feat: configure explicit CORS with allowed origins whitelist

[DeePrincipal-dev-lang]

Configure explicit CORS with allowed origins whitelist

CORS was previously open to all origins via cors() with no configuration,
allowing any domain to call the API in production.

Changes:

• app.js — replaced bare cors() with an explicit config: origin whitelist
  validation, credentials: true, preflight support, and server-to-server requests
  blocked in production
• config.js — added ALLOWED_ORIGINS env var (Zod-validated, comma-separated,
  defaults to http://localhost:3000)
• .env.example — documented ALLOWED_ORIGINS with usage example
• tests/cors.test.js — 5 tests covering allowed origin, blocked origin,
  preflight, credentials header, and multiple origins

To configure in production:

ALLOWED_ORIGINS=https://app.vaccichain.io,https://admin.vaccichain.io

Wildcard * is never used. Credentials are only sent to explicitly listed
origins.
closes #29

[drips-wave]

@DeePrincipal-dev-lang Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits