AccessLog returns middleware that logs each request's method, path, status,
duration, and response size. It seeds a request_id into the context logger
so all log lines within a request share a correlation field.
Place inside otelhttp so trace context is available.
CORS adds permissive cross-origin headers required for browser-based OAuth2 clients
(e.g. the MCP Inspector). Handles OPTIONS preflight requests with a 204 short-circuit
so they never reach authentication or business logic.