[LOW] Permissive default CORS

[ibuyspy]

\�pp.use(cors())\ at \�pps/api/src/index.ts:35\ allows all origins.

Fix: Use explicit origin allowlist per environment; restrict methods/headers.
Source: Security audit