minutework 0.1.39 → 0.1.41

package/assets/templates/vuilder-shell/src/features/dashboard/components/tenant-dashboard.tsx

@@ -0,0 +1,134 @@
+import Link from "next/link";
+import { ArrowRight, Database, ShieldCheck, UserRound } from "lucide-react";
+
+import { PanelFrame } from "@/design-system/patterns/panel-frame";
+import { StatusBadge } from "@/design-system/patterns/status-badge";
+import { Button } from "@/design-system/primitives/button";
+import { appRoutes } from "@/lib/app-routes";
+import type { AuthenticatedPlatformSession } from "@/lib/platform/contracts";
+import type { SessionMembership } from "@/lib/platform/contracts";
+import { preferredWorkspace } from "@/lib/platform/contracts";
+
+function DashboardMetric({
+  label,
+  value,
+}: {
+  label: string;
+  value: string;
+}) {
+  return (
+    <PanelFrame tone="raised" radius="xl" padding="md" className="space-y-2">
+      <p className="text-xs font-semibold uppercase tracking-wide text-muted-foreground">
+        {label}
+      </p>
+      <p className="text-sm font-semibold text-foreground">{value}</p>
+    </PanelFrame>
+  );
+}
+
+export function TenantDashboard({
+  appName,
+  membership: resolvedMembership,
+  session,
+}: {
+  appName: string;
+  membership?: SessionMembership | null;
+  session: AuthenticatedPlatformSession;
+}) {
+  const membership = resolvedMembership ?? preferredWorkspace(session);
+
+  return (
+    <div className="grid gap-6">
+      <PanelFrame tone="floating" radius="xl" padding="lg" className="space-y-6">
+        <div className="space-y-2">
+          <h2 className="text-3xl font-semibold tracking-tight">
+            {appName} workspace
+          </h2>
+          <p className="max-w-3xl text-sm leading-7 text-muted-foreground">
+            Customer workspace state is loaded through the platform member
+            session established by central SSO.
+          </p>
+        </div>
+
+        <div className="grid gap-3 md:grid-cols-3">
+          <DashboardMetric
+            label="Customer"
+            value={session.user?.display_name || session.user?.email || "Customer"}
+          />
+          <DashboardMetric
+            label="Tenant"
+            value={membership?.workspace_name || membership?.tenant_name || "Workspace"}
+          />
+          <DashboardMetric
+            label="Role"
+            value={
+              membership?.roles.map((role) => role.name).join(", ") ||
+              membership?.role ||
+              "member"
+            }
+          />
+        </div>
+      </PanelFrame>
+
+      <section className="grid gap-6 xl:grid-cols-[1fr,1fr]">
+        <PanelFrame tone="raised" radius="xl" padding="lg" className="space-y-4">
+          <div className="flex items-center gap-2">
+            <ShieldCheck className="size-5 text-primary" />
+            <h3 className="text-xl font-semibold tracking-tight">
+              Platform SSO
+            </h3>
+          </div>
+          <div className="flex flex-wrap gap-3">
+            <StatusBadge tone="primary">shell token</StatusBadge>
+            <StatusBadge tone="info">HttpOnly cookies</StatusBadge>
+            <StatusBadge tone="success">CSRF protected</StatusBadge>
+          </div>
+          <p className="text-sm leading-7 text-muted-foreground">
+            The shell consumes a platform member session and leaves identity,
+            provisioning, and install authority on platform-owned APIs.
+          </p>
+        </PanelFrame>
+
+        <PanelFrame tone="raised" radius="xl" padding="lg" className="space-y-4">
+          <div className="flex items-center gap-2">
+            <Database className="size-5 text-primary" />
+            <h3 className="text-xl font-semibold tracking-tight">
+              Gateway surfaces
+            </h3>
+          </div>
+          <p className="text-sm leading-7 text-muted-foreground">
+            Runtime data and agent surfaces should be added through approved
+            app-pack and platform gateway contracts, not browser-held runtime
+            credentials.
+          </p>
+          <Button asChild className="w-fit">
+            <Link href={appRoutes.demo}>
+              Open demo
+              <ArrowRight className="size-4" />
+            </Link>
+          </Button>
+        </PanelFrame>
+      </section>
+
+      <PanelFrame tone="raised" radius="xl" padding="lg" className="space-y-4">
+        <div className="flex items-center gap-2">
+          <UserRound className="size-5 text-primary" />
+          <h3 className="text-xl font-semibold tracking-tight">
+            Session payload
+          </h3>
+        </div>
+        <pre className="overflow-auto rounded-md bg-muted p-4 text-xs text-muted-foreground">
+          {JSON.stringify(
+            {
+              principal_kind: "tenant_member",
+              tenant_id: membership?.tenant_id,
+              workspace_slug: membership?.workspace_slug,
+            },
+            null,
+            2,
+          )}
+        </pre>
+      </PanelFrame>
+    </div>
+  );
+}

package/assets/templates/vuilder-shell/src/features/public-shell/components/static-public-page.tsx

@@ -0,0 +1,58 @@
+import Link from "next/link";
+import { ArrowRight } from "lucide-react";
+
+import { Button } from "@/design-system/primitives/button";
+import { appRoutes } from "@/lib/app-routes";
+
+export function StaticPublicPage({
+  eyebrow,
+  title,
+  body,
+}: {
+  eyebrow: string;
+  title: string;
+  body: string;
+}) {
+  return (
+    <main className="min-h-screen bg-background text-foreground">
+      <div className="mx-auto flex min-h-screen max-w-6xl flex-col px-6 py-6">
+        <nav className="flex items-center justify-between">
+          <Link className="text-sm font-semibold text-foreground" href={appRoutes.publicHome}>
+            Vuilder Shell
+          </Link>
+          <div className="flex items-center gap-2">
+            <Button asChild variant="ghost">
+              <Link href={appRoutes.pricing}>Pricing</Link>
+            </Button>
+            <Button asChild variant="ghost">
+              <Link href={appRoutes.docsIndex}>Docs</Link>
+            </Button>
+            <Button asChild>
+              <Link href={appRoutes.login}>Log in</Link>
+            </Button>
+          </div>
+        </nav>
+
+        <section className="grid flex-1 content-center gap-8 py-16">
+          <div className="max-w-3xl space-y-5">
+            <p className="text-sm font-semibold uppercase tracking-widest text-muted-foreground">
+              {eyebrow}
+            </p>
+            <h1 className="text-5xl font-semibold tracking-tight text-balance sm:text-6xl">
+              {title}
+            </h1>
+            <p className="max-w-2xl text-lg leading-8 text-muted-foreground">
+              {body}
+            </p>
+            <Button asChild className="w-fit">
+              <Link href={appRoutes.login}>
+                Continue
+                <ArrowRight className="size-4" />
+              </Link>
+            </Button>
+          </div>
+        </section>
+      </div>
+    </main>
+  );
+}

package/assets/templates/vuilder-shell/src/features/shell/components/authenticated-app-layout-shell.tsx

@@ -0,0 +1,84 @@
+"use client";
+
+import type { ReactNode } from "react";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
+import { LayoutDashboard, LogOut, PlaySquare } from "lucide-react";
+
+import { ThemeModeToggle } from "@/design-system/patterns/theme-mode-toggle";
+import { Button } from "@/design-system/primitives/button";
+import { appRoutes } from "@/lib/app-routes";
+import type {
+  AuthenticatedPlatformSession,
+  SessionMembership,
+} from "@/lib/platform/contracts";
+
+export function AuthenticatedAppLayoutShell({
+  appName,
+  membership,
+  session,
+  children,
+}: {
+  appName: string;
+  membership: SessionMembership;
+  session: AuthenticatedPlatformSession;
+  children: ReactNode;
+}) {
+  const router = useRouter();
+
+  async function handleLogout() {
+    await fetch("/api/auth/logout", { method: "POST" }).catch(() => undefined);
+    router.replace(appRoutes.loginForWorkspace(membership.workspace_slug));
+    router.refresh();
+  }
+
+  return (
+    <main className="min-h-screen bg-background text-foreground">
+      <div className="mx-auto flex min-h-screen max-w-7xl flex-col gap-6 px-6 py-8">
+        <header className="flex flex-col gap-6 xl:flex-row xl:items-start xl:justify-between">
+          <div className="space-y-2">
+            <p className="text-sm font-semibold uppercase tracking-widest text-muted-foreground">
+              {membership.workspace_name || membership.tenant_name}
+            </p>
+            <h1 className="max-w-3xl text-4xl font-semibold tracking-tight text-balance sm:text-5xl">
+              {appName}
+            </h1>
+            <p className="max-w-3xl text-base leading-7 text-muted-foreground sm:text-lg">
+              Signed in as {session.user?.email || session.user?.username}.
+            </p>
+          </div>
+
+          <div className="flex flex-col gap-3 sm:flex-row sm:items-start">
+            <ThemeModeToggle className="w-full sm:w-72" />
+            <Button
+              type="button"
+              variant="outline"
+              className="gap-2"
+              onClick={handleLogout}
+            >
+              <LogOut className="size-4" />
+              Log out
+            </Button>
+          </div>
+        </header>
+
+        <nav className="flex flex-wrap gap-2">
+          <Button asChild variant="default">
+            <Link href={appRoutes.workspaceShell(membership.workspace_slug)}>
+              <LayoutDashboard className="size-4" />
+              Dashboard
+            </Link>
+          </Button>
+          <Button asChild variant="outline">
+            <Link href={appRoutes.demo}>
+              <PlaySquare className="size-4" />
+              Demo
+            </Link>
+          </Button>
+        </nav>
+
+        {children}
+      </div>
+    </main>
+  );
+}

package/assets/templates/vuilder-shell/src/features/shell/components/private-app-shell.tsx

@@ -0,0 +1,22 @@
+import { TenantDashboard } from "@/features/dashboard/components/tenant-dashboard";
+import { VuilderConnectScreen } from "@/features/vuilder-shell/components/vuilder-connect-screen";
+import type {
+  PlatformSession,
+  SessionMembership,
+} from "@/lib/platform/contracts";
+
+export function PrivateAppShell({
+  appName,
+  membership,
+  session,
+}: {
+  appName: string;
+  membership: SessionMembership | null;
+  session: PlatformSession;
+}) {
+  if (!session.authenticated || !membership) {
+    return <VuilderConnectScreen session={session} workspaceSlug="workspace" />;
+  }
+
+  return <TenantDashboard appName={appName} membership={membership} session={session} />;
+}

package/assets/templates/vuilder-shell/src/features/vuilder-shell/components/vuilder-connect-screen.tsx

@@ -0,0 +1,89 @@
+import Link from "next/link";
+import { ArrowRight, CheckCircle2, ServerCog } from "lucide-react";
+
+import { PanelFrame } from "@/design-system/patterns/panel-frame";
+import { StatusBadge } from "@/design-system/patterns/status-badge";
+import { Button } from "@/design-system/primitives/button";
+import { appRoutes } from "@/lib/app-routes";
+import type { PlatformSession } from "@/lib/platform/contracts";
+import { workspaceMembershipForSession } from "@/lib/platform/contracts";
+
+export function VuilderConnectScreen({
+  session,
+  workspaceSlug,
+}: {
+  session: PlatformSession;
+  workspaceSlug: string;
+}) {
+  const membership = workspaceMembershipForSession(session, workspaceSlug);
+  const tenantName = membership?.workspace_name || membership?.tenant_name || workspaceSlug;
+  const hasWorkspaceMembership = Boolean(membership);
+  const isAuthenticated = session.authenticated;
+
+  return (
+    <main className="min-h-screen bg-background text-foreground">
+      <div className="mx-auto flex min-h-screen max-w-5xl items-center px-6 py-10">
+        <PanelFrame tone="floating" radius="xl" padding="lg" className="w-full space-y-6">
+          <div className="flex items-center gap-3 text-primary">
+            {hasWorkspaceMembership ? (
+              <CheckCircle2 className="size-5" />
+            ) : (
+              <ServerCog className="size-5" />
+            )}
+            <p className="text-sm font-semibold uppercase tracking-widest">
+              Vuilder Shell
+            </p>
+          </div>
+
+          <div className="space-y-3">
+            <h1 className="text-4xl font-semibold tracking-tight text-balance">
+              {hasWorkspaceMembership
+                ? `${tenantName} is ready to open.`
+                : isAuthenticated
+                  ? "Workspace access is not available."
+                  : "Sign in to open this customer workspace."}
+            </h1>
+            <p className="max-w-2xl text-base leading-7 text-muted-foreground">
+              Runtime provisioning and app-pack installation are owned by the
+              platform onboarding intent. This shell opens the branded tenant
+              experience after the customer session is available.
+            </p>
+          </div>
+
+          <div className="grid gap-3 sm:grid-cols-3">
+            <StatusBadge tone={isAuthenticated ? "success" : "default"}>
+              Identity
+            </StatusBadge>
+            <StatusBadge tone="primary">Runtime</StatusBadge>
+            <StatusBadge tone="primary">App Pack</StatusBadge>
+          </div>
+
+          <div className="flex flex-col gap-3 sm:flex-row">
+            {hasWorkspaceMembership ? (
+              <Button asChild className="gap-2">
+                <Link href={appRoutes.workspaceShell(workspaceSlug)}>
+                  Open Workspace
+                  <ArrowRight className="size-4" />
+                </Link>
+              </Button>
+            ) : !isAuthenticated ? (
+              <Button asChild className="gap-2">
+                <Link href={appRoutes.loginForWorkspaceConnect(workspaceSlug)}>
+                  Open Login
+                  <ArrowRight className="size-4" />
+                </Link>
+              </Button>
+            ) : (
+              <Button asChild variant="outline" className="gap-2">
+                <Link href={appRoutes.appHome}>
+                  Workspace Home
+                  <ArrowRight className="size-4" />
+                </Link>
+              </Button>
+            )}
+          </div>
+        </PanelFrame>
+      </div>
+    </main>
+  );
+}

package/assets/templates/vuilder-shell/src/features/vuilder-shell/components/vuilder-workspace-screen.tsx

@@ -0,0 +1,49 @@
+import { Building2, Package, ServerCog } from "lucide-react";
+
+import { PanelFrame } from "@/design-system/patterns/panel-frame";
+import { StatusBadge } from "@/design-system/patterns/status-badge";
+import { TenantDashboard } from "@/features/dashboard/components/tenant-dashboard";
+import type {
+  AuthenticatedPlatformSession,
+  SessionMembership,
+} from "@/lib/platform/contracts";
+
+export function VuilderWorkspaceScreen({
+  appName,
+  membership,
+  session,
+  workspaceSlug,
+}: {
+  appName: string;
+  membership: SessionMembership;
+  session: AuthenticatedPlatformSession;
+  workspaceSlug: string;
+}) {
+  return (
+    <div className="grid gap-6">
+      <PanelFrame tone="floating" radius="xl" padding="lg" className="space-y-4">
+        <div className="flex flex-wrap gap-3">
+          <StatusBadge tone="primary">
+            <Building2 className="mr-1 size-3" />
+            {membership.workspace_slug || workspaceSlug}
+          </StatusBadge>
+          <StatusBadge tone="primary">
+            <ServerCog className="mr-1 size-3" />
+            {membership.runtime_status || "Runtime status"}
+          </StatusBadge>
+          <StatusBadge tone="primary">
+            <Package className="mr-1 size-3" />
+            App pack status
+          </StatusBadge>
+        </div>
+        <p className="max-w-3xl text-sm leading-7 text-muted-foreground">
+          This branded shell renders the tenant experience for the active
+          customer session. Identity, provisioning, and install authority remain
+          on the MinuteWork platform path.
+        </p>
+      </PanelFrame>
+
+      <TenantDashboard appName={appName} membership={membership} session={session} />
+    </div>
+  );
+}

package/assets/templates/vuilder-shell/src/lib/app-routes.test.ts

@@ -0,0 +1,37 @@
+import { describe, expect, it } from "vitest";
+
+import { appRoutes } from "@/lib/app-routes";
+
+describe("appRoutes", () => {
+  it("builds a blog route from a single slug segment", () => {
+    expect(appRoutes.blogPost("launching-the-combined-web-starter")).toBe(
+      "/blog/launching-the-combined-web-starter",
+    );
+    expect(appRoutes.blogPost(["launching-the-combined-web-starter"])).toBe(
+      "/blog/launching-the-combined-web-starter",
+    );
+  });
+
+  it("rejects multi-segment blog slugs instead of truncating them", () => {
+    expect(() => appRoutes.blogPost(["release", "v1"])).toThrow(
+      "Blog routes require exactly one slug segment.",
+    );
+  });
+
+  it("builds branded workspace shell routes", () => {
+    expect(appRoutes.workspaceConnect("fleet-alpha")).toBe("/w/fleet-alpha/connect");
+    expect(appRoutes.workspaceShell(["fleet alpha"])).toBe("/w/fleet%20alpha");
+    expect(appRoutes.loginForWorkspace("fleet-alpha")).toBe(
+      "/login?return_to=%2Fw%2Ffleet-alpha",
+    );
+    expect(appRoutes.loginForWorkspaceConnect("fleet-alpha")).toBe(
+      "/login?return_to=%2Fw%2Ffleet-alpha%2Fconnect",
+    );
+  });
+
+  it("rejects ambiguous workspace route segments", () => {
+    expect(() => appRoutes.workspaceShell(["fleet", "alpha"])).toThrow(
+      "Workspace routes require exactly one slug segment.",
+    );
+  });
+});

package/assets/templates/vuilder-shell/src/lib/app-routes.ts

@@ -0,0 +1,86 @@
+import type { Route } from "next";
+
+function joinRouteSegments(segments: readonly string[]) {
+  return segments.map((segment) => encodeURIComponent(segment)).join("/");
+}
+
+function requireSingleRouteSegment(
+  slug: string | readonly string[],
+  routeLabel: string,
+) {
+  if (typeof slug === "string") {
+    const segment = slug.trim();
+
+    if (segment.length === 0) {
+      throw new Error(`${routeLabel} require a non-empty slug segment.`);
+    }
+
+    return segment;
+  }
+
+  if (slug.length !== 1) {
+    throw new Error(`${routeLabel} require exactly one slug segment.`);
+  }
+
+  const [segment] = slug;
+  const normalizedSegment = segment?.trim();
+
+  if (!normalizedSegment) {
+    throw new Error(`${routeLabel} require a non-empty slug segment.`);
+  }
+
+  return normalizedSegment;
+}
+
+const publicHomeRoute: Route = "/";
+const pricingRoute: Route = "/pricing";
+const docsIndexRoute: Route = "/docs";
+const blogIndexRoute: Route = "/blog";
+const loginRoute: Route = "/login";
+const appHomeRoute: Route = "/app";
+const demoRoute = "/app/demo" as Route;
+
+function loginWithReturnTo(returnTo: Route) {
+  const params = new URLSearchParams({ return_to: returnTo });
+  return `${loginRoute}?${params.toString()}` as Route;
+}
+
+function workspaceShellRoute(workspaceSlug: string | readonly string[]) {
+  return `/w/${encodeURIComponent(
+    requireSingleRouteSegment(workspaceSlug, "Workspace routes"),
+  )}` as Route;
+}
+
+function workspaceConnectRoute(workspaceSlug: string | readonly string[]) {
+  return `${workspaceShellRoute(workspaceSlug)}/connect` as Route;
+}
+
+export const appRoutes = {
+  publicHome: publicHomeRoute,
+  pricing: pricingRoute,
+  docsIndex: docsIndexRoute,
+  docsPage(slugParts: readonly string[]) {
+    return `/docs/${joinRouteSegments(slugParts)}` as Route;
+  },
+  blogIndex: blogIndexRoute,
+  blogPost(slug: string | readonly string[]) {
+    return `/blog/${encodeURIComponent(
+      requireSingleRouteSegment(slug, "Blog routes"),
+    )}` as Route;
+  },
+  login: loginRoute,
+  loginForWorkspace(workspaceSlug: string | readonly string[]) {
+    return loginWithReturnTo(workspaceShellRoute(workspaceSlug));
+  },
+  loginForWorkspaceConnect(workspaceSlug: string | readonly string[]) {
+    return loginWithReturnTo(workspaceConnectRoute(workspaceSlug));
+  },
+  appHome: appHomeRoute,
+  demo: demoRoute,
+  workspaceShell(workspaceSlug: string | readonly string[]) {
+    return workspaceShellRoute(workspaceSlug);
+  },
+  workspaceConnect(workspaceSlug: string | readonly string[]) {
+    return workspaceConnectRoute(workspaceSlug);
+  },
+};

package/assets/templates/vuilder-shell/src/lib/auth-routes.server.test.ts

@@ -0,0 +1,26 @@
+import { describe, expect, it } from "vitest";
+
+import { buildCentralSsoLoginUrl, buildShellAbsoluteUrl } from "@/lib/auth-routes.server";
+
+describe("auth route helpers", () => {
+  it("builds an SSO login URL that returns to the requested workspace path", () => {
+    expect(buildCentralSsoLoginUrl("/w/fleet-alpha/connect", "state-1")).toBe(
+      "http://127.0.0.1:3400/login?returnTo=http%3A%2F%2F127.0.0.1%3A3301%2Fw%2Ffleet-alpha%2Fconnect%3Fmw_shell_state%3Dstate-1",
+    );
+  });
+
+  it("normalizes bare workspace returns to the connect route for shell handoff", () => {
+    expect(buildCentralSsoLoginUrl("/w/fleet-alpha", "state-1")).toBe(
+      "http://127.0.0.1:3400/login?returnTo=http%3A%2F%2F127.0.0.1%3A3301%2Fw%2Ffleet-alpha%2Fconnect%3Fmw_shell_state%3Dstate-1",
+    );
+  });
+
+  it("falls back to /app for unsafe return paths", () => {
+    expect(buildShellAbsoluteUrl("https://evil.example.com")).toBe(
+      "http://127.0.0.1:3301/app",
+    );
+    expect(buildShellAbsoluteUrl("//evil.example.com")).toBe(
+      "http://127.0.0.1:3301/app",
+    );
+  });
+});

package/assets/templates/vuilder-shell/src/lib/auth-routes.server.ts

@@ -0,0 +1,53 @@
+import "server-only";
+
+import type { Route } from "next";
+
+import { appRoutes } from "@/lib/app-routes";
+import { getEnv } from "@/lib/platform/env.server";
+
+const SHELL_HANDOFF_STATE_PARAM = "mw_shell_state";
+
+function normalizeShellReturnPath(value?: string | null): Route {
+  const candidate = String(value ?? "").trim();
+  if (!candidate || !candidate.startsWith("/") || candidate.startsWith("//")) {
+    return appRoutes.appHome;
+  }
+
+  try {
+    const parsed = new URL(candidate, "http://localhost");
+    if (parsed.origin !== "http://localhost" || !parsed.pathname.startsWith("/")) {
+      return appRoutes.appHome;
+    }
+    const segments = parsed.pathname.split("/").filter(Boolean);
+    if (segments.length === 2 && segments[0] === "w") {
+      const workspaceSlug = decodeURIComponent(segments[1] ?? "");
+      return `${appRoutes.workspaceConnect(workspaceSlug)}${parsed.search}${parsed.hash}` as Route;
+    }
+    return `${parsed.pathname}${parsed.search}${parsed.hash}` as Route;
+  } catch {
+    return appRoutes.appHome;
+  }
+}
+
+export function buildShellAbsoluteUrl(
+  path: string | null | undefined,
+  handoffState?: string | null,
+) {
+  const { MW_PUBLIC_BASE_URL } = getEnv();
+  const url = new URL(normalizeShellReturnPath(path), MW_PUBLIC_BASE_URL);
+  const normalizedState = String(handoffState ?? "").trim();
+  if (normalizedState) {
+    url.searchParams.set(SHELL_HANDOFF_STATE_PARAM, normalizedState);
+  }
+  return url.toString();
+}
+
+export function buildCentralSsoLoginUrl(
+  returnPath?: string | null,
+  handoffState?: string | null,
+) {
+  const { MW_AUTH_BASE_URL } = getEnv();
+  const url = new URL("/login", MW_AUTH_BASE_URL);
+  url.searchParams.set("returnTo", buildShellAbsoluteUrl(returnPath, handoffState));
+  return url.toString();
+}

package/assets/templates/vuilder-shell/src/lib/http/same-origin.test.ts

@@ -0,0 +1,23 @@
+import { describe, expect, it } from "vitest";
+
+import { hasTrustedBrowserOrigin } from "@/lib/http/same-origin";
+
+describe("hasTrustedBrowserOrigin", () => {
+  it("accepts a same-origin browser POST", () => {
+    const request = new Request("https://shell.example.com/api/auth/logout", {
+      method: "POST",
+      headers: { origin: "https://shell.example.com" },
+    });
+
+    expect(hasTrustedBrowserOrigin(request)).toBe(true);
+  });
+
+  it("rejects a cross-origin browser POST", () => {
+    const request = new Request("https://shell.example.com/api/auth/logout", {
+      method: "POST",
+      headers: { origin: "https://evil.example.com" },
+    });
+
+    expect(hasTrustedBrowserOrigin(request)).toBe(false);
+  });
+});