@Grenghis-Khan Grenghis-Khan commented Feb 5, 2026

Description

This PR resolves "Server Error" / CORS failures in the Web UI and "Skill not found" errors in the CLI for newly published skills.
Fixes #143

Context

  1. Web UI (CORS): The frontend was blocked from accessing backend API endpoints (downloads, raw files) due to missing Access-Control-Allow-Origin headers. This caused failures in "GitHub Import" verification and skill downloading.
  2. CLI (Auth): The clawhub install command was making anonymous requests. This caused "Skill not found" errors for skills that were "pending scan" or otherwise not yet fully public, even for the owner.

Changes

  • Convex (Backend):
    • Added Access-Control-Allow-Origin: * to json() and text() helpers in convex/httpApiV1.ts.
    • Added Access-Control-Allow-Origin: * to downloadZip success AND error responses (400/404/410) in convex/downloads.ts.
    • Added Access-Control-Allow-Origin: * to raw file endpoints (skill/soul files) in convex/httpApiV1.ts.
  • CLI (clawhub):
    • Updated cmdInstall to retrieve the authenticated user's token.
    • Updated downloadZip and fetchBinaryViaCurl to pass the Authorization: Bearer <token> header if present.

Verification Results

  • Verified CORS headers are present on success, error, and raw file responses.
  • Verified clawhub install uses authentication, allowing owners to install pending skills.
  • Ensured minimal diff and adherence to code style.

vercel bot commented Feb 5, 2026

@Grenghis-Khan is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 2 comments

greptile-apps bot commented Feb 5, 2026

Additional Comments (2)

convex/downloads.ts
CORS missing on errors

downloadZip only sets Access-Control-Allow-Origin on the 200 response (convex/downloads.ts:61-69). All early error returns (400/404/410) omit it (e.g. convex/downloads.ts:13-20, 37-42), which will present browser clients with an opaque CORS failure whenever an error happens. Add the CORS header consistently to all responses from this action (including error paths).

convex/httpApiV1.ts
Bypassing CORS helpers

The PR adds Access-Control-Allow-Origin only via json()/text() (convex/httpApiV1.ts:860-885), but this raw file endpoint returns a Response directly (convex/httpApiV1.ts:398) using headers built from rate.headers + file headers (convex/httpApiV1.ts:381-397). Since that header set doesn’t include the new CORS header, cross-origin reads to /api/v1/skills/*/file will still be blocked. Add the CORS header to the headers used here (same issue also appears in the souls file endpoint at convex/httpApiV1.ts:1136-1154).

@vercel vercel bot left a comment

Additional Suggestion:

Missing OPTIONS handlers for CORS preflight requests causes cross-origin POST/DELETE requests with Authorization headers to fail

Grenghis-Khan commented Feb 5, 2026

Additional Comments (2)

I addressed these in commit 5fc3d0c

@Grenghis-Khan
Author

Additional Suggestion:

Missing OPTIONS handlers for CORS preflight requests causes cross-origin POST/DELETE requests with Authorization headers to fail

Addressed in commit 8f20a72

@kiliantyler

Partially a duplicate of #94

@Bluecraft-AI

This should fix #131 too. Ready to test once it's deployed.
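
Added example, not code from this PR or the project: the two review points in this thread (the CORS header missing on error paths and on directly built `Response` objects, and the missing OPTIONS preflight answer) can both be closed by applying the headers in one wrapper instead of at each return site. The handler, slugs, URL and header list below are constructed for illustration; `Authorization` is listed explicitly because the `*` wildcard in `Access-Control-Allow-Headers` does not cover it.

```javascript
// Added example; every name below is hypothetical, not the project's code.
const CORS_HEADERS = {
  'Access-Control-Allow-Origin': '*',
  // Authorization is named explicitly: the "*" wildcard does not cover it.
  'Access-Control-Allow-Headers': 'Authorization, Content-Type',
  'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
};

// Copy a Response and add the CORS headers, whatever code path built it.
function withCors(res) {
  const headers = new Headers(res.headers);
  for (const [name, value] of Object.entries(CORS_HEADERS)) headers.set(name, value);
  return new Response(res.body, { status: res.status, statusText: res.statusText, headers });
}

// Wrap a handler so success, early errors, thrown errors and preflights all pass through withCors().
function corsWrapped(handler) {
  return async (req) => {
    if (req.method === 'OPTIONS') return withCors(new Response(null, { status: 204 }));
    try {
      return withCors(await handler(req));
    } catch {
      return withCors(new Response('Internal error', { status: 500 }));
    }
  };
}

// Constructed handler: early 400/404 returns, a throw, and a direct Response with its own headers.
async function downloadHandler(req) {
  const slug = new URL(req.url).searchParams.get('slug');
  if (!slug) return new Response('Missing slug', { status: 400 });
  if (slug === 'boom') throw new Error('constructed failure');
  if (slug !== 'demo') return new Response('Not found', { status: 404 });
  const headers = { 'Content-Type': 'application/zip', 'X-RateLimit-Remaining': '9' };
  return new Response('zip-bytes', { status: 200, headers });
}

const handle = corsWrapped(downloadHandler);

// Summarise what a browser's CORS check would look at for one request.
async function probe(method, query) {
  const res = await handle(new Request(`https://registry.example/download${query}`, { method }));
  return {
    status: res.status,
    origin: res.headers.get('Access-Control-Allow-Origin'),
    allowHeaders: res.headers.get('Access-Control-Allow-Headers'),
    rateLimit: res.headers.get('X-RateLimit-Remaining'),
  };
}
```

With a wildcard origin, browsers reject responses to requests made in credentials mode `include`, so this setup depends on the bearer token travelling as an explicit `Authorization` header and not as a cookie.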
