OpenSea CORS + GraphQL Introspection PoC

Vulnerability: gql.opensea.io reflects any Origin with Access-Control-Allow-Credentials: true. Combined with a rich unauthenticated GraphQL API, any website can exfiltrate: portfolio values, token holdings (with cost basis & P/L), NFT inventory, transaction history, and profile data for any wallet address. Additionally, 94 mutations and 200+ query definitions are exposed via introspection without authentication.