feat: CORS, role in auth, banner_url, diary sort, cleanup

- CORS layer on API routes via CORS_ORIGINS env var
- role field in login + profile responses
- banner_url in profile response
- diary sort_by: rating_desc/rating_asc/date_asc/date_desc
- UserRole::as_str() to deduplicate role mapping
- typed DTOs for import preview (replace ad-hoc JSON)
- warn on invalid CORS origins

crates/domain/src/models/mod.rs

@@ -317,6 +317,15 @@ pub enum UserRole {
     Admin,
 }
 
+impl UserRole {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            Self::Standard => "standard",
+            Self::Admin => "admin",
+        }
+    }
+}
+
 #[derive(Debug, Clone)]
 pub struct ProfileField {
     pub name: String,