fix: restore Cloud.gov client origins to CORS whitelist

The pen test remediation over-trimmed the CORSWhitelist, removing
legitimate dev/staging/prod client URLs. The actual CORS fix was in
the callback logic (rejecting undefined origins), not in removing
real client origins.

Author: collinschreyer-dev

server/config/config.js

@@ -80,6 +80,10 @@ module.exports = {
     "CORSWhitelist": [
       "http://localhost:4200",
       "https://srt.app.cloud.gov",
+      "https://srt-client.app.cloud.gov",
+      "https://srt-client-dev.app.cloud.gov",
+      "https://srt-client-staging.app.cloud.gov",
+      "https://srt-client-prod.app.cloud.gov",
     ],
     "constants": {
       "EMAIL_ACTION": "Sent email to POC",