Module cors 

Config-driven CORS, applied as one stateless layer at launch.

Off by default (LaunchConfig::cors = None) — zero per-request cost when disabled because the layer simply isn’t mounted. When enabled, the per- request work is a header lookup against a boot-frozen origin list.

Semantics follow the WHATWG fetch spec pragmatically:

• Preflight (OPTIONS + Access-Control-Request-Method) from an allowed origin short-circuits with 204 and the allow-headers — the request never reaches routing, guards, or body read.
• Actual requests from an allowed origin get Access-Control-Allow-* response headers plus Vary: Origin.
• "*" in allow_origins allows any origin. Combined with allow_credentials the specific origin is echoed back (the spec forbids * with credentials).

Structs

CorsConfig

CORS policy, frozen at launch.