Harden CORS: fail closed when CORS_ALLOWED_ORIGINS empty

## Summary

Production origins are not yet known. CORS is currently relaxed (empty allowlist = allow-all) to avoid breaking deployments.

## Task

When production origins are known:
1. Set `CORS_ALLOWED_ORIGINS` in Vercel and any plugin backend deployments (e.g. `https://app.naap.io,https://your-app.vercel.app`)
2. Update CORS logic to **fail closed** when allowlist is empty (reject requests with Origin header)
3. Remove the allow-all fallback

## Files to update

- `packages/plugin-server-sdk/src/server.ts`
- `services/plugin-server/src/server.ts`
- `plugins/plugin-publisher/backend/src/server.ts`

## References

See `// TODO:` comments in the CORS config of the above files.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Harden CORS: fail closed when CORS_ALLOWED_ORIGINS empty #92

Summary

Task

Files to update

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Harden CORS: fail closed when CORS_ALLOWED_ORIGINS empty #92

Description

Summary

Task

Files to update

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions