fix(mana-core-auth): configure helmet for cross-origin requests

Update helmet middleware to allow cross-origin resource policy and
opener policy for proper CORS functionality with frontend apps.

Also add debug logging for configured CORS origins.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

services/mana-core-auth/src/main.ts

@@ -10,12 +10,18 @@ async function bootstrap() {
 
 	const configService = app.get(ConfigService);
 
-	// Security middleware
-	app.use(helmet());
+	// Security middleware - configure helmet to allow CORS
+	app.use(
+		helmet({
+			crossOriginResourcePolicy: { policy: 'cross-origin' },
+			crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
+		})
+	);
 	app.use(cookieParser());
 
 	// CORS configuration
 	const corsOrigins = configService.get<string[]>('cors.origin') || [];
+	console.log('📋 CORS Origins configured:', corsOrigins);
 	app.enableCors({
 		origin: corsOrigins,
 		credentials: true,