fix: return 403 for disallowed origins on CORS preflight

- Change OPTIONS preflight to return 403 Forbidden for disallowed origins
  instead of 204 No Content without CORS headers
- Prevents endpoint discovery by unauthorized origins
- Clarify README security note about startup failure for invalid config
- Add explicit wildcard check in CorsConfigBuilder validation

Author: bburda

src/ros2_medkit_gateway/README.md

@@ -377,7 +377,7 @@ cors:
   max_age_seconds: 86400
 ```
 
-> ⚠️ **Security Note:** Using `["*"]` as `allowed_origins` is not recommended for production. When `allow_credentials` is `true`, wildcard origins are rejected at startup.
+> ⚠️ **Security Note:** Using `["*"]` as `allowed_origins` is not recommended for production. When `allow_credentials` is `true`, wildcard origins will cause the application to fail to start with an exception.
 
 ## Architecture
 

src/ros2_medkit_gateway/include/ros2_medkit_gateway/config.hpp

@@ -54,7 +54,7 @@ class CorsConfigBuilder {
   CorsConfigBuilder & with_headers(std::vector<std::string> headers);
   CorsConfigBuilder & with_credentials(bool credentials);
   CorsConfigBuilder & with_max_age(int seconds);
-  CorsConfig && build();
+  CorsConfig build();
 
  private:
   CorsConfig config_;

src/ros2_medkit_gateway/src/config.cpp

@@ -45,7 +45,7 @@ CorsConfigBuilder & CorsConfigBuilder::with_max_age(int seconds) {
   return *this;
 }
 
-CorsConfig && CorsConfigBuilder::build() {
+CorsConfig CorsConfigBuilder::build() {
   // Enable CORS only if origins are configured
   config_.enabled = !config_.allowed_origins.empty();
 

src/ros2_medkit_gateway/src/rest_server.cpp

@@ -42,12 +42,14 @@ RESTServer::RESTServer(GatewayNode * node, const std::string & host, int port, c
       }
 
       // Handle preflight OPTIONS requests
-      // Only set Max-Age and return 204 for allowed origins
+      // Return 204 for allowed origins, 403 for disallowed (prevents endpoint discovery)
       if (req.method == "OPTIONS") {
         if (origin_allowed) {
           res.set_header("Access-Control-Max-Age", std::to_string(cors_config_.max_age_seconds));
+          res.status = StatusCode::NoContent_204;
+        } else {
+          res.status = StatusCode::Forbidden_403;
         }
-        res.status = StatusCode::NoContent_204;
         return httplib::Server::HandlerResponse::Handled;
       }
       return httplib::Server::HandlerResponse::Unhandled;

src/ros2_medkit_gateway/test/test_cors.test.py

@@ -185,7 +185,7 @@ def test_03_preflight_options_request(self):
         )
 
     def test_04_preflight_disallowed_origin_no_cors_headers(self):
-        """Test preflight from disallowed origin gets no CORS headers."""
+        """Test preflight from disallowed origin returns 403 Forbidden."""
         response = requests.options(
             f'{self.BASE_URL_NO_CREDS}/health',
             headers={
@@ -194,15 +194,15 @@ def test_04_preflight_disallowed_origin_no_cors_headers(self):
             },
             timeout=5
         )
-        # Returns 204 but without CORS headers
-        self.assertEqual(response.status_code, 204)
+        # Returns 403 Forbidden for disallowed origins (prevents endpoint discovery)
+        self.assertEqual(response.status_code, 403)
         self.assertIsNone(
             response.headers.get('Access-Control-Allow-Origin'),
             'CORS headers should NOT be set for disallowed origin'
         )
         self.assertIsNone(
             response.headers.get('Access-Control-Max-Age'),
-            'Max-Age should NOT be set for disallowed origin (prevents caching)'
+            'Max-Age should NOT be set for disallowed origin'
         )
 
     def test_05_cors_on_put_endpoint(self):