Fix Opus code review findings: config race condition, error logging, CORS warnings

- Fix race condition in update_config: build response under write lock
  instead of dropping lock then re-reading (avoids stale data)
- Log config file rename errors instead of silently ignoring with let _ =
- Log CORS origin parse failures as warnings for debuggability
- Harden Ollama sidecar security context: drop all capabilities

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: haasonsaas

charts/diffscope/templates/deployment.yaml

@@ -157,6 +157,10 @@ spec:
         - name: ollama
           securityContext:
             allowPrivilegeEscalation: false
+            runAsNonRoot: false
+            capabilities:
+              drop:
+                - ALL
           image: "{{ .Values.ollama.image.repository }}:{{ .Values.ollama.image.tag }}"
           imagePullPolicy: {{ .Values.ollama.image.pullPolicy }}
           ports:

src/server/api.rs

@@ -457,19 +457,19 @@ pub async fn update_config(
 
     *config = new_config;
     config.normalize();
-    drop(config);
 
-    // Persist config to disk
-    AppState::save_config_async(&state);
-
-    // Return updated config (redacted)
-    let config = state.config.read().await;
+    // Build response while still holding the write lock
     let mut result = serde_json::to_value(&*config).unwrap_or_default();
     if let Some(obj) = result.as_object_mut() {
         if obj.contains_key("api_key") {
             obj.insert("api_key".to_string(), serde_json::json!("***"));
         }
     }
 
+    drop(config);
+
+    // Persist config to disk
+    AppState::save_config_async(&state);
+
     Ok(Json(result))
 }

src/server/mod.rs

@@ -61,14 +61,21 @@ async fn serve_embedded(uri: axum::http::Uri) -> Response {
 pub async fn start_server(config: Config, host: &str, port: u16) -> anyhow::Result<()> {
     let state = Arc::new(state::AppState::new(config)?);
 
-    let allowed_origins: Vec<axum::http::HeaderValue> = [
+    let origin_strings = [
         format!("http://localhost:{}", port),
         format!("http://127.0.0.1:{}", port),
         "http://localhost:5173".to_string(),
-    ]
-    .iter()
-    .filter_map(|s| s.parse().ok())
-    .collect();
+    ];
+    let allowed_origins: Vec<axum::http::HeaderValue> = origin_strings
+        .iter()
+        .filter_map(|s| match s.parse() {
+            Ok(v) => Some(v),
+            Err(e) => {
+                eprintln!("Warning: failed to parse CORS origin '{}': {}", s, e);
+                None
+            }
+        })
+        .collect();
 
     let cors = CorsLayer::new()
         .allow_origin(allowed_origins)

src/server/state.rs

@@ -134,7 +134,9 @@ impl AppState {
                 eprintln!("Failed to write config: {}", e);
                 return;
             }
-            let _ = tokio::fs::rename(&tmp_path, &state.config_path).await;
+            if let Err(e) = tokio::fs::rename(&tmp_path, &state.config_path).await {
+                eprintln!("Failed to rename config file: {}", e);
+            }
         });
     }