feat: implement auto-injection of insertr.js with site-specific configuration

• Add /insertr.js endpoint to serve JavaScript library from API server
• Implement demo gate auto-injection for sites without existing gates
• Add dynamic site ID injection using per-demo configuration files
• Fix CORS middleware to support localhost origins on any port
• Update demo commands to use individual insertr.yaml configs
• Resolve content persistence issues by matching site IDs between injection and enhancement
• Enable complete edit/save workflow for demo sites with proper namespace isolation

internal/api/handlers.go

@@ -5,8 +5,10 @@ import (
 	"database/sql"
 	"encoding/json"
 	"fmt"
+	"io"
 	"log"
 	"net/http"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -717,3 +719,30 @@ func (h *ContentHandler) generateContentID(ctx *ElementContext) string {
 	idGenerator := parser.NewIDGenerator()
 	return idGenerator.Generate(virtualNode, "api-generated")
 }
+
+// ServeInsertrJS handles GET /insertr.js - serves the insertr JavaScript library
+func (h *ContentHandler) ServeInsertrJS(w http.ResponseWriter, r *http.Request) {
+	// Path to the built insertr.js file
+	jsPath := "lib/dist/insertr.js"
+
+	// Check if file exists
+	if _, err := os.Stat(jsPath); os.IsNotExist(err) {
+		http.Error(w, "insertr.js not found - run 'just build-lib' to build the library", http.StatusNotFound)
+		return
+	}
+
+	// Open and serve the file
+	file, err := os.Open(jsPath)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Failed to open insertr.js: %v", err), http.StatusInternalServerError)
+		return
+	}
+	defer file.Close()
+
+	// Set appropriate headers
+	w.Header().Set("Content-Type", "application/javascript")
+	w.Header().Set("Cache-Control", "no-cache") // For development
+
+	// Copy file contents to response
+	io.Copy(w, file)
+}

internal/api/middleware.go

@@ -3,6 +3,7 @@ package api
 import (
 	"log"
 	"net/http"
+	"strings"
 	"time"
 )
 
@@ -11,24 +12,8 @@ func CORSMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		origin := r.Header.Get("Origin")
 
-		// Allow localhost and 127.0.0.1 on common development ports
-		allowedOrigins := []string{
-			"http://localhost:3000",
-			"http://127.0.0.1:3000",
-			"http://localhost:8080",
-			"http://127.0.0.1:8080",
-		}
-
-		// Check if origin is allowed
-		originAllowed := false
-		for _, allowed := range allowedOrigins {
-			if origin == allowed {
-				originAllowed = true
-				break
-			}
-		}
-
-		if originAllowed {
+		// In development mode, allow all localhost origins including demo sites
+		if isLocalhostOrigin(origin) {
 			w.Header().Set("Access-Control-Allow-Origin", origin)
 		} else {
 			// Fallback to wildcard for development (can be restricted in production)
@@ -97,8 +82,8 @@ func CORSPreflightHandler(w http.ResponseWriter, r *http.Request) {
 	// Allow localhost and 127.0.0.1 on common development ports
 	allowedOrigins := []string{
 		"http://localhost:3000",
-		"http://127.0.0.1:3000",
 		"http://localhost:8080",
+		"http://127.0.0.1:3000",
 		"http://127.0.0.1:8080",
 	}
 
@@ -125,3 +110,20 @@ func CORSPreflightHandler(w http.ResponseWriter, r *http.Request) {
 
 	w.WriteHeader(http.StatusOK)
 }
+
+// isLocalhostOrigin checks if an origin is a localhost/127.0.0.1 development origin
+func isLocalhostOrigin(origin string) bool {
+	if origin == "" {
+		return false
+	}
+
+	// Allow localhost and 127.0.0.1 on any port for development
+	return strings.HasPrefix(origin, "http://localhost:") ||
+		strings.HasPrefix(origin, "https://localhost:") ||
+		strings.HasPrefix(origin, "http://127.0.0.1:") ||
+		strings.HasPrefix(origin, "https://127.0.0.1:") ||
+		origin == "http://localhost" ||
+		origin == "https://localhost" ||
+		origin == "http://127.0.0.1" ||
+		origin == "https://127.0.0.1"
+}