feat(security): CORS middleware with configurable origins

## Summary
No `CORSMiddleware`. If the frontend ever moves to a different origin (separate CDN, mobile wrapper, staging subdomain), every XHR breaks.

## Changes
- `backend/gateway/src/main.py`:
  ```python
  app.add_middleware(
      CORSMiddleware,
      allow_origins=settings.cors_origins,
      allow_credentials=True,
      allow_methods=["*"],
      allow_headers=["*"],
  )
  ```
- `settings.cors_origins` from `GATEWAY__CORS_ORIGINS` (comma-separated). Default empty (same-origin only).

## Verification
- With `GATEWAY__CORS_ORIGINS=https://app.example.com`, an `OPTIONS` preflight returns correct `Access-Control-Allow-Origin`.
- Unlisted origin preflight is rejected.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(security): CORS middleware with configurable origins #8

Summary

Changes

Verification

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

feat(security): CORS middleware with configurable origins #8

Description

Summary

Changes

Verification

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions