Revert API_BASE_URL default: keep same-origin proxy for client-side CORS

Commit e20ef94 set the default to https://flights.test.aeroflot.ru/api,
which broke the browser client (no CORS headers on the test env;
scripts/dev-server.mjs is the only layer that can bypass it).

Keep PROD_ORIGIN pointing at the test env for SEO, but restore
API_BASE_URL default to http://localhost:8080/api with a comment
explaining the proxy chain: dev → Express+curl → flights.test.aeroflot.ru.
Production deployments continue to set API_BASE_URL explicitly.

scripts/dev-server.mjs

@@ -25,23 +25,11 @@ const modernBin = resolve("node_modules", ".bin", "modern");
 const modernProcess = existsSync(modernBin)
   ? spawn(modernBin, ["dev"], {
       stdio: "inherit",
-      env: {
-        ...process.env,
-        PORT: String(MODERNJS_PORT),
-        // Point the browser bundle at the same-origin proxy so CORS/WAF stay
-        // bypassed. The proxy (this file) forwards to API_TARGET via curl.
-        API_BASE_URL: process.env.API_BASE_URL ?? "http://localhost:8080/api",
-      },
+      env: { ...process.env, PORT: String(MODERNJS_PORT) },
     })
   : spawn(process.execPath, [resolve("node_modules", "@modern-js/app-tools", "bin", "modern.js"), "dev"], {
       stdio: "inherit",
-      env: {
-        ...process.env,
-        PORT: String(MODERNJS_PORT),
-        // Point the browser bundle at the same-origin proxy so CORS/WAF stay
-        // bypassed. The proxy (this file) forwards to API_TARGET via curl.
-        API_BASE_URL: process.env.API_BASE_URL ?? "http://localhost:8080/api",
-      },
+      env: { ...process.env, PORT: String(MODERNJS_PORT) },
     });
 modernProcess.on("error", (err) => {
   console.error("Modern.js failed:", err);

src/env/env.test.ts

@@ -58,9 +58,9 @@ describe("getEnv", () => {
     const { getEnv, __resetEnvCacheForTests } = await import("./index.js");
     __resetEnvCacheForTests();
     const env = getEnv();
-    // Default points to the test environment. Dev server overrides this to
-    // "http://localhost:8080/api" so browser calls route through the proxy.
-    expect(env.API_BASE_URL).toBe("https://flights.test.aeroflot.ru/api");
+    // API_BASE_URL defaults to the same-origin proxy path; the proxy
+    // forwards to https://flights.test.aeroflot.ru (see scripts/dev-server.mjs).
+    expect(env.API_BASE_URL).toBe("http://localhost:8080/api");
   });
 
   it("throws when NODE_ENV is not one of the allowed values", async () => {

src/env/index.ts

@@ -9,11 +9,12 @@ const EnvSchema = z.object({
   NODE_ENV: z.enum(["development", "test", "testing", "staging", "production"]).default("development"),
   BUILD_TARGET: z.enum(["standalone", "remote"]).default("standalone"),
   PROD_ORIGIN: z.string().url().default("https://flights.test.aeroflot.ru"),
-  // Defaults to the test environment. In dev, scripts/dev-server.mjs injects
-  // API_BASE_URL=http://localhost:8080/api so browser calls route through the
-  // same-origin curl-based WAF-bypass proxy. In production, a deployment-time
-  // env var should set this to the live API host.
-  API_BASE_URL: z.string().url().default("https://flights.test.aeroflot.ru/api"),
+  // Same-origin /api — proxied upstream to https://flights.test.aeroflot.ru.
+  // In dev, scripts/dev-server.mjs runs an Express+curl proxy on :8080 that
+  // bypasses CORS and the WAF TLS-fingerprint filter. In production, the
+  // reverse proxy / CDN forwards /api to the real host. Deployments that
+  // call the API directly (no proxy) must set API_BASE_URL explicitly.
+  API_BASE_URL: z.string().url().default("http://localhost:8080/api"),
   SIGNALR_HUB_URL: z.string().url().default("http://platform.yc.webzavod.ru/tracker/hub"),
   OTEL_EXPORTER_OTLP_ENDPOINT: z.string().url().optional(),
   OTEL_EXPORTER_OTLP_HEADERS: z.string().optional(),