[Rust Frontend] Add CORS support

[tahsintunan]

Summary

• Adds CORS to the Rust frontend (tracking: [Roadmap] Rust Frontend Feature Parity #44280), matching the Python frontend's Starlette CORSMiddleware.
• A tower_http::cors::CorsLayer is applied to every response with the same permissive defaults Python uses (allow_origins=["*"], methods/headers ["*"], credentials off), plus a small middleware that keeps non-CORS responses clean.

Notes

• CorsLayer reproduces Starlette's browser behavior: * methods expand to an explicit list, allowed headers union the safelisted set, max-age is 600, Vary: Origin only emits when the origin is dynamic, and * + credentials reflects the request origin (avoids tower-http's wildcard+credentials panic).
• A strip_cors_on_no_origin middleware strips CORS headers from requests without an Origin, keeping non-browser traffic (/health, plain curl) clean.
• CORS sits inside auth in the layer stack, so 401s carry no CORS headers. Preflight OPTIONS bypasses auth and still gets headers.

Known divergences (all browser-invisible)

• A rejected preflight returns 200 with disallowed headers absent, instead of Starlette's 400 "Disallowed CORS ...". The browser blocks the request either way (matching the 400 would mean reimplementing tower-http's internals).
• A bare OPTIONS (no Access-Control-Request-Method) returns 200 instead of 405.

[BugenZhao]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6c8d2e5ea0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve the Python --no-allow-credentials flag

For CLI invocations that include the Python-generated negative boolean form --no-allow-credentials (the Python arg builder uses BooleanOptionalAction for bool fields, and the old unsupported entry explicitly recognized this alias), this new supported clap arg only registers --allow-credentials, so the Rust frontend rejects a valid vLLM CORS flag instead of treating it as false. This matters for wrappers or config renderers that emit explicit negative bools; please add proper handling for the negative form when enabling this option.

Useful? React with 👍 / 👎.

[tahsintunan]

This follows how the Rust frontend already handles implemented bool flags: negation is --allow-credentials false, not --no-allow-credentials. None of the existing implemented bool flags mirror Python's --no- form either — e.g. --enable-request-id-headers (which this is modeled on), --enable-prompt-tokens-details, --disable-log-stats all accept --flag true/false only, while Python generates a --no- variant for each via BooleanOptionalAction.

[mergify]

This pull request has merge conflicts that must be resolved before it can be
merged. Please rebase the PR, @tahsintunan.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork