feat(logout): wire injector to web-svc-logout and add robust CORS/CSP for /logout

- sys-front-inj-logout: depend on web-svc-logout (run-once guarded) and simplify task flow.
- web-svc-logout: align feature flags/formatting and extend CSP:
  - add cdn.jsdelivr.net to connect/script/style and quote values.
- Nginx: move CORS config into logout-proxy.conf.j2 with dynamic vars:
  - Access-Control-Allow-Origin set to canonical logout origin,
  - Allow-Credentials=true,
  - Allow-Methods=GET, OPTIONS,
  - basic headers list (Accept, Authorization),
  - cache disabled for /logout responses.
- Drop obsolete CORS var passing from 01_core.yml; headers now templated at proxy layer.

Prepares clean cross-origin logout orchestration from https://logout.veen.world.

Refs: ChatGPT discussion – https://chatgpt.com/share/68ebb75f-0170-800f-93c5-e5cb438b8ed4

roles/sys-front-inj-logout/tasks/01_core.yml

@@ -1,8 +1,12 @@
-- name: Include dependency 'sys-svc-webserver-core'
+- name: Include dependency 'web-svc-logout'
   include_role:
-    name: sys-svc-webserver-core
+    name: web-svc-logout
   when: 
-    - run_once_sys_svc_webserver_core is not defined
+    - run_once_web_svc_logout is not defined
   
 - name: "deploy the logout.js"
-  include_tasks: "02_deploy.yml"
+  include_tasks: "02_deploy.yml"
+
+- set_fact:
+    run_once_sys_front_inj_logout: true
+  changed_when: false

roles/sys-front-inj-logout/tasks/main.yml

@@ -1,7 +1,5 @@
-- block:
-  - include_tasks: 01_core.yml
-  - set_fact:
-      run_once_sys_front_inj_logout: true
+- name: "Load base for '{{ application_id }}'"
+  include_tasks: 01_core.yml
   when: run_once_sys_front_inj_logout is not defined
 
 - name: "Load logout code for '{{ application_id }}'"