@standardagents/builder 0.11.0-next.5d2e71b → 0.11.0-next.730b472

package/dist/plugin.js

@@ -2246,6 +2246,32 @@ function corsHeaders(contentType) {
   };
 }
 
+// Helper to add CORS headers to any Response without touching the body
+function addCorsHeaders(response) {
+  // Skip WebSocket upgrade responses - they can't be wrapped
+  if (response.status === 101) {
+    return response;
+  }
+
+  // Skip if already has CORS headers
+  if (response.headers.has("Access-Control-Allow-Origin")) {
+    return response;
+  }
+
+  // Create new headers with CORS added
+  const newHeaders = new Headers(response.headers);
+  for (const [key, value] of Object.entries(CORS_HEADERS)) {
+    newHeaders.set(key, value);
+  }
+
+  // Return new Response with same body stream (not cloned, just transferred)
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers: newHeaders,
+  });
+}
+
 export async function router(request, env) {
   const url = new URL(request.url);
   const pathname = url.pathname;
@@ -2297,7 +2323,7 @@ ${threadRouteCode}
 
       // If requireAuth returns a Response, it's an error (401)
       if (authResult instanceof Response) {
-        return authResult;
+        return addCorsHeaders(authResult);
       }
 
       authContext = authResult;
@@ -2316,11 +2342,7 @@ ${threadRouteCode}
     const result = await controller(context);
 
     if (result instanceof Response) {
-      // Return Response objects as-is - CORS headers can't be safely added
-      // to Response objects in the workerd environment without issues.
-      // Controllers that return streaming/binary responses should add
-      // CORS headers themselves if needed.
-      return result;
+      return addCorsHeaders(result);
     }
     if (typeof result === "string") {
       return new Response(result, {