From 542637c0dc13ab14f4aec925a5736364ca28ee6d Mon Sep 17 00:00:00 2001
From: anti <samuel@securejump.cl>
Date: Tue, 21 Apr 2026 10:23:55 -0400
Subject: [PATCH] feat(web/api): support PATCH on proxy and CORS

The web bundle proxy handled GET/POST/PUT/DELETE but not PATCH or
preflight OPTIONS, which broke browser calls to PATCH endpoints behind
the static-bundle server. CORS middleware had the same gap.
---
 decnet/cli/web.py | 12 ++++++++++++
 decnet/web/api.py |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/decnet/cli/web.py b/decnet/cli/web.py
index a7abb7b4..edc21e5e 100644
--- a/decnet/cli/web.py
+++ b/decnet/cli/web.py
@@ -67,6 +67,18 @@ def register(app: typer.Typer) -> None:
                     return
                 self.send_error(405)
 
+            def do_PATCH(self):
+                if self.path.startswith("/api/"):
+                    self._proxy("PATCH")
+                    return
+                self.send_error(405)
+
+            def do_OPTIONS(self):
+                if self.path.startswith("/api/"):
+                    self._proxy("OPTIONS")
+                    return
+                self.send_error(405)
+
             def _proxy(self, method: str) -> None:
                 content_length = int(self.headers.get("Content-Length", 0))
                 body = self.rfile.read(content_length) if content_length else None
diff --git a/decnet/web/api.py b/decnet/web/api.py
index f33b9de9..d861b570 100644
--- a/decnet/web/api.py
+++ b/decnet/web/api.py
@@ -146,7 +146,7 @@ app.add_middleware(
     CORSMiddleware,
     allow_origins=DECNET_CORS_ORIGINS,
     allow_credentials=False,
-    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
     allow_headers=["Authorization", "Content-Type", "Last-Event-ID"],
 )