The CORS middleware was only using the regex pattern for *.up.railway.app
when ALLOW_RAILWAY_ORIGINS was enabled, ignoring the explicit allowed_origins
list that includes custom domains like app.patherly.com.
Now includes both allow_origins and allow_origin_regex so custom domains
work alongside Railway PR environments.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
d1201cc584