test: close three real coverage gaps surfaced by the review

Three small, well-scoped additions filling gaps the parallel-agent review
flagged:

1. cgateConnectionPool: end-to-end cascade-exhaustion test. The pool's
   execute() path that walks every healthy connection, marks each one bad,
   and ultimately surfaces "No healthy connections available in pool"
   wasn't exercised end-to-end (existing tests covered the pre-emptied-set
   path and the single-failure-then-skip path, but not the drain). Test
   also advances fake timers so the deferred health-check actually prunes
   the healthy set, proving the cleanup path runs.

2. webServer CORS: OPTIONS preflight from a disallowed origin. Existing
   tests cover GET-from-disallowed and OPTIONS-from-allowed; this fills in
   the most security-relevant remaining cell of the matrix - the preflight
   denial path that browsers actually rely on.

3. webServer rate-limit: GET / read traffic must NOT be rate-limited even
   when the mutation budget is exhausted. Also tightens the 429 assertion
   to verify the error body shape, not just status.

Author: dougrathbone

tests/cgateConnectionPool.test.js

@@ -482,6 +482,37 @@ describe('CgateConnectionPool', () => {
             await expect(pool.execute('cmd\n')).rejects.toThrow();
             expect(markSpy).toHaveBeenCalled();
         });
+
+        it('drains the pool when every connection fails during a single execute()', async () => {
+            // Walk the cascading-failure path end-to-end: start fully healthy,
+            // make every connection refuse the send, assert execute() rejects
+            // and every healthy connection was marked unhealthy in turn.
+            // _markConnectionUnhealthy defers the actual removal via setTimeout;
+            // we advance fake timers so _checkConnectionHealth then prunes the
+            // unwritable/destroyed connections from the healthy set, and a
+            // follow-up execute surfaces the canonical "No healthy connections"
+            // error - proving the cascade path drains the pool, not just the
+            // first failed connection.
+            const connections = await startWithConnections();
+            const poolSize = connections.length;
+            expect(poolSize).toBeGreaterThan(0);
+            for (const c of connections) {
+                c.sendWithBackpressure = jest.fn().mockResolvedValue(false);
+                c.isWritable = false;
+                c.isDestroyed = true;
+            }
+            const markSpy = jest.spyOn(pool, '_markConnectionUnhealthy');
+
+            await expect(pool.execute('cmd\n')).rejects.toThrow();
+
+            expect(markSpy).toHaveBeenCalledTimes(poolSize);
+
+            // Drive the deferred health checks queued by _markConnectionUnhealthy.
+            jest.advanceTimersByTime(1100);
+            expect(pool.healthyConnections.size).toBe(0);
+
+            await expect(pool.execute('cmd\n')).rejects.toThrow('No healthy connections available in pool');
+        });
     });
 
     describe('Health monitoring', () => {

tests/webServer.test.js

@@ -385,6 +385,40 @@ describe('WebServer', () => {
             expect(res.status).toBe(204);
             expect(res.headers['access-control-allow-origin']).toBe('https://ha.local');
         });
+
+        it('should omit Access-Control-Allow-Origin on OPTIONS preflight from a disallowed origin', async () => {
+            const corsServer = new WebServer({
+                port: 0,
+                labelLoader,
+                allowedOrigins: ['https://ha.local'],
+                getStatus: () => ({})
+            });
+            await corsServer.start();
+            const corsPort = corsServer._server.address().port;
+
+            try {
+                const res = await new Promise((resolve, reject) => {
+                    const req = http.request({
+                        hostname: '127.0.0.1',
+                        port: corsPort,
+                        path: '/api/labels',
+                        method: 'OPTIONS',
+                        headers: { Origin: 'https://evil.example' }
+                    }, (response) => {
+                        resolve({ status: response.statusCode, headers: response.headers });
+                    });
+                    req.on('error', reject);
+                    req.end();
+                });
+
+                // Browsers treat a missing Allow-Origin header on the preflight
+                // response as a hard CORS denial. Server should NEVER reflect an
+                // origin that is not in the allowlist.
+                expect(res.headers['access-control-allow-origin']).toBeUndefined();
+            } finally {
+                await corsServer.close();
+            }
+        });
     });
 
     describe('API key protection', () => {
@@ -556,6 +590,38 @@ describe('WebServer', () => {
 
             const second = await doPatch();
             expect(second.status).toBe(429);
+            expect(second.body).toEqual({ error: 'Too many requests' });
+        });
+
+        it('does not rate-limit GET / read traffic regardless of frequency', async () => {
+            // Mutation budget is 1 per window, but reads must never be capped -
+            // a noisy dashboard polling /api/labels shouldn't lock itself out.
+            limitedServer = new WebServer({
+                port: 0,
+                labelLoader,
+                allowUnauthenticatedMutations: true,
+                maxMutationRequestsPerWindow: 1,
+                getStatus: () => ({})
+            });
+            await limitedServer.start();
+            limitedPort = limitedServer._server.address().port;
+
+            const doGet = () => new Promise((resolve, reject) => {
+                http.get({
+                    hostname: '127.0.0.1',
+                    port: limitedPort,
+                    path: '/api/labels'
+                }, (res) => {
+                    res.on('data', () => {});
+                    res.on('end', () => resolve({ status: res.statusCode }));
+                }).on('error', reject);
+            });
+
+            // Fire well past the mutation budget on GET - none should 429.
+            for (let i = 0; i < 5; i++) {
+                const r = await doGet();
+                expect(r.status).toBe(200);
+            }
         });
 
         it('removes dormant source entries after the rate limit window passes', () => {