fix: Use CORS_ORIGIN env var in allowed origins list

- Add corsOrigin from config to allowedOrigins array
- Log warning when CORS blocks an origin (helps debugging)

backend/src/main.ts

@@ -27,17 +27,19 @@ async function bootstrap(): Promise<void> {
   app.use(helmet());
   app.use(compression());
 
-  // CORS configuration - Allow multiple origins for local development
+  // CORS configuration - Allow configured origin plus local development origins
   const allowedOrigins = [
+    corsOrigin,
     'http://localhost:4200',
     'http://localhost:3000',
     'http://localhost:8080',
-  ];
+  ].filter(Boolean);
   app.enableCors({
     origin: (origin, callback) => {
       if (!origin || allowedOrigins.includes(origin)) {
         callback(null, true);
       } else {
+        logger.warn(`CORS blocked origin: ${origin}. Allowed: ${allowedOrigins.join(', ')}`);
         callback(null, false);
       }
     },