feat(settings): add CorsSettings struct for CORS configuration

Implements CorsSettings struct with validation and deserialization support
for configuring Cross-Origin Resource Sharing in the application settings.

Ref: T010 (specs/001-modbus-relay-control)

README.md

@@ -25,9 +25,14 @@ STA will provide a modern web interface for controlling Modbus-compatible relay
 - ✅ Vue 3 + TypeScript frontend scaffolding with Vite
 - ✅ Type-safe API client generation from OpenAPI specs
 
-**Phase 2 In Progress - Domain Layer:**
-- 🚧 Domain types with Type-Driven Development (RelayId, RelayState, RelayLabel)
-- 🚧 100% test coverage for domain layer
+**Phase 0.5 In Progress - CORS Configuration:**
+- ✅ T009: CorsSettings tests written (TDD)
+- ✅ T010: CorsSettings struct implemented with fail-safe defaults
+- 🚧 T011-T016: YAML configuration and middleware integration
+
+**Phase 2 Planned - Domain Layer:**
+- 📋 Domain types with Type-Driven Development (RelayId, RelayState, RelayLabel)
+- 📋 100% test coverage for domain layer
 
 **Planned - Phases 3-8:**
 - 📋 Modbus TCP client with tokio-modbus (Phase 3)
@@ -39,7 +44,7 @@ STA will provide a modern web interface for controlling Modbus-compatible relay
 - 📋 US4: Relay labeling (Phase 7)
 - 📋 Production deployment (Phase 8)
 
-See [tasks.md](specs/001-modbus-relay-control/tasks.md) for detailed implementation roadmap (94 tasks across 8 phases).
+See [tasks.md](specs/001-modbus-relay-control/tasks.md) for detailed implementation roadmap (102 tasks across 9 phases).
 
 ## Architecture
 
@@ -47,6 +52,7 @@ See [tasks.md](specs/001-modbus-relay-control/tasks.md) for detailed implementat
 - **Backend**: Rust 2024 with Poem web framework
 - **Configuration**: YAML-based with environment variable overrides
 - **API**: RESTful HTTP with OpenAPI documentation
+- **CORS**: Configurable middleware for production security
 
 **Planned:**
 - **Modbus Integration**: tokio-modbus for Modbus TCP communication
@@ -102,11 +108,37 @@ Override with environment variables:
 APP__MODBUS__HOST=192.168.1.100 cargo run
 ```
 
+#### CORS Configuration
+
+For development with frontend on `localhost:5173`:
+
+```yaml
+# backend/settings/development.yaml
+cors:
+  allowed_origins:
+    - "*"
+  allow_credentials: false
+  max_age_secs: 3600
+```
+
+For production with frontend on Cloudflare Pages:
+
+```yaml
+# backend/settings/production.yaml
+cors:
+  allowed_origins:
+    - "https://sta.example.com"
+  allow_credentials: true  # Required for Authelia authentication
+  max_age_secs: 3600
+```
+
+See [CORS Configuration Guide](docs/cors-configuration.md) for complete documentation.
+
 ## API Documentation
 
 The server provides OpenAPI documentation via Swagger UI:
-- Swagger UI: `http://localhost:8080/`
-- OpenAPI Spec: `http://localhost:8080/openapi.json`
+- Swagger UI: `http://localhost:3100/`
+- OpenAPI Spec: `http://localhost:3100/openapi.json`
 
 **Current Endpoints:**
 - `GET /api/health` - Health check endpoint
@@ -131,7 +163,7 @@ sta/                          # Repository root
 │   │   ├── startup.rs       - Application builder and server config
 │   │   ├── settings.rs      - Configuration management
 │   │   ├── telemetry.rs     - Logging and tracing setup
-│   │   ├── domain/          - Business logic (Phase 2 in progress)
+│   │   ├── domain/          - Business logic (planned Phase 2)
 │   │   │   └── relay/       - Relay domain types and repository traits
 │   │   ├── application/     - Use cases (planned Phase 3-4)
 │   │   ├── infrastructure/  - External integrations (Phase 3)
@@ -146,12 +178,15 @@ sta/                          # Repository root
 │   └── tests/               - Integration tests
 ├── src/                     # Frontend source (Vue/TypeScript)
 │   └── api/                 - Type-safe API client
-├── specs/                   # Feature specifications and documentation
+├── docs/                    # Project documentation
+│   ├── cors-configuration.md    - CORS setup guide
+│   └── Modbus_POE_ETH_Relay.md - Hardware documentation
+├── specs/                   # Feature specifications
 │   ├── constitution.md      - Architectural principles
 │   └── 001-modbus-relay-control/
 │       ├── spec.md          - Feature specification
 │       ├── plan.md          - Implementation plan
-│       ├── tasks.md         - Task breakdown (94 tasks)
+│       ├── tasks.md         - Task breakdown (102 tasks)
 │       └── research-cors.md - CORS configuration research
 ├── package.json             - Frontend dependencies
 ├── vite.config.ts          - Vite build configuration
@@ -168,19 +203,25 @@ sta/                          # Repository root
 - tracing + tracing-subscriber (structured logging)
 - governor (rate limiting)
 - thiserror (error handling)
+- serde + serde_yaml (configuration deserialization)
 
 **Planned Dependencies:**
 - tokio-modbus 0.17 (Modbus TCP client)
 - SQLx 0.8 (async SQLite database access)
 - mockall 0.13 (mocking for tests)
 
-**Frontend** (planned):
+**Frontend** (scaffolding complete):
 - Vue 3 + TypeScript
 - Vite build tool
-- Axios (HTTP client)
+- openapi-typescript (type-safe API client generation)
 
 ## Documentation
 
+### Configuration Guides
+- [CORS Configuration](docs/cors-configuration.md) - Cross-origin setup for frontend-backend communication
+- [Modbus Hardware Documentation](docs/Modbus_POE_ETH_Relay.md) - 8-channel relay device documentation
+
+### Development Guides
 - [Project Constitution](specs/constitution.md) - Architectural principles and development guidelines
 - [Modbus Relay Control Spec](specs/001-modbus-relay-control/spec.md) - Feature specification
 - [CLAUDE.md](CLAUDE.md) - Developer guide and code style rules