@miaws/miaw 1.18.5 → 1.18.6

package/test/server/httpapi-authorization.test.ts

@@ -1,174 +0,0 @@
-import { NodeHttpServer } from "@effect/platform-node"
-import { describe, expect } from "bun:test"
-import { Effect, Layer, Option, Schema } from "effect"
-import { HttpClient, HttpClientRequest, HttpRouter } from "effect/unstable/http"
-import { HttpApi, HttpApiBuilder, HttpApiEndpoint, HttpApiError, HttpApiGroup } from "effect/unstable/httpapi"
-import { ServerAuth } from "../../src/server/auth"
-import {
-  Authorization,
-  authorizationLayer,
-  ServerAuthorization,
-  serverAuthorizationLayer,
-} from "../../src/server/routes/instance/httpapi/middleware/authorization"
-import { testEffect } from "../lib/effect"
-
-const Api = HttpApi.make("test-authorization").add(
-  HttpApiGroup.make("test")
-    .add(
-      HttpApiEndpoint.get("probe", "/probe", {
-        success: Schema.String,
-      }),
-      HttpApiEndpoint.get("missing", "/missing", {
-        success: Schema.String,
-        error: HttpApiError.NotFound,
-      }),
-    )
-    .middleware(Authorization),
-)
-
-const ServerApi = HttpApi.make("test-server-authorization").add(
-  HttpApiGroup.make("test.v2")
-    .add(
-      HttpApiEndpoint.get("probe", "/api/probe", {
-        success: Schema.String,
-      }),
-    )
-    .middleware(ServerAuthorization),
-)
-
-const handlers = HttpApiBuilder.group(Api, "test", (handlers) =>
-  handlers
-    .handle("probe", () => Effect.succeed("ok"))
-    .handle("missing", () => Effect.fail(new HttpApiError.NotFound({}))),
-)
-
-const serverHandlers = HttpApiBuilder.group(ServerApi, "test.v2", (handlers) =>
-  handlers.handle("probe", () => Effect.succeed("ok")),
-)
-
-const apiLayer = HttpRouter.serve(
-  HttpApiBuilder.layer(Api).pipe(Layer.provide(handlers), Layer.provide(authorizationLayer)),
-  { disableListenLog: true, disableLogger: true },
-).pipe(Layer.provideMerge(NodeHttpServer.layerTest))
-
-const v2ApiLayer = HttpRouter.serve(
-  HttpApiBuilder.layer(ServerApi).pipe(Layer.provide(serverHandlers), Layer.provide(serverAuthorizationLayer)),
-  { disableListenLog: true, disableLogger: true },
-).pipe(Layer.provideMerge(NodeHttpServer.layerTest))
-
-const noAuthLayer = ServerAuth.Config.layer({ password: Option.none(), username: "miaw" })
-const secretLayer = ServerAuth.Config.layer({ password: Option.some("secret"), username: "miaw" })
-const kitSecretLayer = ServerAuth.Config.layer({ password: Option.some("secret"), username: "kit" })
-
-const it = testEffect(apiLayer.pipe(Layer.provide(noAuthLayer)))
-const itSecret = testEffect(apiLayer.pipe(Layer.provide(secretLayer)))
-const itKitSecret = testEffect(apiLayer.pipe(Layer.provide(kitSecretLayer)))
-const itV2Secret = testEffect(v2ApiLayer.pipe(Layer.provide(secretLayer)))
-
-const basic = (username: string, password: string) => ServerAuth.header({ username, password }) ?? ""
-
-const token = (username: string, password: string) => Buffer.from(`${username}:${password}`).toString("base64")
-
-const getProbe = (headers?: Record<string, string>) =>
-  HttpClientRequest.get("/probe").pipe(
-    headers ? HttpClientRequest.setHeaders(headers) : (request) => request,
-    HttpClient.execute,
-  )
-
-describe("HttpApi authorization middleware", () => {
-  it.live("allows requests when server password is not configured", () =>
-    Effect.gen(function* () {
-      const response = yield* getProbe()
-
-      expect(response.status).toBe(200)
-      expect(yield* response.json).toBe("ok")
-    }),
-  )
-
-  itSecret.live("requires configured password for basic auth", () =>
-    Effect.gen(function* () {
-      const [missing, badPassword, good] = yield* Effect.all(
-        [
-          getProbe(),
-          getProbe({ authorization: basic("miaw", "wrong") }),
-          getProbe({ authorization: basic("miaw", "secret") }),
-        ],
-        { concurrency: "unbounded" },
-      )
-
-      expect(missing.status).toBe(401)
-      expect(missing.headers["www-authenticate"] ?? "").toContain("Basic")
-      expect(badPassword.status).toBe(401)
-      expect(badPassword.headers["www-authenticate"] ?? "").toContain("Basic")
-      expect(good.status).toBe(200)
-    }),
-  )
-
-  itKitSecret.live("respects configured basic auth username", () =>
-    Effect.gen(function* () {
-      const [defaultUser, configuredUser] = yield* Effect.all(
-        [getProbe({ authorization: basic("miaw", "secret") }), getProbe({ authorization: basic("kit", "secret") })],
-        { concurrency: "unbounded" },
-      )
-
-      expect(defaultUser.status).toBe(401)
-      expect(configuredUser.status).toBe(200)
-    }),
-  )
-
-  itSecret.live("accepts auth token query credentials", () =>
-    Effect.gen(function* () {
-      const response = yield* HttpClient.get(`/probe?auth_token=${encodeURIComponent(token("miaw", "secret"))}`)
-
-      expect(response.status).toBe(200)
-    }),
-  )
-
-  itSecret.live("prefers auth token query credentials over basic auth", () =>
-    Effect.gen(function* () {
-      const response = yield* HttpClientRequest.get(
-        `/probe?auth_token=${encodeURIComponent(token("miaw", "secret"))}`,
-      ).pipe(HttpClientRequest.setHeader("authorization", basic("miaw", "wrong")), HttpClient.execute)
-
-      expect(response.status).toBe(200)
-    }),
-  )
-
-  itSecret.live("preserves handler errors when basic auth succeeds", () =>
-    Effect.gen(function* () {
-      const response = yield* HttpClientRequest.get("/missing").pipe(
-        HttpClientRequest.setHeader("authorization", basic("miaw", "secret")),
-        HttpClient.execute,
-      )
-
-      expect(response.status).toBe(404)
-    }),
-  )
-
-  itSecret.live("preserves handler errors when auth token query succeeds", () =>
-    Effect.gen(function* () {
-      const response = yield* HttpClient.get(`/missing?auth_token=${encodeURIComponent(token("miaw", "secret"))}`)
-
-      expect(response.status).toBe(404)
-    }),
-  )
-
-  itSecret.live("rejects malformed auth token query credentials", () =>
-    Effect.gen(function* () {
-      const response = yield* HttpClient.get("/probe?auth_token=not-base64")
-
-      expect(response.status).toBe(401)
-    }),
-  )
-
-  itV2Secret.live("returns bodyful v2 unauthorized errors", () =>
-    Effect.gen(function* () {
-      const response = yield* HttpClient.get("/api/probe")
-      const body = yield* response.json
-
-      expect(response.status).toBe(401)
-      expect(response.headers["www-authenticate"] ?? "").toContain("Basic")
-      expect(body).toEqual({ _tag: "UnauthorizedError", message: "Authentication required" })
-    }),
-  )
-})

package/test/server/httpapi-compression.test.ts

@@ -1,151 +0,0 @@
-import { afterEach, describe, expect, test } from "bun:test"
-import { gunzipSync, inflateSync } from "node:zlib"
-import { Server } from "../../src/server/server"
-import { resetDatabase } from "../fixture/db"
-import { disposeAllInstances, tmpdir } from "../fixture/fixture"
-
-afterEach(async () => {
-  await disposeAllInstances()
-  await resetDatabase()
-})
-
-function app() {
-  return Server.Default().app
-}
-
-// /config echoes the config back. Padding the config pushes the response body
-// well past the 1024 B threshold so we can observe compression behavior.
-function fatConfig() {
-  const instructions: string[] = []
-  for (let i = 0; i < 50; i++) {
-    instructions.push(`padding-instruction-${i}-${"x".repeat(40)}`)
-  }
-  return {
-    formatter: false,
-    lsp: false,
-    username: "compression-test-user",
-    instructions,
-  }
-}
-
-describe("HttpApi compression", () => {
-  describe("encodes responses", () => {
-    test("gzips JSON when Accept-Encoding includes gzip and body exceeds threshold", async () => {
-      await using tmp = await tmpdir({ config: fatConfig() })
-      const response = await app().request("/config", {
-        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
-      })
-      expect(response.status).toBe(200)
-      expect(response.headers.get("content-encoding")).toBe("gzip")
-      const compressed = new Uint8Array(await response.arrayBuffer())
-      const decompressed = gunzipSync(compressed)
-      const json = JSON.parse(new TextDecoder().decode(decompressed))
-      expect(json).toMatchObject({ username: "compression-test-user" })
-      expect(compressed.byteLength).toBeLessThan(decompressed.byteLength)
-    })
-
-    test("uses deflate when only deflate is acceptable", async () => {
-      await using tmp = await tmpdir({ config: fatConfig() })
-      const response = await app().request("/config", {
-        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "deflate" },
-      })
-      expect(response.status).toBe(200)
-      expect(response.headers.get("content-encoding")).toBe("deflate")
-      const compressed = new Uint8Array(await response.arrayBuffer())
-      const decompressed = inflateSync(compressed)
-      const json = JSON.parse(new TextDecoder().decode(decompressed))
-      expect(json).toMatchObject({ username: "compression-test-user" })
-    })
-
-    test("prefers gzip when both gzip and deflate are acceptable", async () => {
-      await using tmp = await tmpdir({ config: fatConfig() })
-      const response = await app().request("/config", {
-        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip, deflate" },
-      })
-      expect(response.headers.get("content-encoding")).toBe("gzip")
-    })
-
-    test("does not include the original Content-Length when compressed", async () => {
-      await using tmp = await tmpdir({ config: fatConfig() })
-      const response = await app().request("/config", {
-        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
-      })
-      const compressed = new Uint8Array(await response.arrayBuffer())
-      const declared = response.headers.get("content-length")
-      // Either absent (transfer-encoding chunked) or matches the compressed length.
-      if (declared !== null) expect(Number(declared)).toBe(compressed.byteLength)
-    })
-  })
-
-  describe("skips", () => {
-    test("when no Accept-Encoding header is present", async () => {
-      await using tmp = await tmpdir({ config: fatConfig() })
-      const response = await app().request("/config", {
-        headers: { "x-miaw-directory": tmp.path },
-      })
-      expect(response.headers.get("content-encoding")).toBeNull()
-    })
-
-    test("when Accept-Encoding only allows unsupported encodings", async () => {
-      await using tmp = await tmpdir({ config: fatConfig() })
-      const response = await app().request("/config", {
-        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "br" },
-      })
-      expect(response.headers.get("content-encoding")).toBeNull()
-    })
-
-    test("when the response body is below the 1024-byte threshold", async () => {
-      // A bare config produces a tiny response (~few hundred bytes).
-      await using tmp = await tmpdir({ config: { formatter: false, lsp: false } })
-      const response = await app().request("/config", {
-        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
-      })
-      expect(response.status).toBe(200)
-      const body = new Uint8Array(await response.arrayBuffer())
-      expect(body.byteLength).toBeLessThan(1024)
-      expect(response.headers.get("content-encoding")).toBeNull()
-    })
-
-    test("HEAD requests", async () => {
-      await using tmp = await tmpdir({ config: fatConfig() })
-      const response = await app().request("/config", {
-        method: "HEAD",
-        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
-      })
-      expect(response.headers.get("content-encoding")).toBeNull()
-    })
-  })
-
-  describe("streaming exclusions", () => {
-    test("/event SSE is not compressed", async () => {
-      await using tmp = await tmpdir({ config: { formatter: false, lsp: false } })
-      const controller = new AbortController()
-      const response = await app().request("/event", {
-        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
-        signal: controller.signal,
-      })
-      try {
-        expect(response.status).toBe(200)
-        expect(response.headers.get("content-encoding")).toBeNull()
-      } finally {
-        controller.abort()
-        await response.body?.cancel().catch(() => {})
-      }
-    })
-
-    test("/global/event SSE is not compressed", async () => {
-      const controller = new AbortController()
-      const response = await app().request("/global/event", {
-        headers: { "accept-encoding": "gzip" },
-        signal: controller.signal,
-      })
-      try {
-        expect(response.status).toBe(200)
-        expect(response.headers.get("content-encoding")).toBeNull()
-      } finally {
-        controller.abort()
-        await response.body?.cancel().catch(() => {})
-      }
-    })
-  })
-})

package/test/server/httpapi-config.test.ts

@@ -1,110 +0,0 @@
-import { afterEach, describe, expect } from "bun:test"
-import path from "path"
-import { Server } from "../../src/server/server"
-import { Effect, Fiber } from "effect"
-import { resetDatabase } from "../fixture/db"
-import { disposeAllInstances, tmpdir } from "../fixture/fixture"
-import { it } from "../lib/effect"
-import { waitGlobalBusEvent } from "./global-bus"
-
-function app() {
-  return Server.Default().app
-}
-
-function waitDisposed(directory: string) {
-  return waitGlobalBusEvent({
-    message: "timed out waiting for instance disposal",
-    predicate: (event) => event.payload.type === "server.instance.disposed" && event.directory === directory,
-  })
-}
-
-const tmpdirEffect = (options: Parameters<typeof tmpdir>[0]) =>
-  Effect.acquireRelease(
-    Effect.promise(() => tmpdir(options)),
-    (tmp) => Effect.promise(() => tmp[Symbol.asyncDispose]()),
-  )
-
-afterEach(async () => {
-  await disposeAllInstances()
-  await resetDatabase()
-})
-
-describe("config HttpApi", () => {
-  it.live(
-    "serves config update through the default server app",
-    Effect.gen(function* () {
-      const tmp = yield* tmpdirEffect({ config: { formatter: false, lsp: false } })
-      const disposed = yield* waitDisposed(tmp.path).pipe(Effect.forkScoped({ startImmediately: true }))
-
-      const response = yield* Effect.promise(() =>
-        Promise.resolve(
-          app().request("/config", {
-            method: "PATCH",
-            headers: {
-              "content-type": "application/json",
-              "x-miaw-directory": tmp.path,
-            },
-            body: JSON.stringify({ username: "patched-user", formatter: false, lsp: false }),
-          }),
-        ),
-      )
-
-      expect(response.status).toBe(200)
-      expect(yield* Effect.promise(() => response.json())).toMatchObject({
-        username: "patched-user",
-        formatter: false,
-        lsp: false,
-      })
-      yield* Fiber.join(disposed)
-      expect(yield* Effect.promise(() => Bun.file(path.join(tmp.path, "config.json")).json())).toMatchObject({
-        username: "patched-user",
-        formatter: false,
-        lsp: false,
-      })
-    }),
-  )
-
-  it.live(
-    "serves config with active provider model status",
-    Effect.gen(function* () {
-      const tmp = yield* tmpdirEffect({
-        config: {
-          formatter: false,
-          lsp: false,
-          provider: {
-            omniroute: {
-              models: {
-                "gpt-4o": {
-                  status: "active",
-                },
-              },
-            },
-          },
-        },
-      })
-
-      const response = yield* Effect.promise(() =>
-        Promise.resolve(
-          app().request("/config", {
-            headers: {
-              "x-miaw-directory": tmp.path,
-            },
-          }),
-        ),
-      )
-
-      expect(response.status).toBe(200)
-      expect(yield* Effect.promise(() => response.json())).toMatchObject({
-        provider: {
-          omniroute: {
-            models: {
-              "gpt-4o": {
-                status: "active",
-              },
-            },
-          },
-        },
-      })
-    }),
-  )
-})

package/test/server/httpapi-control-plane.test.ts

@@ -1,63 +0,0 @@
-import { NodeHttpServer } from "@effect/platform-node"
-import { describe, expect } from "bun:test"
-import { Context, Effect, Layer, Option, Ref } from "effect"
-import { HttpBody, HttpClient, HttpClientRequest, HttpRouter } from "effect/unstable/http"
-import { HttpApiBuilder } from "effect/unstable/httpapi"
-import { MoveSession } from "@miaw/core/control-plane/move-session"
-import { AbsolutePath } from "@miaw/core/schema"
-import { SessionV2 } from "@miaw/core/session"
-import { Auth } from "../../src/auth"
-import { Config } from "../../src/config/config"
-import { Installation } from "../../src/installation"
-import { ServerAuth } from "../../src/server/auth"
-import { RootHttpApi } from "../../src/server/routes/instance/httpapi/api"
-import { controlHandlers } from "../../src/server/routes/instance/httpapi/handlers/control"
-import { controlPlaneHandlers } from "../../src/server/routes/instance/httpapi/handlers/control-plane"
-import { globalHandlers } from "../../src/server/routes/instance/httpapi/handlers/global"
-import { authorizationLayer } from "../../src/server/routes/instance/httpapi/middleware/authorization"
-import { schemaErrorLayer } from "../../src/server/routes/instance/httpapi/middleware/schema-error"
-import { testEffect } from "../lib/effect"
-
-const input = MoveSession.Input.make({
-  sessionID: SessionV2.ID.make("ses_move"),
-  destination: { directory: AbsolutePath.make("/destination") },
-  moveChanges: true,
-})
-const called = Ref.makeUnsafe<MoveSession.Input | undefined>(undefined)
-
-const apiLayer = HttpRouter.serve(
-  HttpApiBuilder.layer(RootHttpApi).pipe(
-    Layer.provide([controlHandlers, controlPlaneHandlers, globalHandlers]),
-    Layer.provide([authorizationLayer, schemaErrorLayer]),
-    // Raw HttpApi routes expose an opaque handler context at the request boundary.
-    // oxlint-disable-next-line typescript-eslint/no-unsafe-type-assertion
-    HttpRouter.provideRequest(Layer.succeedContext(Context.empty() as Context.Context<unknown>)),
-  ),
-  { disableListenLog: true, disableLogger: true },
-).pipe(
-  Layer.provideMerge(NodeHttpServer.layerTest),
-  Layer.provide(Layer.mock(Auth.Service)({})),
-  Layer.provide(Layer.mock(Config.Service)({})),
-  Layer.provide(Layer.mock(Installation.Service)({})),
-  Layer.provide(
-    Layer.mock(MoveSession.Service)({
-      moveSession: (value) => Ref.set(called, value),
-    }),
-  ),
-  Layer.provide(ServerAuth.Config.layer({ password: Option.none(), username: "miaw" })),
-)
-const it = testEffect(apiLayer)
-
-describe("control-plane HttpApi", () => {
-  it.live("moves a session through the root control-plane route", () =>
-    Effect.gen(function* () {
-      const response = yield* HttpClientRequest.post("/experimental/control-plane/move-session").pipe(
-        HttpClientRequest.setBody(HttpBody.jsonUnsafe(input)),
-        HttpClient.execute,
-      )
-
-      expect(response.status).toBe(204)
-      expect(yield* Ref.get(called)).toEqual(input)
-    }),
-  )
-})

package/test/server/httpapi-cors-vary.test.ts

@@ -1,63 +0,0 @@
-import { afterEach, describe, expect, test } from "bun:test"
-import { Server } from "../../src/server/server"
-import { resetDatabase } from "../fixture/db"
-import { disposeAllInstances } from "../fixture/fixture"
-
-afterEach(async () => {
-  await disposeAllInstances()
-  await resetDatabase()
-})
-
-function app() {
-  return Server.Default().app
-}
-
-const PREFLIGHT_HEADERS = {
-  origin: "http://localhost:3000",
-  "access-control-request-method": "POST",
-  "access-control-request-headers": "content-type, x-miaw-directory",
-}
-
-// effect-smol's HttpMiddleware.cors overwrites `Vary: Origin` with
-// `Vary: Access-Control-Request-Headers` on OPTIONS preflight responses
-// (the two share the same record key during the spread). With dynamic
-// origin echoing, missing Vary: Origin lets shared caches serve a preflight
-// cached for one origin against a different origin. corsVaryFixLayer
-// restores the merged form.
-describe("CORS preflight Vary header", () => {
-  test("HTTP API backend preflight Vary contains Origin", async () => {
-    const response = await app().request("/global/config", {
-      method: "OPTIONS",
-      headers: PREFLIGHT_HEADERS,
-    })
-
-    expect([200, 204]).toContain(response.status)
-    expect(response.headers.get("access-control-allow-origin")).toBe("http://localhost:3000")
-    expect((response.headers.get("vary") ?? "").toLowerCase()).toContain("origin")
-  })
-
-  test("HTTP API backend preflight Vary still preserves Access-Control-Request-Headers", async () => {
-    const response = await app().request("/global/config", {
-      method: "OPTIONS",
-      headers: PREFLIGHT_HEADERS,
-    })
-
-    const vary = (response.headers.get("vary") ?? "").toLowerCase()
-    expect(vary).toContain("origin")
-    expect(vary).toContain("access-control-request-headers")
-  })
-
-  test("HTTP API backend does not duplicate Origin in Vary", async () => {
-    const response = await app().request("/global/config", {
-      method: "OPTIONS",
-      headers: PREFLIGHT_HEADERS,
-    })
-
-    const vary = response.headers.get("vary") ?? ""
-    const originCount = vary
-      .split(",")
-      .map((s: string) => s.trim().toLowerCase())
-      .filter((s: string) => s === "origin").length
-    expect(originCount).toBe(1)
-  })
-})

package/test/server/httpapi-cors.test.ts

@@ -1,122 +0,0 @@
-import { NodeHttpServer, NodeServices } from "@effect/platform-node"
-import { Flag } from "@miaw/core/flag/flag"
-import { describe, expect } from "bun:test"
-import { Config, ConfigProvider, Effect, Layer } from "effect"
-import { HttpClient, HttpClientRequest, HttpRouter, HttpServer } from "effect/unstable/http"
-import * as Socket from "effect/unstable/socket/Socket"
-import { Server } from "../../src/server/server"
-import { InstancePaths } from "../../src/server/routes/instance/httpapi/groups/instance"
-import { HttpApiApp } from "../../src/server/routes/instance/httpapi/server"
-import { resetDatabase } from "../fixture/db"
-import { testEffect } from "../lib/effect"
-
-const testStateLayer = Layer.effectDiscard(
-  Effect.gen(function* () {
-    const original = {
-      MIAW_SERVER_PASSWORD: Flag.MIAW_SERVER_PASSWORD,
-    }
-    Flag.MIAW_SERVER_PASSWORD = "secret"
-    yield* Effect.promise(() => resetDatabase())
-    yield* Effect.addFinalizer(() =>
-      Effect.promise(async () => {
-        Flag.MIAW_SERVER_PASSWORD = original.MIAW_SERVER_PASSWORD
-        await resetDatabase()
-      }),
-    )
-  }),
-)
-
-const servedRoutes: Layer.Layer<never, Config.ConfigError, HttpServer.HttpServer> = HttpRouter.serve(
-  HttpApiApp.routes,
-  { disableListenLog: true, disableLogger: true },
-)
-
-const it = testEffect(
-  Layer.mergeAll(
-    testStateLayer,
-    servedRoutes.pipe(
-      Layer.provide(Socket.layerWebSocketConstructorGlobal),
-      Layer.provideMerge(NodeHttpServer.layerTest),
-      Layer.provideMerge(NodeServices.layer),
-    ),
-  ),
-)
-
-describe("HttpApi CORS", () => {
-  it.live("allows browser preflight requests without credentials", () =>
-    Effect.gen(function* () {
-      const response = yield* HttpClientRequest.options(InstancePaths.path).pipe(
-        HttpClientRequest.setHeaders({
-          origin: "http://localhost:3000",
-          "access-control-request-method": "GET",
-          "access-control-request-headers": "authorization",
-        }),
-        HttpClient.execute,
-      )
-
-      expect(response.status).toBe(204)
-      expect(response.headers["access-control-allow-origin"]).toBe("http://localhost:3000")
-      expect(response.headers["access-control-allow-headers"]).toBe("authorization")
-    }),
-  )
-
-  it.live("adds CORS headers to unauthorized responses", () =>
-    Effect.gen(function* () {
-      const handler = HttpRouter.toWebHandler(
-        HttpApiApp.createRoutes().pipe(
-          Layer.provide(ConfigProvider.layer(ConfigProvider.fromUnknown({ MIAW_SERVER_PASSWORD: "secret" }))),
-        ),
-        { disableLogger: true },
-      ).handler
-      const response = yield* Effect.promise(() =>
-        handler(
-          new Request(new URL("/global/config", "http://localhost"), {
-            headers: { origin: "https://app.miaw" },
-          }),
-          HttpApiApp.context,
-        ),
-      )
-
-      expect(response.status).toBe(401)
-      expect(response.headers.get("access-control-allow-origin")).toBe("https://app.miaw")
-    }),
-  )
-
-  it.live("uses custom CORS origins passed to the server", () =>
-    Effect.gen(function* () {
-      const listener = yield* Effect.acquireRelease(
-        Effect.promise(() => Server.listen({ hostname: "127.0.0.1", port: 0, cors: ["https://custom.example"] })),
-        (listener) => Effect.promise(() => listener.stop(true)),
-      )
-
-      const response = yield* Effect.promise(() =>
-        fetch(new URL(InstancePaths.path, listener.url), {
-          method: "OPTIONS",
-          headers: {
-            origin: "https://custom.example",
-            "access-control-request-method": "GET",
-            "access-control-request-headers": "authorization",
-          },
-        }),
-      )
-
-      expect(response.status).toBe(204)
-      expect(response.headers.get("access-control-allow-origin")).toBe("https://custom.example")
-      expect(response.headers.get("access-control-allow-headers")).toBe("authorization")
-
-      const rejected = yield* Effect.promise(() =>
-        fetch(new URL(InstancePaths.path, listener.url), {
-          method: "OPTIONS",
-          headers: {
-            origin: "https://evil.example",
-            "access-control-request-method": "GET",
-            "access-control-request-headers": "authorization",
-          },
-        }),
-      )
-
-      expect(rejected.status).toBe(204)
-      expect(rejected.headers.get("access-control-allow-origin")).not.toBe("https://evil.example")
-    }),
-  )
-})