
chore(agent): bump rack-cors to ~> 3.0 #315

Merged: bexchauveto merged 1 commit into main from chore/bump-rack-cors-3 on Jun 9, 2026

bexchauveto commented Jun 9, 2026

Member

What

Bumps the rack-cors runtime dependency of forest_admin_agent from ~> 2.0 (resolved 2.0.2) to ~> 3.0 (resolved 3.0.0).

Why it's safe

rack-cors 3.0.0 is the only release after 2.0.2, and its breaking changes are purely environmental — no config DSL changes:

| 3.0.0 requirement | This repo | OK? |
| --- | --- | --- |
| Rack >= 3.0.14 | resolves rack 3.2.6 | |
| Drops Ruby 2.3 | gemspec requires >= 3.0.0 | |
| Adds logger runtime dep | already in the tree | |

The CORS config DSL (allow/origins/resource) used in forest_admin_rails/lib/forest_admin_rails/engine.rb is unchanged in 3.0.0.

Testing

  • CORS middleware-loading specs (engine_spec.rb) — pass
  • forest_controller_spec.rb "exposes Content-Disposition via CORS" — pass
  • Verified the bump introduces zero new failures: the few failures in the full rails suite (a production-logging mock expectation and routes_spec AgentFactory stubbing) reproduce identically on rack-cors 2.0.2 / pass in isolation, so they are pre-existing test-isolation issues unrelated to this change.

Note: package Gemfile.lock files are gitignored, so only the gemspec constraint is committed.

Note

Bump rack-cors dependency to ~> 3.0 in forest_admin_agent

Updates the rack-cors constraint in forest_admin_agent.gemspec from ~> 2.0 to ~> 3.0. Risk: projects depending on this gem must now have rack-cors 3.x available.

Macroscope summarized 48fae14.

rack-cors 3.0.0 only raises its floor to Rack >= 3.0.14, drops Ruby
2.3, and adds an explicit logger dependency. All are already satisfied
(Rack 3.2.6 resolved, Ruby >= 3.0 required, logger present). The CORS
config DSL used in the rails engine is unchanged, and the CORS specs
pass on 3.0.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bexchauveto commented Jun 9, 2026

Member Author

✅ Verified against the forest POC

Tested the bump end-to-end with the local POC (forest-poc), which consumes these gems via FOREST_PATH. All three services resolved rack-cors 3.0.0 cleanly with no bundler conflicts:

| Service | Role | rack-cors |
| --- | --- | --- |
| billing | RPC agent (:5000) | 3.0.0 |
| catalog | RPC agent (:5001) | 3.0.0 |
| gateway | forest_admin_rails (CORS consumer, :5002) | 3.0.0 |

App boot: Full Rails environment loads with rack-cors 3.0.0 on rack 3.2.6 — Rack::Cors resolves and loads with no errors.

Live CORS behavior — exercised the engine's exact load_cors DSL with real requests:

  1. Preflight from app.forestadmin.com (allowed) → 200 with access-control-allow-origin: https://app.forestadmin.com, allow-methods, max-age: 86400, allow-credentials: true, allow-headers: Authorization
  2. GET from allowed origin → 200 with full CORS headers ✅
  3. Preflight from evil.com (disallowed) → 200 with no access-control-allow-origin header — correctly denied ✅

The origin regex /\A.*\.forestadmin\.com\z/ matches correctly and credentials-mode echoes the specific origin (not *), as expected.

Conclusion: the ~> 3.0 bump works without problem.

bexchauveto merged commit 8a31107 into main on Jun 9, 2026 (44 checks passed)
bexchauveto deleted the chore/bump-rack-cors-3 branch on June 9, 2026 13:01
@forest-bot

Member

🎉 This PR is included in version 1.32.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
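
The origin check reported in the verification comment above, modelled as an added example (not code from the PR, rack-cors or forest_admin_rails): only the regex is taken from the page, while `cors_headers_for`, `ORIGIN_CASES` and the sample origins are constructed for illustration. It goes slightly beyond the three requests in the comment by covering the anchor and scheme edge cases an allow-list regression spec would pin down.

```ruby
# Added example: a pure-Ruby model of a credentials-mode origin allow-list.
# Only the regex below comes from the PR comment; everything else is assumed.
ALLOWED_ORIGIN = /\A.*\.forestadmin\.com\z/

# Hypothetical helper: CORS response headers for a request Origin,
# or {} when the origin is not on the allow-list (no header is emitted).
def cors_headers_for(origin)
  return {} unless origin.is_a?(String) && ALLOWED_ORIGIN.match?(origin)

  {
    'access-control-allow-origin' => origin, # echo the specific origin, never "*"
    'access-control-allow-credentials' => 'true',
    'vary' => 'Origin' # response depends on Origin, so caches must key on it
  }
end

def allowed?(origin)
  !cors_headers_for(origin).empty?
end

# Constructed sample origins => expected allow-list decision.
ORIGIN_CASES = {
  'https://app.forestadmin.com' => true,              # allowed origin in the PR test
  'https://evil.com' => false,                        # disallowed origin in the PR test
  'https://forestadmin.com' => false,                 # apex: no "." before the name
  'https://notforestadmin.com' => false,              # look-alike without the dot
  'https://app.forestadmin.com.example.org' => false, # \z rejects extra suffixes
  "https://app.forestadmin.com\n" => false,           # \z (unlike $) rejects a newline
  'http://app.forestadmin.com' => true,               # ".*" does not pin the scheme
  'null' => false                                     # opaque origin
}.freeze

# Origins whose decision differs from the expectation (empty means no regressions).
def origin_regressions
  ORIGIN_CASES.reject { |origin, expected| allowed?(origin) == expected }.keys
end

regressions = origin_regressions
puts regressions.empty? ? 'allow-list behaves as expected' : "unexpected: #{regressions.inspect}"
```
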
