buildApp function
Composes the full request handler: CORS, JSON error mapping, then the router.
CORS is the outermost layer so every response carries the headers — including
the JSON error responses jsonErrors renders for an auth failure. If CORS sat
inside, a bearerAuth 401 would unwind past it and reach the browser without
Access-Control-Allow-Origin, surfacing a real 401 as a misleading CORS error.
This is the testable seam — drive it with shelf Requests, no socket.
Implementation
Handler buildApp(ServerDependencies deps) => const Pipeline()
    .addMiddleware(corsHeaders(deps.config.corsAllowOrigins))
    .addMiddleware(jsonErrors())
    .addHandler(buildRouter(deps).call);
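
The ordering argument above, as an added example that is not the project's own code: it builds the same pipeline shape twice with shelf and shows that the 401 only carries Access-Control-Allow-Origin when CORS is the outermost layer. `cors`, this `jsonErrors`, `AuthFailure`, `protected` and the origin `https://app.example` are hypothetical stand-ins, and it assumes the auth failure is raised as an exception that the error-mapping layer renders.

```dart
import 'dart:convert';
import 'package:shelf/shelf.dart';

// Hypothetical stand-ins for the project's middleware (assumed behaviour).
class AuthFailure implements Exception {}

// Adds the CORS header to whatever response the inner handler returns.
// It does nothing for an exception that propagates through it.
Middleware cors(String origin) => (inner) => (request) async {
      final response = await inner(request);
      return response.change(headers: {'access-control-allow-origin': origin});
    };

// Turns an AuthFailure thrown further in into a JSON 401 response.
Middleware jsonErrors() => (inner) => (request) async {
      try {
        return await inner(request);
      } on AuthFailure {
        return Response(401,
            body: jsonEncode({'error': 'unauthorized'}),
            headers: {'content-type': 'application/json'});
      }
    };

// Stands in for a route behind bearer auth that rejects the token.
Response protected(Request request) => throw AuthFailure();

// Same order as buildApp: CORS wraps the error mapper.
Handler corsOutermost() => const Pipeline()
    .addMiddleware(cors('https://app.example'))
    .addMiddleware(jsonErrors())
    .addHandler(protected);

// Swapped order: the exception passes through CORS before it is rendered.
Handler corsInside() => const Pipeline()
    .addMiddleware(jsonErrors())
    .addMiddleware(cors('https://app.example'))
    .addHandler(protected);

Future<void> main() async {
  // Constructed request, driven through the handlers without a socket.
  final request = Request('GET', Uri.parse('http://localhost/items'));
  final apps = {'outermost': corsOutermost(), 'inside': corsInside()};
  for (final entry in apps.entries) {
    final response = await entry.value(request);
    final acao = response.headers['access-control-allow-origin'];
    print('${entry.key}: status=${response.statusCode} ACAO=$acao');
  }
}
```

Both orderings return 401; only the header differs, which is why a test on this seam should assert on the response headers of error paths and not just on the status code.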