Fix CORS_ORIGIN wildcard patterns on Vercel deployments #1177

Merged
xuyushun441-sys merged 1 commit into main from copilot/update-cors-origin-environment-variable
Apr 17, 2026

Copilot AI commented Apr 17, 2026

Setting CORS_ORIGIN="https://*.objectui.org,https://*.objectstack.ai,http://localhost:*" caused browser CORS errors on Vercel, even though the same value worked behind the Hono plugin's cors() middleware.

Root cause

apps/server/server/index.ts short-circuits OPTIONS preflight before the Hono app runs (so cold starts / bootstrap failures can't strip CORS headers). Its resolveAllowOrigin() matched with a literal Array.includes(requestOrigin); * was treated as a plain character, so every preflight from a real subdomain returned 204 with no Access-Control-Allow-Origin, blocking all subsequent requests.

const allowed = ["https://*.objectui.org", /* ... */];
allowed.includes("https://app.objectui.org"); // false → null → browser blocks

The Hono middleware already implemented wildcard matching correctly, but the Vercel bypass path had a divergent, exact-match-only implementation.

Changes

  • Single source of truth for origin matching — extracted matchOriginPattern / createOriginMatcher / hasWildcardPattern / normalizeOriginPatterns into packages/plugins/plugin-hono-server/src/pattern-matcher.ts and exported from the package entry.
  • hono-plugin.ts — removed inline copies, imports from the shared module.
  • apps/server/server/index.ts: resolveAllowOrigin() now delegates to createOriginMatcher / hasWildcardPattern when CORS_ORIGIN contains *, so the Vercel preflight short-circuit and the Hono middleware have identical semantics.
  • Tests: pattern-matcher.test.ts now imports the real module (no inline duplicate) and adds coverage for hasWildcardPattern, normalizeOriginPatterns, and empty-origin handling.
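
The exact-match failure and a wildcard-aware check side by side, as an added TypeScript example that is not code from this PR or the repository. All function names are hypothetical, and the rule that * matches a single host label or port is an assumption of this example, not necessarily the behaviour of matchOriginPattern.

```typescript
// Added illustration; all function names here are hypothetical.

// Pre-fix behaviour described above: "*" is compared as a literal character
// (indexOf performs the same literal comparison as Array.includes).
function exactMatchAllow(patterns: string[], origin: string): string | null {
  return patterns.indexOf(origin) !== -1 ? origin : null;
}

// Compile one pattern into an anchored RegExp. Regex metacharacters are escaped
// first so "." in "objectui.org" stays literal. Assumption: "*" stands for one
// host label or port ([A-Za-z0-9-]+), so it cannot span "." or "/".
function patternToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\\\*/g, "[A-Za-z0-9-]+") + "$");
}

// Returns the concrete request origin when any pattern matches, else null.
function wildcardAllow(patterns: string[], origin: string): string | null {
  if (origin === "") return null; // no Origin header: nothing to echo
  return patterns.some((p) => patternToRegExp(p).test(origin)) ? origin : null;
}

// Preflight response headers: echo the concrete origin (never the pattern) and
// set Vary so a cache does not reuse the answer for a different origin.
function preflightHeaders(patterns: string[], origin: string): Record<string, string> {
  const allow = wildcardAllow(patterns, origin);
  return allow ? { "Access-Control-Allow-Origin": allow, Vary: "Origin" } : {};
}

// The CORS_ORIGIN value quoted in the PR description.
const CORS_ORIGIN = "https://*.objectui.org,https://*.objectstack.ai,http://localhost:*";
const patterns = CORS_ORIGIN.split(",").map((s) => s.trim());
```

Anchoring with ^ and $ and escaping the dots are what keep a lookalike host from matching; the test origins used to check this are constructed.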

…t short-circuit

Agent-Logs-Url: https://github.com/objectstack-ai/framework/sessions/4eda94c5-dea3-49b4-9f32-f9d97a0d7045

Co-authored-by: xuyushun441-sys <255036401+xuyushun441-sys@users.noreply.github.com>

vercel bot commented Apr 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
objectstack-demo | Ready | Preview, Comment | Apr 17, 2026 9:43am
spec | Ready | Preview, Comment | Apr 17, 2026 9:43am

xuyushun441-sys marked this pull request as ready for review April 17, 2026 09:44
xuyushun441-sys merged commit 9b07089 into main Apr 17, 2026
3 checks passed