Make CORS origins configurable via environment variable in Engine #95

@KaranJagtiani

Description

CORS allowed origins in the engine middleware (engine/src/api/middleware/__init__.py) are hardcoded to localhost URLs. This prevents the engine from accepting requests from production frontend domains without code changes.

Scope

  • Engine (engine/src/api/config/settings.py):
    • Add a CORS_ORIGINS: str = "http://localhost:3000,http://localhost:3001" setting.
  • Engine (engine/src/api/middleware/__init__.py):
    • Read CORS origins from the settings (comma-separated string) instead of hardcoding.
    • Parse the string into a list and pass to CORSMiddleware.
    • Keep the existing localhost defaults for local development.

Acceptance criteria

  • CORS origins are read from the CORS_ORIGINS environment variable.
  • Multiple origins can be specified as a comma-separated string.
  • Default values match the current hardcoded localhost origins.
  • Production deployments can configure custom origins without code changes.
  • No regressions to CORS behavior in local development.

How to test manually

  1. Run the Engine locally without setting CORS_ORIGINS — verify default localhost origins work.
  2. Set CORS_ORIGINS=https://app.skyflo.ai,https://staging.skyflo.ai and restart.
  3. Make a cross-origin request from one of the configured origins — verify it succeeds.
  4. Make a cross-origin request from an unconfigured origin — verify it's blocked.
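
One way to do the parsing step listed under Scope, as an added example rather than code from the Skyflo.ai repository. The function names and the validation policy (rejecting `*`, paths and malformed entries, failing on an empty value) are assumptions of this example; the returned list is what would be passed to CORSMiddleware as `allow_origins`.

```python
import os
from urllib.parse import urlsplit

# Default taken from the issue's proposed setting.
DEFAULT_CORS_ORIGINS = "http://localhost:3000,http://localhost:3001"


def parse_cors_origins(raw: str) -> list[str]:
    """Turn a comma-separated CORS_ORIGINS value into a validated origin list."""
    origins: list[str] = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate "a,,b" and a trailing comma
        if item == "*":
            # Policy choice of this example: a wildcard must be a code change,
            # not something an environment variable can switch on.
            raise ValueError("wildcard origin is not accepted from CORS_ORIGINS")
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not an http(s) origin: {item!r}")
        _ = parts.port  # raises ValueError on a non-numeric or out-of-range port
        if "@" in parts.netloc or parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError(f"origin must be scheme://host[:port] only: {item!r}")
        # Browsers send Origin without a trailing slash and with a lowercase
        # host, and the comparison is an exact string match, so normalise here.
        origin = f"{parts.scheme}://{parts.netloc.lower()}"
        if origin not in origins:
            origins.append(origin)
    if not origins:
        # Fail closed: an empty value is a deployment mistake, not "use defaults".
        raise ValueError("CORS_ORIGINS is set but contains no origins")
    return origins


def load_cors_origins(env=os.environ) -> list[str]:
    """Read CORS_ORIGINS from the environment, falling back to the localhost defaults."""
    return parse_cors_origins(env.get("CORS_ORIGINS", DEFAULT_CORS_ORIGINS))
```

Validating at startup means a typo such as a missing scheme or a stray path stops the Engine from booting instead of silently blocking the production frontend.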

Labels

  • engine (Core Intelligence behind Skyflo.ai)
  • feature
  • good first issue (Good for newcomers)
  • infra (Foundation of Skyflo.ai)