fix(cors): allow credentials with echo-mode origin

Hono cors middleware with credentials: true requires origin to be
a concrete value, not '*'. Using origin callback that echoes
back the requesting origin satisfies browser CORS requirements
for fetch() with credentials: 'include'.

Fixes: API calls returning 401 on production because cookies
were not sent with cross-origin requests.

Refs: production server, admin dashboard

src/server/index.ts

@@ -245,8 +245,18 @@ db.run(`
 `)
 db.run('CREATE INDEX IF NOT EXISTS idx_analytics_daily_date ON analytics_daily(date)')
 
-// Middleware
-app.use('*', cors())
+// Middleware - CORS: credentials=true requires explicit origin, not '*'
+// When credentials: 'include' is used in fetch(), browser requires concrete origin
+app.use('*', cors({
+  origin: (origin) => {
+    // Echo back the requesting origin if it exists (null = no origin header)
+    return origin || '*'
+  },
+  credentials: true,
+  allowHeaders: ['Origin', 'Content-Type', 'Accept', 'X-Requested-With'],
+  allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+  maxAge: 86400
+}))
 app.use('*', logger())
 
 // Serve static files FIRST for all contexts