@cerefox/memory 0.7.2 → 0.8.0

package/dist/server-assets/supabase/functions/cerefox-list-projects/index.ts

@@ -0,0 +1,96 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+import { createClient } from "jsr:@supabase/supabase-js@2";
+import { isVersionRequest, versionResponse } from "../../../_shared/ef-meta/index.ts";
+
+/**
+ * cerefox-list-projects -- Supabase Edge Function
+ *
+ * Lists all projects with names, IDs, and descriptions.
+ * Calls the cerefox_list_projects() RPC via the service-role key.
+ *
+ * Called by:
+ *   - GPT Custom Actions (direct HTTP POST via OpenAPI schema)
+ *   - Any authenticated HTTP client
+ *
+ * Note: cerefox-mcp calls the RPC directly (not this Edge Function).
+ *
+ * Request body (JSON): {} or { requestor?: string }
+ * Response (200): Array of { id, name, description }
+ */
+
+const CORS_HEADERS = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Content-Type, Authorization, apikey",
+};
+
+Deno.serve(async (req: Request): Promise<Response> => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 200, headers: CORS_HEADERS });
+  }
+
+  if (isVersionRequest(req)) {
+    return versionResponse("cerefox-list-projects", { ...CORS_HEADERS, "Content-Type": "application/json" });
+  }
+
+  if (req.method !== "POST") {
+    return new Response("Method Not Allowed", { status: 405, headers: CORS_HEADERS });
+  }
+
+  try {
+    const body = await req.json().catch(() => ({}));
+    const supabaseUrl = Deno.env.get("SUPABASE_URL")!;
+    const supabaseKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+    const supabase = createClient(supabaseUrl, supabaseKey);
+
+    // Configurable requestor enforcement
+    const identityField = "requestor";
+    const identityValue = body[identityField];
+    const { data: reqConfig } = await supabase.rpc("cerefox_get_config", { p_key: "require_requestor_identity" });
+    if (reqConfig === "true") {
+      if (!identityValue || (typeof identityValue === "string" && identityValue.trim() === "")) {
+        return new Response(
+          JSON.stringify({ error: `Missing required parameter "${identityField}". Server requires caller identity.` }),
+          { status: 400, headers: { ...CORS_HEADERS, "Content-Type": "application/json" } },
+        );
+      }
+      const { data: fmtConfig } = await supabase.rpc("cerefox_get_config", { p_key: "requestor_identity_format" });
+      if (fmtConfig && typeof fmtConfig === "string" && fmtConfig.trim() !== "") {
+        if (!new RegExp(fmtConfig).test(identityValue)) {
+          return new Response(
+            JSON.stringify({ error: `Invalid "${identityField}" format. Does not match pattern: ${fmtConfig}` }),
+            { status: 400, headers: { ...CORS_HEADERS, "Content-Type": "application/json" } },
+          );
+        }
+      }
+    }
+
+    const { data, error } = await supabase.rpc("cerefox_list_projects");
+
+    if (error) {
+      return new Response(JSON.stringify({ error: error.message }), {
+        status: 500,
+        headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+      });
+    }
+
+    // Fire-and-forget usage logging
+    Promise.resolve(supabase.rpc("cerefox_log_usage", {
+      p_operation: "list_projects",
+      p_access_path: "edge-function",
+      p_requestor: body.requestor ?? null,
+      p_result_count: (data ?? []).length,
+    })).catch(() => {});
+
+    return new Response(JSON.stringify(data ?? []), {
+      status: 200,
+      headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return new Response(JSON.stringify({ error: message }), {
+      status: 500,
+      headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+    });
+  }
+});

package/dist/server-assets/supabase/functions/cerefox-list-versions/index.ts

@@ -0,0 +1,113 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+import { createClient } from "jsr:@supabase/supabase-js@2";
+import { isVersionRequest, versionResponse } from "../../../_shared/ef-meta/index.ts";
+
+/**
+ * cerefox-list-versions — Supabase Edge Function
+ *
+ * Lists all archived versions of a document, newest first.
+ * Calls the cerefox_list_document_versions RPC via the service-role key.
+ *
+ * Called by:
+ *   - cerefox-mcp Edge Function (MCP tools/call for cerefox_list_versions)
+ *   - GPT Custom Actions (direct HTTP POST via OpenAPI schema)
+ *   - Any authenticated HTTP client
+ *
+ * Request body (JSON):
+ *   { document_id: string }
+ *
+ * Response (200):
+ *   Array of { version_id, version_number, source, chunk_count, total_chars, created_at }
+ *   Empty array [] when no versions exist.
+ * Response (400):
+ *   { error: "document_id is required" }
+ */
+
+const CORS_HEADERS = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Content-Type, Authorization, apikey",
+};
+
+Deno.serve(async (req: Request): Promise<Response> => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 200, headers: CORS_HEADERS });
+  }
+
+  if (isVersionRequest(req)) {
+    return versionResponse("cerefox-list-versions", { ...CORS_HEADERS, "Content-Type": "application/json" });
+  }
+
+  if (req.method !== "POST") {
+    return new Response("Method Not Allowed", { status: 405, headers: CORS_HEADERS });
+  }
+
+  try {
+    const body = await req.json();
+    const document_id = body.document_id as string | undefined;
+
+    if (!document_id) {
+      return new Response(JSON.stringify({ error: "document_id is required" }), {
+        status: 400,
+        headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+      });
+    }
+
+    const supabaseUrl = Deno.env.get("SUPABASE_URL")!;
+    const supabaseKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+    const supabase = createClient(supabaseUrl, supabaseKey);
+
+    // Configurable requestor enforcement
+    const identityField = "requestor";
+    const identityValue = body[identityField];
+    const { data: reqConfig } = await supabase.rpc("cerefox_get_config", { p_key: "require_requestor_identity" });
+    if (reqConfig === "true") {
+      if (!identityValue || (typeof identityValue === "string" && identityValue.trim() === "")) {
+        return new Response(
+          JSON.stringify({ error: `Missing required parameter "${identityField}". Server requires caller identity.` }),
+          { status: 400, headers: { ...CORS_HEADERS, "Content-Type": "application/json" } },
+        );
+      }
+      const { data: fmtConfig } = await supabase.rpc("cerefox_get_config", { p_key: "requestor_identity_format" });
+      if (fmtConfig && typeof fmtConfig === "string" && fmtConfig.trim() !== "") {
+        if (!new RegExp(fmtConfig).test(identityValue)) {
+          return new Response(
+            JSON.stringify({ error: `Invalid "${identityField}" format. Does not match pattern: ${fmtConfig}` }),
+            { status: 400, headers: { ...CORS_HEADERS, "Content-Type": "application/json" } },
+          );
+        }
+      }
+    }
+
+    const { data, error } = await supabase.rpc("cerefox_list_document_versions", {
+      p_document_id: document_id,
+    });
+
+    if (error) {
+      return new Response(JSON.stringify({ error: error.message }), {
+        status: 500,
+        headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+      });
+    }
+
+    // Fire-and-forget usage logging
+    Promise.resolve(supabase.rpc("cerefox_log_usage", {
+      p_operation: "list_versions",
+      p_access_path: "edge-function",
+      p_requestor: body.requestor ?? null,
+      p_document_id: document_id,
+      p_result_count: (data ?? []).length,
+    })).catch(() => {});
+
+    return new Response(JSON.stringify(data ?? []), {
+      status: 200,
+      headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return new Response(JSON.stringify({ error: message }), {
+      status: 500,
+      headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+    });
+  }
+});

package/dist/server-assets/supabase/functions/cerefox-mcp/index.ts

@@ -0,0 +1,294 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+
+/**
+ * cerefox-mcp — Supabase Edge Function
+ *
+ * MCP Streamable HTTP server (spec 2025-03-26). Exposes all Cerefox tools
+ * over HTTPS — no Python install, no local process, works from any
+ * remote-capable MCP client.
+ *
+ * As of v0.4.0 (iter-22): the per-tool handlers live in `_shared/mcp-tools/`
+ * (relative to the repo root) and are imported here verbatim. The new local
+ * TS MCP server (`@cerefox/memory`, `packages/memory/`) uses the same
+ * modules — single source of truth for tool behaviour across the two
+ * transports. This file's only responsibility is the MCP protocol surface
+ * (JSON-RPC over HTTP) + Cerefox's identity-enforcement wrapper.
+ *
+ * Supported clients:
+ *   Claude Code    -- claude mcp add --transport http cerefox <url> --header "Authorization: Bearer <anon-key>"
+ *   Cursor         -- url + headers.Authorization in mcp.json
+ *   Claude Desktop -- npx supergateway --streamableHttp <url> --header "Authorization: Bearer <anon-key>"
+ */
+
+import {
+  CORS_HEADERS,
+  errorResponse,
+  jsonResponse,
+  makeSupabaseClient,
+  notificationResponse,
+} from "./shared.ts";
+import {
+  ALL_TOOLS,
+  McpInvalidParams,
+  TOOLS_BY_NAME,
+  type ToolContext,
+} from "../../../_shared/mcp-tools/index.ts";
+import {
+  type AggregatedVersions,
+  EF_VERSION,
+  isVersionRequest,
+  PEER_EF_NAMES,
+  peerVersionUrl,
+  versionResponse,
+  wantsPeers,
+} from "../../../_shared/ef-meta/index.ts";
+
+const MCP_VERSION = "2025-03-26";
+const SERVER_NAME = "cerefox";
+const SERVER_VERSION = "0.4.0";
+
+// ── Tool list (derived from _shared/mcp-tools/) ─────────────────────────────
+
+const TOOLS = ALL_TOOLS.map((t) => ({
+  name: t.name,
+  description: t.description,
+  inputSchema: t.inputSchema,
+}));
+
+// ── Method handlers ──────────────────────────────────────────────────────────
+
+function handleInitialize(id: unknown): Response {
+  return jsonResponse({
+    jsonrpc: "2.0",
+    id,
+    result: {
+      protocolVersion: MCP_VERSION,
+      capabilities: { tools: {} },
+      serverInfo: { name: SERVER_NAME, version: SERVER_VERSION },
+    },
+  });
+}
+
+function handleToolsList(id: unknown): Response {
+  return jsonResponse({ jsonrpc: "2.0", id, result: { tools: TOOLS } });
+}
+
+async function handleToolsCall(
+  id: unknown,
+  params: { name?: string; arguments?: Record<string, unknown> } | undefined,
+): Promise<Response> {
+  const toolName = params?.name;
+  const args = params?.arguments ?? {};
+
+  if (!toolName) return errorResponse(id, -32602, "Invalid params: missing tool name");
+
+  const tool = TOOLS_BY_NAME[toolName];
+  if (!tool) return errorResponse(id, -32602, `Unknown tool: ${toolName}`);
+
+  // Configurable caller identity enforcement.
+  // When require_requestor_identity is "true" in cerefox_config, all tool calls
+  // must include a requestor (reads) or author (writes) parameter.
+  // When requestor_identity_format is set, the value must match the regex.
+  const identityParam = toolName === "cerefox_ingest" || toolName === "cerefox_set_document_projects"
+    ? "author"
+    : "requestor";
+  const identityValue = args[identityParam] as string | undefined;
+
+  // deno-lint-ignore no-explicit-any
+  const supabase: any = makeSupabaseClient();
+
+  try {
+    const { data: requireConfig } = await supabase.rpc("cerefox_get_config", {
+      p_key: "require_requestor_identity",
+    });
+    const requireIdentity = requireConfig === "true";
+
+    if (requireIdentity) {
+      if (!identityValue || identityValue.trim() === "") {
+        return errorResponse(
+          id,
+          -32602,
+          `Missing required parameter "${identityParam}". Server requires caller identity. ` +
+            `Pass "${identityParam}" with your agent name (e.g., "Claude Code", "archiver").`,
+        );
+      }
+      const { data: formatConfig } = await supabase.rpc("cerefox_get_config", {
+        p_key: "requestor_identity_format",
+      });
+      if (formatConfig && typeof formatConfig === "string" && formatConfig.trim() !== "") {
+        const formatRegex = new RegExp(formatConfig);
+        if (!formatRegex.test(identityValue)) {
+          return errorResponse(
+            id,
+            -32602,
+            `Invalid "${identityParam}" format. Value "${identityValue}" does not match ` +
+              `required pattern: ${formatConfig}`,
+          );
+        }
+      }
+    }
+  } catch {
+    // Config check failed -- don't block the tool call
+  }
+
+  const openaiKey = Deno.env.get("OPENAI_API_KEY");
+  const needsOpenAI = toolName === "cerefox_search" || toolName === "cerefox_ingest";
+  if (needsOpenAI && !openaiKey) {
+    return errorResponse(id, -32603, "OPENAI_API_KEY secret not set on this project");
+  }
+
+  const ctx: ToolContext = {
+    accessPath: "remote-mcp",
+    openaiApiKey: openaiKey,
+  };
+
+  try {
+    const text = await tool.handler(supabase, args, ctx);
+    return jsonResponse({
+      jsonrpc: "2.0",
+      id,
+      result: { content: [{ type: "text", text }] },
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    const code = err instanceof McpInvalidParams ? -32602 : -32603;
+    return errorResponse(id, code, message);
+  }
+}
+
+// ── Version surface (iter-26 Part 26B) ───────────────────────────────────────
+
+const JSON_HEADERS = { ...CORS_HEADERS, "Content-Type": "application/json" };
+
+/** Overall budget for the peer-version aggregator. */
+const AGGREGATOR_BUDGET_MS = 5_000;
+/** Per-peer request timeout (so one slow peer can't eat the whole budget). */
+const PEER_TIMEOUT_MS = 2_000;
+
+async function handleVersion(req: Request): Promise<Response> {
+  // Single-EF version unless ?peers=true requests the aggregator.
+  if (!wantsPeers(req)) {
+    return versionResponse("cerefox-mcp", JSON_HEADERS);
+  }
+
+  const result: AggregatedVersions = {
+    name: "cerefox-mcp",
+    version: EF_VERSION,
+    schema: null,
+    efs: [],
+    errors: [],
+  };
+
+  // Deployed Postgres schema version (best-effort; null on failure).
+  try {
+    // deno-lint-ignore no-explicit-any
+    const supabase: any = makeSupabaseClient();
+    const { data } = await supabase.rpc("cerefox_schema_version");
+    if (typeof data === "string") result.schema = data;
+  } catch {
+    // leave schema null
+  }
+
+  // Probe peers sequentially within an overall budget. Forward the caller's
+  // auth so the gateway lets each peer request through.
+  const authHeader = req.headers.get("Authorization") ?? "";
+  const apikeyHeader = req.headers.get("apikey") ?? "";
+  const deadline = Date.now() + AGGREGATOR_BUDGET_MS;
+
+  for (const peer of PEER_EF_NAMES) {
+    const remaining = deadline - Date.now();
+    if (remaining <= 0) {
+      result.errors.push({ name: peer, error: "skipped (5s budget exhausted)" });
+      continue;
+    }
+    try {
+      const ctrl = new AbortController();
+      const timer = setTimeout(() => ctrl.abort(), Math.min(remaining, PEER_TIMEOUT_MS));
+      let resp: Response;
+      try {
+        resp = await fetch(peerVersionUrl(req.url, peer), {
+          method: "GET",
+          headers: { Authorization: authHeader, apikey: apikeyHeader },
+          signal: ctrl.signal,
+        });
+      } finally {
+        clearTimeout(timer);
+      }
+      if (!resp.ok) {
+        result.errors.push({ name: peer, error: `HTTP ${resp.status}` });
+        continue;
+      }
+      const payload = (await resp.json()) as { version?: string };
+      result.efs.push({ name: peer, version: payload.version ?? "unknown" });
+    } catch (err) {
+      result.errors.push({
+        name: peer,
+        error: err instanceof Error ? err.message : String(err),
+      });
+    }
+  }
+
+  return new Response(JSON.stringify(result), { status: 200, headers: JSON_HEADERS });
+}
+
+// ── Main handler ─────────────────────────────────────────────────────────────
+
+Deno.serve(async (req: Request): Promise<Response> => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 200, headers: CORS_HEADERS });
+  }
+
+  // GET — the only supported GET is the /version surface (iter-26). Per MCP
+  // spec (2025-03-26) this server otherwise returns 405 on GET to signal it
+  // does not support SSE notifications (prevents MCP clients from holding a
+  // persistent ~1/sec polling connection).
+  if (req.method === "GET") {
+    if (isVersionRequest(req)) {
+      return await handleVersion(req);
+    }
+    return new Response("Method Not Allowed", { status: 405, headers: CORS_HEADERS });
+  }
+  if (req.method !== "POST") {
+    return new Response("Method Not Allowed", { status: 405, headers: CORS_HEADERS });
+  }
+
+  let body: unknown;
+  try {
+    body = await req.json();
+  } catch {
+    return errorResponse(null, -32700, "Parse error: invalid JSON");
+  }
+
+  const { jsonrpc, id, method, params } = body as {
+    jsonrpc?: string;
+    id?: unknown;
+    method?: string;
+    params?: unknown;
+  };
+
+  if (jsonrpc !== "2.0") {
+    return errorResponse(id ?? null, -32600, "Invalid Request: jsonrpc must be '2.0'");
+  }
+  if (!method) {
+    return errorResponse(id ?? null, -32600, "Invalid Request: missing method");
+  }
+
+  switch (method) {
+    case "initialize":
+      return handleInitialize(id);
+    case "initialized":
+    case "notifications/initialized":
+      return notificationResponse();
+    case "ping":
+      return jsonResponse({ jsonrpc: "2.0", id, result: {} });
+    case "tools/list":
+      return handleToolsList(id);
+    case "tools/call":
+      return await handleToolsCall(
+        id,
+        params as { name?: string; arguments?: Record<string, unknown> } | undefined,
+      );
+    default:
+      return errorResponse(id ?? null, -32601, `Method not found: ${method}`);
+  }
+});

package/dist/server-assets/supabase/functions/cerefox-mcp/shared.ts

@@ -0,0 +1,42 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+import { createClient } from "jsr:@supabase/supabase-js@2";
+
+// ── CORS ─────────────────────────────────────────────────────────────────────
+
+export const CORS_HEADERS = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Content-Type, Authorization, Mcp-Session-Id",
+};
+
+// ── Supabase client (service-role key, bypasses RLS) ─────────────────────────
+
+export function makeSupabaseClient() {
+  const url = Deno.env.get("SUPABASE_URL")!;
+  const key = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+  return createClient(url, key);
+}
+
+// ── JSON-RPC response helpers ─────────────────────────────────────────────────
+
+export function jsonResponse(body: unknown, status = 200): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+  });
+}
+
+export function errorResponse(id: unknown, code: number, message: string): Response {
+  return jsonResponse(
+    {
+      jsonrpc: "2.0",
+      id: id ?? null,
+      error: { code, message },
+    },
+    200, // MCP errors are still HTTP 200 per spec; the error is in the payload
+  );
+}
+
+export function notificationResponse(): Response {
+  return new Response(null, { status: 202, headers: CORS_HEADERS });
+}

package/dist/server-assets/supabase/functions/cerefox-metadata/index.ts

@@ -0,0 +1,99 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+import { createClient } from "jsr:@supabase/supabase-js@2";
+import { isVersionRequest, versionResponse } from "../../../_shared/ef-meta/index.ts";
+
+/**
+ * cerefox-metadata — Supabase Edge Function
+ *
+ * Returns all metadata keys currently in use across documents in the
+ * Cerefox knowledge base. Calls the cerefox_list_metadata_keys() RPC
+ * which derives keys from actual doc_metadata JSONB — no registry table.
+ *
+ * Called by the cerefox-mcp Edge Function (MCP tool), GPT Actions
+ * (direct HTTP POST), or any HTTP client.
+ *
+ * Request body (JSON): {} (no parameters)
+ *
+ * Response: Array of { key, doc_count, example_values }
+ */
+
+const CORS_HEADERS = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Content-Type, Authorization, apikey",
+};
+
+Deno.serve(async (req: Request): Promise<Response> => {
+  // CORS preflight
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 200, headers: CORS_HEADERS });
+  }
+
+  if (isVersionRequest(req)) {
+    return versionResponse("cerefox-metadata", { ...CORS_HEADERS, "Content-Type": "application/json" });
+  }
+
+  if (req.method !== "POST") {
+    return new Response("Method Not Allowed", {
+      status: 405,
+      headers: CORS_HEADERS,
+    });
+  }
+
+  try {
+    const body = await req.json().catch(() => ({}));
+    const supabaseUrl = Deno.env.get("SUPABASE_URL")!;
+    const supabaseKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+    const supabase = createClient(supabaseUrl, supabaseKey);
+
+    // Configurable requestor enforcement
+    const identityField = "requestor";
+    const identityValue = body[identityField];
+    const { data: reqConfig } = await supabase.rpc("cerefox_get_config", { p_key: "require_requestor_identity" });
+    if (reqConfig === "true") {
+      if (!identityValue || (typeof identityValue === "string" && identityValue.trim() === "")) {
+        return new Response(
+          JSON.stringify({ error: `Missing required parameter "${identityField}". Server requires caller identity.` }),
+          { status: 400, headers: { ...CORS_HEADERS, "Content-Type": "application/json" } },
+        );
+      }
+      const { data: fmtConfig } = await supabase.rpc("cerefox_get_config", { p_key: "requestor_identity_format" });
+      if (fmtConfig && typeof fmtConfig === "string" && fmtConfig.trim() !== "") {
+        if (!new RegExp(fmtConfig).test(identityValue)) {
+          return new Response(
+            JSON.stringify({ error: `Invalid "${identityField}" format. Does not match pattern: ${fmtConfig}` }),
+            { status: 400, headers: { ...CORS_HEADERS, "Content-Type": "application/json" } },
+          );
+        }
+      }
+    }
+
+    const { data, error } = await supabase.rpc("cerefox_list_metadata_keys");
+
+    if (error) {
+      return new Response(JSON.stringify({ error: error.message }), {
+        status: 500,
+        headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+      });
+    }
+
+    // Fire-and-forget usage logging
+    Promise.resolve(supabase.rpc("cerefox_log_usage", {
+      p_operation: "list_metadata_keys",
+      p_access_path: "edge-function",
+      p_requestor: body.requestor ?? null,
+      p_result_count: (data ?? []).length,
+    })).catch(() => {});
+
+    return new Response(JSON.stringify(data ?? []), {
+      status: 200,
+      headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return new Response(JSON.stringify({ error: message }), {
+      status: 500,
+      headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
+    });
+  }
+});