feat(security): SEC-015 Strict CORS Origin Validation and Specs Update

cmd/soc/main.go

@@ -19,6 +19,7 @@ import (
 	"runtime"
 	"runtime/debug"
 	"strconv"
+	"strings"
 	"syscall"
 
 	"github.com/syntrex/gomcp/internal/application/soc"
@@ -122,6 +123,16 @@ func main() {
 	socSvc := soc.NewService(socRepo, decisionLogger)
 	srv := sochttp.New(socSvc, port)
 
+	// Configure CORS
+	if corsEnv := env("SOC_CORS_ORIGIN", ""); corsEnv != "" {
+		parts := strings.Split(corsEnv, ",")
+		for i := range parts {
+			parts[i] = strings.TrimSpace(parts[i])
+		}
+		srv.SetCORSOrigins(parts)
+		slog.Info("CORS strict origins configured", "origins", len(parts))
+	}
+
 	// Threat Intelligence Store — always initialized for IOC enrichment (§6)
 	threatIntelStore := soc.NewThreatIntelStore()
 	threatIntelStore.AddDefaultFeeds()