diff --git a/README.md b/README.md
index bf00a6e..0a87b0c 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,9 @@
 
 ## English
 
-Secure configuration file management service. Read, modify, and version-control JSON/YAML config files via REST API. Listens on localhost only — access remotely via SSH tunnel.
+Secure configuration file management service for first-time platform setup. Read, modify, and version-control JSON/YAML config files via REST API. Bound to localhost only — access remotely via an SSH tunnel.
+
+Part of the [HarborForge](../README.md) platform — `AbstractWizard` is the Go secure first-time setup service. The container listens on port `8080` (in the bundled compose file it is published as `127.0.0.1:18080`). It is intentionally separate from the core API (`HarborForge.Backend`, port 8000) and is used to seed and adjust configuration before/around bootstrap.
 
 ### Quick Start
 
@@ -32,6 +34,7 @@ CONFIG_DIR=./configs ./abstract-wizard
 | `CONFIG_DIR` | `/config` | Base directory for config files |
 | `LISTEN_ADDR` | `127.0.0.1:8080` | HTTP listen address |
 | `MAX_BACKUPS` | `10` | Max backup versions per file |
+| `CORS_ORIGINS` | _(empty)_ | Comma-separated allowed CORS origins. Empty or `*` allows all origins. |
 
 ### API
 
@@ -137,10 +140,11 @@ Then access via `http://127.0.0.1:18080` locally.
 ├── audit/
 │   └── logger.go        # Structured JSON audit log
 ├── server/
-│   ├── server.go        # HTTP server, routing, mode state machine
-│   ├── middleware.go     # Request logging middleware
+│   ├── server.go        # HTTP server, routing, mode state machine, graceful shutdown
+│   ├── middleware.go    # Request logging middleware
+│   ├── cors.go          # CORS middleware (CORS_ORIGINS)
 │   └── handlers.go      # API handlers
-├── Dockerfile           # Multi-stage build
+├── Dockerfile           # Multi-stage build (distroless, nonroot)
 └── docker-compose.yaml  # Example deployment
 ```
 
@@ -148,7 +152,9 @@ Then access via `http://127.0.0.1:18080` locally.
 
 ## 中文
 
-安全的配置文件管理服务。通过 REST API 对 JSON/YAML 配置文件进行读取、修改和版本管理，仅监听 localhost，通过 SSH 隧道访问。
+用于平台首次安装的安全配置文件管理服务。通过 REST API 对 JSON/YAML 配置文件进行读取、修改和版本管理，仅监听 localhost，通过 SSH 隧道访问。
+
+本组件是 [HarborForge](../README.md) 平台的一部分 —— `AbstractWizard` 是 Go 编写的安全首次安装服务。容器内监听 `8080` 端口（示例 compose 中映射为 `127.0.0.1:18080`），与核心 API（`HarborForge.Backend`，端口 8000）相互独立，用于在引导前后写入和调整配置。
 
 ### 快速开始
 
@@ -174,6 +180,7 @@ CONFIG_DIR=./configs ./abstract-wizard
 | `CONFIG_DIR` | `/config` | 配置文件存放目录 |
 | `LISTEN_ADDR` | `127.0.0.1:8080` | 监听地址 |
 | `MAX_BACKUPS` | `10` | 每个文件保留的最大备份数 |
+| `CORS_ORIGINS` | _(空)_ | 逗号分隔的允许 CORS 来源；为空或 `*` 时允许所有来源 |
 
 ### API
 
@@ -279,9 +286,10 @@ ssh -L 18080:127.0.0.1:18080 user@server
 ├── audit/
 │   └── logger.go        # 结构化 JSON 审计日志
 ├── server/
-│   ├── server.go        # HTTP 服务、路由、模式状态机
-│   ├── middleware.go     # 请求日志中间件
+│   ├── server.go        # HTTP 服务、路由、模式状态机、优雅关闭
+│   ├── middleware.go    # 请求日志中间件
+│   ├── cors.go          # CORS 中间件（CORS_ORIGINS）
 │   └── handlers.go      # API 处理函数
-├── Dockerfile           # 多阶段构建
+├── Dockerfile           # 多阶段构建（distroless、nonroot）
 └── docker-compose.yaml  # 示例部署配置
 ```