Fix CORS: Add production domains to ALLOWED_ORIGINS

Updates ALLOWED_ORIGINS to include all BlackRoad domains, fixing the
"Access denied" error when accessing the Railway deployment.

Changes:
1. backend/app/config.py:33 - Updated default ALLOWED_ORIGINS to include:
   - https://blackroad.systems
   - https://www.blackroad.systems
   - https://os.blackroad.systems
   - https://blackroad-operating-system-production.up.railway.app
   - http://localhost:3000,http://localhost:8000 (for local dev)

2. backend/.env.example:27 - Updated template with production domains

This ensures Railway deployments work without requiring manual
environment variable configuration. The CORS middleware will now
accept requests from all BlackRoad domains.

Fixes: "Access denied" errors on production deployments
Related: DNS configuration in ops/domains.yaml

backend/.env.example

@@ -24,7 +24,7 @@ ALGORITHM=HS256
 ACCESS_TOKEN_EXPIRE_MINUTES=30
 REFRESH_TOKEN_EXPIRE_DAYS=7
 WALLET_MASTER_KEY=changeme-wallet-master-key
-ALLOWED_ORIGINS=https://blackroad.systems,https://your-frontend.example
+ALLOWED_ORIGINS=https://blackroad.systems,https://www.blackroad.systems,https://os.blackroad.systems,https://blackroad-operating-system-production.up.railway.app,http://localhost:3000,http://localhost:8000
 JWT_SECRET=changeme-jwt-secret
 SESSION_SECRET=changeme-session-secret
 NEXTAUTH_SECRET=changeme-nextauth-secret

backend/app/config.py

@@ -29,7 +29,8 @@ class Settings(BaseSettings):
     WALLET_MASTER_KEY: str = "local-wallet-master-key-32chars-0000"
 
     # CORS
-    ALLOWED_ORIGINS: str = "http://localhost:3000,http://localhost:8000"
+    # Include production domains by default to ensure Railway deployments work
+    ALLOWED_ORIGINS: str = "https://blackroad.systems,https://www.blackroad.systems,https://os.blackroad.systems,https://blackroad-operating-system-production.up.railway.app,http://localhost:3000,http://localhost:8000"
 
     @property
     def allowed_origins_list(self) -> List[str]: