Hardcode CORS credentials disabled and remove env toggle

doc/operations-and-configuration.md

@@ -64,7 +64,6 @@ Use `.env.example` as baseline. The table below documents user-managed settings
 | `PUBLIC_BASE_URL` | `http://localhost:8000` | `https://api.example.com` |
 | `VITE_API_BASE` | empty for host-derived `http://<frontend-host>:8000/api/v1`, or explicit local URL | `https://api.example.com/api/v1` |
 | `CORS_ORIGINS` | `["http://localhost:5173","http://localhost:3000"]` | exact frontend origins only, for example `["https://app.example.com"]` |
-| `CORS_ALLOW_CREDENTIALS` | `false` | `false` (Authorization header flow does not need credentialed CORS) |
 | `REDIS_URL` | `redis://:<password>@redis:6379/0` in isolated local network | `rediss://:<password>@redis.internal:6379/0` |
 | `REDIS_SECURITY_MODE` | `compat` or `auto` | `strict` |
 | `REDIS_TLS_MODE` | `allow_insecure` or `auto` | `required` |
@@ -77,6 +76,8 @@ Use `.env.example` as baseline. The table below documents user-managed settings
 | `CONTENT_EXPORT_MAX_TOTAL_BYTES` | default `52428800` (50 MiB) or lower | tuned to production capacity |
 | `CONTENT_EXPORT_RATE_LIMIT_PER_MINUTE` | default `6` | tuned to API throughput and abuse model |
 
+`PUBLIC_BASE_URL` must point to the backend API public URL, not the frontend URL.
+
 ## HTTPS Proxy Deployment Notes
 
 This application supports both:
@@ -88,7 +89,7 @@ Recommended LIVE pattern:
 2. Keep container published ports bound to localhost or internal network.
 3. Set `PUBLIC_BASE_URL` and `VITE_API_BASE` to final HTTPS URLs.
 4. Set `CORS_ORIGINS` to exact HTTPS frontend origins.
-5. Keep `CORS_ALLOW_CREDENTIALS=false` for bearer header flow.
+5. Credentialed CORS is intentionally disabled in application code for bearer-header auth.
 
 ## Security Controls