Address comments

Author: minggangw

lib/runtime/index.d.ts

@@ -108,6 +108,9 @@ export interface HttpTransportOptions {
   port?: number;
   host?: string;
   basePath?: string;
+  sse?: boolean;
+  sseKeepAliveMs?: number;
+  cors?: boolean | string | string[];
   verifyRequest?: (req: import('http').IncomingMessage) => boolean;
 }
 

lib/runtime/transports/http.js

@@ -466,8 +466,28 @@ class HttpTransport extends TransportAdapter {
     // errors alike. setHeader persists through later writeHead() calls.
     this._applyCors(req, res);
 
+    let pathname;
+    try {
+      pathname = new URL(req.url || '/', 'http://localhost').pathname;
+    } catch {
+      return _writeJson(res, 400, {
+        ok: false,
+        error: 'invalid request URL',
+        code: 'invalid_url',
+      });
+    }
+
+    if (!pathname.startsWith(this.basePath + '/')) {
+      return _writeJson(res, 404, {
+        ok: false,
+        error: `not a capability route: ${pathname}`,
+        code: 'not_found',
+      });
+    }
+
     // Preflight: browsers send OPTIONS before a cross-origin POST with a
-    // JSON content-type. Answer it directly (no auth, no body).
+    // JSON content-type. Answer it directly (no auth, no body) — but only
+    // for capability routes, so unrelated paths still 404 above.
     if (req.method === 'OPTIONS' && this.cors) {
       res.writeHead(204).end();
       return;
@@ -494,25 +514,6 @@ class HttpTransport extends TransportAdapter {
       }
     }
 
-    let pathname;
-    try {
-      pathname = new URL(req.url || '/', 'http://localhost').pathname;
-    } catch {
-      return _writeJson(res, 400, {
-        ok: false,
-        error: 'invalid request URL',
-        code: 'invalid_url',
-      });
-    }
-
-    if (!pathname.startsWith(this.basePath + '/')) {
-      return _writeJson(res, 404, {
-        ok: false,
-        error: `not a capability route: ${pathname}`,
-        code: 'not_found',
-      });
-    }
-
     const tail = pathname.slice(this.basePath.length + 1); // strip basePath + '/'
     // tail = "<kind>/<rest...>"; first segment is the kind, rest is the
     // ROS name (which itself can contain slashes).
@@ -716,18 +717,23 @@ function _normaliseBasePath(value) {
 
 /**
  * Normalise the `cors` option into either `false`, `true` (any origin),
- * or a `Set<string>` of allowed origins.
+ * or a `Set<string>` of allowed origins. A `"*"` value (or an array that
+ * contains `"*"`) means "any origin" and is treated as `true`, matching
+ * the CLI's `--http-cors *` shorthand.
  */
 function _normaliseCors(value) {
   if (value === undefined || value === null || value === false) return false;
   if (value === true) return true;
-  if (typeof value === 'string') return new Set([value]);
+  if (typeof value === 'string') {
+    return value === '*' ? true : new Set([value]);
+  }
   if (Array.isArray(value)) {
     if (!value.every((v) => typeof v === 'string')) {
       throw new TypeError(
         'HttpTransport: cors array must contain only origin strings'
       );
     }
+    if (value.includes('*')) return true;
     return new Set(value);
   }
   throw new TypeError(