Fix LAN API base and development CORS regression

2026-03-01 13:56:25 -03:00
parent bdd97d1c62
commit 48cfc79b5f
6 changed files with 45 additions and 5 deletions

@@ -113,9 +113,14 @@ Selected defaults from `Settings` (`backend/app/core/config.py`):
## Frontend Configuration
Frontend runtime API target:
- `VITE_API_BASE` in `docker-compose.yml` frontend service
- `VITE_API_BASE` in `docker-compose.yml` frontend service (optional override)
- `VITE_API_TOKEN` in `docker-compose.yml` frontend service (optional compatibility fallback only)
When `VITE_API_BASE` is unset, frontend API helpers resolve the backend URL dynamically as:
- `http://<current-frontend-hostname>:8000/api/v1`
This keeps development access working when the UI is opened through a LAN IP instead of `localhost`.
Frontend API authentication behavior:
- `frontend/src/lib/api.ts` resolves bearer tokens at request time in this order:
- custom runtime resolver (`setApiTokenResolver`)
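Review bot: The documented fallback `http://<current-frontend-hostname>:8000/api/v1` hardcodes the scheme and port, so whenever `VITE_API_BASE` is unset the bearer tokens resolved in `frontend/src/lib/api.ts` are sent in cleartext to whatever host served the UI, and a frontend opened over HTTPS would have these requests blocked as mixed content. The text frames this as a development convenience but marks `VITE_API_BASE` only as "optional override"; please state that it must be set explicitly for any non-development deployment (or behind a reverse proxy on a different port), or derive the scheme from the current page rather than fixing it to `http`.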
@@ -163,6 +168,7 @@ Retention settings are used by worker cleanup and by `POST /api/v1/processing/lo
- `documents` endpoints: user token or admin token
- `settings` and `processing/logs` endpoints: admin token only
- Development environments can allow tokenless user-role access for document/search routes via `ALLOW_DEVELOPMENT_ANONYMOUS_USER_ACCESS=true`; production remains token-enforced.
- Development CORS allows localhost and RFC1918 private-network origins via regex in addition to explicit `CORS_ORIGINS`, so LAN-hosted frontend access remains functional.
- Authentication fails closed when `ADMIN_API_TOKEN` is not configured and admin access is requested.
- Document preview endpoint blocks inline rendering for script-capable MIME types and forces attachment responses for active content.
- Provider base URLs are validated on settings updates and before outbound model calls:
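Review bot: The new CORS bullet ("localhost and RFC1918 private-network origins via regex") does not say what gates the regex to development, whether the pattern is anchored on scheme, host and port, or whether credentialed requests are allowed. Read together with the bullet above it, a development instance with `ALLOW_DEVELOPMENT_ANONYMOUS_USER_ACCESS=true` would let any page served from a private-network origin read the document/search routes from a visitor's browser. Please name the setting that enables the regex, state that production uses only explicit `CORS_ORIGINS`, and document that the pattern matches the full origin so a hostname that merely begins with a private address cannot pass.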