fix(api): restrict CORS origin on Gemini estimation endpoint #211

Merged
hrx01-dev merged 3 commits into hrx01-dev:main from kumudranjan6127-debug:fix/gemini-cors-origin on Jun 27, 2026
Conversation

kumudranjan6127-debug (Contributor) commented Jun 26, 2026

What changed

Replaced the wildcard Access-Control-Allow-Origin: * header in the
Gemini estimation endpoint with the project's Firebase Hosting domain,
so no external site can call the endpoint and drain the API quota.

Falls back to https://servio-0.web.app/ if ALLOWED_ORIGIN is not
set. Documented in .env.example.

Action required after merge

Add ALLOWED_ORIGIN=https://servio-0.web.app/ in
Vercel → Project → Settings → Environment Variables.

Files changed

Summary by CodeRabbit

  • Bug Fixes

    • Tightened cross-origin access for the estimation endpoint by restricting requests to a configurable allowed origin instead of allowing all origins.
    • Added a safe default approved web app domain to ensure browser access works out of the box.
  • Documentation

    • Updated the environment setup template to include a new ALLOWED_ORIGIN variable (with guidance) for controlling which domain can access the endpoint.

Replace the wildcard Access-Control-Allow-Origin header with the
Firebase Hosting domain so external sites cannot call the endpoint
and drain the Gemini API quota. Falls back to the production URL
if ALLOWED_ORIGIN is not set. Document the env var in .env.example.
vercel bot commented Jun 26, 2026

@kumudranjan6127-debug is attempting to deploy a commit to the hrx01-dev's projects Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai bot commented Jun 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 93c03d4d-cdfd-4358-a55b-0c57861dc4a3

📥 Commits

Reviewing files that changed from the base of the PR and between 1e6fff2 and 76b862a.

📒 Files selected for processing (2)
  • .env.example
  • api/estimate.ts
✅ Files skipped from review due to trivial changes (1)
  • .env.example
🚧 Files skipped from review as they are similar to previous changes (1)
  • api/estimate.ts

📝 Walkthrough

Walkthrough

The PR adds an ALLOWED_ORIGIN example environment variable and changes /api/estimate to send Access-Control-Allow-Origin from that value, with a fallback to https://servio-0.web.app/.

Changes

CORS origin restriction
Layer: Env example and response header
File(s): .env.example, api/estimate.ts
Summary: Adds ALLOWED_ORIGIN to the example environment config and uses it when setting the /api/estimate CORS origin header.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related PRs

  • hrx01-dev/Servio#180: Also changes api/estimate.ts CORS handling, though that PR includes additional Gemini model changes.

Poem

A bunny hops by, ears held high,
Whiskers twitching at the CORS sky.
One origin now gleams, not all in view,
Hop-hop, the endpoint knows what to do. 🐰

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title clearly summarizes the main change: restricting the CORS origin for the Gemini estimation endpoint.
Linked Issues check: Passed. The PR matches issue #207 by replacing the wildcard origin with process.env.ALLOWED_ORIGIN and providing a fallback origin.
Out of Scope Changes check: Passed. The changes stay within the requested CORS restriction and environment documentation updates.
coderabbitai bot left a comment
Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.env.example:
- Around line 23-26: The ALLOWED_ORIGIN example and runtime fallback currently
include a trailing slash, which causes the serialized origin to mismatch browser
Origin headers. Update the documented default and any fallback value used by the
CORS check in the Gemini estimation endpoint so it uses the bare origin string
without the trailing slash, and keep the logic in the endpoint’s origin
comparison aligned with that value.

In `@api/estimate.ts`:
- Line 125: The CORS origin being set in estimate.ts uses a value with a
trailing slash, which can prevent exact Origin matching in browsers. Update the
Access-Control-Allow-Origin handling in the estimate response path to use the
origin without the trailing slash, or normalize ALLOWED_ORIGIN before passing it
to res.setHeader so it always matches the browser Origin exactly. Also update
the default/example value referenced by ALLOWED_ORIGIN to the slashless form so
the configuration stays consistent.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 0c24147b-3ef2-4f71-9636-aa959871ef78

📥 Commits

Reviewing files that changed from the base of the PR and between 8bb2341 and 1e6fff2.

📒 Files selected for processing (2)
  • .env.example
  • api/estimate.ts

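The PR description (replace the wildcard with a configured origin and fall back to the production URL) and CodeRabbit's trailing-slash finding come down to one requirement: the value placed in Access-Control-Allow-Origin must equal, character for character, what the browser sends in its Origin request header, and a browser sends a serialized origin with no path and no trailing slash. The TypeScript below is an added example written for this page; it is not code from api/estimate.ts or the Servio project. The function names, the HeaderSink interface, and the choice of the WHATWG URL parser to canonicalise the origin are my assumptions, and the raw env value is passed in as a parameter instead of being read from process.env inside the function.

```typescript
// Added example for this PR discussion, not the project's api/estimate.ts.
// Assumed: the caller passes the raw ALLOWED_ORIGIN env value (in a real
// Vercel route this would be process.env.ALLOWED_ORIGIN) and a response
// object exposing a Node-style setHeader(name, value).

// Production fallback in its canonical, slashless form.
const DEFAULT_ORIGIN = "https://servio-0.web.app";

// Minimal structural type so the example runs without Vercel's types (assumed).
interface HeaderSink {
  setHeader(name: string, value: string): void;
}

// Canonicalise a configured origin into the exact form a browser sends in the
// Origin request header: scheme + lowercase host (+ non-default port), with no
// path, query, fragment or trailing slash. Returns null when the value is
// missing, is the wildcard, or is not an absolute http(s) URL.
function normalizeOrigin(raw: string | undefined): string | null {
  if (raw === undefined) return null;
  const trimmed = raw.trim();
  if (trimmed === "" || trimmed === "*") return null; // never re-introduce "*"
  let url: URL;
  try {
    url = new URL(trimmed);
  } catch {
    return null; // e.g. "servio-0.web.app" without a scheme
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username !== "" || url.password !== "") return null;
  // URL.origin already drops the path, the default port and any trailing slash.
  return url.origin;
}

// The origin the endpoint will allow: the configured value if it is usable,
// otherwise the production fallback.
function resolveAllowedOrigin(configured: string | undefined): string {
  return normalizeOrigin(configured) ?? DEFAULT_ORIGIN;
}

// Set CORS headers for the single allowed origin and report whether the
// request may proceed. A request without an Origin header (same-origin
// navigation, curl, server-to-server) is not subject to CORS and passes;
// a browser request from any other origin is reported for the caller to refuse.
function applyCors(
  res: HeaderSink,
  requestOrigin: string | undefined,
  configured: string | undefined,
): boolean {
  const allowed = resolveAllowedOrigin(configured);
  res.setHeader("Access-Control-Allow-Origin", allowed);
  res.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
  res.setHeader("Access-Control-Allow-Headers", "Content-Type");
  if (requestOrigin === undefined) return true;
  return requestOrigin === allowed;
}

// Sketch of use in a route handler (request/response shapes assumed):
//   if (!applyCors(res, req.headers.origin, process.env.ALLOWED_ORIGIN)) {
//     res.statusCode = 403; res.end("origin not allowed"); return;
//   }
```

URL.origin yields the scheme, the lowercased host and any non-default port with nothing after them, so both https://servio-0.web.app/ and HTTPS://Servio-0.Web.App:443/ canonicalise to the form a browser sends, and a misconfigured value such as "*" or a bare hostname falls back to the production origin instead of silently reopening the endpoint. Returning a boolean lets the handler refuse a browser request whose Origin does not match instead of relying on the browser alone to discard the response. Non-browser clients ignore CORS entirely, so this header protects the Gemini quota only against cross-site calls made from web pages.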
kumudranjan6127-debug and others added 2 commits June 27, 2026 03:45
…in has no slash

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

hrx01-dev (Owner) left a comment
Approving this, CI green.

@hrx01-dev hrx01-dev merged commit 052643d into hrx01-dev:main Jun 27, 2026
5 of 6 checks passed
Development

Successfully merging this pull request may close these issues.

CORS wildcard on /api/estimate — api/estimate.ts:126

2 participants