
fix: CORS for all /app routes + fix CI migration out-of-order error#1837

Merged
WcaleNieWolny merged 1 commit into
Cap-go:mainfrom
ToriChanIntegration:fix/cors-app-endpoints
Mar 20, 2026

@ToriChanIntegration ToriChanIntegration commented Mar 20, 2026

Summary (AI generated)

  • Applied useCors middleware globally (*) to all /app routes instead of only /demo and /store-metadata
  • Added --include-all flag to supabase db push in CI to handle out-of-order local migrations

Motivation (AI generated)

CORS fix: OPTIONS preflight requests to /app/:id were returning 404, blocking the onboarding flow. The browser sends a preflight OPTIONS before any cross-origin call, but CORS middleware was only set on /demo and /store-metadata — leaving all other routes unhandled.

CI migration fix: supabase db push was failing with:

"Found local migration files to be inserted before the last migration on remote database."

Migration 20260317020500_revoke_cleanup_expired_demo_apps_public_exec.sql was committed out-of-order and never applied to the remote DB. Its timestamp is earlier than the last applied remote migration, so the normal db push rejects it. The --include-all flag is the correct way to handle this scenario — it applies all unapplied local migrations regardless of timestamp order.

Business Impact (AI generated)

  • Unblocks onboarding: new users can create their first app without hitting a CORS wall
  • Unblocks deployments: CI was failing on every push due to the unapplied migration

Test Plan (AI generated)

  • Start local Supabase (bun run supabase:start) and backend (bun backend)
  • From a browser (cross-origin), issue OPTIONS /app/:id — expect 200 with CORS headers instead of 404
  • Complete the onboarding flow end-to-end: create org → create app → no CORS errors in browser console
  • Confirm CI "Apply Supabase Migrations" step passes after merging
  • Run backend tests: bun test:backend

Generated with AI

OPTIONS preflight requests to /app/:id were returning 404 because CORS
middleware was only applied to /demo and /store-metadata routes. The
onboarding flow calls /app/:id from the browser, triggering a preflight
that the server wasn't handling.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@WcaleNieWolny WcaleNieWolny merged commit ad60228 into Cap-go:main Mar 20, 2026
3 checks passed

@ToriChanIntegration ToriChanIntegration changed the title fix(api): apply CORS middleware to all /app routes fix: CORS for all /app routes + fix CI migration out-of-order error Mar 20, 2026
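
Added example, not part of the pull request or of Capgo's code: a simplified JavaScript model of the preflight failure described above. It shows the route-scoped mounting answering `OPTIONS /app/:id` with 404, the `*` mounting answering it, and that mounting CORS on every route is separate from allowing every origin. The dispatcher, the `ALLOWED_ORIGINS` allowlist, the 204 status and the header values are assumptions; the page does not show what `useCors` sends.

```javascript
// Simplified model, not Capgo's code. Dispatcher, origins and headers are assumptions.
const ALLOWED_ORIGINS = new Set(['https://console.example.test']); // constructed value

// Compile a route pattern such as '/app/:id' or '*' into a path predicate.
function matcher(pattern) {
  if (pattern === '*') return () => true;
  const re = new RegExp('^' + pattern.replace(/:[^/]+/g, '[^/]+') + '$');
  return (path) => re.test(path);
}

// CORS middleware: answers preflights itself and decorates every other response.
function cors(req, next) {
  const origin = req.headers.origin;
  const allowed = Boolean(origin) && ALLOWED_ORIGINS.has(origin);
  const headers = allowed ? { 'access-control-allow-origin': origin, vary: 'Origin' } : {};
  if (req.method !== 'OPTIONS') {
    const res = next();
    return { status: res.status, headers: { ...res.headers, ...headers } };
  }
  if (allowed) headers['access-control-allow-methods'] = 'GET,POST,PUT,DELETE';
  return { status: 204, headers }; // any 2xx status passes the browser's preflight check
}

// Build a handler whose CORS middleware is mounted only on `corsPatterns`.
function buildApp(corsPatterns) {
  const mounts = corsPatterns.map(matcher);
  const routes = [
    { method: 'GET', match: matcher('/demo') },
    { method: 'GET', match: matcher('/app/:id') },
  ];
  return function handle(req) {
    // Route lookup that runs when no middleware short-circuits the request.
    const terminal = () => {
      const hit = routes.some((r) => r.method === req.method && r.match(req.path));
      return { status: hit ? 200 : 404, headers: {} };
    };
    return mounts.some((m) => m(req.path)) ? cors(req, terminal) : terminal();
  };
}

const preflight = (path, origin) => ({ method: 'OPTIONS', path, headers: { origin } });
const scopedApp = buildApp(['/demo', '/store-metadata']); // mounting before the fix
const globalApp = buildApp(['*']);                        // mounting after the fix
```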