@combycode/llm-sdk 1.5.0 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -6,6 +6,14 @@ All notable changes to `@combycode/llm-sdk` are documented here. The format foll
6
6
 
7
7
  ## [Unreleased]
8
8
 
9
+ ## [1.5.1] - 2026-07-06
10
+
11
+ ### Fixed
12
+ - **Anthropic file retrieval from the browser** was blocked by CORS. `retrieveFile` /
13
+ `streamFile` now send Anthropic's `anthropic-dangerous-direct-browser-access: true` header
14
+ when running in a browser (matching the completion adapter), so hosted code-execution files
15
+ download directly. No effect on Node/Bun.
16
+
9
17
  ## [1.5.0] - 2026-07-06
10
18
 
11
19
  ### Added
@@ -22471,7 +22471,11 @@ function contentRequest(ctx, file) {
22471
22471
  "x-api-key": ctx.apiKey,
22472
22472
  "anthropic-version": "2023-06-01",
22473
22473
  "anthropic-beta": "files-api-2025-04-14",
22474
- accept: "application/binary"
22474
+ accept: "application/binary",
22475
+ // Enable CORS for direct browser requests (same header the completion
22476
+ // adapter sets); harmless on Node/Bun. Without it the browser blocks the
22477
+ // file download by CORS.
22478
+ ...isBrowser() ? { "anthropic-dangerous-direct-browser-access": "true" } : {}
22475
22479
  }
22476
22480
  };
22477
22481
  }
@@ -22492,7 +22496,11 @@ function providerAuth(ctx, url) {
22492
22496
  const base = ctx.baseURL ?? DEFAULT_BASE[ctx.provider];
22493
22497
  if (!url.startsWith(base)) return {};
22494
22498
  if (ctx.provider === "anthropic") {
22495
- return { "x-api-key": ctx.apiKey, "anthropic-version": "2023-06-01" };
22499
+ return {
22500
+ "x-api-key": ctx.apiKey,
22501
+ "anthropic-version": "2023-06-01",
22502
+ ...isBrowser() ? { "anthropic-dangerous-direct-browser-access": "true" } : {}
22503
+ };
22496
22504
  }
22497
22505
  if (ctx.provider === "google") return { "x-goog-api-key": ctx.apiKey };
22498
22506
  return { authorization: `Bearer ${ctx.apiKey}` };
package/dist/index.js CHANGED
@@ -22398,7 +22398,11 @@ function contentRequest(ctx, file) {
22398
22398
  "x-api-key": ctx.apiKey,
22399
22399
  "anthropic-version": "2023-06-01",
22400
22400
  "anthropic-beta": "files-api-2025-04-14",
22401
- accept: "application/binary"
22401
+ accept: "application/binary",
22402
+ // Enable CORS for direct browser requests (same header the completion
22403
+ // adapter sets); harmless on Node/Bun. Without it the browser blocks the
22404
+ // file download by CORS.
22405
+ ...isBrowser() ? { "anthropic-dangerous-direct-browser-access": "true" } : {}
22402
22406
  }
22403
22407
  };
22404
22408
  }
@@ -22419,7 +22423,11 @@ function providerAuth(ctx, url) {
22419
22423
  const base = ctx.baseURL ?? DEFAULT_BASE[ctx.provider];
22420
22424
  if (!url.startsWith(base)) return {};
22421
22425
  if (ctx.provider === "anthropic") {
22422
- return { "x-api-key": ctx.apiKey, "anthropic-version": "2023-06-01" };
22426
+ return {
22427
+ "x-api-key": ctx.apiKey,
22428
+ "anthropic-version": "2023-06-01",
22429
+ ...isBrowser() ? { "anthropic-dangerous-direct-browser-access": "true" } : {}
22430
+ };
22423
22431
  }
22424
22432
  if (ctx.provider === "google") return { "x-goog-api-key": ctx.apiKey };
22425
22433
  return { authorization: `Bearer ${ctx.apiKey}` };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@combycode/llm-sdk",
3
- "version": "1.5.0",
3
+ "version": "1.5.1",
4
4
  "description": "Unified, pluggable AI SDK for accessing the LLMs of every major provider (Anthropic, OpenAI, Google, xAI, OpenRouter) through one API. Cross-environment: Node, Bun, and the browser.",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",