fix: restrict CORS to configured origins (closes #40)

- Add CORSOrigins config field (UPAAS_CORS_ORIGINS env var) - Default to same-origin only (no CORS headers when unconfigured) - When configured, allow specified origins with AllowCredentials: true - Add tests for CORS middleware behavior
2026-02-19 13:45:18 -08:00
parent 506c795f16
commit 02847eea92
6 changed files with 105 additions and 61 deletions
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -82,7 +82,7 @@ type deploymentLogWriter struct {
 	lineBuffer bytes.Buffer // buffer for incomplete lines
 	mu         sync.Mutex
 	done       chan struct{}
-	flushed    sync.WaitGroup // waits for flush goroutine to finish
+	flushed    sync.WaitGroup  // waits for flush goroutine to finish
 	flushCtx   context.Context //nolint:containedctx // needed for async flush goroutine
 }