fix(SEC-API-25+26): Enable strict ValidationPipe + tighten CORS origin

- Set forbidNonWhitelisted: true in ValidationPipe to reject requests
  with unknown DTO properties, preventing mass assignment vulnerabilities
- Reject requests with no Origin header in production (SEC-API-26)
- Restrict localhost:3001 to development mode only
- Update CORS tests to cover production/development origin validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/main.ts

@@ -37,7 +37,7 @@ async function bootstrap() {
     new ValidationPipe({
       transform: true,
       whitelist: true,
-      forbidNonWhitelisted: false,
+      forbidNonWhitelisted: true,
       transformOptions: {
         enableImplicitConversion: false,
       },
@@ -48,21 +48,32 @@ async function bootstrap() {
 
   // Configure CORS for cookie-based authentication
   // SECURITY: Cannot use wildcard (*) with credentials: true
+  const isDevelopment = process.env.NODE_ENV !== "production";
+
   const allowedOrigins = [
     process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
-    "http://localhost:3001", // API origin (dev)
     "https://app.mosaicstack.dev", // Production web
     "https://api.mosaicstack.dev", // Production API
   ];
 
+  // Development-only origins (not allowed in production)
+  if (isDevelopment) {
+    allowedOrigins.push("http://localhost:3001"); // API origin (dev)
+  }
+
   app.enableCors({
     origin: (
       origin: string | undefined,
       callback: (err: Error | null, allow?: boolean) => void
     ): void => {
-      // Allow requests with no origin (e.g., mobile apps, Postman)
+      // SECURITY: In production, reject requests with no Origin header.
+      // In development, allow no-origin requests (Postman, curl, mobile apps).
       if (!origin) {
-        callback(null, true);
+        if (isDevelopment) {
+          callback(null, true);
+        } else {
+          callback(new Error("CORS: Origin header is required"));
+        }
         return;
       }