fix: restrict CORS origins, require payment env vars, replace raw SQL with Prisma findMany

- AI service: replace allow_origins=["*"] with env-configured AI_CORS_ORIGINS
- Payment services (VNPay, MoMo, ZaloPay): use requireEnv() instead of empty string defaults for credentials
- Search indexer: replace raw SQL template literals with Prisma findMany + parameterized PostGIS queries

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/modules/payments/infrastructure/services/momo.service.ts

@@ -10,21 +10,29 @@ import {
   type RefundResult,
 } from './payment-gateway.interface';
 
+function requireEnv(key: string): string {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${key}`);
+  }
+  return value;
+}
+
 @Injectable()
 export class MomoService implements IPaymentGateway {
   private readonly logger = new Logger(MomoService.name);
   readonly provider: PaymentProvider = 'MOMO';
 
   private get partnerCode(): string {
-    return process.env['MOMO_PARTNER_CODE'] ?? '';
+    return requireEnv('MOMO_PARTNER_CODE');
   }
 
   private get accessKey(): string {
-    return process.env['MOMO_ACCESS_KEY'] ?? '';
+    return requireEnv('MOMO_ACCESS_KEY');
   }
 
   private get secretKey(): string {
-    return process.env['MOMO_SECRET_KEY'] ?? '';
+    return requireEnv('MOMO_SECRET_KEY');
   }
 
   private get endpoint(): string {