Greptile Summary

This PR fixes missing CORS and security headers on the /v1/graphql endpoint by adding 'graphql' to the groups list of the security-headers init hook in general.php. The global Http::options() handler already covered preflight (OPTIONS) requests for all routes — this change fills the gap for actual GET/POST GraphQL requests.

• Adds 'graphql' to ->groups(['api', 'web', 'graphql']) on the CORS/security-headers init hook (line 990), so Access-Control-*, X-Content-Type-Options, and Strict-Transport-Security headers are now sent on GraphQL responses.
• The graphql-specific init hook in app/controllers/api/graphql.php and the global OPTIONS handler are unaffected and remain correct.

Confidence Score: 5/5

The change is a one-line group registration addition with no side effects outside of the CORS/security-headers middleware being applied to GraphQL requests.

The fix is minimal and correct: the same init hook already runs cleanly for 'api' and 'web' groups, the graphql routes use the same $cors and $originValidator dependencies, and the global OPTIONS handler already covered preflight. There is no logic altered, only a missing group name added.

No files require special attention.

Important Files Changed

_{Reviews (1): Last reviewed commit: "fix: add CORS headers to GraphQL endpoin..." | Re-trigger Greptile}