feat: add configurable CORS origins for production security

[bianbiandashen]

Summary

Replace hardcoded Access-Control-Allow-Origin: * with a configurable CORS policy to enhance security in production deployments.

Problem

The current CORS configuration allows any origin:

"Access-Control-Allow-Origin": "*"

This is convenient for development but poses security risks in production, allowing any website to make requests to the API.

Solution

Add configurable CORS origins via environment variable with flexible pattern matching.

Configuration

Set AGENTATION_CORS_ORIGINS environment variable:

# Single origin
AGENTATION_CORS_ORIGINS=https://example.com

# Multiple origins (comma-separated)
AGENTATION_CORS_ORIGINS=https://app.example.com,https://admin.example.com

# Regex pattern (e.g., all subdomains)
AGENTATION_CORS_ORIGINS=regex:https://.*\.example\.com

# Mixed
AGENTATION_CORS_ORIGINS=https://app.example.com,regex:https://.*\.dev\.example\.com

Features

Feature	Description
Multiple origins	Comma-separated list
Regex patterns	Prefix with regex:
Production warning	Logs warning if using * with NODE_ENV=production
Vary header	Proper caching support for non-wildcard origins
Backward compatible	Defaults to * if not set

Implementation

• getCorsAllowedOrigins(): Parse env var into origin list
• isOriginAllowed(): Check if request origin matches config
• getCorsOriginHeader(): Get appropriate ACAO header value
• Updated sendJson(), sendError(), handleCors() to accept origin

Changes

• mcp/src/server/http.ts: Add CORS configuration logic

Test plan

• Verified wildcard mode works (backward compatible)
• Verified single origin restriction works
• Verified multiple origins work
• Verified regex patterns work
• Verified Vary header is set for non-wildcard
• Verified production warning is logged

[vercel]

@bianbiandashen is attempting to deploy a commit to the Benji Taylor's Projects Team on Vercel.

A member of the Team first needs to authorize it.