feat: CORS, role in auth, banner_url, diary sort, cleanup

- CORS layer on API routes via CORS_ORIGINS env var
- role field in login + profile responses
- banner_url in profile response
- diary sort_by: rating_desc/rating_asc/date_asc/date_desc
- UserRole::as_str() to deduplicate role mapping
- typed DTOs for import preview (replace ad-hoc JSON)
- warn on invalid CORS origins

crates/application/src/auth/login.rs

@@ -10,6 +10,7 @@ pub struct LoginResult {
     pub user_id: Uuid,
     pub email: String,
     pub expires_at: DateTime<Utc>,
+    pub role: String,
 }
 
 pub async fn execute(ctx: &AppContext, query: LoginQuery) -> Result<LoginResult, DomainError> {
@@ -37,6 +38,7 @@ pub async fn execute(ctx: &AppContext, query: LoginQuery) -> Result<LoginResult,
         user_id: user.id().value(),
         email: user.email().value().to_string(),
         expires_at: generated.expires_at,
+        role: user.role().as_str().into(),
     })
 }
 

crates/application/src/users/get_current_profile.rs

@@ -6,6 +6,8 @@ pub struct CurrentProfileData {
     pub username: String,
     pub bio: Option<String>,
     pub avatar_url: Option<String>,
+    pub banner_url: Option<String>,
+    pub role: String,
 }
 
 pub async fn execute(
@@ -23,10 +25,15 @@ pub async fn execute(
     let avatar_url = user
         .avatar_path()
         .map(|path| format!("{}/images/{}", ctx.config.base_url, path));
+    let banner_url = user
+        .banner_path()
+        .map(|path| format!("{}/images/{}", ctx.config.base_url, path));
 
     Ok(CurrentProfileData {
         username: user.username().value().to_string(),
         bio: user.bio().map(|s| s.to_string()),
         avatar_url,
+        banner_url,
+        role: user.role().as_str().into(),
     })
 }