Close the two "[test coverage]" review gaps on PR #116 (mobile bootstrap):

- auth.controller.spec.ts: unit-test AuthController.login() returnToken
  branches via direct instantiation. returnToken:true returns exactly
  { authToken } alongside the httpOnly cookie; omitted/explicit-false return
  strictly undefined (the token must never leak into the response body for
  web clients) while the cookie is still set.
- environment.service.spec.ts: table-driven tests for getCorsAllowedOrigins()
  (split/trim/filter of CORS_ALLOWED_ORIGINS) and isSwaggerEnabled()
  (case-insensitive SWAGGER_ENABLED === 'true'), the two parsers feeding the
  CORS allowlist and Swagger exposure trust boundaries.

Tests only; no production code changed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

16 suites were disabled via testPathIgnorePatterns due to two root causes: lib0
ESM not transformed (the @hocuspocus/server -> lib0/decoding.js chain) and stock
'should be defined' specs built via Test.createTestingModule without providers.

Add lib0 to transformIgnorePatterns; convert the 14 DI placeholders to direct
new X(...) instantiation with stub deps (keeping a real construct smoke test);
re-enable the suites. Also updates the public-share limiter test to assert the
fail-closed behavior from #62 (surfaced now that the suite runs). Full server
suite: 67 passed, 689 tests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>