fix(devserver): add x-bt-use-gateway to CORS allowed headers (#119)

The Braintrust Playground sends x-bt-use-gateway when gateway routing
is enabled. The api-ts CORS config already allows it, but the Python
devserver's ALLOWED_HEADERS list was missing it, causing browsers to
block preflight requests to remote eval servers with a CORS error.

Author: cjgalione

py/src/braintrust/devserver/cors.py

@@ -23,6 +23,7 @@
     "x-bt-project-id",
     "x-bt-stream-fmt",
     "x-bt-use-cache",
+    "x-bt-use-gateway",
     "x-stainless-os",
     "x-stainless-lang",
     "x-stainless-package-version",

py/src/braintrust/devserver/test_server_integration.py

@@ -87,6 +87,28 @@ def test_devserver_health_check(client):
     assert response.text == "Hello, world!"
 
 
+def test_cors_preflight_allows_gateway_header(client):
+    """Test that CORS preflight accepts x-bt-use-gateway header.
+
+    The Braintrust Playground sends this header when gateway routing is
+    enabled.  If it is missing from the devserver's allowed-headers list
+    the browser blocks the actual request with a CORS error.
+    """
+    response = client.options(
+        "/eval",
+        headers={
+            "origin": "https://www.braintrust.dev",
+            "access-control-request-method": "POST",
+            "access-control-request-headers": "x-bt-use-gateway",
+        },
+    )
+    assert response.status_code == 200
+    allowed = response.headers.get("access-control-allow-headers", "")
+    assert "x-bt-use-gateway" in allowed, (
+        f"x-bt-use-gateway not found in access-control-allow-headers: {allowed}"
+    )
+
+
 @pytest.mark.vcr
 def test_devserver_list_evaluators(client, api_key, org_name):
     """Test listing evaluators endpoint."""