
[IMP] add server settings for CORS#795

Open
RaoufGhrissi wants to merge 1 commit into ActivityWatch:master from odoo:ref/cors-settings

Conversation


@RaoufGhrissi RaoufGhrissi commented Apr 2, 2026

RaoufGhrissi added a commit to odoo/aw-server-rust that referenced this pull request Apr 2, 2026
Fixes a security issue where any Firefox extension (moz-extension://.*) could access the ActivityWatch server without any restriction.

Previously, the CORS configuration included a wildcard for all Mozilla extensions by default. This commit removes that blanket permission and introduces granular control through both static configuration and the Web UI.

We've added 2 new fields to the file configuration (allow_aw_chrome_extension and allow_all_mozilla_extension) and 4 new settings to the Web UI (Fixed origins, Regex origins, and extension-specific shortcuts). The server now merges these settings to determine the final set of authorized origins, ensuring a more secure and flexible configuration.

Dependent on: ActivityWatch/aw-webui#795
@RaoufGhrissi
Author

I will apply the same changes to aw-server once validated on aw-server-rust

RaoufGhrissi added a commit to odoo/aw-server-rust that referenced this pull request Apr 2, 2026
Fixes a security issue where any Firefox extension (moz-extension://.*) could access the ActivityWatch server without any restriction.

Previously, the CORS configuration included a wildcard for all Mozilla extensions by default. This commit removes that blanket permission and introduces granular control through both static configuration and the Web UI.

We've added 2 new fields to the file configuration (cors_allow_aw_chrome_extension and cors_allow_all_mozilla_extension) and 4 new settings to the Web UI (Fixed origins, Regex origins, and extension-specific shortcuts). The server now merges these settings to determine the final set of authorized origins, ensuring a more secure and flexible configuration.

Dependent on: ActivityWatch/aw-webui#795
@RaoufGhrissi RaoufGhrissi marked this pull request as ready for review April 2, 2026 17:10
@greptile-apps
Contributor

greptile-apps bot commented Apr 2, 2026

Greptile Summary

This PR adds a new ServerSettings panel to the settings page that lets users configure CORS origins for aw-server-rust (dependent on aw-server-rust#581). It introduces four new fields to the Pinia settings store (cors, cors_regex, cors_allow_aw_chrome_extension, cors_allow_all_mozilla_extension), wires them up through the existing update()/save() mechanism, and renders a UI with text inputs for exact/regex origins and checkboxes for convenience shortcuts.

Key observations:

  • The component structure and computed-property pattern follow the existing convention established by DeveloperSettings.vue.
  • cors_allow_aw_chrome_extension defaults to true, which will be silently persisted to the server on the first save of any setting — potentially overriding a more-restrictive server-side default without explicit user action.
  • The two text inputs use eager v-model (fires on every keystroke), triggering a GET + POST cycle per character. Using v-model.lazy would limit saves to blur/Enter, matching user intent better for long URLs.
  • Several issues flagged in earlier review threads (Markdown bold in Pug, regex-escaping guidance, duplicate commit hash) remain unaddressed in the current HEAD.

Confidence Score: 4/5

Safe to merge with minor fixes; several earlier review-thread issues remain open in the current HEAD.

No blocking regressions are introduced and the code follows established codebase patterns. However, the silent server-side opt-in for Chrome extension CORS (default true persisted on any settings save) is a real behaviour difference from what a user would expect, and several previous review comments have not yet been addressed, keeping confidence at 4 rather than 5.

src/stores/settings.ts (default value for cors_allow_aw_chrome_extension) and src/views/settings/ServerSettings.vue (open previous-thread issues, eager v-model on text inputs)

Important Files Changed

Filename Overview
src/stores/settings.ts Adds four new CORS-related fields to the settings store state and defaults; follows existing patterns, but the default cors_allow_aw_chrome_extension: true will be silently pushed to the server the first time any settings save occurs.
src/views/settings/ServerSettings.vue New CORS settings panel; several open review-thread issues remain unaddressed (regex escaping guidance, Markdown bold syntax in Pug, duplicate commit hash, unused data property).
src/views/settings/Settings.vue Correctly registers and renders the new ServerSettings component at the bottom of the settings page.

Sequence Diagram

sequenceDiagram
    participant User
    participant ServerSettings.vue
    participant SettingsStore (Pinia)
    participant aw-server-rust

    User->>ServerSettings.vue: types in CORS field / toggles checkbox
    ServerSettings.vue->>SettingsStore (Pinia): update({ cors | cors_regex | cors_allow_* })
    SettingsStore (Pinia)->>SettingsStore (Pinia): $patch(new_state)
    SettingsStore (Pinia)->>aw-server-rust: GET /0/settings
    aw-server-rust-->>SettingsStore (Pinia): current server_settings
    SettingsStore (Pinia)->>aw-server-rust: POST /0/settings/{key} (for each changed key)
    aw-server-rust-->>SettingsStore (Pinia): 200 OK
    SettingsStore (Pinia)->>aw-server-rust: GET /0/settings (reload)
    aw-server-rust-->>SettingsStore (Pinia): updated settings

    Note over aw-server-rust: Restart required for CORS changes to take effect

Reviews (3): Last reviewed commit: "[IMP] add server settings for CORS"

| Recommended for security. To allow a specific extension safely:
ol.mt-2.mb-1
li Go to <code>about:debugging#/runtime/this-firefox</code> in your browser.
li Look for your extension and copy the **Manifest URL** (e.g. <code>moz-extension://4b931c07deded...ff152/manifest.json</code>).
Contributor


P1 Markdown bold syntax renders literally in Pug

The **Manifest URL** syntax is Markdown, not Pug/HTML. Pug templates do not process Markdown, so users will see the asterisks rendered literally in the browser (**Manifest URL** instead of Manifest URL). Use an inline <b> tag or Pug's b element instead.

Suggested change
li Look for your extension and copy the **Manifest URL** (e.g. <code>moz-extension://4b931c07deded...ff152/manifest.json</code>).
li Look for your extension and copy the <b>Manifest URL</b> (e.g. <code>moz-extension://4b931c07deded...ff152/manifest.json</code>).

Comment on lines +29 to +33
ol.mt-2.mb-1
li Go to <code>about:debugging#/runtime/this-firefox</code> in your browser.
li Look for your extension and copy the **Manifest URL** (e.g. <code>moz-extension://4b931c07deded...ff152/manifest.json</code>).
li Remove <code>manifest.json</code> from the end (to get <code>moz-extension://4b931c07deded...ff152</code>).
li Paste it into the <b>Regex CORS origins</b> field above (use a comma to separate if not empty).
Contributor


P2 Regex field instructions advise pasting literal URLs containing unescaped dots

Step 3 tells the user to paste a raw moz-extension://... URL (e.g. moz-extension://4b931c07deded...ff152) into the Regex CORS origins field. However, the dots (.) in that URL are regex metacharacters that match any character, so the pattern will also match origins with different characters in those positions. This could allow an unintended extension to bypass the CORS check.

Consider updating the instructions to advise users to escape literal dots with \., or direct them to paste the origin into the Fixed CORS origins field instead (which uses exact matching), if the backend supports it.
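The point raised in the comment above, as an added example in TypeScript that is not code from aw-webui or aw-server-rust. It shows what a pasted literal origin does when it is used unescaped in a regex allowlist, and it goes one step further than the comment by also showing why the pattern must be anchored to the whole origin (an unanchored pattern also matches a longer origin that merely contains it). The final part merges the four settings this PR introduces (fixed origins, regex origins, the two extension shortcuts) into one decision; that merge logic, the helper names, the `AW_CHROME_ORIGIN` placeholder and every origin string are constructed for the example and are not the server's implementation.

```typescript
// Added example; not code from aw-webui or aw-server-rust. All origins,
// helper names and the merge order below are constructed for illustration.

// The Web UI fields are comma-separated lists (see the instructions above).
function splitList(field: string): string[] {
  return field.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Escape regex metacharacters so a pasted literal matches only itself.
function escapeRegex(literal: string): string {
  return literal.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Unsafe: the pattern is used as typed and unanchored, so "." matches any
// character and the pattern can match a substring of a longer origin.
function naiveRegexAllows(patterns: string[], origin: string): boolean {
  return patterns.some((p) => new RegExp(p).test(origin));
}

// Safer: each pattern must match the whole origin. Escaping is still the
// caller's job; pass escapeRegex(origin) for a literal origin.
function anchoredRegexAllows(patterns: string[], origin: string): boolean {
  return patterns.some((p) => new RegExp(`^(?:${p})$`).test(origin));
}

interface CorsSettings {
  cors: string;                              // fixed origins, exact match
  cors_regex: string;                        // regex origins, anchored
  cors_allow_aw_chrome_extension: boolean;   // shortcut for one known origin
  cors_allow_all_mozilla_extension: boolean; // the old moz-extension://.* wildcard
}

// Hypothetical placeholder for the ActivityWatch Chrome extension origin.
const AW_CHROME_ORIGIN = "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

// One way to merge the four settings (example logic, not the server's).
function originAllowed(s: CorsSettings, origin: string): boolean {
  if (splitList(s.cors).indexOf(origin) !== -1) return true;
  if (s.cors_allow_aw_chrome_extension && origin === AW_CHROME_ORIGIN) return true;
  if (s.cors_allow_all_mozilla_extension && origin.indexOf("moz-extension://") === 0) return true;
  return anchoredRegexAllows(splitList(s.cors_regex), origin);
}

// Constructed inputs: the origin the user wants, two look-alikes, and a
// Firefox extension origin (UUID form, without the trailing manifest.json).
const WANTED = "https://dashboard.example.test";
const SUFFIXED = "https://dashboard.example.test.evil.test"; // contains WANTED
const DOT_SWAPPED = "https://dashboardXexample.test";         // "." matches "X"
const MY_EXTENSION = "moz-extension://12345678-1234-4321-abcd-123456789abc";

const policy: CorsSettings = {
  cors: MY_EXTENSION,              // extension origin goes in the exact-match field
  cors_regex: escapeRegex(WANTED), // literal origin escaped before use as a regex
  cors_allow_aw_chrome_extension: false,
  cors_allow_all_mozilla_extension: false,
};

function report(): Record<string, boolean> {
  return {
    naive_accepts_suffixed: naiveRegexAllows([WANTED], SUFFIXED),            // true
    naive_accepts_dot_swapped: naiveRegexAllows([WANTED], DOT_SWAPPED),      // true
    anchored_accepts_suffixed: anchoredRegexAllows([WANTED], SUFFIXED),      // false
    anchored_accepts_dot_swapped: anchoredRegexAllows([WANTED], DOT_SWAPPED),// true
    escaped_accepts_dot_swapped: anchoredRegexAllows([escapeRegex(WANTED)], DOT_SWAPPED), // false
    policy_allows_wanted: originAllowed(policy, WANTED),                     // true
    policy_allows_extension: originAllowed(policy, MY_EXTENSION),            // true
    policy_allows_suffixed: originAllowed(policy, SUFFIXED),                 // false
  };
}
```

Anchoring alone is not enough (`anchored_accepts_dot_swapped` stays true) and escaping alone is not enough (an unanchored escaped pattern still matches `SUFFIXED`); a literal origin needs both, which is why putting an extension origin in the exact-match field sidesteps the question entirely.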

Comment on lines +35 to +36
div.mt-5.text-muted.small
| Web UI commit hash: {{ COMMIT_HASH }}
Contributor


P2 Duplicate commit hash display

The "Web UI commit hash" line is already shown at the bottom of DeveloperSettings.vue. Having it repeated at the bottom of ServerSettings.vue as well is redundant and looks like an accidental copy-paste. Consider removing it from ServerSettings.vue.

Comment on lines +44 to +47
return {
showSettings: false,
};
},
Contributor


P2 Unused showSettings data property

The data() function exposes showSettings: false, but this property is never referenced anywhere in the template or the computed/methods sections. It appears to be an accidental copy-paste artefact from another settings component. It can be safely removed.

Suggested change
return {
showSettings: false,
};
},
computed: {

RaoufGhrissi added a commit to odoo/aw-server-rust that referenced this pull request Apr 2, 2026
Fixes a security issue where any Firefox extension (moz-extension://.*) could access the ActivityWatch server without any restriction.

Previously, the CORS configuration included a wildcard for all Mozilla extensions by default. This commit removes that blanket permission and introduces granular control through both static configuration and the Web UI.

We've added 2 new fields to the file configuration (cors_allow_aw_chrome_extension and cors_allow_all_mozilla_extension) and 4 new settings to the Web UI (Fixed origins, Regex origins, and extension-specific shortcuts). The server now merges these settings to determine the final set of authorized origins, ensuring a more secure and flexible configuration.

The TOML configuration file values are now used only as an initial seed for the database during the first run. On subsequent runs, any values changed and persisted via the Web UI will take precedence over the config file defaults.

Fixed a bug in the web-ui store where changing one setting would cause all other settings to be re-saved with their initial client-side values, unintentionally overwriting database settings with stale defaults.

Dependent on: ActivityWatch/aw-webui#795
- Introduced ServerSettings.vue for managing CORS origins and extension permissions.
- Updated settings store to only save keys that were explicitly changed, preventing unintended overwrites of other settings with client-side defaults.
- Cleaned up redundant commit hash display and unused data properties in ServerSettings.vue.
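The store bug described in the commit messages above (changing one setting re-saved every other setting with its initial client-side value) and the default that Greptile flagged (`cors_allow_aw_chrome_extension: true`), modelled as an added TypeScript example. This is not the aw-webui Pinia store: the store shape, the `FakeServer` stand-in for the settings endpoint and the scenario values are assumptions made for the example; only the four field names come from the PR.

```typescript
// Added example; not the aw-webui store. FakeServer, the store shape and the
// scenario below are constructed to show the overwrite and its fix.

type Settings = {
  cors: string;
  cors_regex: string;
  cors_allow_aw_chrome_extension: boolean;
  cors_allow_all_mozilla_extension: boolean;
};
type SettingKey = keyof Settings;

// Initial client-side values, including the default Greptile flagged.
const CLIENT_DEFAULTS: Settings = {
  cors: "",
  cors_regex: "",
  cors_allow_aw_chrome_extension: true,
  cors_allow_all_mozilla_extension: false,
};

// Constructed stand-in for GET /0/settings and POST /0/settings/{key}.
class FakeServer {
  stored: Partial<Settings>;
  constructor(stored: Partial<Settings>) {
    this.stored = { ...stored };
  }
  get(): Partial<Settings> {
    return { ...this.stored };
  }
  post<K extends SettingKey>(key: K, value: Settings[K]): void {
    this.stored[key] = value;
  }
}

class SettingsStore {
  state: Settings = { ...CLIENT_DEFAULTS };
  private changed: SettingKey[] = [];
  private server: FakeServer;

  constructor(server: FakeServer) {
    this.server = server;
  }

  // Called by the UI with only the key the user edited.
  update(patch: Partial<Settings>): void {
    Object.assign(this.state, patch);
    for (const k of Object.keys(patch) as SettingKey[]) {
      if (this.changed.indexOf(k) === -1) this.changed.push(k);
    }
  }

  // Before the fix: every key in local state is written, so keys the user
  // never touched overwrite the server's value with the client-side default.
  saveAll(): SettingKey[] {
    const keys = Object.keys(this.state) as SettingKey[];
    for (const k of keys) this.server.post(k, this.state[k]);
    return keys;
  }

  // After the fix: only keys recorded by update() are written.
  saveChanged(): SettingKey[] {
    const keys = this.changed.slice();
    for (const k of keys) this.server.post(k, this.state[k]);
    this.changed = [];
    return keys;
  }
}

// Constructed scenario: the server already refuses the Chrome extension;
// the user then edits only the fixed-origins field and saves.
function runScenario(useFix: boolean): Partial<Settings> {
  const server = new FakeServer({ cors_allow_aw_chrome_extension: false });
  const store = new SettingsStore(server);
  store.update({ cors: "https://dashboard.example.test" });
  if (useFix) {
    store.saveChanged();
  } else {
    store.saveAll();
  }
  return server.get();
}
```

`runScenario(false)` ends with `cors_allow_aw_chrome_extension` back at `true` on the server, re-opening the origin the operator had closed; `runScenario(true)` writes only `cors` and leaves the server's value alone, which is the behaviour the "only save keys that were explicitly changed" fix describes.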
@RaoufGhrissi RaoufGhrissi marked this pull request as draft April 2, 2026 21:36
@RaoufGhrissi RaoufGhrissi marked this pull request as ready for review April 2, 2026 21:36
@RaoufGhrissi RaoufGhrissi marked this pull request as draft April 2, 2026 21:50
@RaoufGhrissi RaoufGhrissi marked this pull request as ready for review April 2, 2026 21:50
RaoufGhrissi added a commit to odoo/aw-server-rust that referenced this pull request Apr 3, 2026