
add HTTP_CORS_ALLOWED_ORIGINS to configure cors.allowedOrigins #110

Merged: mborne merged 3 commits into master from 93-cors on May 5, 2026

@mborne mborne commented May 5, 2026

TL;DR

This PR adds CORS origin configuration for HTTP transport to improve security against DNS rebinding and make production deployment safer.

Short Description

  • Adds HTTP_CORS_ALLOWED_ORIGINS to configure the list of allowed origins in HTTP mode.
  • Wires this value into the MCP server CORS configuration.
  • Logs a clear warning when the variable is not set (security recommendation).
  • Updates README documentation with the new variable and a usage example.

Why

The current HTTP setup is permissive by default. This PR introduces an explicit, environment-driven way to restrict allowed origins (local, staging, production).

Impact

  • Backward compatible: server still starts if the variable is not set.
  • Better security posture when the variable is configured.
  • No functional change to business tools.

Example

HTTP_CORS_ALLOWED_ORIGINS="http://localhost:3000,https://geollm.beta.ign.fr"

Reference

Closes #93

Copilot AI left a comment

Pull request overview

This PR addresses issue #93 by adding an environment-driven way to configure HTTP CORS origin validation for the MCP server, with corresponding documentation updates. In the codebase, this affects the server bootstrap path in src/index.ts and the deployment/configuration guidance in README.md.

Changes:

  • Add HTTP_CORS_ALLOWED_ORIGINS parsing in the server startup code and pass it into HTTP transport CORS options.
  • Emit a warning when the CORS origins variable is not configured.
  • Document the new variable in the README and update the table of contents.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/index.ts | Adds env parsing, warning logic, and HTTP transport CORS wiring at server startup. |
| README.md | Documents the new environment variable and updates README navigation. |

@mborne mborne merged commit 09e4a07 into master May 5, 2026
3 checks passed
@mborne mborne deleted the 93-cors branch May 5, 2026 09:45
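
The parsing and origin check this PR describes can be sketched as follows. This is an added example, not the code merged in src/index.ts: the names `CorsConfig`, `parseAllowedOrigins` and `isOriginAllowed`, the warning texts, and the policy of rejecting wildcards and non-origin entries are all assumptions.

```typescript
// Added example: names and policy are assumptions, not the project's code.
interface CorsConfig {
  allowedOrigins: string[]; // normalized origins (scheme://host[:port])
  warnings: string[];       // messages the caller should log at startup
}

// raw is the value of HTTP_CORS_ALLOWED_ORIGINS (comma-separated origins),
// e.g. process.env.HTTP_CORS_ALLOWED_ORIGINS in a Node.js server.
function parseAllowedOrigins(raw: string | undefined): CorsConfig {
  const warnings: string[] = [];
  if (raw === undefined || raw.trim() === "") {
    warnings.push("HTTP_CORS_ALLOWED_ORIGINS is not set; allowed origins are not restricted");
    return { allowedOrigins: [], warnings };
  }
  const origins = new Set<string>();
  for (const entry of raw.split(",").map((s) => s.trim())) {
    if (entry === "") continue; // tolerate "a,,b" and trailing commas
    let url: URL | null = null;
    try {
      url = new URL(entry);
    } catch {
      // not an absolute URL (for example "*"); rejected below
    }
    // An origin is scheme + host + port only: no path, query, fragment or credentials.
    const ok =
      url !== null &&
      (url.protocol === "http:" || url.protocol === "https:") &&
      url.pathname === "/" && url.search === "" && url.hash === "" &&
      url.username === "" && url.password === "";
    if (ok && url !== null) {
      origins.add(url.origin); // lowercases the host and drops default ports
    } else {
      warnings.push(`ignored entry that is not an http(s) origin: ${entry}`);
    }
  }
  return { allowedOrigins: Array.from(origins), warnings };
}

// Exact match against the browser-serialized Origin header: no prefix or suffix
// matching, so "https://geollm.beta.ign.fr.other.example" does not pass.
function isOriginAllowed(originHeader: string, allowed: string[]): boolean {
  return allowed.includes(originHeader);
}
```

What to do with requests that carry no Origin header (non-browser clients) is left to the caller here.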