Add step library foundation and user preferences (#24)

## Summary
Implements Phase 2.5 Step Library Foundation:

### Issues Completed
- #3 User Preferences - export format default setting
- #5 Step Categories - database table and seed data  
- #6 Step Library - database schema and migrations
- #7 Step Library - CRUD API endpoints
- #8 Step Library - rating and review system

### Changes
**Backend:**
- Migration 007: step_categories table with 10 seeded global categories
- Migration 008: step_library, step_ratings, step_usage_log tables
- Full CRUD API for step categories (/api/v1/step-categories)
- Full CRUD API for step library (/api/v1/steps) with search, filters, ratings
- CORS support for Railway PR environments (ALLOW_RAILWAY_ORIGINS)

**Frontend:**
- User preferences store (Zustand + localStorage)
- Settings page at /settings with export format dropdown
- Default export format applied in SessionDetailPage

### Testing
- Tested in Railway PR environment
- Database seeded with 7 MSP troubleshooting trees
- All API endpoints verified working

backend/app/main.py

@@ -20,6 +20,7 @@ async def lifespan(app: FastAPI):
     # Startup
     logger.info("Starting Patherly API server...")
     logger.info(f"Environment: {'Development' if settings.DEBUG else 'Production'}")
+    logger.info(f"ALLOW_RAILWAY_ORIGINS: {settings.ALLOW_RAILWAY_ORIGINS}")
     # Note: In production, use Alembic migrations instead of init_db
     # await init_db()
     yield
@@ -41,14 +42,33 @@ app = FastAPI(
 app.add_middleware(ErrorLoggingMiddleware)
 app.add_middleware(RequestLoggingMiddleware)
 
-# Configure CORS
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=settings.allowed_origins,
-    allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
-)
+# Configure CORS with dynamic origin checking for Railway PR environments
+def get_allowed_origins():
+    """Return origins list or callable for dynamic checking."""
+    if settings.ALLOW_RAILWAY_ORIGINS:
+        # Use callable to dynamically check Railway origins
+        def check_origin(origin: str) -> bool:
+            return settings.is_origin_allowed(origin)
+        return check_origin
+    return settings.allowed_origins
+
+# Note: When ALLOW_RAILWAY_ORIGINS is True, we use allow_origin_regex for Railway domains
+if settings.ALLOW_RAILWAY_ORIGINS:
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origin_regex=r"https://.*\.up\.railway\.app",
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
+else:
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=settings.allowed_origins,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
 
 # Include API router
 app.include_router(api_router, prefix=settings.API_V1_PREFIX)
@@ -68,3 +88,13 @@ async def root():
 async def health_check():
     """Health check endpoint."""
     return {"status": "healthy"}
+
+
+@app.get("/debug/cors")
+async def debug_cors():
+    """Debug endpoint to check CORS configuration."""
+    return {
+        "allow_railway_origins": settings.ALLOW_RAILWAY_ORIGINS,
+        "cors_mode": "regex" if settings.ALLOW_RAILWAY_ORIGINS else "list",
+        "allowed_origins": settings.allowed_origins if not settings.ALLOW_RAILWAY_ORIGINS else "*.up.railway.app (regex)"
+    }