fix: restore localhost-only server defaults

[jingxiang-z]

Description

Checklist

• I am familiar with the Contributing Guidelines.
• New or existing tests cover these changes.
• The documentation is up to date with these changes.

Summary by CodeRabbit

• Configuration

  • Agent network binding changed to listen on localhost (127.0.0.1:15133) instead of all network interfaces.

• Refactor

  • Removed CORS header handling from server middleware.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request removes custom CORS middleware from the server's request handling, eliminating explicit Access-Control-Allow-* header management and OPTIONS request short-circuiting. Corresponding test assertions are updated to reflect the absence of CORS headers. Additionally, the Helm chart restricts the agent's network binding from all interfaces to loopback only.

Changes

Cohort / File(s)	Summary
CORS Middleware Removal internal/server/server.go, internal/server/handlers_test.go	Removed custom CORS middleware that set Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers headers, and handled OPTIONS preflight requests with 204 responses. Test expectations updated to reflect empty CORS headers and 404 response for OPTIONS requests instead of 204.
Network Binding Configuration deployments/helm/fleet-intelligence-agent/values.yaml	Updated listenAddress from 0.0.0.0:15133 (all interfaces) to 127.0.0.1:15133 (loopback only), restricting agent network access to localhost.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Whiskers twitching with delight,
CORS headers fade from sight,
Localhost walls keep us tight,
Security shines ever bright! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: restore localhost-only server defaults' directly aligns with the main changes: updating listenAddress to 127.0.0.1 (localhost) and removing CORS middleware that previously allowed all origins.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/helm-localhost-cors

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}