1. Trips TLS: Removed all ssl CERT_NONE / check_hostname=False from
5 external HTTPS call sites (OpenAI, Gemini, Google Places, Geocode).
All external calls now use default TLS verification.
2. Internal CORS: Removed permissive cors() from inventory and budget.
Both are internal services accessed only via gateway.
3. App visibility: Documented as cosmetic-only in layout.server.ts.
Nav hiding is intentional UX, not access control.
4. Disconnect safety: Added confirm() dialog before service disconnect
in Settings. Prevents accidental disconnects.
5. Inventory cleanup: Removed stale /test startup log message.
Replaced with API key status indicator.
6. Frontend deps: 4 low-severity cookie vulnerabilities in @sveltejs/kit.
Fix requires breaking downgrade to kit@0.0.30 — not safe. Documented.
