fix: pass allowed methods to CORS middleware

[vissersg]

Requirements

• I have added test coverage for new or changed functionality
• I have followed the repository's pull request submission guidelines
• I have validated my changes against all supported platform versions

Related issues
#669

Describe the solution you've provided

When setting up the CORS middleware each router now passes in a list of methods that it supports, and the middleware handler uses that list to set AllowedMethods. This replaces the hardcoded GET method to ensure all methods are properly handled.

Describe alternatives you've considered

Provide a clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the pull request here.

---

Note

Low Risk
Low risk: small change to CORS middleware configuration for dev-server SDK routes, with added test coverage to ensure preflight behavior matches allowed methods.

Overview
Fixes CORS handling by replacing the hardcoded GET-only middleware with CorsHeadersForMethods(...), so each SDK subrouter passes its own allowed methods (e.g., GET + REPORT) into handlers.AllowedMethods.

Adds cors_test.go to verify OPTIONS preflight requests succeed for configured methods and are rejected for disallowed methods.

^{Written by Cursor Bugbot for commit 0122e07. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.