Add environment-driven CORS settings and backend regression tests

backend/app/config.py

@@ -41,6 +41,14 @@ class Settings(BaseSettings):
         default="UTC",
         description="IANA timezone name used when displaying timestamps in the UI.",
     )
+    cors_allowed_origins: list[str] = Field(
+        default_factory=lambda: ["http://localhost:5173"],
+        description=(
+            "Comma-separated list of allowed CORS origins when the frontend is "
+            "served from a different origin than the backend. "
+            "Leave empty to disable cross-origin requests in production."
+        ),
+    )
     log_level: str = Field(
         default="info",
         description="Application log level: debug | info | warning | error | critical.",

backend/app/main.py

@@ -345,15 +345,17 @@ def create_app(settings: Settings | None = None) -> FastAPI:
     set_setup_complete_cache(app, False)
 
     # --- CORS ---
-    # In production the frontend is served by the same origin.
-    # CORS is intentionally permissive only in development.
-    app.add_middleware(
-        CORSMiddleware,
-        allow_origins=["http://localhost:5173"],  # Vite dev server
-        allow_credentials=True,
-        allow_methods=["*"],
-        allow_headers=["*"],
-    )
+    # Allow origins configured by the runtime environment. In production,
+    # this should be explicitly set to the frontend origin(s) or left empty
+    # when the UI is served from the same origin as the API.
+    if resolved_settings.cors_allowed_origins:
+        app.add_middleware(
+            CORSMiddleware,
+            allow_origins=resolved_settings.cors_allowed_origins,
+            allow_credentials=True,
+            allow_methods=["*"],
+            allow_headers=["*"],
+        )
 
     # --- Middleware ---
     # Note: middleware is applied in reverse order of registration.