docs: refresh README — accuracy pass + HarborForge platform context

Verified against current code; fixed stale/inaccurate sections and
documented previously-undocumented features/flags/endpoints. Added a
"Part of the HarborForge platform" reference and role/port.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

README.md

@@ -6,7 +6,9 @@
 
 ## English
 
-Secure configuration file management service. Read, modify, and version-control JSON/YAML config files via REST API. Listens on localhost only — access remotely via SSH tunnel.
+Secure configuration file management service for first-time platform setup. Read, modify, and version-control JSON/YAML config files via REST API. Bound to localhost only — access remotely via an SSH tunnel.
+
+Part of the [HarborForge](../README.md) platform — `AbstractWizard` is the Go secure first-time setup service. The container listens on port `8080` (in the bundled compose file it is published as `127.0.0.1:18080`). It is intentionally separate from the core API (`HarborForge.Backend`, port 8000) and is used to seed and adjust configuration before/around bootstrap.
 
 ### Quick Start
 
@@ -32,6 +34,7 @@ CONFIG_DIR=./configs ./abstract-wizard
 | `CONFIG_DIR` | `/config` | Base directory for config files |
 | `LISTEN_ADDR` | `127.0.0.1:8080` | HTTP listen address |
 | `MAX_BACKUPS` | `10` | Max backup versions per file |
+| `CORS_ORIGINS` | _(empty)_ | Comma-separated allowed CORS origins. Empty or `*` allows all origins. |
 
 ### API
 
@@ -137,10 +140,11 @@ Then access via `http://127.0.0.1:18080` locally.
 ├── audit/
 │   └── logger.go        # Structured JSON audit log
 ├── server/
-│   ├── server.go        # HTTP server, routing, mode state machine
+│   ├── server.go        # HTTP server, routing, mode state machine, graceful shutdown
 │   ├── middleware.go    # Request logging middleware
+│   ├── cors.go          # CORS middleware (CORS_ORIGINS)
 │   └── handlers.go      # API handlers
-├── Dockerfile           # Multi-stage build
+├── Dockerfile           # Multi-stage build (distroless, nonroot)
 └── docker-compose.yaml  # Example deployment
 ```
 
@@ -148,7 +152,9 @@ Then access via `http://127.0.0.1:18080` locally.
 
 ## 中文
 
-安全的配置文件管理服务。通过 REST API 对 JSON/YAML 配置文件进行读取、修改和版本管理，仅监听 localhost，通过 SSH 隧道访问。
+用于平台首次安装的安全配置文件管理服务。通过 REST API 对 JSON/YAML 配置文件进行读取、修改和版本管理，仅监听 localhost，通过 SSH 隧道访问。
+
+本组件是 [HarborForge](../README.md) 平台的一部分 —— `AbstractWizard` 是 Go 编写的安全首次安装服务。容器内监听 `8080` 端口（示例 compose 中映射为 `127.0.0.1:18080`），与核心 API（`HarborForge.Backend`，端口 8000）相互独立，用于在引导前后写入和调整配置。
 
 ### 快速开始
 
@@ -174,6 +180,7 @@ CONFIG_DIR=./configs ./abstract-wizard
 | `CONFIG_DIR` | `/config` | 配置文件存放目录 |
 | `LISTEN_ADDR` | `127.0.0.1:8080` | 监听地址 |
 | `MAX_BACKUPS` | `10` | 每个文件保留的最大备份数 |
+| `CORS_ORIGINS` | _(空)_ | 逗号分隔的允许 CORS 来源；为空或 `*` 时允许所有来源 |
 
 ### API
 
@@ -279,9 +286,10 @@ ssh -L 18080:127.0.0.1:18080 user@server
 ├── audit/
 │   └── logger.go        # 结构化 JSON 审计日志
 ├── server/
-│   ├── server.go        # HTTP 服务、路由、模式状态机
+│   ├── server.go        # HTTP 服务、路由、模式状态机、优雅关闭
 │   ├── middleware.go    # 请求日志中间件
+│   ├── cors.go          # CORS 中间件（CORS_ORIGINS）
 │   └── handlers.go      # API 处理函数
-├── Dockerfile           # 多阶段构建
+├── Dockerfile           # 多阶段构建（distroless、nonroot）
 └── docker-compose.yaml  # 示例部署配置
 ```

main.go

@@ -4,6 +4,7 @@ import (
 	"log"
 	"os"
 	"strconv"
+	"strings"
 
 	"AbstractWizard/audit"
 	"AbstractWizard/server"
@@ -14,6 +15,7 @@ func main() {
 		ConfigDir:   envOrDefault("CONFIG_DIR", "/config"),
 		ListenAddr:  envOrDefault("LISTEN_ADDR", "127.0.0.1:8080"),
 		MaxBackups:  envOrDefaultInt("MAX_BACKUPS", 10),
+		CORSOrigins: parseCSV(os.Getenv("CORS_ORIGINS")),
 	}
 
 	if err := os.MkdirAll(cfg.ConfigDir, 0o755); err != nil {
@@ -23,7 +25,8 @@ func main() {
 	auditLog := audit.NewLogger()
 	srv := server.New(cfg, auditLog)
 
-	log.Printf("config_dir=%s listen_addr=%s max_backups=%d", cfg.ConfigDir, cfg.ListenAddr, cfg.MaxBackups)
+	log.Printf("config_dir=%s listen_addr=%s max_backups=%d cors_origins=%v",
+		cfg.ConfigDir, cfg.ListenAddr, cfg.MaxBackups, cfg.CORSOrigins)
 
 	if err := srv.ListenAndServe(); err != nil {
 		log.Fatalf("server error: %v", err)
@@ -49,3 +52,18 @@ func envOrDefaultInt(key string, defaultVal int) int {
 	}
 	return n
 }
+
+func parseCSV(s string) []string {
+	if s == "" {
+		return nil
+	}
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p != "" {
+			result = append(result, p)
+		}
+	}
+	return result
+}

server/cors.go

@@ -0,0 +1,43 @@
+package server
+
+import (
+	"net/http"
+	"strings"
+)
+
+// CORSMiddleware adds CORS headers based on allowed origins.
+// If allowedOrigins is empty or contains "*", all origins are allowed.
+func CORSMiddleware(allowedOrigins []string, next http.Handler) http.Handler {
+	allowAll := len(allowedOrigins) == 0
+	originSet := make(map[string]bool, len(allowedOrigins))
+	for _, o := range allowedOrigins {
+		o = strings.TrimSpace(o)
+		if o == "*" {
+			allowAll = true
+		}
+		originSet[o] = true
+	}
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		origin := r.Header.Get("Origin")
+		if origin == "" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		if allowAll || originSet[origin] {
+			w.Header().Set("Access-Control-Allow-Origin", origin)
+			w.Header().Set("Access-Control-Allow-Methods", "GET, PUT, PATCH, POST, DELETE, OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+			w.Header().Set("Access-Control-Max-Age", "3600")
+			w.Header().Set("Vary", "Origin")
+		}
+
+		if r.Method == http.MethodOptions {
+			w.WriteHeader(http.StatusNoContent)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}

server/server.go

@@ -49,6 +49,7 @@ type AppConfig struct {
 	ConfigDir  string
 	ListenAddr string
 	MaxBackups   int
+	CORSOrigins []string
 }
 
 // Server is the main HTTP server.
@@ -73,7 +74,7 @@ func New(cfg AppConfig, auditLog *audit.Logger) *Server {
 
 	s.srv = &http.Server{
 		Addr:         cfg.ListenAddr,
-		Handler:      LoggingMiddleware(mux),
+		Handler:      CORSMiddleware(cfg.CORSOrigins, LoggingMiddleware(mux)),
 		ReadTimeout:  10 * time.Second,
 		WriteTimeout: 30 * time.Second,
 		IdleTimeout:  60 * time.Second,