gateway: add CORS allow-list for the public REST surface

Adds a `GATEWAY_PUBLIC_HTTP_CORS_ALLOWED_ORIGINS` env-driven allow-list
on the public REST server so the dev UI on https://www.galaxy.lan can
call https://api.galaxy.lan without the browser blocking the
cross-origin response. Defaults to empty (no CORS) so the production
posture stays closed.

The middleware mounts before route classification and anti-abuse, so
OPTIONS preflights never charge against per-class rate-limit buckets.

`tools/dev-deploy/docker-compose.yml` opts the dev gateway into a
single allowed origin (`https://www.galaxy.lan`); local-dev keeps the
defaults because Vite proxies through the same origin.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tools/dev-deploy/docker-compose.yml

@@ -157,6 +157,10 @@ services:
       GATEWAY_RESPONSE_SIGNER_PRIVATE_KEY_PEM_PATH: /run/secrets/gateway-response.pem
       GATEWAY_REDIS_MASTER_ADDR: "galaxy-redis:6379"
       GATEWAY_REDIS_PASSWORD: galaxy-dev
+      # UI lives on https://www.galaxy.lan; the API is on
+      # https://api.galaxy.lan. Browsers therefore issue cross-origin
+      # requests to the gateway and need an explicit allow-list.
+      GATEWAY_PUBLIC_HTTP_CORS_ALLOWED_ORIGINS: "https://www.galaxy.lan"
       # Anti-abuse defaults are looser than production: the dev
       # environment is shared by a handful of trusted testers who
       # frequently hammer the same identity to reproduce flows.