feat: CORS, role in auth, banner_url, diary sort, cleanup

- CORS layer on API routes via CORS_ORIGINS env var
- role field in login + profile responses
- banner_url in profile response
- diary sort_by: rating_desc/rating_asc/date_asc/date_desc
- UserRole::as_str() to deduplicate role mapping
- typed DTOs for import preview (replace ad-hoc JSON)
- warn on invalid CORS origins

crates/presentation/src/routes.rs

@@ -264,7 +264,16 @@ fn cors_layer() -> CorsLayer {
     } else {
         let parsed: Vec<_> = origins
             .split(',')
-            .filter_map(|s| s.trim().parse().ok())
+            .filter_map(|s| {
+                let trimmed = s.trim();
+                match trimmed.parse() {
+                    Ok(v) => Some(v),
+                    Err(e) => {
+                        tracing::warn!("ignoring invalid CORS origin {trimmed:?}: {e}");
+                        None
+                    }
+                }
+            })
             .collect();
         layer
             .allow_origin(AllowOrigin::list(parsed))