fix: update CORS origins and API key requirements in README for production guidelines

README.md

@@ -135,7 +135,7 @@ Response:
 
 | Variable | Default | Description |
 |----------|---------|-------------|
-| `CROWNCODE_CORS_ORIGINS` | `*` | Allowed CORS origins |
+| `CROWNCODE_CORS_ORIGINS` | `http://localhost:3000` | Allowed CORS origins (comma-separated). **Do not use `*` in production.** |
 | `MUSIC_AI_API_URL` | - | Music-AIDetector service URL |
 | `SES_ANALIZI_API_URL` | - | Ses-Analizi service URL |
 | `CROWNCODE_API_TIMEOUT_SEC` | `30` | External service timeout |
@@ -144,7 +144,8 @@ Response:
 | `COMMEND_GEMINI_API_KEY` | - | Gemini API key for Crown Commend (also used as YouTube API Key fallback) |
 | `COMMEND_YOUTUBE_API_KEY` | - | YouTube Data API key for read operations (optional if Gemini key is set) |
 | `COMMEND_TOKEN_JSON` | - | YouTube OAuth token JSON for posting comments (optional) |
-| `COMMEND_API_KEY` | - | API key for commend endpoint auth (optional, disables auth if unset) |
+| `COMMEND_API_KEY` | - | API key for commend endpoint auth (**required in production**) |
+| `COMMEND_REQUIRE_AUTH` | `true` | Fail-closed auth gate. Set to `false` only for local development. |
 | `COMMEND_ENABLE_POSTING` | `false` | Enable YouTube comment posting (`true`/`false`) |
 
 ---