@standardagents/builder 0.18.2 → 0.19.0

package/dist/index.js

@@ -19824,15 +19824,22 @@ function addCorsHeaders(response) {
     return response;
   }
 
-  // Preserve Set-Cookie exactly. Rebuilding a Response from response.headers can
-  // drop cookie headers in Worker runtimes because Set-Cookie is special.
-  if (response.headers.has("Set-Cookie")) {
+  // Skip if already has CORS headers
+  if (response.headers.has("Access-Control-Allow-Origin")) {
     return response;
   }
 
-  // Skip if already has CORS headers
-  if (response.headers.has("Access-Control-Allow-Origin")) {
+  // Prefer mutating the original Response headers. Rebuilding a Response from
+  // response.headers can drop special headers such as Set-Cookie in Worker
+  // runtimes, even when the header is not visible through Headers.has().
+  try {
+    for (const [key, value] of Object.entries(CORS_HEADERS)) {
+      response.headers.set(key, value);
+    }
     return response;
+  } catch {
+    // Some Responses, especially fetched upstream responses, have immutable
+    // headers. Fall back to wrapping those responses.
   }
 
   // Create new headers with CORS added
@@ -29044,6 +29051,13 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
     for (const replicaUser of snapshot.users) {
       const user = await this.upsertPlatformReplicaUser(replicaUser);
       activeUserIds.add(user.id);
+      if (typeof replicaUser.session_revoked_at === "number" && Number.isFinite(replicaUser.session_revoked_at)) {
+        await this.ctx.storage.sql.exec(
+          `DELETE FROM sessions WHERE user_id = ? AND created_at <= ?`,
+          user.id,
+          Math.floor(replicaUser.session_revoked_at)
+        );
+      }
     }
     const activeList = Array.from(activeUserIds);
     if (activeList.length > 0) {