fix: validate_startup checks CORS wildcard in production

validate_startup() now exits with an error if CORS_ORIGINS contains
a wildcard '*' in production mode, matching the runtime stripping
already done in _get_cors_origins().

Fixes #472

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/config.py

@@ -66,7 +66,7 @@ class Settings(BaseSettings):
 
     # ── Backend selection ────────────────────────────────────────────────────
     # "ollama"  — always use Ollama (default, safe everywhere)
-    # "auto"    — auto-detect best available backend
+    # "auto"    — pick best available local backend, fall back to Ollama
     timmy_model_backend: Literal["ollama", "grok", "claude", "auto"] = "ollama"
 
     # ── Grok (xAI) — opt-in premium cloud backend ────────────────────────
@@ -469,6 +469,12 @@ def validate_startup(*, force: bool = False) -> None:
                 ", ".join(_missing),
             )
             sys.exit(1)
+        if "*" in settings.cors_origins:
+            _startup_logger.error(
+                "PRODUCTION SECURITY ERROR: Wildcard '*' in CORS_ORIGINS is not "
+                "allowed in production — set explicit origins via CORS_ORIGINS env var."
+            )
+            sys.exit(1)
         _startup_logger.info("Production mode: security secrets validated ✓")
     else:
         if not settings.l402_hmac_secret:

tests/test_lazy_init.py

@@ -37,6 +37,19 @@ class TestConfigLazyValidation:
         ):
             validate_startup(force=True)
 
+    def test_validate_startup_exits_on_cors_wildcard_in_production(self):
+        """validate_startup() should exit in production when CORS has wildcard."""
+        from config import settings, validate_startup
+
+        with (
+            patch.object(settings, "timmy_env", "production"),
+            patch.object(settings, "l402_hmac_secret", "test-secret-hex-value-32"),
+            patch.object(settings, "l402_macaroon_secret", "test-macaroon-hex-value-32"),
+            patch.object(settings, "cors_origins", ["*"]),
+            pytest.raises(SystemExit),
+        ):
+            validate_startup(force=True)
+
     def test_validate_startup_ok_with_secrets(self):
         """validate_startup() should not exit when secrets are set."""
         from config import settings, validate_startup

tests/timmy/test_agent.py

@@ -81,6 +81,7 @@ def test_create_timmy_respects_custom_ollama_url():
         mock_settings.ollama_url = custom_url
         mock_settings.ollama_num_ctx = 4096
         mock_settings.timmy_model_backend = "ollama"
+        mock_settings.airllm_model_size = "70b"
 
         from timmy.agent import create_timmy
 
@@ -158,6 +159,7 @@ def test_resolve_backend_auto_uses_airllm_on_apple_silicon():
         patch("timmy.agent.settings") as mock_settings,
     ):
         mock_settings.timmy_model_backend = "auto"
+        mock_settings.airllm_model_size = "70b"
         mock_settings.ollama_model = "llama3.2"
 
         from timmy.agent import _resolve_backend
@@ -172,6 +174,7 @@ def test_resolve_backend_auto_falls_back_on_non_apple():
         patch("timmy.agent.settings") as mock_settings,
     ):
         mock_settings.timmy_model_backend = "auto"
+        mock_settings.airllm_model_size = "70b"
         mock_settings.ollama_model = "llama3.2"
 
         from timmy.agent import _resolve_backend
@@ -256,6 +259,7 @@ def test_create_timmy_includes_tools_for_large_model():
         mock_settings.ollama_url = "http://localhost:11434"
         mock_settings.ollama_num_ctx = 4096
         mock_settings.timmy_model_backend = "ollama"
+        mock_settings.airllm_model_size = "70b"
         mock_settings.telemetry_enabled = False
 
         from timmy.agent import create_timmy