v3: added attachments to resources, allow users to paste images into TextEditor, strengthened WS reliability

README.md

@@ -38,18 +38,18 @@ Open [http://localhost:3000](http://localhost:3000). On first run a default `adm
 
 See [`.env.example`](.env.example) for the full list with descriptions. Key variables:
 
-| Variable                  | Description                                                                  | Default                 |
-| ------------------------- | ---------------------------------------------------------------------------- | ----------------------- |
-| `GERBEUR_JWT_SECRET`      | JWT signing secret — **required**, generate with `openssl rand -hex 32`      | —                       |
-| `GERBEUR_PORT`            | API server port                                                              | `8000`                  |
-| `GERBEUR_ALLOWED_ORIGINS` | Comma-separated list of allowed CORS origins                                 | `http://localhost:3000` |
-| `VITE_API_HOSTNAME`       | Override API hostname in the frontend bundle (see [Production](#production)) | unset                   |
+| Variable                  | Description                                                                                           | Default                 |
+| ------------------------- | ----------------------------------------------------------------------------------------------------- | ----------------------- |
+| `GERBEUR_JWT_SECRET`      | JWT signing secret — **required**, generate with `openssl rand -hex 32`                               | —                       |
+| `GERBEUR_PORT`            | API server port                                                                                       | `8000`                  |
+| `GERBEUR_ALLOWED_ORIGINS` | Comma-separated list of extra allowed frontend origins; the server's own `BASE_URL` is always allowed | `http://localhost:3000` |
+| `VITE_API_HOSTNAME`       | Override API hostname in the frontend bundle (see [Production](#production))                          | unset                   |
 
 ## Production
 
 ### Docker (recommended)
 
-The standard deployment runs API and frontend in a single container. The API server (Oak) serves the compiled frontend as static files, so both share the same origin — no CORS configuration needed, no `VITE_API_*` build args needed.
+The standard deployment runs API and frontend in a single container. The API server (Oak) serves the compiled frontend as static files, so both share the same origin — no `VITE_API_*` build args needed. The server's own `BASE_URL` is always allowed for HTTP/WebSocket requests automatically.
 
 ```sh
 docker build -t gerbeur .
@@ -59,7 +59,6 @@ docker run -d \
   -v gerbeur-db:/app/api/sql \
   -v gerbeur-uploads:/app/api/uploads \
   -e GERBEUR_JWT_SECRET=$(openssl rand -hex 32) \
-  -e GERBEUR_ALLOWED_ORIGINS=https://example.com \
   -e GERBEUR_PROTOCOL=https \
   -e GERBEUR_HOSTNAME=example.com \
   -e GERBEUR_PORT=8000 \
@@ -73,7 +72,7 @@ The two volumes are required for persistence:
 
 #### Separate API and frontend (optional)
 
-If you need to run the API on a different host than the frontend, pass the API location as build args so it gets baked into the frontend bundle:
+If you need to run the API on a different host than the frontend, pass the API location as build args so it gets baked into the frontend bundle. In that setup, add the frontend origin to `GERBEUR_ALLOWED_ORIGINS` so cross-origin HTTP/WebSocket requests are accepted:
 
 ```sh
 docker build \