Security and code quality audit fixes

Security:
- Fix SQL injection in updateStore — whitelist allowed field names
- Restrict CORS to same-origin in production
- Cap results at 200 per store to prevent memory issues

Code quality:
- Extract shared queryAll/queryOne to src/server/db/query.ts
- Remove duplicated DB helpers from 5 files
- Handle render_js boolean-to-integer conversion in updateStore

UX:
- Validate headers_json as valid JSON before saving (both forms)
- Show error message if JSON is invalid

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/server/services/store-sync.ts

@@ -2,6 +2,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import YAML from 'yaml';
 import { getDatabase, saveDatabase } from '../db/connection.js';
+import { queryAll, queryOne } from '../db/query.js';
 
 export interface StoreFileConfig {
   name: string;
@@ -26,22 +27,6 @@ export interface StoreFileConfig {
   headers?: Record<string, string>;
 }
 
-function queryAll(sql: string, params: any[] = []): any[] {
-  const db = getDatabase();
-  const stmt = db.prepare(sql);
-  if (params.length) stmt.bind(params);
-  const rows: any[] = [];
-  while (stmt.step()) {
-    rows.push(stmt.getAsObject());
-  }
-  stmt.free();
-  return rows;
-}
-
-function queryOne(sql: string, params: any[] = []): any | undefined {
-  const rows = queryAll(sql, params);
-  return rows[0];
-}
 
 function slugify(text: string): string {
   return text