Dev-Server CORS middleware incorrectly rejects methods

[vissersg]

Is this a support request?
This is directly related to the CLI / Dev-Server code.

Describe the bug
The CorsHeaders defined here only allow the GET method. For routers that support REPORT (such as the evalXRouter) the preflight checks will fail for that method and the client will receive a 405 status code when trying to connect.

To reproduce

1. Run the ldcli dev server
2. Curl the sdk/evalx/{envId}/contexts endpoint with REPORT, it will pass as expected

$ curl -X REPORT http://localhost:8765/sdk/evalx/dev/contexts

{"foo":{"value":false,"version":16,"trackEvents":false}}                

3. Simulate a preflight check for that endpoint & method, it will reject with a 405 status code

$ curl -i -X OPTIONS "http://localhost:8765/sdk/evalx/dev/contexts" \
  -H "Origin: http://localhost:8080" \
  -H "Access-Control-Request-Method: REPORT" \
  -H "Access-Control-Request-Headers: content-type"

HTTP/1.1 405 Method Not Allowed
Date: Tue, 24 Mar 2026 16:44:27 GMT
Content-Length: 0

Expected behavior
The CORS middleware should support the same methods that each router does, such that preflight checks return correctly for REPORT methods.

Logs
If applicable, add any log output related to your problem.

CLI version
2.2.0

OS/platform
macOS 14.8.4

Additional context
Add any other context about the problem here.

[vissersg]

I have opened #670 with a proposed fix for the issue, please let me know if an alternative approach would be preferred 🙏

Thanks!