fix(backend): restrict CORS to configurable origins and explicit methods/headers #1283

Open
dataCenter430 wants to merge 1 commit into eigent-ai:main from dataCenter430:fix-CORS-configuration
Conversation

@dataCenter430
Related Issue

CORS configuration: missing or overly permissive CORS can allow unwanted origins.

Closes #1260

Description

Replace permissive CORS (allow_origins=["*"] with allow_credentials=True and
allow_methods/allow_headers=["*"]) with a safe, configurable setup:

  • Origins: read from CORS_ORIGINS (comma-separated) in ~/.eigent/.env or env.
    In development, if unset, allow only http://localhost:5173, 127.0.0.1:5173,
    and ports 3000. In non-development, allow no origins until CORS_ORIGINS is set.
  • Methods: GET, POST, PUT, DELETE, OPTIONS only.
  • Headers: Content-Type, Authorization, x-stack-auth only.

Document CORS_ORIGINS in backend README. Ensures credentials work correctly
(no wildcard origin with credentials) and reduces risk of unwanted origins
calling the API from the browser.

Why?

  • Security: Overly permissive CORS lets any website send credentialed requests to your API from the browser; restricting to an explicit origin list and to the methods/headers the app uses reduces that risk.
  • Correctness: Using allow_origins=["*"] with allow_credentials=True is invalid per the CORS spec; browsers may ignore or mishandle it. Using a concrete list of origins with credentials is valid and predictable.
  • Operability: Development keeps working with default localhost origins; production stays strict until CORS_ORIGINS is set, and the README explains how to configure it.

What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Contribution Guidelines Acknowledgement
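As an added illustration of the policy the PR describes (this is example code, not the eigent backend's own implementation), the following derives a strict CORS configuration from the environment: origins come from a comma-separated CORS_ORIGINS, development falls back to the localhost defaults, any other environment allows no origins until CORS_ORIGINS is set, and methods and headers are explicit allow-lists. The environment-name variable APP_ENV, the port-3000 defaults covering both localhost and 127.0.0.1, and the origin-format validation are assumptions of this example rather than details taken from the PR.

```python
"""Derive a strict CORS configuration from environment variables.

Added example, not the eigent backend's own code. It mirrors the PR's policy:
CORS_ORIGINS (comma-separated) wins when set; development falls back to
localhost defaults; every other environment allows nothing; methods and
headers are explicit allow-lists; a wildcard origin is rejected because it is
invalid alongside allow_credentials=True.
Assumptions (not from the PR): the environment name comes from APP_ENV, an
unset APP_ENV is treated as non-development (fail closed), and the port-3000
defaults cover both localhost and 127.0.0.1.
"""
import os
from typing import Dict, List, Mapping, Optional
from urllib.parse import urlsplit

DEV_DEFAULT_ORIGINS = [
    "http://localhost:5173",
    "http://127.0.0.1:5173",
    "http://localhost:3000",
    "http://127.0.0.1:3000",
]
ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
ALLOWED_HEADERS = ["Content-Type", "Authorization", "x-stack-auth"]


def parse_origins(raw: Optional[str]) -> List[str]:
    """Split CORS_ORIGINS into a clean list of scheme://host[:port] origins.

    Blank entries are dropped and trailing slashes removed: browsers send the
    Origin header without a path, so "https://app.example.com/" would never
    match. Entries that are not a bare http(s) origin raise, so a typo in the
    deployment config fails at startup rather than silently allowing nothing.
    """
    if not raw:
        return []
    origins: List[str] = []
    for item in raw.split(","):
        origin = item.strip().rstrip("/")
        if not origin:
            continue
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc \
                or parts.path or parts.query or parts.fragment:
            raise ValueError(f"CORS_ORIGINS entry is not a bare origin: {item!r}")
        origins.append(origin)
    return origins


def resolve_origins(env: Mapping[str, str]) -> List[str]:
    """Configured origins if present; dev defaults in development; else none."""
    configured = parse_origins(env.get("CORS_ORIGINS"))
    if configured:
        return configured
    # Assumption: APP_ENV names the environment; unset means non-development.
    if env.get("APP_ENV") == "development":
        return list(DEV_DEFAULT_ORIGINS)
    return []


def cors_settings(env: Mapping[str, str]) -> Dict[str, object]:
    """Keyword arguments for Starlette/FastAPI CORSMiddleware."""
    origins = resolve_origins(env)
    if "*" in origins:
        # A wildcard origin combined with credentials is invalid per the CORS
        # spec and would let any site make credentialed requests.
        raise ValueError("wildcard origin cannot be combined with allow_credentials=True")
    return {
        "allow_origins": origins,
        "allow_credentials": True,
        "allow_methods": list(ALLOWED_METHODS),
        "allow_headers": list(ALLOWED_HEADERS),
    }


def origin_allowed(origin: str, settings: Dict[str, object]) -> bool:
    """Exact-match check, the comparison CORSMiddleware makes for a plain origin list."""
    return origin in settings["allow_origins"]  # type: ignore[operator]


if __name__ == "__main__":
    # In the app this would be: app.add_middleware(CORSMiddleware, **cors_settings(os.environ))
    print(cors_settings(os.environ))
```

Because the middleware matches a plain origin list exactly, `https://app.example.com` and `https://app.example.com:443` are different origins; the value in CORS_ORIGINS must be exactly what the browser sends in the Origin header.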

Development

Successfully merging this pull request may close these issues.

[Feature Request] Architecture and UX Improvement