Add environment-driven CORS settings and backend regression tests

backend/app/main.py

@@ -345,15 +345,17 @@ def create_app(settings: Settings | None = None) -> FastAPI:
     set_setup_complete_cache(app, False)
 
     # --- CORS ---
-    # In production the frontend is served by the same origin.
-    # CORS is intentionally permissive only in development.
-    app.add_middleware(
-        CORSMiddleware,
-        allow_origins=["http://localhost:5173"],  # Vite dev server
-        allow_credentials=True,
-        allow_methods=["*"],
-        allow_headers=["*"],
-    )
+    # Allow origins configured by the runtime environment. In production,
+    # this should be explicitly set to the frontend origin(s) or left empty
+    # when the UI is served from the same origin as the API.
+    if resolved_settings.cors_allowed_origins:
+        app.add_middleware(
+            CORSMiddleware,
+            allow_origins=resolved_settings.cors_allowed_origins,
+            allow_credentials=True,
+            allow_methods=["*"],
+            allow_headers=["*"],
+        )
 
     # --- Middleware ---
     # Note: middleware is applied in reverse order of registration.