feat(config): make CORS allowed origins configurable via env

[raulanatol]

Summary

• Adds a new CORSSettings block (env prefix CORS_) and exposes it as settings.CORS.ORIGINS.
• src/main.py now feeds allow_origins from settings.CORS.ORIGINS instead of a hardcoded list. Defaults preserve the prior values (http://localhost, http://127.0.0.1:8000, https://api.honcho.dev) so existing deployments behave identically.
• Documented under a new CORS Settings section in .env.template.

Motivation: self-hosted deployments behind custom domains currently have to patch src/main.py to whitelist their frontend. With this change a single env var is enough:

CORS_ORIGINS=["https://app.example.com","https://staging.example.com"]

Scope is intentionally limited to origins. The allow_methods / allow_headers wildcards flagged in #394 are left as-is to keep this PR focused on the env-configurability hole; happy to follow up in a separate PR if maintainers want them tightened too.

Test plan

• uv run ruff check src/
• uv run ruff format --check src/
• uv run basedpyright src/main.py src/config.py — 0 errors
• Verified defaults load unchanged: uv run python -c "from src.config import settings; print(settings.CORS.ORIGINS)"
• Verified env override: CORS_ORIGINS='["http://foo.test","https://bar.test"]' uv run python -c ...
• Maintainers: smoke test that CORS preflight from a custom origin works once CORS_ORIGINS is set

Summary by CodeRabbit

• New Features

  • CORS origins are now configurable at runtime via environment settings; the app reads allowed origins from configuration instead of using a hardcoded list.

• Chores

  • Updated environment template with a new CORS section and example list of allowed origins for local and production use.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 50ea94de-9b80-42d4-b4fe-dddb59847f5a

📥 Commits

Reviewing files that changed from the base of the PR and between 61e269f and 4db285c.

📒 Files selected for processing (1)

• src/config.py

🚧 Files skipped from review as they are similar to previous changes (1)

• src/config.py

---

Walkthrough

This PR externalizes CORS allowed origins from hardcoded values into a configurable CORSSettings model. A new settings class with environment variable and TOML support is defined, integrated into the application's top-level settings, applied to CORS middleware initialization, and documented in the environment template.

Changes

CORS Configuration Externalization

Layer / File(s)	Summary
Configuration model and middleware integration src/config.py, src/main.py, .env.template	CORSSettings class with ORIGINS default allowlist is defined with CORS_ env/TOML configuration, added to AppSettings, wired into CORSMiddleware to replace hardcoded origin lists, and documented in the environment template.

Sequence Diagram

sequenceDiagram
  participant App as Application
  participant Settings as AppSettings.CORS
  participant Middleware as CORSMiddleware
  App->>Settings: read ORIGINS (settings.CORS.ORIGINS)
  App->>Middleware: add_middleware(..., allow_origins=settings.CORS.ORIGINS)
  Middleware->>Middleware: enforce CORS using allow_origins

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit hops through CORS once more,
No hardcoding—just a config store!
Env vars dance where lists once lay,
Origins now flexible to sway. 🌐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately describes the main change: making CORS allowed origins configurable via environment variables.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}