Area: Integration / API (audit p13) · Surface: mobieusAPI · Dimension: competitor-gap · Severity: minor
Circle and Intercom support browser-side SDK/widget usage and document their CORS behavior. Mobieus API keys are bearer secrets, so unrestricted CORS would be wrong; but the total absence of CORS support means a tenant cannot build even a same-origin or allowlisted-origin browser dashboard against the API without a server-side proxy. Competitors that target no-code builders expose at least an allowlisted-origin CORS config per key. At minimum, a per-key allowed-origins list with an OPTIONS preflight responder would unblock embedded dashboards and headless front-ends.
Evidence
`grep -rnE "Access-Control-Allow|CORS" platform/src/Middleware/ platform/src/Controllers/Api/` returns nothing (`-E` is needed for `|` to act as alternation rather than a literal character). The /api/v1 group (routes.php:166-173) runs ApiKeyAuth + RateLimit + ErrorEnvelope middleware but emits no Access-Control headers and has no OPTIONS preflight handler.
Suggested fix. Add an optional allowed_origins column to api_keys and a CorsMiddleware in the /api/v1 group that echoes Access-Control-Allow-Origin for allowlisted origins and answers OPTIONS preflights; keep the default empty (no CORS) so existing keys are unaffected.
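The decision logic such a middleware needs, as an added illustration that is not mobieus code: the `allowed_origins` column name, the `corsDecision`/`applyCors` function names and the header set are assumptions chosen for this sketch. It keeps the default-empty behaviour (no CORS headers, existing keys untouched), uses exact-match origin comparison, and echoes the requesting origin rather than `*`.

```php
<?php
// Added example, not mobieus code. Assumed: api_keys.allowed_origins holds a
// list of exact origins (scheme + host + port) for the key; an empty list means
// "no CORS", which preserves today's behaviour for every existing key.
declare(strict_types=1);

/**
 * Work out which CORS headers (if any) to emit for one request.
 *
 * @param string[] $allowedOrigins exact origins stored for the key (empty = no CORS)
 * @param string   $requestOrigin  value of the Origin request header ('' if absent)
 * @param string   $method         HTTP method of the request
 * @return array{status:int, headers:array<string,string>, terminate:bool}
 */
function corsDecision(array $allowedOrigins, string $requestOrigin, string $method): array
{
    $headers = [];
    $isPreflight = strtoupper($method) === 'OPTIONS';

    // No Origin header means a non-browser client (curl, server-side code):
    // emit nothing and let the request proceed exactly as it does today.
    // Exact string match only: prefix or substring checks would let
    // "https://app.tenant.example.attacker-controlled" pass an allowlist entry
    // of "https://app.tenant.example".
    $allowed = $requestOrigin !== '' && in_array($requestOrigin, $allowedOrigins, true);

    if ($allowed) {
        // Echo the specific origin, never "*": the API key is a bearer secret,
        // and a wildcard would invite any page on the web to reuse a leaked one.
        $headers['Access-Control-Allow-Origin'] = $requestOrigin;
        // Tell shared caches the response differs per origin, so one tenant's
        // allow header is never replayed to another origin.
        $headers['Vary'] = 'Origin';
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, PATCH, DELETE, OPTIONS';
        // Authorization is where the bearer key travels; it is a non-simple header,
        // so it must be listed or the browser blocks the real request.
        $headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
        $headers['Access-Control-Max-Age'] = '600';
    }

    if ($isPreflight) {
        // A preflight is answered with an empty 204 and stops the chain. For a
        // non-allowlisted origin it still returns 204, just without the
        // Access-Control headers, and the browser refuses the follow-up request.
        return ['status' => 204, 'headers' => $headers, 'terminate' => true];
    }
    return ['status' => 0, 'headers' => $headers, 'terminate' => false];
}

/**
 * Hypothetical wiring for the /api/v1 group: emit the headers and short-circuit
 * preflights. $allowedOrigins comes from the resolved api_keys row.
 */
function applyCors(array $allowedOrigins): void
{
    $decision = corsDecision(
        $allowedOrigins,
        $_SERVER['HTTP_ORIGIN'] ?? '',
        $_SERVER['REQUEST_METHOD'] ?? 'GET'
    );
    foreach ($decision['headers'] as $name => $value) {
        header($name . ': ' . $value);
    }
    if ($decision['terminate']) {
        http_response_code($decision['status']);
        exit;
    }
}

// Constructed sample: a key allowing one dashboard origin, probed by three origins.
$sampleAllowed = ['https://dashboard.tenant.example'];
foreach (['https://dashboard.tenant.example', 'https://dashboard.tenant.example.evil', ''] as $origin) {
    $d = corsDecision($sampleAllowed, $origin, 'GET');
    printf("%-45s -> %s\n", $origin === '' ? '(no Origin header)' : $origin,
        isset($d['headers']['Access-Control-Allow-Origin']) ? 'CORS allowed' : 'no CORS headers');
}
```

One caveat that affects where the middleware sits in the chain: a browser's preflight does not carry the Authorization header, so ApiKeyAuth cannot identify the key on the OPTIONS request. The preflight therefore has to be resolved from something visible before authentication (the request host, a key identifier in the path, or the union of all keys' allowlists for that tenant), with the per-key list enforced on the actual request. Because the preflight response carries no data, answering it for an origin that only some key permits gives away nothing; the real request is still checked against the specific key's list.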
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus