Key boundary: this console never sends API keys, JWT secrets, or worker secrets from the browser. All sensitive values live in worker bindings (server-side only). Browser tests use public-or-CORS-permitted endpoints only. CORS / 401 / 405 errors are expected when the worker requires server-to-server auth and are reported honestly — they do not mean the worker is absent.