From fca7d17a0756939beed4992f4ce2a3b80b2bff7d Mon Sep 17 00:00:00 2001
From: Andrew Bierman <abbierman101@gmail.com>
Date: Tue, 12 May 2026 11:56:55 -0600
Subject: [PATCH] fix(cors): add admin.packratai.com + *.workers.dev to root
 cors allowlist

Root cors runs first and short-circuits OPTIONS preflights before the
admin-scoped cors plugin can set Access-Control-Allow-Origin. Admin origin
was only in the admin-scoped plugin, so preflights from admin.packratai.com
got no origin header. Non-preflight requests worked because the full
middleware chain ran and the admin cors added the header to the response.

Fix: add admin.packratai.com and *.workers.dev to root cors allowlist so
OPTIONS preflights get the origin header reflected back correctly.
---
 packages/api/src/index.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/packages/api/src/index.ts b/packages/api/src/index.ts
index 0ff3fa9edd..baeb3fd4b6 100644
--- a/packages/api/src/index.ts
+++ b/packages/api/src/index.ts
@@ -33,6 +33,8 @@ export const app = new Elysia({ adapter: CloudflareAdapter })
         const allowed = [
           /^https:\/\/(www\.)?packrat\.world$/,
           /^https:\/\/[\w-]+\.packrat\.world$/,
+          /^https:\/\/[\w-]+\.packratai\.com$/,
+          /^https?:\/\/[\w-]+\.workers\.dev$/,
           /^http:\/\/localhost:\d+$/,
           /^exp:\/\//,
         ];