feat(api): add CORS middleware and /health contract test

CORS:
- New setting CORS_ALLOWED_ORIGINS (comma separated). Defaults cover
  the three local Vite ports (5173, 5273, 4173); production overlay
  expects the real origin in .env.prod.
- main.py wires CORSMiddleware from settings.cors_origins. No * in
  production - see RUNBOOK and .env.prod.example.
- docker-compose.yml forwards the variable to both api and worker.

Tests:
- tests/test_api_health.py uses FastAPI TestClient and monkeypatches
  the five probe functions (postgres/minio/opensearch/qdrant/redis).
  Verifies the all-ok, any-error, and degraded paths, that the root
  endpoint reports the configured api prefix, and that the CORS
  preflight echoes the allowed origin.
- pytest tests/test_api_health.py -q: 5 passed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/config.py

@@ -27,6 +27,14 @@ class Settings(BaseSettings):
     app_input_dir: str = Field("/data/input", alias="APP_INPUT_DIR")
     app_work_dir: str = Field("/data/work", alias="APP_WORK_DIR")
     app_api_prefix: str = Field("/api/v1", alias="APP_API_PREFIX")
+    cors_allowed_origins: str = Field(
+        "http://localhost:5173,http://localhost:5273,http://localhost:4173",
+        alias="CORS_ALLOWED_ORIGINS",
+    )
+
+    @property
+    def cors_origins(self) -> list[str]:
+        return [o.strip() for o in self.cors_allowed_origins.split(",") if o.strip()]
 
     # ---------------- Postgres ----------------
     postgres_host: str = Field("postgres", alias="POSTGRES_HOST")