Security: shared Origin-allowlist gate + production-required allowedOrigins on proxy (#279 MEDIUM-1)

## Parent PRD

#279

## What to build

Build a shared CORS/Origin-allowlist helper consumed by both proxy and cart routes. Make `createEpProxyRoutes` throw at factory construction in production when `allowedOrigins` is omitted; in dev, keep the localhost defaults but emit a warning. See PRD §MEDIUM-1 and the "Origin-allowlist gate" deep-module in PRD §Implementation Decisions.

## Acceptance criteria

- [ ] Shared helper `buildCorsHeaders(request, allowed) → headers | null` (or equivalent shape) lives in a single module
- [ ] Helper is unit-tested in isolation: allowed origin → full headers; disallowed → empty; missing → empty
- [ ] `createEpProxyRoutes` throws in production when `allowedOrigins` is unset
- [ ] `createEpProxyRoutes` warns in dev when defaulting to localhost allowlist
- [ ] Example app `app/api/ep/proxy/[fn]/route.ts` passes an explicit `allowedOrigins` value
- [ ] Existing proxy CORS behavior preserved (preflight 204 with reflected origin)

## Blocked by

None — can start immediately.

## User stories addressed

- User story 2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: shared Origin-allowlist gate + production-required allowedOrigins on proxy (#279 MEDIUM-1) #283

Parent PRD

What to build

Acceptance criteria

Blocked by

User stories addressed

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: shared Origin-allowlist gate + production-required allowedOrigins on proxy (#279 MEDIUM-1) #283

Description

Parent PRD

What to build

Acceptance criteria

Blocked by

User stories addressed

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions