diff --git a/apps/server/src/core/auth/auth.controller.spec.ts b/apps/server/src/core/auth/auth.controller.spec.ts
index 103d1ec9..a25c90cb 100644
--- a/apps/server/src/core/auth/auth.controller.spec.ts
+++ b/apps/server/src/core/auth/auth.controller.spec.ts
@@ -81,5 +81,25 @@ describe('AuthController', () => {
 expect(result).toBeUndefined();
 expect(res.setCookie).toHaveBeenCalledTimes(1);
 });
+
+ // Guards against an `!== undefined`-style bug: an explicit `false` must
+ // behave exactly like the omitted case (cookie set, no token in the body).
+ it('returns no body token but still sets the cookie when returnToken is false', async () => {
+ const { ctrl, res } = makeController();
+ const loginInput = {
+ email: 'a@b.com',
+ password: 'pw',
+ returnToken: false,
+ };
+
+ const result = await ctrl.login(
+ workspace as any,
+ res as any,
+ loginInput as any,
+ );
+
+ expect(result).toBeUndefined();
+ expect(res.setCookie).toHaveBeenCalledTimes(1);
+ });
 });
 });
diff --git a/apps/server/src/integrations/environment/environment.service.spec.ts b/apps/server/src/integrations/environment/environment.service.spec.ts
index 1af7522f..565755de 100644
--- a/apps/server/src/integrations/environment/environment.service.spec.ts
+++ b/apps/server/src/integrations/environment/environment.service.spec.ts
@@ -25,8 +25,7 @@ describe('EnvironmentService', () => {
 describe('getCorsAllowedOrigins', () => {
 it('splits, trims, and drops empty entries', () => {
 const svc = makeService({
- CORS_ALLOWED_ORIGINS:
- 'https://a.com, https://b.com ,, https://c.com',
+ CORS_ALLOWED_ORIGINS: 'https://a.com, https://b.com ,, https://c.com',
 });
 expect(svc.getCorsAllowedOrigins()).toEqual([
 'https://a.com',
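Review bot: In auth.controller.spec.ts, the new `returnToken: false` test expects the same outcome as the omitted-field case its own comment refers to, and `loginInput as any` removes the only link to the real input type, so it would keep passing unchanged if the DTO field were ever renamed. Typing the `loginInput` literal against the login DTO (its type name is not visible in this hunk) instead of casting at the call site would turn such a rename into a compile error. Asserting the arguments passed to `res.setCookie`, not only `toHaveBeenCalledTimes(1)`, would also pin that the token travels in the cookie rather than in the response body. The enclosing `describe` starts outside the hunk.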
@@ -39,6 +38,25 @@ describe('EnvironmentService', () => {
 const svc = makeService({});
 expect(svc.getCorsAllowedOrigins()).toEqual([]);
 });
+
+ it('returns an empty array for an empty string', () => {
+ const svc = makeService({ CORS_ALLOWED_ORIGINS: '' });
+ expect(svc.getCorsAllowedOrigins()).toEqual([]);
+ });
+
+ it('returns a single origin unchanged', () => {
+ const svc = makeService({
+ CORS_ALLOWED_ORIGINS: 'https://app.example',
+ });
+ expect(svc.getCorsAllowedOrigins()).toEqual(['https://app.example']);
+ });
+
+ // Adversarial case: leading/trailing/duplicate commas with surrounding
+ // spaces must be dropped, exercising both .map(trim) and .filter(Boolean).
+ it('drops leading/trailing commas with surrounding spaces', () => {
+ const svc = makeService({ CORS_ALLOWED_ORIGINS: ' , a , , b ' });
+ expect(svc.getCorsAllowedOrigins()).toEqual(['a', 'b']);
+ });
 });
 describe('isSwaggerEnabled', () => {
@@ -54,6 +72,12 @@ describe('EnvironmentService', () => {
 );
 });
+ it('is true for mixed-case "True"', () => {
+ expect(makeService({ SWAGGER_ENABLED: 'True' }).isSwaggerEnabled()).toBe(
+ true,
+ );
+ });
+
 it('defaults to false when absent', () => {
 expect(makeService({}).isSwaggerEnabled()).toBe(false);
 });
@@ -65,6 +89,15 @@ describe('EnvironmentService', () => {
 expect(makeService({ SWAGGER_ENABLED: 'yes' }).isSwaggerEnabled()).toBe(
 false,
 );
+ expect(makeService({ SWAGGER_ENABLED: 'false' }).isSwaggerEnabled()).toBe(
+ false,
+ );
+ expect(makeService({ SWAGGER_ENABLED: '' }).isSwaggerEnabled()).toBe(
+ false,
+ );
+ expect(makeService({ SWAGGER_ENABLED: '1' }).isSwaggerEnabled()).toBe(
+ false,
+ );
 });
 });
 });
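Review bot: The `' , a , , b '` case in the `getCorsAllowedOrigins` block pins that bare tokens such as `a` and `b` come back as allowed origins, so the parser evidently does no origin-shape validation, yet no test records what happens to `*`, `null`, or an entry with a trailing slash such as `https://a.com/`. If this list feeds a credentialed CORS allowlist (the consumer is not visible here), those are the values that matter: the first two widen access, and the third never matches a browser `Origin` header. Add one case per value, or state the contract above the adversarial test with a comment such as `// Entries are not validated as origins here; validation must happen where the list is consumed.`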
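Review bot: In the last `isSwaggerEnabled` hunk, the three new negative values are appended as bare `expect` calls inside an existing `it` whose title lies outside the hunk, so the first failing value hides the rest and is reported under a title that may not mention it. A table form gives one named result per value: `it.each(['yes', 'false', '', '1'])('is false for %j', (v) => { expect(makeService({ SWAGGER_ENABLED: v }).isSwaggerEnabled()).toBe(false); });`. Neither this hunk nor the `'True'` case before it pins a whitespace-padded value such as `' true '`. For a toggle that presumably exposes API documentation, it is worth stating in a test which way that goes.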