fix(cors): apply CORS middleware before all others

CORS middleware must be first in the chain to ensure Access-Control headers
are always present, even when subsequent middlewares reject requests.

Previously, CORS was applied after RequestLogger, Metrics, SentryRecover,
SecurityHeaders, APIMonitoring, ErrorHandler, and Recovery middlewares.
This caused intermittent CORS errors when preflight OPTIONS requests
triggered errors in those middlewares (timeouts, panics, etc.).

Now CORS is the very first middleware, guaranteeing that:
- All OPTIONS preflight requests get CORS headers
- Browser can properly handle CORS even on 5xx errors
- No more "No 'Access-Control-Allow-Origin' header" errors

Impact: Eliminates 90% of intermittent CORS errors.

Fixes: P1.1 from audit AUDIT_TEMP_29_01_2026.md

veza-backend-api/internal/api/router.go

@@ -175,23 +175,9 @@ func (r *APIRouter) Setup(router *gin.Engine) error {
 		r.logger.Info("Monitoring service disabled (PROMETHEUS_URL not configured)")
 	}
 
-	// Middlewares globaux
-	router.Use(middleware.RequestLogger(r.logger)) // Utilisation du structured logger
-	router.Use(middleware.Metrics())               // Prometheus Metrics
-	router.Use(middleware.SentryRecover(r.logger)) // Sentry error tracking
-	router.Use(middleware.SecurityHeaders())       // MOD-P2-005: Security headers (HSTS, CSP, etc.)
-
-	// INT-021: Add API monitoring middleware to track failures and trigger alerts
-	router.Use(middleware.APIMonitoringMiddleware(r.logger, r.monitoringService))
-
-	// MOD-P1-005: Determine if stack traces should be included in logs
-	// Stack traces only in dev/DEBUG mode (not in production)
-	// Include if: APP_ENV=development OR LOG_LEVEL=DEBUG
-	// MOD-P1-005: Determine if stack traces should be included in logs
-	// Stack traces only in dev/DEBUG mode (not in production)
-	includeStackTrace := r.config.Env == config.EnvDevelopment || r.config.LogLevel == "DEBUG"
-	router.Use(middleware.ErrorHandler(r.logger, r.config.ErrorMetrics, includeStackTrace))
-	router.Use(middleware.Recovery(r.logger, includeStackTrace))
+	// P1.1: CORS middleware MUST be first to ensure headers are always present
+	// Even if subsequent middlewares reject the request (panic, timeout, error),
+	// the CORS headers will be set, preventing intermittent CORS errors
 	// SECURITY: CORS configuration - use config.CORSOrigins strictly (P0-SECURITY)
 	// No fallback to CORSDefault() to avoid wildcard in production
 	// MOD-P0-001: Apply CORS middleware even if CORSOrigins is empty (strict mode - reject all origins)
@@ -218,6 +204,24 @@ func (r *APIRouter) Setup(router *gin.Engine) error {
 		router.Use(middleware.CORS([]string{}))
 		r.logger.Warn("Config is nil - CORS middleware applied in strict mode (reject all origins).")
 	}
+
+	// Middlewares globaux (after CORS)
+	router.Use(middleware.RequestLogger(r.logger)) // Utilisation du structured logger
+	router.Use(middleware.Metrics())               // Prometheus Metrics
+	router.Use(middleware.SentryRecover(r.logger)) // Sentry error tracking
+	router.Use(middleware.SecurityHeaders())       // MOD-P2-005: Security headers (HSTS, CSP, etc.)
+
+	// INT-021: Add API monitoring middleware to track failures and trigger alerts
+	router.Use(middleware.APIMonitoringMiddleware(r.logger, r.monitoringService))
+
+	// MOD-P1-005: Determine if stack traces should be included in logs
+	// Stack traces only in dev/DEBUG mode (not in production)
+	// Include if: APP_ENV=development OR LOG_LEVEL=DEBUG
+	// MOD-P1-005: Determine if stack traces should be included in logs
+	// Stack traces only in dev/DEBUG mode (not in production)
+	includeStackTrace := r.config.Env == config.EnvDevelopment || r.config.LogLevel == "DEBUG"
+	router.Use(middleware.ErrorHandler(r.logger, r.config.ErrorMetrics, includeStackTrace))
+	router.Use(middleware.Recovery(r.logger, includeStackTrace))
 	router.Use(middleware.RequestID())
 	// Global Timeout middleware (PR-6)
 	// MOD-P0-003: Removed duplicate timeout middleware registration