0c4aee7467
PR #120 rewrote auth.controller.spec.ts and environment.service.spec.ts in a leaner style but dropped several edge cases that PR #116 covered. Port the gaps so the server coverage matches the original review intent: - auth.controller: returnToken=false must behave like the omitted case (no token in the response body, cookie still set) — guards an `!== undefined`-style regression. - environment.getCorsAllowedOrigins: empty string -> [], single origin, and leading/trailing/duplicate commas with spaces -> trimmed list. - environment.isSwaggerEnabled: mixed-case "True" -> true; "false"/""/"1" -> false. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>