Fix CORS middleware panic and add Procfile

- Transform ALLOWED_HOSTS to proper origins with http/https prefix
- Fallback to AllowAllOrigins if no valid origins configured
- Add Procfile for dokku process types

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Procfile

@@ -0,0 +1,2 @@
+web: /app/api
+worker: /app/worker

internal/router/router.go

@@ -124,11 +124,35 @@ func corsMiddleware(cfg *config.Config) gin.HandlerFunc {
 		MaxAge:           12 * time.Hour,
 	}
 
-	// In debug mode, allow all origins; otherwise use configured hosts
+	// In debug mode or if no proper origins configured, allow all origins
 	if cfg.Server.Debug {
 		corsConfig.AllowAllOrigins = true
 	} else {
-		corsConfig.AllowOrigins = cfg.Server.AllowedHosts
+		// Transform allowed hosts to proper origins with https://
+		var origins []string
+		for _, host := range cfg.Server.AllowedHosts {
+			host = strings.TrimSpace(host)
+			if host == "" {
+				continue
+			}
+			if host == "*" {
+				corsConfig.AllowAllOrigins = true
+				break
+			}
+			// If host doesn't have scheme, add https://
+			if !strings.HasPrefix(host, "http://") && !strings.HasPrefix(host, "https://") {
+				origins = append(origins, "https://"+host)
+				origins = append(origins, "http://"+host) // Also allow http for dev
+			} else {
+				origins = append(origins, host)
+			}
+		}
+		if !corsConfig.AllowAllOrigins && len(origins) > 0 {
+			corsConfig.AllowOrigins = origins
+		} else if !corsConfig.AllowAllOrigins {
+			// Fallback to allow all if no valid origins
+			corsConfig.AllowAllOrigins = true
+		}
 	}
 
 	return cors.New(corsConfig)