fix: update CORS E2E tests to use configured origin

Tests were sending Origin headers (localhost:3000, example.com) that
don't match the CORS_ORIGINS allowlist. Updated to use http://localhost:8787
and assert the echoed origin instead of wildcard '*'.

Author: mmcintosh

tests/e2e/07-api.spec.ts

@@ -55,17 +55,18 @@ test.describe('API Endpoints', () => {
   });
 
   test('should handle CORS for API endpoints', async ({ request }) => {
+    // Use the origin configured in CORS_ORIGINS (wrangler.toml)
     const response = await request.get('/api', {
       headers: {
-        'Origin': 'http://localhost:3000'
+        'Origin': 'http://localhost:8787'
       }
     });
-    
+
     expect(response.ok()).toBeTruthy();
-    
-    // Check for CORS headers
+
+    // Check for CORS headers — should echo back the allowed origin
     const corsHeader = response.headers()['access-control-allow-origin'];
-    expect(corsHeader).toBeDefined();
+    expect(corsHeader).toBe('http://localhost:8787');
   });
 
   test('should handle content negotiation', async ({ request }) => {

tests/e2e/08-collections-api.spec.ts

@@ -78,14 +78,16 @@ test.describe('Collections API', () => {
     });
 
     test('should handle CORS headers', async ({ request }) => {
+      // Use the origin configured in CORS_ORIGINS (wrangler.toml)
       const response = await request.get('/api/collections', {
         headers: {
-          'Origin': 'https://example.com'
+          'Origin': 'http://localhost:8787'
         }
       });
-      
+
       expect(response.ok()).toBeTruthy();
-      expect(response.headers()['access-control-allow-origin']).toBe('*');
+      // CORS now echoes back the allowed origin instead of wildcard
+      expect(response.headers()['access-control-allow-origin']).toBe('http://localhost:8787');
     });
 
     test('should have consistent timestamp format', async ({ request }) => {

tests/e2e/smoke.spec.ts

@@ -248,18 +248,18 @@ test.describe('Smoke Tests - Critical Path', () => {
   });
 
   test('CORS headers are present on API endpoints', async ({ request }) => {
+    // Use the origin configured in CORS_ORIGINS (wrangler.toml)
     const response = await request.get('/api', {
       headers: {
-        'Origin': 'http://localhost:3000'
+        'Origin': 'http://localhost:8787'
       }
     });
 
     expect(response.ok()).toBeTruthy();
 
-    // Verify CORS header is present
+    // Verify CORS header echoes back the allowed origin
     const corsHeader = response.headers()['access-control-allow-origin'];
-    expect(corsHeader).toBeDefined();
-    expect(corsHeader).toBeTruthy();
+    expect(corsHeader).toBe('http://localhost:8787');
   });
 
   test('API returns correct content-type headers', async ({ request }) => {