​

CORS OPTIONS Preflight Fix - COMPLETE

​

Root Cause Analysis

​

Initial Problem

• OPTIONS /api/v1/admin/agents/resolver → 404
• OPTIONS /api/v1/admin/hierarchy/* → 404

​

Deployment Failure

RuntimeError: project contains dangerous character ' ': payroll-bi-gauntlet GIT_COMMIT_SHA=7cd7f2848f6077e3abcf4ca7a5c4f451a94d2144

• Incorrect: --set-env-vars GCP_PROJECT_ID=payroll-bi-gauntlet,GIT_COMMIT_SHA=...
• Problem: PowerShell interpreted comma as part of the value, setting GCP_PROJECT_ID to entire string
• Fix: Used PowerShell variable to properly quote the comma-separated list

​

Solution Implemented

​

Code Changes

1. /api/v1/admin/agents/resolver → options_agent_resolver()
2. /api/v1/admin/hierarchy/reparent → options_hierarchy_reparent()
3. /api/v1/admin/hierarchy/batch_reparent → options_hierarchy_batch_reparent()
4. /api/v1/admin/hierarchy/bootstrap → options_hierarchy_bootstrap()
5. /api/v1/admin/hierarchy/tree → options_hierarchy_tree()
6. /api/v1/admin/hierarchy/history → options_hierarchy_history()

• Returns 204 No Content (standard for OPTIONS)
• CORSMiddleware automatically adds CORS headers
• No auth dependencies (OPTIONS requests don’t include auth headers)

​

Deployment Fix

$envVars = "GCP_PROJECT_ID=payroll-bi-gauntlet,GIT_COMMIT_SHA=7cd7f2848f6077e3abcf4ca7a5c4f451a94d2144"
gcloud run deploy payroll-backend-prod --source . \
  --region us-central1 \
  --project payroll-bi-gauntlet \
  --service-account 238826317621-compute@developer.gserviceaccount.com \
  --set-env-vars $envVars \
  --memory 1Gi --cpu 1 --timeout 300 \
  --concurrency 80 --max-instances 10 --min-instances 0 \
  --allow-unauthenticated --clear-base-image

​

Deployment Status

• Revision: payroll-backend-prod-00164-khb
• Service URL: https://payroll-backend-prod-238826317621.us-central1.run.app
• Deployment Time: ~3 minutes
• Status: Serving 100% of traffic

​

Post-Deploy Verification

​

OPTIONS Preflight Test

curl -i -X OPTIONS \
  "https://payroll-backend-prod-238826317621.us-central1.run.app/api/v1/admin/agents/resolver?include_inactive=true" \
  -H "Origin: https://payroll-pipeline-cbs.vercel.app" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: authorization,x-org-id"

• Access-Control-Allow-Origin: https://payroll-pipeline-cbs.vercel.app
• Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH
• Access-Control-Allow-Headers: *
• Access-Control-Allow-Credentials: true

​

Verification Checklist

• OPTIONS /api/v1/admin/agents/resolver returns 200 (not 404)
• CORS headers present: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers
• Deployment successful: revision payroll-backend-prod-00164-khb is healthy
• Browser DevTools: No CORS errors when calling resolver endpoint (manual verification needed)
• Export Agent IDs (CSV) works in browser (manual verification needed)
• Hierarchy tools load without resolver errors (manual verification needed)

​

Files Modified

• api/routes/admin_hierarchy.py - Added 6 OPTIONS handlers (46 lines)
• docs/CORS_OPTIONS_FIX.md - Initial deployment summary
• docs/CORS_OPTIONS_FIX_COMPLETE.md - This file

​

Notes

• OPTIONS handlers are minimal and safe - they don’t change business logic
• CORSMiddleware configuration remains unchanged (already correct)
• This fix is compatible with existing CORS setup
• No RBAC/auth changes - OPTIONS handlers have no dependencies
• Environment variable parsing issue was deployment-specific, not code-related

​

Next Steps

1. Manual Browser Verification:
   • Navigate to /admin/identity-overrides?tab=hierarchy
   • Click “Export Agent IDs”
   • Verify no CORS errors in DevTools
   • Confirm CSV downloads successfully
2. Monitor Production:
   • Check Cloud Run logs for any OPTIONS-related errors
   • Verify resolver endpoint calls succeed from frontend