Address review feedback to improve eval server behavior

delner · delner · commit 5ff574d141b2 · 2026-04-02T18:56:12.000Z
diff --git a/server/auth.go b/server/auth.go
@@ -145,6 +145,7 @@ func (c *authCache) evict(token, orgName string) {
 }
 
 // moveToEnd moves a key to the end of the LRU order.
+// O(n) scan over the order slice; fine for defaultAuthCacheMax (64).
 // Must be called with c.mu held.
 func (c *authCache) moveToEnd(key string) {
 	for i, k := range c.order {
diff --git a/server/cors.go b/server/cors.go
@@ -7,7 +7,8 @@ import (
 )
 
 // allowedOriginPattern matches braintrust.dev and braintrustdata.dev origins
-// including subdomains and preview deployments.
+// including subdomains and preview deployments. HTTP is allowed alongside HTTPS
+// to support local development proxies.
 var allowedOriginPattern = regexp.MustCompile(`^https?://([\w-]+\.)*(braintrust|braintrustdata)\.dev$`)
 
 var corsAllowHeaders = strings.Join([]string{
@@ -40,6 +41,7 @@ func corsMiddleware(next http.Handler) http.Handler {
 			w.Header().Set("Access-Control-Expose-Headers", corsAllowHeaders)
 			w.Header().Set("Access-Control-Allow-Credentials", "true")
 			w.Header().Set("Access-Control-Max-Age", corsMaxAge)
+			w.Header().Set("Vary", "Origin")
 			// Support Chrome Private Network Access
 			w.Header().Set("Access-Control-Allow-Private-Network", "true")
 		}
diff --git a/server/server.go b/server/server.go
@@ -6,14 +6,14 @@
 //
 // Example:
 //
-//	srv := server.New(server.WithAddress(":8300"))
-//
-//	server.Register(srv, "classify",
-//	    eval.T(classifyTask),
-//	    []eval.Scorer[string, string]{scorer},
-//	    server.RegisterOpts{ProjectName: "my-project"},
-//	)
+//	classify := &eval.Eval[string, string]{
+//	    Name:    "classify",
+//	    Task:    eval.T(classifyTask),
+//	    Scorers: []eval.Scorer[string, string]{scorer},
+//	}
 //
+//	srv := server.New(server.WithAddress(":8300"))
+//	server.Register(srv, classify, server.RegisterOpts{})
 //	log.Fatal(srv.Start())
 package server
 
@@ -188,14 +188,18 @@ func (s *Server) Shutdown(ctx context.Context) error {
 	srv := s.httpServer
 	s.serverMu.Unlock()
 
+	// Drain active requests before closing the default session,
+	// so in-flight evals using it can complete.
+	var err error
+	if srv != nil {
+		err = srv.Shutdown(ctx)
+	}
+
 	if s.defaultAuth != nil {
 		s.defaultAuth.session.Close()
 	}
 
-	if srv == nil {
-		return nil
-	}
-	return srv.Shutdown(ctx)
+	return err
 }
 
 // handleHealth responds to GET / with a health check.

Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,7 @@ func (c *authCache) evict(token, orgName string) {`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`// moveToEnd moves a key to the end of the LRU order.`
	`148`	`+// O(n) scan over the order slice; fine for defaultAuthCacheMax (64).`
`148`	`149`	`// Must be called with c.mu held.`
`149`	`150`	`func (c *authCache) moveToEnd(key string) {`
`150`	`151`	`for i, k := range c.order {`