Close the two "[test coverage]" review gaps on PR #116 (mobile bootstrap):
- auth.controller.spec.ts: unit-test AuthController.login() returnToken
branches via direct instantiation. returnToken:true returns exactly
{ authToken } alongside the httpOnly cookie; omitted/explicit-false return
strictly undefined (the token must never leak into the response body for
web clients) while the cookie is still set.
- environment.service.spec.ts: table-driven tests for getCorsAllowedOrigins()
(split/trim/filter of CORS_ALLOWED_ORIGINS) and isSwaggerEnabled()
(case-insensitive SWAGGER_ENABLED === 'true'), the two parsers feeding the
CORS allowlist and Swagger exposure trust boundaries.
Tests only; no production code changed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
92d03f1ff6