feat: harden billing verification and add browse route parity

app/routes/api.php

@@ -2,19 +2,35 @@
 
 use App\Http\Controllers\Api\V1\EmojiApiController;
 use App\Http\Controllers\Api\V1\LicenseController;
+use App\Http\Controllers\Api\V1\SystemController;
 use Illuminate\Support\Facades\Route;
 
 Route::options('/v1/{any}', function () {
-    return response('', 204, [
-        'Access-Control-Allow-Origin' => '*',
+    $headers = [
         'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',
         'Access-Control-Allow-Headers' => 'Content-Type, Authorization, X-License-Key, X-Account-Id, X-Dewemoji-Frontend',
-    ]);
+        'Vary' => 'Origin',
+    ];
+    $origin = request()->headers->get('Origin', '');
+    $allowedOrigins = config('dewemoji.cors.allowed_origins', []);
+    if (is_array($allowedOrigins) && in_array($origin, $allowedOrigins, true)) {
+        $headers['Access-Control-Allow-Origin'] = $origin;
+    }
+
+    return response('', 204, $headers);
 })->where('any', '.*');
 
 Route::prefix('v1')->group(function () {
     Route::get('/categories', [EmojiApiController::class, 'categories']);
     Route::get('/emojis', [EmojiApiController::class, 'emojis']);
-    Route::post('/license/verify', [LicenseController::class, 'verify']);
-});
+    Route::get('/emoji', [EmojiApiController::class, 'emoji']);
+    Route::get('/emoji/{slug}', [EmojiApiController::class, 'emoji']);
 
+    Route::post('/license/verify', [LicenseController::class, 'verify']);
+    Route::post('/license/activate', [LicenseController::class, 'activate']);
+    Route::post('/license/deactivate', [LicenseController::class, 'deactivate']);
+
+    Route::get('/health', [SystemController::class, 'health']);
+    Route::get('/metrics-lite', [SystemController::class, 'metricsLite']);
+    Route::get('/metrics', [SystemController::class, 'metrics']);
+});