fix(devserver): tighten cors origin validation

[Abhijeet Prasad (AbhiPrasad)]

Use a full regex match for preview Braintrust origins so crafted hostnames that merely share the allowed prefix are rejected. Add focused tests for valid preview origins, suffix bypass attempts, and OPTIONS header reflection behavior.

[starfolkai]

Drop into this review session: sfk devbox connect pr-203-braintrust-sdk-python-1144 --attach

No serious bugs or issues found 🎉

The match() to fullmatch() fix correctly closes the CORS origin suffix bypass. Tests are colocated with the code they cover and follow existing patterns in the directory.

Note (below threshold, not flagged as an issue): test_cors.py may not be collected by the existing test_cli nox session in py/noxfile.py, which hard-codes test_server_integration.py. Consider adding the new file to that session or broadening it to discover all devserver tests.