Fix #372: Remove redundant manual CORS headers in app.py

[SriHarsha-23]

Linked issue

• Closes [Bug] Redundant manual CORS headers in app.py conflict with Flask-CORS and violate W3C spec #372
• Related #

Existing related work reviewed

• Issues/PRs reviewed:
• If none found, write: None found after search

Overlap assessment

• Classification: none
• Overlapping items: N/A
• Why this is not duplicate/superseded: N/A

Why this PR should proceed

• Resolves a network security conflict caused by legacy technical debt.

Summary

• What changed: Removed the legacy @app.after_request block in API/app.py that manually injected CORS headers.
• Why: The application already utilizes the Flask-CORS middleware (CORS(app)). The manual hook was injecting duplicate Access-Control-Allow-Origin headers (violating W3C specs) and hardcoding an invalid portless localhost origin along with dead Heroku routes. Removing it allows Flask-CORS to handle cross-origin requests securely and dynamically.

Validation

• Tests added/updated (or not applicable)
• Validation steps documented
• Evidence attached (logs/screenshots/output as relevant)

Validation steps: Verified that API/app.py compiles and the local Flask server runs successfully without the removed block, allowing Flask-CORS to handle headers normally.

Documentation

• Docs updated in this PR (or not applicable)
• Any setup/workflow changes reflected in repo docs

Scope check

• No unrelated refactors
• Implemented from a feature branch
• Change is deliverable without upstream OSeMOSYS/MUIO dependency
• Base repo/branch is EAPD-DRB/MUIOGO:main (not upstream)

Exception rationale