fix: remaining code issues — TLS, CORS, disconnect safety, cleanup
Some checks failed
Security Checks / dockerfile-lint (push) Successful in 10s
Security Checks / dependency-audit (push) Failing after 19m48s
Security Checks / secret-scanning (push) Failing after 17m18s

1. Trips TLS: Removed all ssl CERT_NONE / check_hostname=False from
   5 external HTTPS call sites (OpenAI, Gemini, Google Places, Geocode).
   All external calls now use default TLS verification.

2. Internal CORS: Removed permissive cors() from inventory and budget.
   Both are internal services accessed only via gateway.

3. App visibility: Documented as cosmetic-only in layout.server.ts.
   Nav hiding is intentional UX, not access control.

4. Disconnect safety: Added confirm() dialog before service disconnect
   in Settings. Prevents accidental disconnects.

5. Inventory cleanup: Removed stale /test startup log message.
   Replaced with API key status indicator.

6. Frontend deps: 4 low-severity cookie vulnerabilities in @sveltejs/kit.
   Fix requires breaking downgrade to kit@0.0.30 — not safe. Documented.
This commit is contained in:
Yusuf Suleman
2026-03-29 15:38:42 -05:00
parent ac5c758056
commit 877021ff20
6 changed files with 90 additions and 77 deletions


@@ -22,7 +22,7 @@ const config = {
workspaceId: '' // fetched at startup
};
app.use(cors());
// CORS disabled — internal service accessed only via gateway
app.use(express.json());
// Allow form-encoded payloads from NocoDB webhook buttons
app.use(express.urlencoded({ extended: true }));
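Review bot: The replacement comment on the `app.use(cors())` line overstates what dropping the middleware achieves. Removing `cors()` only stops the service from emitting `Access-Control-Allow-Origin` headers; it does not block requests from anything that is not a browser, and the `express.urlencoded` handler directly below still accepts form-encoded POSTs, which browsers send cross-origin as "simple" requests with no preflight, so removing `cors()` does not stop a page on another origin from submitting to this service. The claim "internal service accessed only via gateway" is not enforced by anything in this hunk; if that is the security boundary, it needs to be enforced by network placement or by the `SERVICE_API_KEY` check referenced in the startup log, not implied by a comment. Suggest rewording to something like `// No CORS headers: cross-origin browser access is not expected; auth and network policy gate access` and, if the `cors` require at the top of the file is now unused, removing it as well.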
@@ -2053,7 +2053,7 @@ app.listen(port, () => {
console.log(' API Token: ' + (config.apiToken ? '✅ Set' : '❌ Missing'));
console.log('');
console.log('🌐 Open http://localhost:' + externalPort + ' to use the uploader');
console.log('🔧 Test endpoint: http://localhost:' + externalPort + '/test');
console.log('🔒 API Key: ' + (process.env.SERVICE_API_KEY ? '✅ Required' : '⚠️ Not set'));
console.log('🎨 Modern theme preview: http://localhost:' + externalPort + '/preview');
});
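Review bot: The new `🔒 API Key:` line logs `⚠️ Not set` and lets the process keep running, so a deployment that forgot `SERVICE_API_KEY` starts up unauthenticated with only a console warning to show for it. Given the previous hunk now relies on gateway-only access rather than CORS, the key is the one visible control left in this file; the startup path should fail fast when it is missing, at least outside local development, e.g. `if (!process.env.SERVICE_API_KEY && process.env.NODE_ENV === 'production') { console.error('SERVICE_API_KEY is required'); process.exit(1); }` before `app.listen`. Separately, the `/test` log line was removed but the `/preview` line on the next line remains; worth confirming the `/test` route itself was removed (the message says "stale"), and whether `/preview` should also be gated behind the API key.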