fix(api): restrict WebSocket CORS to trusted origins

[leandromasotti]

Summary

Restrict WebSocket CORS from wildcard to trusted origins

Related issues

Link any related issues. Use Closes #189 to close issues automatically.

Closes:

Type of change

• feat
• fix
• docs
• chore
• test
• ci

Match the PR title to Conventional Commits: <type>(<scope>): <summary>.

Testing performed

6 unit tests were added

Example:

cd api
npm run lint
npm run build
npm test

Screenshots (if applicable)

Attach screenshots or animated GIFs for UI changes.

Checklist — author

• I rebased onto origin/main and resolved conflicts.
• I ran the quality gates locally: npm run lint, npm run build, npm test.
• Title follows Conventional Commits and references the issue (see above).
• I added/updated tests where applicable and they pass locally.
• No new TypeScript errors or lint warnings introduced.
• I updated documentation if the change affects public behavior.
• Screenshots included for UI changes.

Checklist — reviewer guidance

• Required checks: lint, build, unit tests, and any package-specific E2E must be green.
• Request review from CODEOWNER(s) for touched packages.
• Prefer small, focused PRs. If large, confirm feature-flagging or follow-up tasks.

---

Follow the full PR process in CONTRIBUTING.md — particularly: sync with main, run quality gates, request a CODEOWNER review, and use squash-and-merge with a Conventional Commit-style squash message.

[Xhristin3]

Hey @leandromasotti — great work on this! Replacing the wildcard CORS with env-driven, comma-separated trusted origins (plus the sensible localhost fallback for dev) is exactly the move. The unit tests covering the resolver look thorough. Merged, thanks for tightening the gateway! \ud83d\ude80