feat(ui): add standalone dashboard mode and relay switching (v0.52.2)

- Add standalone mode for dashboard to connect to any ORLY relay
- Implement relay switcher dropdown in header for standalone mode
- Add mobile drawer sidebar at 640px breakpoint with hamburger menu
- Add dedicated fallback pool for profile/relay list/contact list fetches
- Fix relay URL display to show host instead of NIP-11 name
- Add filter validation and defensive checks in event fetching
- Auto-expand search window from 30 days to 6 months on few results
- Add CORS support for API endpoints with configurable origins
- Fetch user relay list (NIP-65 kind 10002) and contact list on login
- Fix light mode user name color visibility in header

Files modified:
- app/config/config.go: Add CORS configuration options
- app/server.go: Add CORS middleware for API endpoints
- app/handle-relayinfo.go: Include CORS in relay info
- app/web/src/config.js: New config module for standalone mode
- app/web/src/stores.js: Add relay URL and standalone mode stores
- app/web/src/nostr.js: Add fallback pool, filter validation, relay/contact fetch
- app/web/src/Header.svelte: Relay dropdown, mobile menu, static indicator
- app/web/src/Sidebar.svelte: Mobile drawer mode with overlay
- app/web/src/App.svelte: Relay switching, mobile menu state, NIP-65 fetch
- app/web/src/api.js: Use configurable base URL
- app/web/src/constants.js: Add fallback relays, dynamic relay URLs
- cmd/dashboard-server/main.go: New standalone dashboard server

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

app/server.go

@@ -141,6 +141,32 @@ func (s *Server) isIPBlacklisted(remote string) bool {
 	return false
 }
 
+// isAllowedCORSOrigin checks if the given origin is allowed for CORS requests.
+// Returns true if:
+//   - CORSOrigins contains "*" (allow all)
+//   - CORSOrigins is empty (allow all when CORS is enabled)
+//   - The origin matches one of the configured origins
+func (s *Server) isAllowedCORSOrigin(origin string) bool {
+	if origin == "" {
+		return false
+	}
+
+	// If no specific origins configured, allow all
+	if len(s.Config.CORSOrigins) == 0 {
+		return true
+	}
+
+	for _, allowed := range s.Config.CORSOrigins {
+		if allowed == "*" {
+			return true
+		}
+		if allowed == origin {
+			return true
+		}
+	}
+	return false
+}
+
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// Check if this is a blossom-related path (needs CORS headers)
 	path := r.URL.Path
@@ -163,8 +189,31 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusOK)
 			return
 		}
-	} else if r.Method == "OPTIONS" {
-		// Handle OPTIONS for non-blossom paths
+	}
+
+	// Set CORS headers for API endpoints when enabled (for standalone dashboard mode)
+	// Also allow root path for NIP-11 relay info requests
+	isAPIPath := strings.HasPrefix(path, "/api/")
+	isRelayInfoRequest := path == "/" && r.Header.Get("Accept") == "application/nostr+json"
+	if s.Config != nil && s.Config.CORSEnabled && (isAPIPath || isRelayInfoRequest) {
+		origin := r.Header.Get("Origin")
+		if s.isAllowedCORSOrigin(origin) {
+			w.Header().Set("Access-Control-Allow-Origin", origin)
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, Accept")
+			w.Header().Set("Access-Control-Allow-Credentials", "true")
+			w.Header().Set("Access-Control-Max-Age", "86400")
+		}
+
+		// Handle preflight OPTIONS requests for API paths
+		if r.Method == "OPTIONS" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+	}
+
+	if r.Method == "OPTIONS" && !isBlossomPath && !isAPIPath {
+		// Handle OPTIONS for other paths
 		if s.mux != nil {
 			s.mux.ServeHTTP(w, r)
 			return