feat(security): enhance CORS configuration for Vercel frontend

- Create enhanced CORS middleware with dynamic origin validation
- Add support for Vercel preview deployment patterns
- Configure proper credentials and exposed headers
- Implement CORS validator utility for testing
- Add comprehensive CORS documentation
- Update config with additional Vercel domains
- Support wildcard patterns for deployment previews

docs/CORS_CONFIGURATION.md

@@ -0,0 +1,216 @@
+# CORS Configuration Guide
+
+## Overview
+
+The Cidadão.AI backend uses an enhanced CORS (Cross-Origin Resource Sharing) middleware specifically optimized for integration with Vercel-deployed frontends and other modern deployment platforms.
+
+## Features
+
+- ✅ **Dynamic Origin Validation**: Supports wildcard patterns for Vercel preview deployments
+- ✅ **Credentials Support**: Full support for cookies and authentication tokens
+- ✅ **Preflight Optimization**: Efficient handling of OPTIONS requests
+- ✅ **Environment Awareness**: Different rules for development/production
+- ✅ **Custom Headers**: Support for rate limiting and correlation headers
+
+## Configuration
+
+### Environment Variables
+
+Configure CORS through environment variables or `.env` file:
+
+```bash
+# Allowed origins (comma-separated)
+CORS_ORIGINS=["https://cidadao-ai-frontend.vercel.app","https://*.vercel.app"]
+
+# Allow credentials (cookies, auth headers)
+CORS_ALLOW_CREDENTIALS=true
+
+# Allowed methods
+CORS_ALLOW_METHODS=["GET","POST","PUT","DELETE","PATCH","OPTIONS","HEAD"]
+
+# Max age for preflight cache (seconds)
+CORS_MAX_AGE=86400
+```
+
+### Default Configuration
+
+The default configuration in `src/core/config.py` includes:
+
+```python
+cors_origins = [
+    "http://localhost:3000",          # Local development
+    "http://localhost:3001",          # Alternative port
+    "http://127.0.0.1:3000",         # IP-based localhost
+    "https://cidadao-ai-frontend.vercel.app",  # Production
+    "https://cidadao-ai.vercel.app",          # Alternative production
+    "https://*.vercel.app",                   # Vercel previews
+    "https://*.hf.space"                      # HuggingFace Spaces
+]
+```
+
+## Vercel Integration
+
+### Preview Deployments
+
+The enhanced CORS middleware automatically allows Vercel preview deployments matching these patterns:
+
+- `https://cidadao-ai-frontend-[hash]-[team].vercel.app`
+- `https://cidadao-ai-[hash]-[team].vercel.app`
+- `https://[project]-[hash]-[team].vercel.app`
+
+### Production Setup
+
+For production Vercel deployments:
+
+1. Add your production domain to `CORS_ORIGINS`
+2. Ensure `CORS_ALLOW_CREDENTIALS=true` for authentication
+3. Configure exposed headers for client access
+
+## Testing CORS
+
+### Using the Validator
+
+Run the CORS validator to test your configuration:
+
+```bash
+python -m src.utils.cors_validator
+```
+
+This will:
+- Test all configured origins
+- Validate credentials flow
+- Generate nginx/CloudFlare configurations
+
+### Manual Testing
+
+Test CORS with curl:
+
+```bash
+# Preflight request
+curl -X OPTIONS \
+  -H "Origin: https://cidadao-ai-frontend.vercel.app" \
+  -H "Access-Control-Request-Method: POST" \
+  -H "Access-Control-Request-Headers: Content-Type,Authorization" \
+  http://localhost:8000/api/v1/chat/message
+
+# Actual request
+curl -X POST \
+  -H "Origin: https://cidadao-ai-frontend.vercel.app" \
+  -H "Content-Type: application/json" \
+  -d '{"message":"test"}' \
+  http://localhost:8000/api/v1/chat/message
+```
+
+## Common Issues
+
+### 1. "CORS policy blocked" Error
+
+**Symptoms**: Browser shows CORS error, requests fail
+
+**Solutions**:
+- Verify origin is in allowed list
+- Check for typos in origin URL
+- Ensure protocol matches (http vs https)
+
+### 2. Credentials Not Working
+
+**Symptoms**: Cookies not being set, auth failing
+
+**Solutions**:
+- Ensure `CORS_ALLOW_CREDENTIALS=true`
+- Frontend must include `credentials: 'include'` in fetch
+- Origin cannot be `*` when using credentials
+
+### 3. Preview Deployments Blocked
+
+**Symptoms**: Vercel preview URLs getting CORS errors
+
+**Solutions**:
+- Enhanced middleware should handle automatically
+- Check regex patterns match your preview URL format
+- Verify middleware is properly initialized
+
+## Security Considerations
+
+1. **Never use wildcard (`*`) in production** when credentials are enabled
+2. **Validate origins strictly** in production environments
+3. **Limit exposed headers** to only what's necessary
+4. **Use HTTPS** for all production origins
+5. **Implement rate limiting** alongside CORS
+
+## Frontend Configuration
+
+### Next.js (Vercel)
+
+```typescript
+// Frontend API client configuration
+const apiClient = axios.create({
+  baseURL: process.env.NEXT_PUBLIC_API_URL,
+  withCredentials: true,  // Important for cookies
+  headers: {
+    'Content-Type': 'application/json'
+  }
+});
+```
+
+### React SPA
+
+```javascript
+// Fetch with credentials
+fetch('https://api.cidadao.ai/endpoint', {
+  method: 'POST',
+  credentials: 'include',  // Include cookies
+  headers: {
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify(data)
+});
+```
+
+## Deployment Configurations
+
+### Nginx
+
+Add to your server block:
+
+```nginx
+# Handle preflight
+if ($request_method = 'OPTIONS') {
+    add_header 'Access-Control-Allow-Origin' '$http_origin' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With,X-API-Key' always;
+    add_header 'Access-Control-Allow-Credentials' 'true' always;
+    add_header 'Access-Control-Max-Age' 86400 always;
+    return 204;
+}
+```
+
+### CloudFlare
+
+Create transform rules:
+
+```javascript
+// Allow Vercel origins
+if (http.request.headers["origin"][0] matches "^https://[a-zA-Z0-9-]+\\.vercel\\.app$") {
+  headers["Access-Control-Allow-Origin"] = http.request.headers["origin"][0]
+  headers["Access-Control-Allow-Credentials"] = "true"
+}
+```
+
+## Monitoring
+
+Monitor CORS issues through:
+
+1. **Application logs**: Look for `cors_origin_denied` events
+2. **Browser console**: Check for CORS policy errors
+3. **Network tab**: Inspect preflight OPTIONS requests
+4. **Metrics**: Track failed requests by origin
+
+## Support
+
+For CORS-related issues:
+
+1. Check the [CORS validator output](#testing-cors)
+2. Review application logs for denied origins
+3. Verify frontend is sending correct headers
+4. Contact the platform team if patterns need updating

src/api/app.py

@@ -161,15 +161,9 @@ app.add_middleware(
 #         allowed_hosts=["localhost", "127.0.0.1", "*.cidadao.ai", "testserver"]
 #     )
 
-# CORS middleware with secure configuration
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=settings.cors_origins,
-    allow_credentials=settings.cors_allow_credentials,
-    allow_methods=settings.cors_allow_methods,
-    allow_headers=settings.cors_allow_headers,
-    expose_headers=["X-RateLimit-Limit", "X-RateLimit-Remaining"]
-)
+# Enhanced CORS middleware for Vercel integration
+from src.api.middleware.cors_enhanced import setup_cors
+setup_cors(app)
 
 # Add observability middleware
 app.add_middleware(CorrelationMiddleware, generate_request_id=True)

src/api/middleware/cors_enhanced.py

@@ -0,0 +1,270 @@
+"""
+Module: api.middleware.cors_enhanced
+Description: Enhanced CORS middleware for Vercel frontend integration
+Author: Anderson H. Silva
+Date: 2025-01-25
+License: Proprietary - All rights reserved
+"""
+
+import re
+from typing import List, Optional, Set
+from urllib.parse import urlparse
+
+from fastapi import Request
+from fastapi.middleware.cors import CORSMiddleware
+from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.responses import Response, PlainTextResponse
+from starlette.types import ASGIApp
+
+from src.core import get_logger
+from src.core.config import settings
+
+logger = get_logger(__name__)
+
+
+class EnhancedCORSMiddleware(BaseHTTPMiddleware):
+    """
+    Enhanced CORS middleware with dynamic origin validation.
+    
+    Features:
+    - Wildcard subdomain support
+    - Vercel preview deployment support
+    - Development/production mode awareness
+    - Custom header handling
+    - Preflight optimization
+    """
+    
+    def __init__(
+        self,
+        app,
+        allowed_origins: Optional[List[str]] = None,
+        allowed_origin_patterns: Optional[List[str]] = None,
+        allow_credentials: bool = True,
+        allowed_methods: Optional[List[str]] = None,
+        allowed_headers: Optional[List[str]] = None,
+        exposed_headers: Optional[List[str]] = None,
+        max_age: int = 3600
+    ):
+        """Initialize enhanced CORS middleware."""
+        super().__init__(app)
+        
+        # Use settings if not provided
+        self.allowed_origins = set(allowed_origins or settings.cors_origins)
+        self.allowed_origin_patterns = allowed_origin_patterns or []
+        self.allow_credentials = allow_credentials
+        self.allowed_methods = allowed_methods or settings.cors_allow_methods
+        self.allowed_headers = allowed_headers or settings.cors_allow_headers
+        self.exposed_headers = exposed_headers or [
+            "X-RateLimit-Limit",
+            "X-RateLimit-Remaining", 
+            "X-RateLimit-Reset",
+            "X-Request-ID",
+            "X-Correlation-ID"
+        ]
+        self.max_age = max_age
+        
+        # Compile regex patterns
+        self.origin_patterns = []
+        for pattern in self.allowed_origin_patterns:
+            try:
+                self.origin_patterns.append(re.compile(pattern))
+            except re.error as e:
+                logger.error(f"Invalid CORS pattern: {pattern} - {e}")
+        
+        # Add default Vercel patterns
+        self._add_vercel_patterns()
+        
+        logger.info(
+            "enhanced_cors_initialized",
+            allowed_origins=list(self.allowed_origins),
+            pattern_count=len(self.origin_patterns),
+            allow_credentials=self.allow_credentials
+        )
+    
+    def _add_vercel_patterns(self):
+        """Add Vercel-specific patterns."""
+        # Vercel preview deployments
+        vercel_patterns = [
+            r"^https://cidadao-ai-frontend-[a-zA-Z0-9]+-neural-thinker\.vercel\.app$",
+            r"^https://cidadao-ai-[a-zA-Z0-9]+-neural-thinker\.vercel\.app$",
+            r"^https://[a-zA-Z0-9-]+\.neural-thinker\.vercel\.app$"
+        ]
+        
+        for pattern in vercel_patterns:
+            try:
+                self.origin_patterns.append(re.compile(pattern))
+            except re.error:
+                pass
+    
+    async def dispatch(self, request: Request, call_next):
+        """Process request with enhanced CORS handling."""
+        origin = request.headers.get("origin")
+        
+        # Handle preflight requests
+        if request.method == "OPTIONS":
+            response = await self._handle_preflight(request, origin)
+            if response:
+                return response
+        
+        # Process regular request
+        response = await call_next(request)
+        
+        # Add CORS headers if origin is allowed
+        if origin and self._is_origin_allowed(origin):
+            response.headers["Access-Control-Allow-Origin"] = origin
+            response.headers["Access-Control-Allow-Credentials"] = str(self.allow_credentials).lower()
+            
+            # Add exposed headers
+            if self.exposed_headers:
+                response.headers["Access-Control-Expose-Headers"] = ", ".join(self.exposed_headers)
+            
+            # Add Vary header for caching
+            vary_headers = response.headers.get("Vary", "").split(", ")
+            if "Origin" not in vary_headers:
+                vary_headers.append("Origin")
+            response.headers["Vary"] = ", ".join(filter(None, vary_headers))
+        
+        return response
+    
+    async def _handle_preflight(self, request: Request, origin: Optional[str]) -> Optional[Response]:
+        """Handle preflight OPTIONS requests."""
+        if not origin or not self._is_origin_allowed(origin):
+            return None
+        
+        # Get requested method and headers
+        requested_method = request.headers.get("Access-Control-Request-Method")
+        requested_headers = request.headers.get("Access-Control-Request-Headers", "").split(", ")
+        
+        # Validate method
+        if requested_method and requested_method not in self.allowed_methods:
+            logger.warning(
+                "cors_preflight_method_denied",
+                origin=origin,
+                method=requested_method
+            )
+            return PlainTextResponse(
+                "Method not allowed",
+                status_code=403
+            )
+        
+        # Build response
+        response = PlainTextResponse("OK", status_code=200)
+        
+        # Set CORS headers
+        response.headers["Access-Control-Allow-Origin"] = origin
+        response.headers["Access-Control-Allow-Methods"] = ", ".join(self.allowed_methods)
+        response.headers["Access-Control-Allow-Headers"] = ", ".join(self._get_allowed_headers(requested_headers))
+        response.headers["Access-Control-Allow-Credentials"] = str(self.allow_credentials).lower()
+        response.headers["Access-Control-Max-Age"] = str(self.max_age)
+        
+        return response
+    
+    def _is_origin_allowed(self, origin: str) -> bool:
+        """Check if origin is allowed."""
+        # Exact match
+        if origin in self.allowed_origins:
+            return True
+        
+        # Wildcard check (for backwards compatibility)
+        for allowed in self.allowed_origins:
+            if allowed == "*":
+                return True
+            if allowed.startswith("https://*.") or allowed.startswith("http://*."):
+                # Simple wildcard subdomain check
+                base_domain = allowed.replace("https://*.", "").replace("http://*.", "")
+                parsed = urlparse(origin)
+                if parsed.hostname and parsed.hostname.endswith(base_domain):
+                    return True
+        
+        # Regex pattern match
+        for pattern in self.origin_patterns:
+            if pattern.match(origin):
+                return True
+        
+        # Development mode - allow localhost
+        if settings.is_development:
+            parsed = urlparse(origin)
+            if parsed.hostname in ["localhost", "127.0.0.1", "::1"]:
+                return True
+        
+        logger.debug(
+            "cors_origin_denied",
+            origin=origin,
+            allowed_count=len(self.allowed_origins)
+        )
+        
+        return False
+    
+    def _get_allowed_headers(self, requested_headers: List[str]) -> List[str]:
+        """Get allowed headers for response."""
+        if "*" in self.allowed_headers:
+            # Allow all requested headers
+            return requested_headers
+        
+        # Filter to allowed headers
+        allowed = set(h.lower() for h in self.allowed_headers)
+        return [h for h in requested_headers if h.lower() in allowed]
+
+
+def setup_cors(app: ASGIApp) -> None:
+    """
+    Setup CORS for the application with enhanced configuration.
+    
+    This replaces the default CORSMiddleware with our enhanced version.
+    """
+    # Remove existing CORS middleware if present
+    middlewares = []
+    for middleware in app.middleware:
+        if not isinstance(middleware, CORSMiddleware):
+            middlewares.append(middleware)
+    app.middleware = middlewares
+    
+    # Add enhanced CORS middleware
+    app.add_middleware(
+        EnhancedCORSMiddleware,
+        allowed_origins=settings.cors_origins,
+        allowed_origin_patterns=[
+            # Vercel preview deployments
+            r"^https://cidadao-ai-frontend-[a-zA-Z0-9]+-.*\.vercel\.app$",
+            r"^https://cidadao-ai-[a-zA-Z0-9]+-.*\.vercel\.app$",
+            # GitHub Codespaces
+            r"^https://.*\.github\.dev$",
+            r"^https://.*\.gitpod\.io$",
+            # Local development with custom ports
+            r"^http://localhost:[0-9]+$",
+            r"^http://127\.0\.0\.1:[0-9]+$"
+        ],
+        allow_credentials=settings.cors_allow_credentials,
+        allowed_methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"],
+        allowed_headers=[
+            "Accept",
+            "Accept-Language",
+            "Content-Language", 
+            "Content-Type",
+            "Authorization",
+            "X-API-Key",
+            "X-Request-ID",
+            "X-Correlation-ID",
+            "X-CSRF-Token",
+            "X-Requested-With",
+            "Cache-Control",
+            "If-Match",
+            "If-None-Match",
+            "If-Modified-Since",
+            "If-Unmodified-Since"
+        ],
+        exposed_headers=[
+            "X-RateLimit-Limit",
+            "X-RateLimit-Remaining",
+            "X-RateLimit-Reset",
+            "X-RateLimit-Window",
+            "X-Request-ID",
+            "X-Correlation-ID",
+            "X-Total-Count",
+            "Link",
+            "ETag",
+            "Last-Modified",
+            "Cache-Control"
+        ],
+        max_age=86400  # 24 hours for production
+    )

src/core/config.py

@@ -159,19 +159,34 @@ class Settings(BaseSettings):
     cors_origins: List[str] = Field(
         default=[
             "http://localhost:3000",
-            "http://localhost:8000", 
+            "http://localhost:3001",
+            "http://localhost:8000",
+            "http://127.0.0.1:3000",
             "https://cidadao-ai-frontend.vercel.app",
+            "https://cidadao-ai.vercel.app",
             "https://*.vercel.app",
-            "https://neural-thinker-cidadao-ai-backend.hf.space"
+            "https://neural-thinker-cidadao-ai-backend.hf.space",
+            "https://*.hf.space"
         ],
         description="CORS allowed origins"
     )
     cors_allow_credentials: bool = Field(default=True, description="Allow credentials")
     cors_allow_methods: List[str] = Field(
-        default=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+        default=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"],
         description="Allowed methods"
     )
     cors_allow_headers: List[str] = Field(default=["*"], description="Allowed headers")
+    cors_exposed_headers: List[str] = Field(
+        default=[
+            "X-RateLimit-Limit",
+            "X-RateLimit-Remaining",
+            "X-RateLimit-Reset",
+            "X-Request-ID",
+            "X-Total-Count"
+        ],
+        description="Exposed headers"
+    )
+    cors_max_age: int = Field(default=3600, description="CORS max age in seconds")
     
     # Rate Limiting
     rate_limit_per_minute: int = Field(default=60, description="Rate limit per minute")

src/utils/cors_validator.py

@@ -0,0 +1,258 @@
+"""
+Module: utils.cors_validator
+Description: CORS configuration validator and tester
+Author: Anderson H. Silva
+Date: 2025-01-25
+License: Proprietary - All rights reserved
+"""
+
+import httpx
+from typing import Dict, List, Optional, Tuple
+from urllib.parse import urlparse
+
+from src.core import get_logger
+from src.core.config import settings
+
+logger = get_logger(__name__)
+
+
+class CORSValidator:
+    """Validate and test CORS configuration."""
+    
+    def __init__(self, base_url: str = "http://localhost:8000"):
+        """Initialize CORS validator."""
+        self.base_url = base_url
+        self.test_endpoints = [
+            "/",
+            "/health",
+            "/api/v1/chat/message",
+            "/api/v1/investigations/analyze",
+            "/api/v1/auth/login"
+        ]
+    
+    async def validate_origin(
+        self,
+        origin: str,
+        endpoint: str = "/health",
+        method: str = "GET"
+    ) -> Tuple[bool, Dict[str, str]]:
+        """
+        Validate if origin is allowed by CORS policy.
+        
+        Returns:
+            Tuple of (is_allowed, cors_headers)
+        """
+        headers = {
+            "Origin": origin,
+            "User-Agent": "CORS-Validator/1.0"
+        }
+        
+        async with httpx.AsyncClient() as client:
+            try:
+                # Send preflight request
+                preflight_response = await client.options(
+                    f"{self.base_url}{endpoint}",
+                    headers={
+                        **headers,
+                        "Access-Control-Request-Method": method,
+                        "Access-Control-Request-Headers": "Content-Type, Authorization"
+                    }
+                )
+                
+                # Extract CORS headers
+                cors_headers = {}
+                for header in preflight_response.headers:
+                    if header.lower().startswith("access-control-"):
+                        cors_headers[header] = preflight_response.headers[header]
+                
+                # Check if origin is allowed
+                allowed_origin = cors_headers.get("Access-Control-Allow-Origin", "")
+                is_allowed = allowed_origin == origin or allowed_origin == "*"
+                
+                logger.info(
+                    "cors_validation_result",
+                    origin=origin,
+                    endpoint=endpoint,
+                    is_allowed=is_allowed,
+                    cors_headers=cors_headers
+                )
+                
+                return is_allowed, cors_headers
+                
+            except Exception as e:
+                logger.error(
+                    "cors_validation_error",
+                    origin=origin,
+                    endpoint=endpoint,
+                    error=str(e)
+                )
+                return False, {}
+    
+    async def test_all_origins(self) -> Dict[str, Dict[str, any]]:
+        """Test all configured origins."""
+        results = {}
+        
+        # Test configured origins
+        for origin in settings.cors_origins:
+            if origin == "*" or origin.startswith("https://*."):
+                # Skip wildcards
+                continue
+                
+            is_allowed, headers = await self.validate_origin(origin)
+            results[origin] = {
+                "allowed": is_allowed,
+                "headers": headers
+            }
+        
+        # Test common Vercel preview URLs
+        vercel_test_origins = [
+            "https://cidadao-ai-frontend-abc123-neural-thinker.vercel.app",
+            "https://cidadao-ai-preview-xyz789-neural-thinker.vercel.app"
+        ]
+        
+        for origin in vercel_test_origins:
+            is_allowed, headers = await self.validate_origin(origin)
+            results[origin] = {
+                "allowed": is_allowed,
+                "headers": headers,
+                "note": "Vercel preview URL test"
+            }
+        
+        return results
+    
+    def generate_nginx_config(self) -> str:
+        """Generate nginx CORS configuration."""
+        config = """# CORS configuration for Cidadão.AI
+# Add this to your nginx server block
+
+# Handle preflight requests
+if ($request_method = 'OPTIONS') {
+    add_header 'Access-Control-Allow-Origin' '$http_origin' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With,X-API-Key' always;
+    add_header 'Access-Control-Allow-Credentials' 'true' always;
+    add_header 'Access-Control-Max-Age' 86400 always;
+    add_header 'Content-Length' 0;
+    add_header 'Content-Type' 'text/plain charset=UTF-8';
+    return 204;
+}
+
+# Add CORS headers to responses
+add_header 'Access-Control-Allow-Origin' '$http_origin' always;
+add_header 'Access-Control-Allow-Credentials' 'true' always;
+add_header 'Access-Control-Expose-Headers' 'X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset,X-Request-ID,X-Total-Count' always;
+"""
+        return config
+    
+    def generate_cloudflare_headers(self) -> List[Dict[str, str]]:
+        """Generate Cloudflare transform rules for CORS."""
+        rules = []
+        
+        # Allow Vercel origins
+        rules.append({
+            "name": "CORS - Vercel Origins",
+            "expression": 'http.request.headers["origin"][0] matches "^https://[a-zA-Z0-9-]+\\.vercel\\.app$"',
+            "headers": {
+                "Access-Control-Allow-Origin": '${http.request.headers["origin"][0]}',
+                "Access-Control-Allow-Credentials": "true",
+                "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS"
+            }
+        })
+        
+        # Allow localhost for development
+        rules.append({
+            "name": "CORS - Localhost Development",
+            "expression": 'http.request.headers["origin"][0] in {"http://localhost:3000", "http://127.0.0.1:3000"}',
+            "headers": {
+                "Access-Control-Allow-Origin": '${http.request.headers["origin"][0]}',
+                "Access-Control-Allow-Credentials": "true",
+                "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS"
+            }
+        })
+        
+        return rules
+    
+    async def test_credentials_flow(
+        self,
+        origin: str = "https://cidadao-ai-frontend.vercel.app"
+    ) -> Dict[str, any]:
+        """Test CORS with credentials (cookies/auth)."""
+        results = {
+            "origin": origin,
+            "tests": {}
+        }
+        
+        async with httpx.AsyncClient() as client:
+            # Test login endpoint
+            try:
+                response = await client.post(
+                    f"{self.base_url}/api/v1/auth/login",
+                    headers={"Origin": origin},
+                    json={"email": "[email protected]", "password": "test"},
+                    follow_redirects=False
+                )
+                
+                results["tests"]["login"] = {
+                    "status": response.status_code,
+                    "cors_origin": response.headers.get("Access-Control-Allow-Origin"),
+                    "cors_credentials": response.headers.get("Access-Control-Allow-Credentials"),
+                    "has_cookies": "Set-Cookie" in response.headers
+                }
+            except Exception as e:
+                results["tests"]["login"] = {"error": str(e)}
+            
+            # Test authenticated endpoint
+            try:
+                response = await client.get(
+                    f"{self.base_url}/api/v1/chat/history",
+                    headers={
+                        "Origin": origin,
+                        "Authorization": "Bearer test-token"
+                    }
+                )
+                
+                results["tests"]["authenticated"] = {
+                    "status": response.status_code,
+                    "cors_origin": response.headers.get("Access-Control-Allow-Origin"),
+                    "cors_credentials": response.headers.get("Access-Control-Allow-Credentials")
+                }
+            except Exception as e:
+                results["tests"]["authenticated"] = {"error": str(e)}
+        
+        return results
+
+
+# CLI utility
+async def main():
+    """Run CORS validation tests."""
+    import asyncio
+    import json
+    
+    validator = CORSValidator()
+    
+    print("🔍 Testing CORS configuration...\n")
+    
+    # Test all origins
+    print("1. Testing configured origins:")
+    results = await validator.test_all_origins()
+    for origin, result in results.items():
+        status = "✅" if result["allowed"] else "❌"
+        print(f"  {status} {origin}")
+    
+    # Test credentials flow
+    print("\n2. Testing credentials flow:")
+    creds_results = await validator.test_credentials_flow()
+    print(json.dumps(creds_results, indent=2))
+    
+    # Generate configs
+    print("\n3. Generated nginx configuration:")
+    print(validator.generate_nginx_config())
+    
+    print("\n4. Cloudflare transform rules:")
+    cf_rules = validator.generate_cloudflare_headers()
+    print(json.dumps(cf_rules, indent=2))
+
+
+if __name__ == "__main__":
+    import asyncio
+    asyncio.run(main())