Add CORS configuration with allowlist support

[Sulex45]

Description:
Replace the open cors() config with a configurable allowlist of allowed origins.
Acceptance Criteria:

ALLOWED_ORIGINS env var accepts comma-separated list of origins
If unset, defaults to * (open) in development, restrictive in production
Returns proper CORS headers for allowed origins
Test added

[toniasteve15-ui]

@toniasteve15-ui has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi, This issue is something i can resolve, I'd love to work on it Kindly Assign me, Thank you.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @toniasteve15-ui to this issue.

[drips-wave]

Congratulations, @toniasteve15-ui! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @toniasteve15-ui: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊