fix: scope CORS regex to project name, not all Vercel apps

https://.*\.vercel\.app is too broad -- allows any Vercel project to
call our backend. Scoped to https://opencodeintel.*\.vercel\.app so
only our preview deploys are allowed.

Author: DevanshuNEU

.env.example

@@ -41,8 +41,8 @@ GITHUB_REDIRECT_URI=http://localhost:3000/auth/github/callback
 # Comma-separated list of allowed origins
 ALLOWED_ORIGINS=http://localhost:3000
 # Regex for dynamic CORS origins (Vercel preview deploys)
-# Set on Railway to allow PR preview URLs to call the backend
-# ALLOW_ORIGIN_REGEX=https://.*\.vercel\.app
+# Scoped to our project name so only our previews can call the backend
+# ALLOW_ORIGIN_REGEX=https://opencodeintel.*\.vercel\.app
 
 # Redis (auto-configured in Docker, set REDIS_URL in Railway)
 REDIS_HOST=redis

backend/main.py

@@ -75,8 +75,8 @@ async def dispatch(self, request: Request, call_next):
 app.add_middleware(RequestSizeLimitMiddleware)
 
 ALLOWED_ORIGINS = os.getenv("ALLOWED_ORIGINS", "http://localhost:3000").split(",")
-# Allow Vercel preview deploys (dynamic subdomains) so PRs can be tested
-# against the production backend without CORS issues
+# Allow Vercel preview deploys so PRs can be tested against prod backend.
+# Set to project-scoped regex: https://opencodeintel.*\.vercel\.app
 ALLOW_ORIGIN_REGEX = os.getenv("ALLOW_ORIGIN_REGEX", "")
 app.add_middleware(
     CORSMiddleware,