feat(server): add wildcard CORS origin support

[ducng99]

Issue for this PR

None

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

Adds wildcard (*) origin support to isAllowedCorsOrigin in src/server/cors.ts. When the server is configured with cors: ["*"], any incoming Origin header is now accepted and reflected back in Access-Control-Allow-Origin.

How did you verify your code works?

I ran an opencode server with and without cors, then fetch from my website (has a different origin) to verify the request went through with Access-Control-Allow-Origin set.

Screenshots / recordings

If this is a UI change, please include a screenshot or recording.

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

If you do not follow this template your PR will be automatically rejected.

[ducng99]

Another way is setting empty array for allowedOrigins below, which sets the Access-Control-Allow-Origin to * instead of reflecting the origin from the request.

I'm not sure which way is preferred.

diff --git a/packages/opencode/src/server/routes/instance/httpapi/server.ts b/packages/opencode/src/server/routes/instance/httpapi/server.ts
index 6ccc995..2e027ed 100644
--- a/packages/opencode/src/server/routes/instance/httpapi/server.ts
+++ b/packages/opencode/src/server/routes/instance/httpapi/server.ts
@@ -94,7 +94,7 @@ export const context = Context.makeUnsafe<unknown>(new Map())
 const cors = (corsOptions?: CorsOptions) =>
   HttpRouter.middleware(
     HttpMiddleware.cors({
-      allowedOrigins: (origin) => isAllowedCorsOrigin(origin, corsOptions),
+      allowedOrigins: corsOptions?.cors?.includes("*") ? [] : (origin) => isAllowedCorsOrigin(origin, corsOptions),
       maxAge: 86_400,
     }),
     { global: true },