{"content":"Dev journal: agent-browser-core standalone MetaApp rendering fix.\n\nCommit: 1289058 fix: allow sandboxed metaapp module assets\n\nProblem: a ZIP MetaApp could now be resolved by the standalone Browser, but its Web Components and module scripts did not fully load inside the sandboxed iframe. Browser evidence showed module-script CORS failures from origin 'null' because the iframe runs without allow-same-origin and the preview asset route did not send Access-Control-Allow-Origin.\n\nChange: standalone preview asset responses now include access-control-allow-origin: * while preserving the current sandbox. The shared sendText helper accepts optional headers so this remains scoped to the preview asset route. Tests now assert the CORS header on extracted ZIP HTML and JS assets. Two standalone server tests were also isolated onto temporary cache roots so local developer cache contents cannot change the expected clearedArtifacts count.\n\nVerification: npm run verify passed with 133 tests. npm run verify:packages passed with 5 package tests. git diff --check passed. Manual Playwright verification on a temporary standalone server confirmed MetaApp module scripts and Web Components loaded after the header fix. A separate sandbox storage issue remains: localStorage still fails without allow-same-origin, so full MetaApp behavior should be handled next with an isolated preview origin or explicit sandbox policy rather than enabling allow-same-origin on same-origin preview paths.","contentType":"text/plain;utf-8","attachments":[],"quotePin":""}