Headers removed when adding additional property using Lang facade to API resource

So I had the craziest error happen to me today, and I have no idea how in the world this could be happening. I consider myself to be very familiar with almost every piece of internal Laravel code, and understand how most of it works... But this, I can't wrap my head around.

We are wrapping up version 4 of our API currently and we were adding our new login (we use Passport) endpoint to the API. When we merged the code and deployed it to our staging environment, we started getting CORS errors. The options request from our one frontend client app was making a successful OPTIONS request but when it would go to send the POST login request, it would block the response because there were no Access-Control-* headers on the response... To make things even more confusing, when hitting this endpoint in the staging env from Postman, it would work but the response would display it as if it were just plain text because the Content-Type header was coming back as text/html (we had all request headers set properly such as Accept: application/json). The response in Postman only had 5 headers (normal response has around 10-11 headers for example it always contains the Access-Control-* CORS headers). I narrowed down the issue and it turns out after we login, we return a UserResource and add 2 additional properties to the JSON response. For some reason the code below strips out all headers from the response:

Code causing Headers to be removed:

/**
 * Send the response after the user was authenticated.
 *
 * @param  \App\User $user
 * @param  \Illuminate\Http\Request $request
 * @param  array $data
 * @return \Illuminate\Http\Response
 */
protected function sendLoginResponse(User $user, Request $request, array $data)
{
    $user->load(['providers', 'roles', 'partners']);

    return (new UserResource($user))
        ->withAuthTokens($data)
        ->additional([
            'type'    => 'success',
            'message' => Lang::get('auth.success'),
        ]);
}

Now the crazy part.. The code that fixed this issue is below. The only difference is I don't use the Lang facade to get the message but am just putting in the message myself. I have confirmed that Lang::get('auth.success') does return same exact message as the message below.

Code that works and doesn't cause response headers to be removed:

/**
 * Send the response after the user was authenticated.
 *
 * @param  \App\User $user
 * @param  \Illuminate\Http\Request $request
 * @param  array $data
 * @return \Illuminate\Http\Response
 */
protected function sendLoginResponse(User $user, Request $request, array $data)
{
    $user->load(['providers', 'roles', 'partners']);

    return (new UserResource($user))
        ->withAuthTokens($data)
        ->additional([
            'type'    => 'success',
            'message' => 'You were signed in successfully!',
        ]);
}

How in the world is this possibly causing the headers to be stripped out. I don't know if I just uncovered a crazy hidden bug in the framework or if my brain is fried and I'm just not seeing it. Any ideas?