bd62fcb599
Apps run on different hostnames (crm.gosec.internal, chronos.gosec.internal, …) so the browser fetch from <AppShell> to shell-api.gosec.internal is cross-origin and was being blocked. Add Fiber's cors middleware. Allowlist: any *.gosec.internal or *.gosec.cloud origin (override via CORS_ORIGINS env if a tighter list is needed). Allow Authorization + Content-Type + If-None-Match on the request side; expose ETag on the response side. Methods limited to GET + OPTIONS. Image: v0.1.4 Verified: curl -X OPTIONS https://shell-api.gosec.internal/api/v1/shell/gsc-crm -H "Origin: https://crm.gosec.internal" → 204 with access-control-allow-origin: https://crm.gosec.internal Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>