[1.0.1][Security] Remove wildcard CORS fallback and fail closed in production #95

@0sm0s1z

Summary

sirius-api currently falls back to * for CORS origins when CORS_ALLOWED_ORIGINS is unset.

Why this matters

Wildcard CORS in production can expose APIs to unintended browser origins and increase abuse surface.

Evidence

In sirius-api/main.go, when CORS_ALLOWED_ORIGINS is empty, origin fallback is *.

Current behavior

  • CORS_ALLOWED_ORIGINS missing -> AllowOrigins = "*"

Expected behavior

  • production should fail startup (or fail closed) when allowed origins are not explicitly configured
  • no wildcard default in production mode

Proposed fix

  1. Keep permissive defaults only for local/dev mode if needed.
  2. In production mode, require non-empty explicit allowlist.
  3. Validate and normalize configured origins at startup.
  4. Add tests for missing/invalid/valid origin configurations.
  5. Document required prod env var usage.

Acceptance criteria

  • Production mode does not allow wildcard fallback.
  • Startup fails when CORS_ALLOWED_ORIGINS is missing in production.
  • CORS tests validate strict allowlist behavior.
  • Deployment docs include explicit CORS origin requirements.

Release target

1.0.1 security hardening
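
One way steps 1 to 3 of the proposed fix could look, as an added example that is not code from sirius-api: the function name `resolveCORSOrigins` and its `production` flag are hypothetical, since the issue does not show how the service detects production mode. It fails closed when `CORS_ALLOWED_ORIGINS` is empty in production and rejects any entry that is not a plain `scheme://host[:port]` origin.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// resolveCORSOrigins turns the raw CORS_ALLOWED_ORIGINS value into a strict
// allowlist. The function name and the production flag are hypothetical;
// how sirius-api detects production mode is not shown in the issue.
func resolveCORSOrigins(raw string, production bool) ([]string, error) {
	if strings.TrimSpace(raw) == "" {
		if production {
			return nil, errors.New("CORS_ALLOWED_ORIGINS must be set in production")
		}
		return []string{"*"}, nil // permissive default for local/dev only
	}
	seen := map[string]bool{}
	var origins []string
	for _, entry := range strings.Split(raw, ",") {
		// An origin is scheme://host[:port]; "*", wildcard hosts, paths and empty entries are errors.
		u, err := url.Parse(strings.TrimSpace(entry))
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" ||
			strings.Contains(u.Host, "*") || u.User != nil ||
			strings.Trim(u.Path, "/") != "" || u.RawQuery != "" || u.Fragment != "" {
			return nil, fmt.Errorf("invalid CORS origin %q: want scheme://host[:port]", entry)
		}
		origin := u.Scheme + "://" + strings.ToLower(u.Host) // normalized form
		if !seen[origin] {
			seen[origin] = true
			origins = append(origins, origin)
		}
	}
	return origins, nil
}

func main() {
	// Constructed sample values, not taken from the project.
	for _, raw := range []string{"", "*", "HTTPS://App.Example.com/, https://app.example.com"} {
		origins, err := resolveCORSOrigins(raw, true)
		fmt.Printf("%q -> %v, err=%v\n", raw, origins, err)
	}
}
```

A startup path would call this once and exit on a non-nil error, so a missing or malformed allowlist stops the service instead of silently widening access.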
