- Replace Server.App() with Server.Default() for internal server access
- Extract server app creation into Server.createApp(opts) for testability
- Move CORS whitelist from module-level variable to function parameter
- Update all tests to use Server.Default() instead of Server.App()
Adds test cases for filtering sessions by directory, root sessions only,
start time, search terms, and result limits to ensure the listing
functionality works correctly for all filter combinations.
