fix: add CORS env vars to Swarm/Portainer compose and log trusted origins

The Swarm deployment uses docker-compose.swarm.portainer.yml, not the
root docker-compose.yml. Add NEXT_PUBLIC_APP_URL, NEXT_PUBLIC_API_URL,
and TRUSTED_ORIGINS to the API service environment. Also log trusted
origins at startup for easier CORS debugging.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/main.ts

@@ -49,8 +49,10 @@ async function bootstrap() {
 
   // Configure CORS for cookie-based authentication
   // Origin list is shared with BetterAuth trustedOrigins via getTrustedOrigins()
+  const trustedOrigins = getTrustedOrigins();
+  console.log(`[CORS] Trusted origins: ${JSON.stringify(trustedOrigins)}`);
   app.enableCors({
-    origin: getTrustedOrigins(),
+    origin: trustedOrigins,
     credentials: true, // Required for cookie-based authentication
     methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
     allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"],

docker-compose.swarm.portainer.yml

@@ -138,6 +138,10 @@ services:
       MOSAIC_TELEMETRY_API_KEY: ${MOSAIC_TELEMETRY_API_KEY:-}
       MOSAIC_TELEMETRY_INSTANCE_ID: ${MOSAIC_TELEMETRY_INSTANCE_ID:-}
       MOSAIC_TELEMETRY_DRY_RUN: ${MOSAIC_TELEMETRY_DRY_RUN:-false}
+      # Frontend URLs (for CORS and auth redirects)
+      NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL}
+      NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL}
+      TRUSTED_ORIGINS: ${TRUSTED_ORIGINS:-}
     healthcheck:
       test:
         [