fix(server): CORS 生产环境拒绝通配符

crates/erp-server/src/main.rs

@@ -808,11 +808,19 @@ fn build_cors_layer(allowed_origins: &str) -> tower_http::cors::CorsLayer {
         .collect::<Vec<_>>();
 
     if origins.len() == 1 && origins[0] == "*" {
-        tracing::warn!(
+        #[cfg(not(debug_assertions))]
-            "⚠️  CORS 允许所有来源 — 仅限开发环境使用！\
+        {
-             生产环境请通过 ERP__CORS__ALLOWED_ORIGINS 设置具体的来源域名"
+            tracing::error!("CORS wildcard '*' is not allowed in production builds");
-        );
+            panic!("Refusing to start with CORS wildcard in release mode. Set ERP__CORS__ALLOWED_ORIGINS to specific domains.");
-        return tower_http::cors::CorsLayer::permissive();
+        }
+        #[cfg(debug_assertions)]
+        {
+            tracing::warn!(
+                "⚠️  CORS 允许所有来源 — 仅限开发环境使用！\
+                 生产环境请通过 ERP__CORS__ALLOWED_ORIGINS 设置具体的来源域名"
+            );
+            return tower_http::cors::CorsLayer::permissive();
+        }
     }
 
     let allowed: Vec<HeaderValue> = origins