v1.7.13: Enhance CORS and middleware config exposure

Enhance CORS and middleware config exposure

• Fix CORS multiple origins with credentials (auto-match request origin)
• Add missing CORS options: exposedHeaders, maxAge, preflightContinue
• Standardize on allowedHeaders throughout (removed headers alias)
• Add CSRF config to security section with all options
• Add CSP config to security section with full directives support
• Expand Helmet config with detailed options (backward compatible)
• Add Session config to modules section with all options
• Update all validators and default schemas
• Add comprehensive CORS tests for new functionality