@qwerty-dvorak
Contributor

@qwerty-dvorak qwerty-dvorak commented Dec 15, 2025

Summary

Add support for the X-Stainless-Timeout header in CORS configuration to allow clients to specify custom timeout values.

Changes

  • Added X-Stainless-Timeout to the list of allowed headers in the CORS middleware
  • This enables clients to set custom timeout values for their requests through this header

Type of change

  • Transports (HTTP)

Affected areas

  • Core (Go)
  • Transports (HTTP)
  • Providers/Integrations
  • Plugins
  • UI (Next.js)
  • Docs

How to test

Test that the CORS middleware properly allows the X-Stainless-Timeout header:

make dev &&
curl http://localhost:8080/v1/chat/completions \
-H "Content-Type: application/json" \
-H "x-stainless-timeout: 60000" \
-d '{
  "model": "anthropic/claude-sonnet-4-5",
  "messages": [{"role": "user", "content": "Hello, Bifrost!"}]
}'

Breaking changes

  • No

Related issues

#1074

Security considerations

None

Checklist

  • I read docs/contributing/README.md and followed the guidelines
  • I added/updated tests where appropriate
  • I updated documentation where needed
  • I verified builds succeed (Go and UI)
  • I verified the CI pipeline passes locally if applicable

@coderabbitai
Contributor

coderabbitai bot commented Dec 15, 2025

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated CORS configuration to support additional request headers.

Walkthrough

A CORS middleware configuration update adds X-Stainless-Timeout to the Access-Control-Allow-Headers response header, expanding the set of allowed headers for preflight requests alongside existing values.

Changes

Cohort / File(s) | Summary
CORS header configuration: transports/bifrost-http/handlers/middlewares.go | Added X-Stainless-Timeout to the Access-Control-Allow-Headers value in the CORS middleware response

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Single-file configuration change with no logic or control flow modifications
  • Straightforward header value addition to existing CORS policy

Poem

🐰 A rabbit hops through headers fair,
Adding timeout to the air,
CORS now broader, cross-domain delight,
One little string makes preflight right! 🎯

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely describes the main change: adding the X-Stainless-Timeout header to CORS allowed headers.
Description check | ✅ Passed | The description includes all required template sections with appropriate content: summary, changes, type of change, affected areas, testing instructions, breaking changes, related issues, security considerations, and completed checklist.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
@github-actions
Contributor

🧪 Test Suite Available

This PR can be tested by a repository admin.

Run tests for PR #1094

@qwerty-dvorak qwerty-dvorak marked this pull request as ready for review December 15, 2025 16:40
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
transports/bifrost-http/handlers/middlewares.go (1)

31-31: CORS header update correctly permits X-Stainless-Timeout

Adding X-Stainless-Timeout to Access-Control-Allow-Headers is the right way to allow this custom header in browser requests; no functional or security issues stand out. If you anticipate more custom headers, consider centralizing the allowed-header list (e.g., a shared constant or config-driven slice) to avoid future drift across sites using this middleware.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 44f4efd and d40ea2a.

📒 Files selected for processing (1)
  • transports/bifrost-http/handlers/middlewares.go (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

always check the stack if there is one for the current PR. do not give localized reviews for the PR, always see all changes in the light of the whole stack of PRs (if there is a stack, if there is no stack you can continue to make localized suggestions/reviews)

Files:

  • transports/bifrost-http/handlers/middlewares.go
🧠 Learnings (2)
📚 Learning: 2025-12-09T17:07:42.007Z
Learnt from: qwerty-dvorak
Repo: maximhq/bifrost PR: 1006
File: core/schemas/account.go:9-18
Timestamp: 2025-12-09T17:07:42.007Z
Learning: In core/schemas/account.go, the HuggingFaceKeyConfig field within the Key struct is currently unused and reserved for future Hugging Face inference endpoint deployments. Do not flag this field as missing from OpenAPI documentation or require its presence in the API spec until the feature is actively implemented and used. When the feature is added, update the OpenAPI docs accordingly; otherwise, treat this field as non-breaking and not part of the current API surface.

Applied to files:

  • transports/bifrost-http/handlers/middlewares.go
📚 Learning: 2025-12-12T08:25:02.629Z
Learnt from: Pratham-Mishra04
Repo: maximhq/bifrost PR: 1000
File: transports/bifrost-http/integrations/router.go:709-712
Timestamp: 2025-12-12T08:25:02.629Z
Learning: In transports/bifrost-http/**/*.go, update streaming response handling to align with OpenAI Responses API: use typed SSE events such as response.created, response.output_text.delta, response.done, etc., and do not rely on the legacy data: [DONE] termination marker. Note that data: [DONE] is only used by the older Chat Completions and Text Completions streaming APIs. Ensure parsers, writers, and tests distinguish SSE events from the [DONE] sentinel and handle each event type accordingly for correct stream termination and progress updates.

Applied to files:

  • transports/bifrost-http/handlers/middlewares.go

@akshaydeo akshaydeo merged commit 60be211 into main Dec 15, 2025
11 checks passed
@akshaydeo akshaydeo deleted the 12-15-fix_x-stainless-timeout_allowed_header branch December 15, 2025 17:03
@JadeGeek

Great response! You guys are so quick! After testing the newest version, I still got a similar problem, and got the bug fixed as follows:

				ctx.Response.Header.Set(
					"Access-Control-Allow-Headers",
					"Content-Type, Authorization, X-Requested-With, X-Stainless-Timeout, x-stainless-os, x-stainless-runtime-version, x-stainless-package-version, x-stainless-runtime, x-stainless-arch, x-stainless-retry-count, x-stainless-lang",
				)

Will you guys make another patch in the next release?
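
Added example (not part of this thread or of the Bifrost code base): a Go sketch of the check a browser applies to a preflight response, showing which of the headers named in the comment above are still rejected when only X-Stainless-Timeout has been added. The names `missingHeaders`, `mergedAllow` and `sdkRequest` are hypothetical; `mergedAllow` is assumed to be the first four entries of the list quoted above, and `sdkRequest` is a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

// splitNames lower-cases and trims a comma-separated header-name list.
func splitNames(list string) []string {
	var out []string
	for _, n := range strings.Split(list, ",") {
		if n = strings.ToLower(strings.TrimSpace(n)); n != "" {
			out = append(out, n)
		}
	}
	return out
}

// missingHeaders returns the names in Access-Control-Request-Headers that the
// Access-Control-Allow-Headers value does not cover. Matching is
// case-insensitive. "*" covers any name except Authorization, and only for
// requests sent without credentials. A non-empty result means the browser
// fails the preflight and never sends the real request.
func missingHeaders(requested, allowed string, credentialed bool) []string {
	allow := map[string]bool{}
	for _, n := range splitNames(allowed) {
		allow[n] = true
	}
	wildcard := allow["*"] && !credentialed
	var missing []string
	for _, n := range splitNames(requested) {
		if allow[n] || (wildcard && n != "authorization") {
			continue
		}
		missing = append(missing, n)
	}
	return missing
}

// Assumption: allow list after this PR (first four entries quoted in the comment above).
const mergedAllow = "Content-Type, Authorization, X-Requested-With, X-Stainless-Timeout"

// Constructed sample: the header names from the comment above, lower-cased as in a preflight.
const sdkRequest = "authorization,content-type,x-stainless-arch,x-stainless-lang,x-stainless-os," +
	"x-stainless-package-version,x-stainless-retry-count,x-stainless-runtime," +
	"x-stainless-runtime-version,x-stainless-timeout"

func main() {
	fmt.Println("still blocked:", missingHeaders(sdkRequest, mergedAllow, false))
	fmt.Println("with wildcard:", missingHeaders(sdkRequest, "*", false))
}
```

The wildcard case shows why `*` is not a drop-in replacement for an explicit list: Authorization must still be named, and the wildcard is ignored entirely for credentialed requests.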
