fix: add CORS middleware for Vercel temporary/preview domain deployments

Add hono/cors middleware to the outer Hono app in server/index.ts so the
serverless function returns proper Access-Control-Allow-Origin headers for
cross-origin requests from Vercel preview/temporary domains.

Allowed origins:
- All Vercel deployment URLs from VERCEL_URL, VERCEL_BRANCH_URL,
  VERCEL_PROJECT_PRODUCTION_URL env vars
- Any *.vercel.app subdomain (covers all preview deployments)
- localhost for local development

The CORS middleware is placed before the catch-all route so OPTIONS
preflight requests are handled immediately without kernel boot latency.

Agent-Logs-Url: https://github.com/objectstack-ai/framework/sessions/324fd769-65e6-430a-aab8-06ad343e75f2

Co-authored-by: xuyushun441-sys <255036401+xuyushun441-sys@users.noreply.github.com>

Author: Copilot

CHANGELOG.md

@@ -14,6 +14,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   correct directory, declared `api/index.js` in the `functions` block so Vercel
   recognises it as a serverless function, and changed the API rewrite destination
   from `/api` to `/api/index.js` to route requests to the bundled handler.
+- **Studio CORS error on Vercel temporary/preview domains** — Added Hono CORS
+  middleware to `apps/studio/server/index.ts` so the serverless function returns
+  correct `Access-Control-Allow-Origin` headers for cross-origin requests.
+  Dynamically allows all `*.vercel.app` subdomains, explicitly listed Vercel
+  deployment URLs (`VERCEL_URL`, `VERCEL_BRANCH_URL`,
+  `VERCEL_PROJECT_PRODUCTION_URL`), and localhost for development.  Preflight
+  (OPTIONS) requests are answered immediately without waiting for kernel boot.
 - **Client test aligned with removed `ai.chat` method** — Updated
   `@objectstack/client` test suite to match the current API surface where
   `ai.chat()` was removed in favour of the Vercel AI SDK `useChat()` hook.

apps/studio/server/index.ts

@@ -36,6 +36,7 @@ import { MetadataPlugin } from '@objectstack/metadata';
 import { AIServicePlugin } from '@objectstack/service-ai';
 import { handle } from '@hono/node-server/vercel';
 import { Hono } from 'hono';
+import { cors } from 'hono/cors';
 import { createBrokerShim } from '../src/lib/create-broker-shim.js';
 import studioConfig from '../objectstack.config.js';
 
@@ -218,6 +219,50 @@ async function ensureApp(): Promise<Hono> {
  */
 const app = new Hono();
 
+// ---------------------------------------------------------------------------
+// CORS middleware
+// ---------------------------------------------------------------------------
+// Placed on the outer app so preflight (OPTIONS) requests are answered
+// immediately, without waiting for the kernel cold-start.  This is essential
+// when the SPA is loaded from a Vercel temporary/preview domain but the
+// API base URL points to a different deployment (cross-origin).
+//
+// Allowed origins:
+//   1. All Vercel deployment URLs exposed via env vars (current deployment)
+//   2. Any *.vercel.app subdomain (covers all preview/branch deployments)
+//   3. localhost (local development)
+// ---------------------------------------------------------------------------
+
+const vercelOrigins: string[] = [];
+if (process.env.VERCEL_URL) {
+    vercelOrigins.push(`https://${process.env.VERCEL_URL}`);
+}
+if (process.env.VERCEL_BRANCH_URL) {
+    vercelOrigins.push(`https://${process.env.VERCEL_BRANCH_URL}`);
+}
+if (process.env.VERCEL_PROJECT_PRODUCTION_URL) {
+    vercelOrigins.push(`https://${process.env.VERCEL_PROJECT_PRODUCTION_URL}`);
+}
+
+app.use('*', cors({
+    origin: (origin) => {
+        // Same-origin or non-browser requests (no Origin header)
+        if (!origin) return origin;
+        // Explicitly listed Vercel deployment origins
+        if (vercelOrigins.includes(origin)) return origin;
+        // Any *.vercel.app subdomain (preview / temp deployments)
+        if (origin.endsWith('.vercel.app') && origin.startsWith('https://')) return origin;
+        // Localhost for development
+        if (/^https?:\/\/localhost(:\d+)?$/.test(origin)) return origin;
+        // Deny — return empty string so no Access-Control-Allow-Origin is set
+        return '';
+    },
+    credentials: true,
+    allowMethods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+    allowHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
+    maxAge: 86400,
+}));
+
 app.all('*', async (c) => {
     console.log(`[Vercel] ${c.req.method} ${c.req.url}`);