Fix CORS Errors on FastAPI

FastAPI applications add CORSMiddleware with explicit allow_origins—wildcards and credentials do not mix per the Fetch spec. Mount the middleware first so every route, including OpenAPI and health checks, gets consistent headers.

AI gateways such as vLLM or Ollama HTTP frontends often omit CORS; put Nginx or FastAPI in front to add preflight support for browser-based chat UIs. Lock origins to your admin UI hostname.