fix(cors): proxy devv-app.js via server and reference same-origin to avoid CORS

index.html

@@ -9,8 +9,8 @@
   </head>
   <body>
     <div id="root"></div>
-    <!-- IMPORTANT: Never remove the following script reference, otherwise advanced features like element editing will not work -->
+    <!-- IMPORTANT: Keep this script for advanced features; proxied via server to avoid CORS -->
-    <script src="https://static.devv.ai/devv-app.js" type="module"></script>
+    <script src="/devv-app.js" type="module"></script>
     <script type="module" src="/src/main.tsx"></script>
   </body>
 </html>

server/src/index.ts

@@ -61,6 +61,23 @@ app.get('/health', (_req, res) => {
   res.json({ ok: true });
 });
 
+// Proxy external devv-app.js to avoid browser CORS for module scripts
+app.get('/devv-app.js', async (_req, res) => {
+  try {
+    const response = await fetch('https://static.devv.ai/devv-app.js');
+    if (!response.ok) {
+      res.status(response.status).type('text/plain').send('');
+      return;
+    }
+    res.setHeader('Content-Type', 'application/javascript; charset=utf-8');
+    res.setHeader('Cache-Control', 'public, max-age=3600');
+    const bodyText = await response.text();
+    res.send(bodyText);
+  } catch (error) {
+    res.status(502).type('application/javascript').send('// proxy error');
+  }
+});
+
 type DbRow = {
   id: string;
   product_code: string | null;