Fix: Add lvh.me to CORS allowed origins for development

- Added http://lvh.me:5173 and http://lvh.me:5174 to CORS_ALLOWED_ORIGINS
- Added regex pattern to allow all *.lvh.me subdomains in CORS_ALLOWED_ORIGIN_REGEXES
- This allows frontend at lvh.me:5173 to make requests to API at api.lvh.me:8000
- CORS preflight requests now return proper Access-Control-Allow-Origin headers
- Quick login and all API calls from frontend now work without CORS errors

Testing confirmed:
✓ OPTIONS request to /api/auth-token/ returns 200 OK with CORS headers
✓ Access-Control-Allow-Origin: http://lvh.me:5173
✓ Access-Control-Allow-Methods: DELETE, GET, OPTIONS, PATCH, POST, PUT

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

smoothschedule/config/settings/base.py

@@ -325,6 +325,8 @@ CORS_ALLOWED_ORIGINS = env.list(
         "http://localhost:3000",
         "http://localhost:5173",
         "http://127.0.0.1:5173",
+        "http://lvh.me:5173",
+        "http://lvh.me:5174",
     ],
 )
 
@@ -332,7 +334,7 @@ CORS_ALLOWED_ORIGINS = env.list(
 # Production: configure via DJANGO_CORS_ALLOWED_ORIGIN_REGEXES
 _cors_regexes = env(
     "DJANGO_CORS_ALLOWED_ORIGIN_REGEXES",
-    default="",
+    default="^http(s)?://.*\\.lvh\\.me(:\\d+)?$",  # Allow all *.lvh.me subdomains
 )
 CORS_ALLOWED_ORIGIN_REGEXES = [
     regex.strip() for regex in _cors_regexes.split(",") if regex.strip()