Improve CORS defaults and upstream header forwarding

[kmcginnes]

Description

Hardens the proxy server's CORS configuration and upstream response header handling.

• Reflect request origin instead of wildcard — cors() now uses origin: true instead of the default *. When no Origin header is present (same-origin or non-browser clients), no Access-Control-Allow-Origin header is set.
• Restrict allowed methods — Only GET and POST are advertised, matching the actual routes defined in the proxy.
• Cache preflight responses — maxAge: 86400 reduces redundant OPTIONS requests in cross-origin scenarios (e.g., local development).
• Allowlist upstream response headers — Only content-type and content-encoding are forwarded from upstream database responses. Previously all headers were forwarded, which could clobber the proxy's own CORS headers and leak hop-by-hop headers that should not be forwarded by a proxy (RFC 7230 §6.1).

Validation

• 5 new CORS tests in app.test.ts covering origin reflection, no-origin behavior, method restriction, preflight caching, and the upstream header allowlist
• All 1591 tests pass
• pnpm checks passes
• All standard deployments (SageMaker Notebook, EC2, ECS+ALB) are same-origin, so CORS headers are not evaluated by the browser — no behavioral change for production users

Check List

• I confirm that my contribution is made under the terms of the Apache 2.0 license.
• I have verified pnpm checks passes with no errors.
• I have verified pnpm test passes with no failures.
• I have covered new added functionality with unit tests if necessary.
• I have updated documentation if necessary.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.59%. Comparing base (c5affc5) to head (b393cd1).
⚠️ Report is 124 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #1653       +/-   ##
===========================================
+ Coverage   47.81%   72.59%   +24.77%     
===========================================
  Files         382      408       +26     
  Lines        8525    12273     +3748     
  Branches     3159     3518      +359     
===========================================
+ Hits         4076     8909     +4833     
+ Misses       3070     2344      -726     
+ Partials     1379     1020      -359     

Flag	Coverage Δ
unittests	72.59% <100.00%> (+24.77%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.