Migrate CORS middleware to lib-commons chttp.WithCORS() across all components

[gandalf-at-lerian]

Context

The plugins (plugin-auth, plugin-identity) have already migrated from Fiber's cors.New() to lib-commons v4's chttp.WithCORS(). Midaz components still use cors.New() directly.

Problem

• Inconsistent CORS behavior between Midaz and plugins
• No security warnings when CORS wildcard (*) is used in production
• No integration with the security tier configuration
• Each component configures CORS independently with potentially different settings

Proposed Change

Replace cors.New() with chttp.WithCORS() from lib-commons v4 in all Midaz components:

• ledger
• transaction
• plugin-crm
• onboarding

What chttp.WithCORS() provides

• Configurable via environment variables (consistent across services)
• Security warnings when wildcard origins are used
• Integration with the security tier model
• Same behavior already running in plugins

Acceptance Criteria

• All four components use chttp.WithCORS() instead of cors.New()
• CORS configuration is driven by env vars (aligned with plugin pattern)
• No wildcard CORS in production environments (or explicit warning logged)
• Existing CORS behavior preserved for development environments