fix(api): drop flask_cors from cm_api (CORS-A defense-in-depth)

api-server is internal-only after C5 (no host port in prod compose),
so the permissive 'CORS(app)' default never fires in normal operation.
Removing it eliminates a stale '*' Access-Control-Allow-Origin that
would become attack surface if a host port were ever accidentally
re-exposed.

Server-side fetches from web-view (legacy Flask) and web-next
(Next.js RSC) don't trigger CORS — that's a browser-only mechanism.

flask_cors stays in requirements.txt because cm_web_view.py still
imports it; both get removed in B4 when the legacy web-view retires.
yiekheng 2026-05-02 21:27:06 +08:00
parent 3bfd35ef8d
commit 43db97aeaa

@ -1,7 +1,6 @@
import os
import threading
from flask import Flask, jsonify, request
from flask_cors import CORS
from .db import DB
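Review bot: The removal of `from flask_cors import CORS` in the import block has no regression guard, and the commit message says flask_cors stays in requirements.txt, so the import and a `CORS(self.app)` call can come back without anything failing. Consider a test that sends a request with an `Origin` header through the Flask test client and asserts that the response carries no `Access-Control-Allow-Origin` header.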
@ -19,7 +18,12 @@ class CM_API:
def __init__(self):
self.app = Flask(__name__)
CORS(self.app)
# No CORS middleware: api-server is internal-only (no host port
# in prod compose, per C5). Browsers can't reach it directly,
# and server-side fetches from web-view / web-next don't trigger
# CORS. Removing flask_cors removes a permissive '*' origin
# default that becomes an attack surface if a host port is ever
# accidentally re-exposed.
self._register_routes()
def _get_database_connection(self):
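Review bot: The new comment in `__init__` justifies the change with "per C5", a plan label that a later reader of this file cannot resolve; name the compose file or setting that keeps the port unpublished instead. The comment also reads as if dropping the '*' origin would protect a re-exposed port, but CORS only governs whether a browser script may read a cross-origin response. Non-browser clients and simple cross-origin requests would still reach the routes, and nothing in this diff shows whether those routes require authentication. Suggest the comment state that the unpublished port and route authentication are the controls, with this removal as hardening on top.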