T-005: Security hardening - CORS, Rate Limit, CSRF

- CORS: Restrict allowed origins to specific frontend URLs, limit methods and headers
- Rate Limit: Add fine-grained endpoint-specific rate limits for sensitive operations
  - Login: 5 requests/minute
  - Register: 3 requests/hour
  - Password change: 3 requests/5 minutes
  - Payment: 20 requests/minute
  - Admin: 30 requests/minute
- CSRF: Add CSRF protection middleware with double-submit cookie pattern
  - New app/core/csrf.py module with CSRFMiddleware
  - Require CSRF tokens on sensitive endpoints (auth, payment, profile)
  - Skip webhook endpoints for CSRF validation
- Fix pydantic-settings import in config.py

backend/app/main.py

@@ -3,6 +3,7 @@ from fastapi.middleware.cors import CORSMiddleware
 from app.config import settings
 from app.core.exceptions import register_exception_handlers
 from app.core.middleware import TierMiddleware, QuotaMiddleware, RateLimitMiddleware
+from app.core.csrf import CSRFMiddleware
 import logging
 
 logging.basicConfig(level=logging.INFO)
@@ -34,14 +35,70 @@ app = FastAPI(
     debug=settings.DEBUG,
 )
 
+# =============================================================================
+# CORS Configuration - Security Hardened
+# =============================================================================
+# Only allow specific origins (frontend URLs)
+# Only allow specific HTTP methods (no TRACE, CONNECT, etc.)
+# Only allow specific headers (no arbitrary headers)
+# =============================================================================
+
+# Define allowed origins from environment/config
+# In production, this should be your actual frontend domain(s)
+ALLOWED_ORIGINS = [
+    settings.FRONTEND_URL,
+    "http://localhost:3000",   # Legacy frontend
+    "http://localhost:5173",   # Vite dev server
+    "http://localhost:5174",   # User workspace dev server
+    "https://trade.yuzhiran.com",  # Production domain
+    "https://trade.yuzhiran.com/app",
+    "https://trade.yuzhiran.com/admin",
+    "https://trade.yuzhiran.com/workspace",
+]
+
+# Allowed HTTP methods (explicitly listed for security)
+ALLOWED_METHODS = [
+    "GET",
+    "POST",
+    "PUT",
+    "PATCH",
+    "DELETE",
+    "OPTIONS",
+]
+
+# Allowed headers (explicitly listed)
+ALLOWED_HEADERS = [
+    "Authorization",
+    "Content-Type",
+    "X-CSRF-Token",
+    "X-Requested-With",
+    "Accept",
+    "Origin",
+]
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=[settings.FRONTEND_URL],
+    allow_origins=ALLOWED_ORIGINS,
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=ALLOWED_METHODS,
+    allow_headers=ALLOWED_HEADERS,
+    max_age=600,  # Preflight cache duration
+    expose_headers=[
+        "X-RateLimit-Limit",
+        "X-RateLimit-Remaining",
+        "X-RateLimit-Reset",
+        "X-RateLimit-Name",
+        "X-CSRF-Token",
+    ],
 )
 
+# =============================================================================
+# Security Middleware Stack
+# =============================================================================
+# Order matters - CSRF should come after CORS but before other middleware
+# =============================================================================
+
+app.add_middleware(CSRFMiddleware)
 app.add_middleware(RateLimitMiddleware)
 app.add_middleware(QuotaMiddleware)
 app.add_middleware(TierMiddleware)
@@ -49,12 +106,30 @@ app.add_middleware(TierMiddleware)
 register_exception_handlers(app)
 
 
+@app.on_event("startup")
+async def load_ai_providers_from_db():
+    try:
+        from app.database import get_db
+        from app.ai.router import get_ai_router
+
+        async for db in get_db():
+            router = get_ai_router()
+            count = await router.reload_from_db(db)
+            if count == 0:
+                seeded = await router.seed_from_env(db)
+                if seeded:
+                    await router.reload_from_db(db)
+            break
+    except Exception as e:
+        logger.warning(f"AI provider DB load failed (tables may not exist yet): {e}")
+
+
 @app.get("/health")
 async def health():
     return {"status": "ok", "app": settings.APP_NAME, "version": "1.0.0"}
 
 
-from app.api.v1 import auth, marketing, translate, customer, quotation, whatsapp, product, exchange, push, admin, analytics, teams, onboarding, notification, feedback, payment, interaction, silent_pattern, training, followup, ai_assistant, discovery, discovery_record, certification, invoice, usage, referral, admin_search, search
+from app.api.v1 import auth, marketing, translate, customer, quotation, whatsapp, product, exchange, push, admin, analytics, teams, onboarding, notification, feedback, payment, interaction, silent_pattern, training, followup, ai_assistant, discovery, discovery_record, certification, invoice, usage, referral, admin_search, search, admin_ai
 
 app.include_router(auth.router, prefix="/api/v1/auth", tags=["auth"])
 app.include_router(marketing.router, prefix="/api/v1/marketing", tags=["marketing"])
@@ -85,6 +160,7 @@ app.include_router(invoice.router, prefix="/api/v1/invoices", tags=["invoices"])
 app.include_router(usage.router, prefix="/api/v1/usage", tags=["usage"])
 app.include_router(referral.router, prefix="/api/v1/referral", tags=["referral"])
 app.include_router(admin_search.router, prefix="/api/v1/admin", tags=["admin"])
+app.include_router(admin_ai.router, prefix="/api/v1/admin", tags=["admin"])
 app.include_router(search.router, prefix="/api/v1/search", tags=["search"])