[Web runtime] Add SSE subscribe + CORS to HttpTransport

[minggangw]

Adds Server-Sent Events (SSE) subscription support and CORS to the HTTP transport, so browsers and other HTTP clients can subscribe to ROS topics over plain HTTP (no WebSocket required) and call the runtime cross-origin.

Core (lib/runtime/)

• transports/http.js (+334 / −26) — the bulk of the change:
  • New HttpSseConnection: a long-lived Connection that streams one subscription as text/event-stream. The 200 SSE headers are deferred until the dispatcher acks ({ok:true}), so a rejected subscribe still returns a normal JSON error instead of a half-open stream; on success it emits a ready event ({capability, subId:"sse"}) followed by message events, and starts an unref'd keep-alive setInterval. Includes _writeEvent, _writeError, and a once-only close path.
  • subscribe is served only when sse: true, via GET /capability/subscribe/<name> (non-GET → 405 with allow: GET; unexposed / sse off → JSON 404); call and publish continue to work as before.
  • CORS via _applyCors / _normaliseCors: cors accepts true/'*' (any origin), a single origin string, or an allow-list array. Allow-list mode echoes a matching Origin and sets Vary: Origin. Access-Control-Allow-Headers reflects the browser's Access-Control-Request-Headers on preflight (falling back to content-type), so Authorization and custom headers pass. OPTIONS preflight returns 204 for capability routes when CORS is on. CORS headers are applied first, so they appear on JSON replies, 204s, and SSE streams alike.
  • sseKeepAliveMs configurable (default 15000, 0 disables).
• cli-config.js (+67 / −5) — new flags --http-sse, --http-sse-keep-alive <ms>, and repeatable --http-cors <origin>; maps to http.sse / http.sseKeepAliveMs / http.cors. DEFAULTS, validation, merge, HELP, and examples all updated.
• index.d.ts (+3) — HttpTransportOptions gains sse?: boolean; sseKeepAliveMs?: number; cors?: boolean | string | string[];.

CLI (bin/rclnodejs-web.js)

• (+16 / −1) Passes sse / sseKeepAliveMs / cors through to HttpTransport, and re-runs validateConfig on the merged result so flag-only values (e.g. --http-sse-keep-alive foo → NaN) are rejected before reaching the transport; banner distinguishes "call/publish + subscribe (SSE)" vs "call/publish only".

Demos (demo/web/javascript, demo/web/typescript)

• runtime.mjs (+20 / −13) — HttpTransport runs with sse: true, cors: true; exposes /add_two_ints, publishes/subscribes /web_demo_chatter, and subscribes /topic (drops the standalone /web_demo_tick publisher so all panels share one topic); banner gains an "HTTP SSE" line.
• web.json (+6 / −4) — http block now sets port: 9001, sse: true, cors: "*"; subscribe exposes /web_demo_chatter + /topic.
• index.html (+237 / −18) — new native EventSource (SSE) panel and fetch() panel with ready/message/error handlers and open/close controls, plus curl examples.
• javascript/README.md (+82 / −19), typescript/README.md (+15 / −15) — document the SSE/CORS flow; the TS demo notes its HTTP transport stays call/publish-only and points to the JS demo for SSE.

Docs

• web/README.md (+25 / −1) — §3 curl recipes gain an SSE curl -N example and a browser EventSource snippet.
• README.md (+4 / −4), scripts/npmjs-readme.md (+1 / −1) — rclnodejs/web bullet notes subscribe over SSE and a CORS-enabled browser fetch() / EventSource.

Tests

• test/test-web-http.js (+278) — SSE + CORS HTTP integration suite: deferred-header behaviour, ready/message events, keep-alive, 404/405 routing, preflight, origin echo / allow-list.
• test/test-web-cli.js (+105) — new cases for --http-sse, --http-sse-keep-alive (including bin-flow NaN rejection), and --http-cors (single, accumulation, precedence) plus config validation.

Fix: #1510

[Copilot]

Pull request overview

Adds opt-in HTTP subscribe support for the Web Runtime via Server-Sent Events (SSE) and introduces configurable CORS handling so browser/HTTP-only clients can access the HTTP transport cross-origin.

Changes:

• Add HttpSseConnection and a GET /capability/subscribe/<name> SSE route to HttpTransport (opt-in via sse / sseKeepAliveMs), plus CORS + OPTIONS preflight support.
• Extend the CLI/config system with --http-sse, --http-sse-keep-alive <ms>, and repeatable --http-cors <origin> flags (and matching web.json keys).
• Update the web demos/docs to showcase SSE + native browser EventSource, and add CLI parsing/validation tests.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
test/test-web-cli.js	Adds unit tests for new CLI flags and config validation/merge behavior (SSE + CORS).
lib/runtime/transports/http.js	Implements SSE subscribe connection/route and adds CORS handling + OPTIONS preflight to the HTTP transport.
lib/runtime/cli-config.js	Adds defaults, argv parsing, config validation, merge rules, and help text for http.sse, http.sseKeepAliveMs, http.cors.
demo/web/typescript/README.md	Documents that HTTP subscribe-over-SSE is opt-in and points to the JS demo for an SSE example.
demo/web/javascript/runtime.mjs	Enables SSE + CORS for the JS demo runtime and exposes /topic for pairing with the publisher example.
demo/web/javascript/README.md	Documents SSE subscribe usage (curl + browser EventSource) and the required CORS setting.
demo/web/javascript/index.html	Adds a native EventSource panel demonstrating SSE subscribe from the browser.
bin/rclnodejs-web.js	Wires new config fields into HttpTransport construction and updates the startup banner wording.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coveralls]

coverage: 91.178% (-0.04%) from 91.219% — minggangw:fix-1510-sse into RobotWebTools:develop

[Copilot]

Pull request overview

Copilot reviewed 8 out of 10 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 11 changed files in this pull request and generated 2 comments.