From f95d69c9158ec6d8c13d34af80f32b9743f7767a Mon Sep 17 00:00:00 2001
From: "IETM_FIXE\\ietm6" <ietm64@igmlcreation.fr>
Date: Fri, 24 Apr 2026 08:46:26 +0200
Subject: [PATCH] =?UTF-8?q?Fix=20CORS=20403=20sur=20POST=20:=20passer=20AP?=
 =?UTF-8?q?P=5FCORS=5FALLOWED=5FORIGINS=20au=20core=20d=C3=A9mo?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 demo/docker-compose.infra.yml | 2 ++
 demo/orchestrator/config.go   | 4 ++++
 demo/orchestrator/docker.go   | 6 +++++-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/demo/docker-compose.infra.yml b/demo/docker-compose.infra.yml
index 32bb390..98f0f49 100644
--- a/demo/docker-compose.infra.yml
+++ b/demo/docker-compose.infra.yml
@@ -51,6 +51,8 @@ services:
       BRAIN_INTERNAL_SECRET_DEFAULT: ${BRAIN_INTERNAL_SECRET_DEFAULT:-change-me}
       # Rate limit : 1 creation par IP par fenetre (en secondes).
       RATE_LIMIT_WINDOW_SECONDS: ${RATE_LIMIT_WINDOW_SECONDS:-60}
+      # Domaine public : propage aux cores de session pour configurer CORS.
+      DEMO_HOST: ${DEMO_HOST:-loremind-demo.igmlcreation.fr}
     networks:
       - traefik
       - sessions
diff --git a/demo/orchestrator/config.go b/demo/orchestrator/config.go
index 8346ab0..0a92681 100644
--- a/demo/orchestrator/config.go
+++ b/demo/orchestrator/config.go
@@ -22,6 +22,7 @@ type Config struct {
 	PreparingPage      string
 	RateLimitWindow    time.Duration
 	MaxBodyBytes       int64
+	DemoHost           string
 }
 
 func loadConfig() *Config {
@@ -40,6 +41,9 @@ func loadConfig() *Config {
 		RateLimitWindow:    time.Duration(envInt("RATE_LIMIT_WINDOW_SECONDS", 60)) * time.Second,
 		// 10 Mo : aligne avec la limite d'upload d'image cote core.
 		MaxBodyBytes: int64(envInt("MAX_BODY_MB", 10)) * 1024 * 1024,
+		// Utilise pour injecter APP_CORS_ALLOWED_ORIGINS dans les cores spawnes :
+		// sans ca, Spring bloque les POST avec 403 (origine rejetee).
+		DemoHost: envStr("DEMO_HOST", "loremind-demo.igmlcreation.fr"),
 	}
 }
 
diff --git a/demo/orchestrator/docker.go b/demo/orchestrator/docker.go
index 873a035..0c9bb32 100644
--- a/demo/orchestrator/docker.go
+++ b/demo/orchestrator/docker.go
@@ -139,7 +139,11 @@ func (d *DockerClient) SpawnTrio(ctx context.Context, sessionID string, cfg *Con
 			"ADMIN_USERNAME=admin",
 			"ADMIN_PASSWORD=" + adminPassword,
 			"DEMO_MODE=true",
-			"CORS_ALLOWED_ORIGINS=*",
+			// CorsConfig.java lit app.cors.allowed-origins (= APP_CORS_ALLOWED_ORIGINS
+			// via le relaxed binding Spring). Necessaire meme en same-origin car
+			// le browser envoie Origin sur les POST et le CorsFilter 403 les
+			// origines inconnues.
+			"APP_CORS_ALLOWED_ORIGINS=https://" + cfg.DemoHost,
 		},
 		Labels: copyLabels(labels, "core"),
 		Memory: cfg.CoreMemoryBytes,