
feat(cors): harden CORS config for production — restrict origins, methods & headers explicitly#273

Merged: robertocarlous merged 1 commit into Neurowealth:main from BernardOnuh:feature/harden-cors-config-255 on Jun 27, 2026

Conversation

@BernardOnuh (Contributor)

Closes #255

What changed

  • src/middleware/corsandbody.ts — replaced permissive/wildcard origin with an env-var allowlist (CORS_ALLOWED_ORIGINS); added startup validation that throws a fatal error in production if the var is empty; returns a proper 403 for disallowed origins instead of a missing-header response.
  • src/app.ts — wired validateCorsConfig() before server start; added request-origin logging middleware.
  • .env.example — documented CORS_ALLOWED_ORIGINS, CORS_MAX_AGE, and CORS_ALLOW_CREDENTIALS.
  • .env.development / .env.production — added environment-specific CORS origin lists.
  • tests/cors.test.ts — added integration tests covering: allowed origins, disallowed origins (403), HTTP methods (GET/POST/PUT/DELETE), OPTIONS preflight, and required custom headers.

Acceptance criteria

  • Requests from unlisted origins receive 403
  • Preflight OPTIONS requests respond correctly for allowed origins
  • CORS_ALLOWED_ORIGINS validated at startup; missing in NODE_ENV=production is a fatal error
  • Integration tests cover allowed origin, disallowed origin, and preflight
  • CORS_ALLOWED_ORIGINS documented in .env.example

Testing

npm run test:cors # CORS-specific suite
npm test # full test run

Notes

Credentials (credentials: true) are enabled globally; if needed, this can be scoped to authenticated routes only in a follow-up.
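As an added example (not the PR's own corsandbody.ts), a framework-independent model of the allowlist logic the description outlines: parse CORS_ALLOWED_ORIGINS, fail at startup in production when it is empty, return 403 for unlisted origins, and answer preflights only for the listed methods and headers. validateCorsConfig, decideCors and the env values are hypothetical or constructed for illustration.

```typescript
// Hypothetical model of the hardened CORS policy; not the project's middleware.
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization", "Idempotency-Key", "X-Correlation-ID", "X-Request-ID"];

interface CorsConfig { origins: Set<string>; credentials: boolean; maxAge: number; }
interface CorsDecision { status: number; headers: Record<string, string>; }

// Parse CORS_ALLOWED_ORIGINS ("https://a.example,https://b.example") at startup.
// An empty allowlist is fatal in production; a wildcard or malformed entry is always rejected,
// because "*" combined with credentials would defeat the whole allowlist.
function validateCorsConfig(env: Record<string, string | undefined>): CorsConfig {
  const origins = new Set((env.CORS_ALLOWED_ORIGINS ?? "").split(",").map(o => o.trim()).filter(o => o.length > 0));
  if (origins.size === 0 && env.NODE_ENV === "production") {
    throw new Error("CORS_ALLOWED_ORIGINS must be set in production");
  }
  for (const o of origins) {
    if (o === "*" || !/^https?:\/\/[^/]+$/.test(o)) throw new Error(`invalid origin in allowlist: ${o}`);
  }
  return { origins, credentials: env.CORS_ALLOW_CREDENTIALS === "true", maxAge: Number(env.CORS_MAX_AGE ?? 600) };
}

// Decide the CORS response for one request. The Origin is matched exactly against the
// allowlist; an unlisted origin gets an explicit 403 rather than a reply with no CORS headers.
function decideCors(cfg: CorsConfig, method: string, origin: string | undefined,
                    requestedMethod?: string, requestedHeaders?: string): CorsDecision {
  if (origin === undefined) return { status: 200, headers: {} }; // no Origin header: CORS not in play
  if (!cfg.origins.has(origin)) return { status: 403, headers: {} };
  const headers: Record<string, string> = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (cfg.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (method === "OPTIONS") {
    // Preflight: refuse methods and headers outside the explicit lists instead of echoing them back.
    const wanted = (requestedHeaders ?? "").split(",").map(h => h.trim().toLowerCase()).filter(h => h.length > 0);
    const allowedLower = ALLOWED_HEADERS.map(h => h.toLowerCase());
    const badMethod = requestedMethod !== undefined && !ALLOWED_METHODS.includes(requestedMethod);
    if (badMethod || wanted.some(h => !allowedLower.includes(h))) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = String(cfg.maxAge);
    return { status: 204, headers };
  }
  return { status: 200, headers };
}
```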

…Replace wildcard origin with env-driven allowlist
- Allow only GET, POST, PUT, DELETE, PATCH, OPTIONS
- Restrict headers to Content-Type, Authorization,
  Idempotency-Key, X-Correlation-ID, X-Request-ID
- Return 403 (not 403 header missing) for blocked origins
- Validate CORS_ALLOWED_ORIGINS at startup; fatal in prod
- Add integration tests: allowed, disallowed, preflight
- Document CORS_ALLOWED_ORIGINS in .env.example
@robertocarlous merged commit 07144a9 into Neurowealth:main Jun 27, 2026
1 of 5 checks passed
