fix(cors): throw hard error in production when CORS_ORIGIN is unset #1072

Merged: aaight merged 1 commit into dev from fix/cors-origin-hard-error-production on Apr 2, 2026
aaight (Collaborator) commented Apr 2, 2026

Summary

  • Throws at startup in production when CORS_ORIGIN is not set, replacing the previous warn() + empty origin list behavior that caused silent frontend failures
  • Updates buildCorsMiddleware() in src/utils/corsConfig.ts to throw an Error with a clear, actionable message instead of logging a warning
  • Removes the now-unused warn parameter from the function destructuring (kept in interface for backward compatibility)
  • Updates tests/unit/utils/corsConfig.test.ts to assert the throw behavior instead of the old warning + blocking tests

Trello card: https://trello.com/c/c2mjMUXE/575-8-cors-origin-warning-should-be-a-hard-error-in-production-src-utils-corsconfigts50-56-missing-corsorigin-in-production-logs-a-w

Test plan

  • buildCorsMiddleware({ corsOriginEnv: undefined, isProduction: true }) throws Error matching /CORS_ORIGIN is not set/
  • Error message is actionable: matches /Set CORS_ORIGIN to your frontend URL/
  • All existing non-production paths unchanged (dev default, single origin, multi-origin, whitespace trimming)
  • TypeScript type check passes with zero errors
  • Biome lint passes with zero errors
  • All 10 unit tests pass

🤖 Generated with Claude Code

🕵️ claude-code · claude-sonnet-4-6 · run details

codecov Bot commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

nhopeatall (Collaborator) left a comment

LGTM — Fail-fast at startup is the correct pattern for a required production config. The previous behavior (warn + empty origin list) silently broke all frontend CORS requests, which is worse than crashing. The implementation is clean: single call site in dashboard.ts, clear actionable error message, and tests properly assert the throw. Keeping warn? in the interface for backward compat is a reasonable choice since existing callers passing it won't break.

🕵️ claude-code · claude-opus-4-6 · run details

aaight merged commit fc828a3 into dev on Apr 2, 2026
9 checks passed
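
The fail-fast behaviour discussed in this thread, as an added TypeScript example that is not the project's code: it contrasts the earlier warn-and-continue handling with throwing at startup. The function names, the dev default origin and the comma-separated list format are assumptions; only `corsOriginEnv`, `isProduction`, `warn` and the error wording come from the PR text.

```typescript
// Added example, not the project's code. Option names follow the PR text;
// the dev default and the comma-separated format are assumptions.
interface CorsOptions {
  corsOriginEnv: string | undefined;
  isProduction: boolean;
  warn?: (msg: string) => void; // only used by the legacy variant
}

const DEV_DEFAULT_ORIGIN = "http://localhost:5173"; // constructed placeholder

// Split a comma-separated list, trim whitespace, drop empty entries.
function parseOrigins(raw: string | undefined): string[] {
  return (raw ?? "")
    .split(",")
    .map((o) => o.trim())
    .filter((o) => o.length > 0);
}

// "Before": warn and continue with an empty allowlist. The server starts,
// but every cross-origin request from the frontend is refused.
function resolveOriginsLegacy({ corsOriginEnv, isProduction, warn }: CorsOptions): string[] {
  const origins = parseOrigins(corsOriginEnv);
  if (origins.length > 0) return origins;
  if (!isProduction) return [DEV_DEFAULT_ORIGIN];
  warn?.("CORS_ORIGIN is not set; all cross-origin requests will be blocked");
  return [];
}

// "After": fail fast at startup. A blank or whitespace-only value is
// treated as unset (a choice made in this example).
function resolveOriginsStrict({ corsOriginEnv, isProduction }: CorsOptions): string[] {
  const origins = parseOrigins(corsOriginEnv);
  if (origins.length > 0) return origins;
  if (!isProduction) return [DEV_DEFAULT_ORIGIN];
  throw new Error(
    "CORS_ORIGIN is not set in production. Set CORS_ORIGIN to your frontend URL."
  );
}

// Exact-match allowlist check, as a CORS origin callback would apply it.
function isOriginAllowed(origin: string, allowlist: string[]): boolean {
  return allowlist.indexOf(origin) !== -1;
}
```

With the legacy variant a missing variable only surfaces later as blocked browser requests; with the strict variant the process never reaches the point of serving traffic with an empty allowlist.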