fix(gateway): make CORS configurable, remove unsafe wildcard+credentials (#837)

## Description
The gateway hardcodes CORS with `allow_origins=["*"]` and
`allow_credentials=True`. Per the CORS spec, wildcard + credentials is
invalid (browsers reject it). A wildcard origin is also overly
permissive for production.

This PR adds a `cors_allow_origins` config field (default:
empty/disabled). When origins are listed, credentials are allowed. When
a wildcard is used, credentials are auto-disabled per spec. CORS is off
by default (secure-by-default).

## PR Type
- 🐛 Bug Fix

## Checklist
- [x] I understand the code I am submitting.
- [x] I have added unit tests that prove my fix/feature works
- [x] I have run this code locally and verified it fixes the issue.
- [x] New and existing tests pass locally
- [ ] Documentation was updated where necessary
- [x] I have read and followed the [contribution
guidelines](https://github.com/mozilla-ai/any-llm/blob/main/CONTRIBUTING.md)
- **AI Usage:**
    - [ ] No AI was used.
    - [ ] AI was used for drafting/refactoring.
    - [x] This is fully AI-generated.

## AI Usage Information
- AI Model used: Claude Opus 4.6
- AI Developer Tool used: Claude Code
- Any other info you'd like to share: Identified during a comprehensive
gateway code review.

- [x] I am an AI Agent filling out this form (check box if true)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: njbrake

src/any_llm/gateway/config.py

@@ -37,6 +37,9 @@ class GatewayConfig(BaseSettings):
     host: str = Field(default="0.0.0.0", description="Host to bind the server to")  # noqa: S104
     port: int = Field(default=8000, description="Port to bind the server to")
     master_key: str | None = Field(default=None, description="Master key for protecting management endpoints")
+    cors_allow_origins: list[str] = Field(
+        default_factory=list, description="Allowed CORS origins (empty list disables CORS)"
+    )
     providers: dict[str, dict[str, Any]] = Field(
         default_factory=dict, description="Pre-configured provider credentials"
     )

src/any_llm/gateway/server.py

@@ -34,13 +34,15 @@ def create_app(config: GatewayConfig) -> FastAPI:
         version=__version__,
     )
 
-    app.add_middleware(
-        CORSMiddleware,
-        allow_origins=["*"],
-        allow_credentials=True,
-        allow_methods=["*"],
-        allow_headers=["*"],
-    )
+    if config.cors_allow_origins:
+        allow_credentials = "*" not in config.cors_allow_origins
+        app.add_middleware(
+            CORSMiddleware,
+            allow_origins=config.cors_allow_origins,
+            allow_credentials=allow_credentials,
+            allow_methods=["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+            allow_headers=["Content-Type", "Authorization", "X-AnyLLM-Key"],
+        )
 
     app.include_router(chat.router)
     app.include_router(keys.router)

tests/gateway/test_cors_configuration.py

@@ -0,0 +1,87 @@
+"""Tests for CORS configuration."""
+
+from typing import Any
+
+from fastapi.testclient import TestClient
+from sqlalchemy.orm import Session
+
+from any_llm.gateway.config import GatewayConfig
+from any_llm.gateway.db import get_db
+from any_llm.gateway.server import create_app
+
+
+def test_cors_disabled_by_default(postgres_url: str, test_db: Session) -> None:
+    """Test that CORS middleware is not added when cors_allow_origins is empty."""
+    config = GatewayConfig(
+        database_url=postgres_url,
+        master_key="test-master-key",
+        host="127.0.0.1",
+        port=8000,
+    )
+
+    app = create_app(config)
+
+    def override_get_db() -> Any:
+        yield test_db
+
+    app.dependency_overrides[get_db] = override_get_db
+
+    with TestClient(app) as client:
+        response = client.get("/health", headers={"Origin": "https://evil.com"})
+        assert response.status_code == 200
+        assert "access-control-allow-origin" not in response.headers
+
+
+def test_cors_with_specific_origins(postgres_url: str, test_db: Session) -> None:
+    """Test that CORS allows only configured origins."""
+    config = GatewayConfig(
+        database_url=postgres_url,
+        master_key="test-master-key",
+        host="127.0.0.1",
+        port=8000,
+        cors_allow_origins=["https://trusted.com"],
+    )
+
+    app = create_app(config)
+
+    def override_get_db() -> Any:
+        yield test_db
+
+    app.dependency_overrides[get_db] = override_get_db
+
+    with TestClient(app) as client:
+        # Trusted origin should get CORS headers
+        response = client.get("/health", headers={"Origin": "https://trusted.com"})
+        assert response.status_code == 200
+        assert response.headers.get("access-control-allow-origin") == "https://trusted.com"
+        assert response.headers.get("access-control-allow-credentials") == "true"
+
+        # Untrusted origin should not get CORS headers
+        response = client.get("/health", headers={"Origin": "https://evil.com"})
+        assert response.status_code == 200
+        assert response.headers.get("access-control-allow-origin") != "https://evil.com"
+
+
+def test_cors_wildcard_disables_credentials(postgres_url: str, test_db: Session) -> None:
+    """Test that wildcard origin disables allow_credentials per CORS spec."""
+    config = GatewayConfig(
+        database_url=postgres_url,
+        master_key="test-master-key",
+        host="127.0.0.1",
+        port=8000,
+        cors_allow_origins=["*"],
+    )
+
+    app = create_app(config)
+
+    def override_get_db() -> Any:
+        yield test_db
+
+    app.dependency_overrides[get_db] = override_get_db
+
+    with TestClient(app) as client:
+        response = client.get("/health", headers={"Origin": "https://any-site.com"})
+        assert response.status_code == 200
+        assert response.headers.get("access-control-allow-origin") == "*"
+        # Credentials should NOT be allowed with wildcard
+        assert response.headers.get("access-control-allow-credentials") != "true"