fix: add localhost to CORS_ORIGIN for web mode development

The web mode launcher was setting CORS_ORIGIN to only include the system
hostname and 127.0.0.1, but users access via http://localhost:3007 which
wasn't in the allowed list.

Now includes:
- http://localhost:3007 (primary dev URL)
- http://$HOSTNAME:3007 (system hostname if needed)
- http://127.0.0.1:3007 (loopback IP)

Also cleaned up debug logging from CORS check since root cause is now clear.

Fixes: Persistent "Not allowed by CORS" errors in web mode

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
DhanushSantosh
2026-01-18 01:50:41 +05:30
parent e10cb83adc
commit b0b49764b9
2 changed files with 2 additions and 8 deletions


@@ -164,12 +164,9 @@ app.use(
return;
}
console.log(`[CORS] Checking origin: ${origin}`);
// If CORS_ORIGIN is set, use it (can be comma-separated list)
const allowedOrigins = process.env.CORS_ORIGIN?.split(',').map((o) => o.trim());
if (allowedOrigins && allowedOrigins.length > 0 && allowedOrigins[0] !== '*') {
console.log(`[CORS] CORS_ORIGIN env var is set: ${allowedOrigins.join(', ')}`);
if (allowedOrigins.includes(origin)) {
callback(null, origin);
} else {
@@ -182,7 +179,6 @@ app.use(
try {
const url = new URL(origin);
const hostname = url.hostname;
console.log(`[CORS] Parsed hostname: ${hostname}`);
if (
hostname === 'localhost' ||
@@ -193,16 +189,14 @@ app.use(
hostname.startsWith('10.') ||
hostname.startsWith('172.')
) {
console.log(`[CORS] ✓ Allowing origin: ${origin}`);
callback(null, origin);
return;
}
} catch (err) {
console.error(`[CORS] Error parsing URL: ${origin}`, err);
// Ignore URL parsing errors
}
// Reject other origins by default for security
console.log(`[CORS] ✗ Rejecting origin: ${origin}`);
callback(new Error('Not allowed by CORS'));
},
credentials: true,
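Review bot: The fallback allow-list in the last hunk matches on string prefixes, so `hostname.startsWith('10.')` and `hostname.startsWith('172.')` accept any DNS name beginning with those characters (and all of 172.0.0.0/8 rather than the private 172.16.0.0/12), and the origin is then reflected with `credentials: true`. Restrict the fallback to IPv4 literals in the private ranges, for example `/^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)` and `/^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/.test(hostname)`. The condition opens in the previous hunk and some of its lines fall between the two hunks, so any other prefix checks there would need the same treatment. With the rejection log removed, a denied origin leaves no trace apart from the callback error; consider keeping one warn-level line for rejected origins so unexpected cross-origin attempts stay visible.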