fix(cors): allow PUT in embed CORS policy for OTP verification

Both /api/chat/[identifier]/otp and /api/form/[identifier]/otp export
PUT for OTP code verification. The embed policy advertised only
GET/POST/OPTIONS, so cross-origin embed clients failed preflight on
verify. Add PUT and assert it in the embed policy test.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/proxy.test.ts

@@ -57,12 +57,19 @@ describe('resolveApiCorsPolicy', () => {
       expect(policy).toEqual({
         origin: 'https://customer.example',
         credentials: false,
-        methods: 'GET, POST, OPTIONS',
+        methods: 'GET, POST, PUT, OPTIONS',
         headers: 'Content-Type, X-Requested-With',
       })
     }
   })
 
+  it('allows PUT on the embed policy (used by OTP verification on /[identifier]/otp)', () => {
+    const policy = resolveApiCorsPolicy(
+      makeRequest('/api/chat/abc/otp', 'https://customer.example')
+    )
+    expect(policy.methods).toContain('PUT')
+  })
+
   it('falls back to wildcard for chat/form embeds when no origin header is present', () => {
     expect(resolveApiCorsPolicy(makeRequest('/api/chat/abc')).origin).toBe('*')
   })

apps/sim/proxy.ts

@@ -89,7 +89,8 @@ const CORS_RULES: readonly CorsRule[] = [
     policy: (request) => ({
       origin: request.headers.get('origin') || '*',
       credentials: false,
-      methods: 'GET, POST, OPTIONS',
+      // PUT is required for OTP verification on /[identifier]/otp.
+      methods: 'GET, POST, PUT, OPTIONS',
       headers: 'Content-Type, X-Requested-With',
     }),
   },