecars may ignore those settings. TUN mode pushes routing to the stack so more processes share one split routing story, at the cost of permissions and occasional conflicts with other VPN clients. Read Clash TUN mode in depth before enabling it on a locked-down laptop. The decisive test: if the browser tab works but the integrated terminal install fails, you are usually comparing proxy visibility, not missing magic AI domains.

Node Region, Latency, and Preview Cold Starts

Even perfect domain rules feel broken on a high-latency or congested exit. Vercel previews and Replit workspaces are chatty; doubling RTT across the Pacific shows up as “spinners.” Point WEB_BUILDER at a regionally appropriate node, then re-test. This is operational tuning, not YAML theology—but you must know which hosts hit which policy first; otherwise you optimize the wrong hop.

TLS Stalls vs Wrong Policy in Logs

Interpret logs with care: stalls before TCP completes differ from TLS alert failures after connect. Use the vocabulary in Clash connection logs: timeouts and TLS so you do not delete a good ruleset because the exit node was tired.

Subscriptions, Rule Providers, and Moving Endpoints

Airport subscriptions and remote rule sets must refresh on schedule. A stale node list manifests as sudden preview failures that correlate with maintenance windows, not code changes. Follow the hygiene in Clash subscription and node maintenance before you assume Lovable or Replit changed their infrastructure.

Checklist Before You Swap Nodes or Reinstall

  1. Confirm you are permitted to run Clash and to use these services on this network.
  2. Capture failing hosts and phases from devtools or HAR exports.
  3. Map each host to a log line: does it hit WEB_BUILDER (or your chosen group)?
  4. Fill DOMAIN-SUFFIX / DOMAIN gaps; re-test preview, agent, and package install together.
  5. Align DNS / fake-ip with those suffixes.
  6. Audit rule order for LAN, corporate VPN, and block rules that might starve required hosts.
  7. Choose system proxy vs TUN deliberately; retest both browser and integrated terminal.
  8. Only then rotate nodes or blame the vendor—note timestamps for each change.
Compliance: Respect local law, terms of service for Vercel, Replit, Lovable, and other vendors, and your employer’s security policy. This article documents network hygiene for permitted use—not bypassing access controls or acceptable-use rules.

Wrap-Up: One Observable Map for Vercel + Replit + Friends

AI coding surfaces in 2025–2026 behave like micro-SaaS bundles: Web IDE chrome, deployment previews, registries, shared CDN edges, and optional model APIs. Clash shines when you make that bundle observable—explicit policy groups, ordered rules, curated rule sets, and DNS that matches the same story. Recycling a chat-only list will keep letting previews spin because the failing hostname was never part of that list.

Keep refining with the same habits as the rest of your profile: read match order in Clash rules best practices, diff remote providers, and treat every new spinner as a hostname receipt—not a mystery curse on AI tools.

Download Clash for free and experience the difference—so your next Vercel preview and Replit session share one coherent split routing map instead of a pile of half-matched domains.