test(offline): add reviewer-requested coverage for offline-sync core logic

Adds the unit tests called out in the PR #120 review (test-coverage
aspect). No production logic changes — the only non-test edit is exporting
the already-injectable warmInfiniteAll helper so it can be unit tested.

Server (Jest):
- persistence.extension.spec.ts: onStoreDocument classification matrix
  (no-op / title-only / body+title / body-only), onLoadDocument seed +
  persist gating (early-return, page-null, ydoc seed, already-seeded
  no-persist, legacy content->ydoc), and seedTitleFragment 4-branch guard.
- collaboration.util.spec.ts: buildTitleSeedYdoc round-trip.
- environment.service.spec.ts: getCorsAllowedOrigins / isSwaggerEnabled.
- auth.controller.spec.ts: login returnToken opt-in branch.

Client (Vitest):
- query-persister.test.ts: shouldDehydrateOfflineQuery status + allowlist
  gates and OFFLINE_PERSIST_ROOTS membership.
- is-capacitor.test.ts: isCapacitorNativePlatform platform detection.
- make-offline.test.ts: warmInfiniteAll cursor walk / maxPages / error
  swallow, and warmPageYdoc settle-once + timeout + teardown.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

apps/server/src/core/auth/auth.controller.spec.ts

@@ -19,4 +19,67 @@ describe('AuthController', () => {
   it('should be defined', () => {
     expect(controller).toBeDefined();
   });
+
+  // The EE MFA module is absent in this repo, so require() throws and is caught;
+  // login falls through to authService.login -> setAuthCookie -> returnToken.
+  describe('login returnToken branch', () => {
+    const workspace = { id: 'ws1', enforceSso: false };
+
+    const makeController = () => {
+      const authService = {
+        login: jest.fn().mockResolvedValue('jwt-token-123'),
+      };
+      const environmentService = {
+        getCookieExpiresIn: jest.fn().mockReturnValue(new Date()),
+        isHttps: jest.fn().mockReturnValue(false),
+      };
+      const ctrl = new AuthController(
+        authService as any,
+        {} as any,
+        environmentService as any,
+        {} as any,
+        {} as any,
+      );
+      const res = { setCookie: jest.fn() };
+      return { ctrl, authService, res };
+    };
+
+    it('returns the body token and sets the cookie when returnToken is true', async () => {
+      const { ctrl, authService, res } = makeController();
+      const loginInput = {
+        email: 'a@b.com',
+        password: 'pw',
+        returnToken: true,
+      };
+
+      const result = await ctrl.login(
+        workspace as any,
+        res as any,
+        loginInput as any,
+      );
+
+      expect(result).toEqual({ authToken: 'jwt-token-123' });
+      expect(res.setCookie).toHaveBeenCalledTimes(1);
+      expect(res.setCookie).toHaveBeenCalledWith(
+        'authToken',
+        'jwt-token-123',
+        expect.objectContaining({ httpOnly: true }),
+      );
+      expect(authService.login).toHaveBeenCalled();
+    });
+
+    it('returns no body token but still sets the cookie when returnToken is omitted', async () => {
+      const { ctrl, res } = makeController();
+      const loginInput = { email: 'a@b.com', password: 'pw' };
+
+      const result = await ctrl.login(
+        workspace as any,
+        res as any,
+        loginInput as any,
+      );
+
+      expect(result).toBeUndefined();
+      expect(res.setCookie).toHaveBeenCalledTimes(1);
+    });
+  });
 });