fix: add CORS headers to streaming chat response

[sweetmantech]

Summary

• Add CORS headers to createUIMessageStreamResponse call in handleChatStream.ts so streaming responses include proper CORS headers
• Add x-api-key to Access-Control-Allow-Headers in getCorsHeaders.ts since the /api/chat endpoint requires API key authentication
• Update handleChatStream.test.ts to expect CORS headers in the streaming response

Problem

Cross-origin requests to /api/chat from client interfaces (e.g., http://localhost:3000 to https://test-recoup-api.vercel.app/api/chat) were being blocked with:

Access to fetch at 'https://test-recoup-api.vercel.app/api/chat' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The OPTIONS handler and error responses already included CORS headers, but the successful streaming response did not.

Test plan

• Verify /api/chat requests from cross-origin clients no longer fail with CORS errors
• Verify streaming responses include Access-Control-Allow-Origin: * header
• Verify x-api-key header is allowed in preflight requests

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
recoup-api	Ready	Preview	Jan 20, 2026 4:35pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}