[feat] Make CORS origins configurable

[ThePlenkov]

Problem

The CORS_ORIGINS list in cli_agent_orchestrator/constants.py is hardcoded to the Vite dev server ports:

CORS_ORIGINS = [
    "http://localhost:5173",
    "http://127.0.0.1:5173",
    # ... other hardcoded origins
]

When serving the CAO web UI on a different port (e.g. 9889 in production, or any custom port via --port), the browser blocks API requests due to CORS policy.

Proposed Solution

Make CORS origins configurable via environment variable, with the current hardcoded list as defaults:

import os

_DEFAULT_ORIGINS = [
    "http://localhost:5173",
    "http://127.0.0.1:5173",
]

_extra = os.environ.get("CAO_CORS_ORIGINS", "")
CORS_ORIGINS = _DEFAULT_ORIGINS + [o.strip() for o in _extra.split(",") if o.strip()]

Alternatively (or additionally), automatically derive CORS origins from the --port flag passed to cao-server:

# In server startup, after parsing --port:
if port != 5173:
    CORS_ORIGINS.extend([
        f"http://localhost:{port}",
        f"http://127.0.0.1:{port}",
    ])

Workaround

We currently patch constants.py at install time to add our port:

"http://localhost:9889",
"http://127.0.0.1:9889",

Use Case

Anyone running the CAO server on a non-default port (Docker deployments, reverse proxies, devcontainers, production setups) hits this. The --port flag on cao-server already allows changing the port, but CORS doesn't follow.

[call-me-ram]

PR #255 picks up the CORS half of this — CAO_CORS_ORIGINS (comma-separated) extends the built-in list rather than replacing it, so the default Vite ports keep working and operators can add a custom production origin on top.\n\nThe PR does not yet wire CORS origins to the --port flag (the second half of your suggestion). Happy to follow up with that if the env-var approach lands and you'd still like the auto-derivation — let me know which form you'd prefer.