test(web): Playwright e2e harness with auth-gate and dashboard specs (#76)

Closes #74

## Summary

Adds a Playwright e2e harness for `@gsd/web` that runs against the
production build (`vite build` + `vite preview`) with every `/api/*`
call stubbed at the network layer. The Nest server is never started —
this is the **stubs-only** tier (#74); the full-stack tier with a real
Nest server lands separately in #75.

- New scripts: `npm run app:test:e2e` (root) → `playwright test` in
`@gsd/web`.
- New CI job (`.github/workflows/e2e.yml`) installs the Chromium browser
with system deps, runs the suite on every PR, and uploads
`playwright-report/` (traces + videos) as an artifact on failure.
- Co-located fixtures and stubs under `app/packages/web/e2e/fixtures/`;
specs under `e2e/specs/`.
- A custom `authedPage` Playwright fixture pre-seeds
`localStorage.apiToken` so most specs start authenticated; auth-gate
specs use the base `test` to exercise the 401-trigger path.
- A catch-all `page.route('**/api/**')` returns 404 for any endpoint not
explicitly stubbed so missing stubs surface as fast test failures rather
than hangs.

## Spec coverage delivered with this PR

**Auth gate** (`auth-gate.spec.ts`):
- `should show token modal when API returns 401`
- `should load dashboard when valid token is already stored`
- `should save token and show dashboard after reload`

**Dashboard** (`dashboard.spec.ts`):
- `should render a game card for a stopped game` / `for a running game
with IP`
- `should render multiple game cards`
- `should show empty-state message when no games are configured`
- `should fire POST /api/start/:game when Start is clicked`
- `should disable Start button for a running game`
- Sidebar nav specs for `/logs`, `/discord`, `/settings`

Per-surface specs (Costs panel, Stop confirmation, polling indicator,
etc.) follow with their respective UI issues (#60–#68) — the harness is
now in place to plug them in.

## Acceptance criteria from #74

- [x] `npm run app:test:e2e` runs the suite locally and in CI against
the production build.
- [x] CI fails the PR when a spec breaks; traces + videos uploaded as
artifacts on failure.
- [x] At least the auth-gate and dashboard Start specs land with this
issue.
- [x] `docs/docs/components/management-app.md` gains a \"Running e2e
tests\" section.
- [x] No real AWS / Discord calls — every external request is stubbed.
- [x] `npm run app:test` continues to pass; e2e suite runs as a separate
command.
- [x] `CLAUDE.md`'s \"Code & Test Conventions\" section now describes
the two-tier strategy (#74 stubs vs #75 real Nest) and when to add specs
to each tier.

## Implementation notes

- Chose **Playwright** over Vitest browser mode (per the issue's open
question) for the trace viewer, parallel projects, and first-class CI
artifacts story. Vitest unit tests remain on Vitest — only
browser-driven specs use Playwright.
- The webServer command is `npm run build && npm run preview`;
Playwright polls until `http://localhost:4173` responds.
`reuseExistingServer` is true locally so re-runs are fast if `vite
preview` is already running.
- Cleanup: added `app/packages/web/test-results/`, `playwright-report/`,
and `playwright/.cache/` to `.gitignore` so local artifacts don't get
committed.

## Test plan

- [ ] CI: e2e workflow runs and all 12 specs pass (Chromium, Ubuntu).
- [ ] Local: `sudo npx playwright install-deps chromium` once, then `npm
run app:test:e2e` from repo root passes.
- [ ] `npm run app:test` still passes (the unit-test suite is
untouched).
- [ ] Reviewer can open `app/packages/web/playwright-report/index.html`
after a local run to inspect traces/videos.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: CoderCoco

.github/workflows/e2e.yml

@@ -0,0 +1,36 @@
+name: E2E Tests
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '24'
+          cache: npm
+          cache-dependency-path: package-lock.json
+
+      - run: npm ci
+
+      - name: Install Playwright browsers
+        run: npx playwright install chromium --with-deps
+        working-directory: app/packages/web
+
+      - run: npm run app:test:e2e
+
+      - uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: playwright-report
+          path: app/packages/web/playwright-report/
+          retention-days: 30

.gitignore

@@ -34,4 +34,9 @@ Thumbs.db
 # be committed (contains AWS ARNs/account IDs).
 app/packages/server/src/generated/tfstate.ts
 
+# Playwright artifacts (traces, videos, screenshots) and HTML report.
+app/packages/web/test-results/
+app/packages/web/playwright-report/
+app/packages/web/playwright/.cache/
+
 .make

CLAUDE.md

@@ -154,11 +154,29 @@ Any time you add or remove Terraform variables, update **all four** of these in
 
 ## Code & Test Conventions
 
-- **Test names**: every `it(...)` case must read as a natural-language sentence starting with "should" — e.g. `it('should return null when state file is missing')`, not `it('returns null...')`.
+- **Test names**: every `it(...)` / `test(...)` case must read as a natural-language sentence starting with "should" — e.g. `it('should return null when state file is missing')`, not `it('returns null...')`.
 - **TSDoc comments**: document non-trivial functions, helpers, and notable constants/variables with TSDoc (`/** ... */`) so their intent is clear later. This applies to test-file helpers (stub factories, fixtures) as well as production code.
 - **Typing in tests**: avoid `as unknown as SomeType` casts. Prefer `vi.mocked(fn)` for mocked modules and `Partial<T>` + a single `as T` for service-shaped stubs.
 - **No raw `process.env` in business logic**: wrap environment access behind a service method so tests can stub it via `vi.spyOn` instead of mutating `process.env` (which is flaky and leaks across tests).
 
+### Two-tier browser testing strategy
+
+The test suite has two complementary tiers:
+
+| Tier | Command | What runs | When to add specs |
+|------|---------|-----------|-------------------|
+| **Unit / integration** | `npm run app:test` | Vitest — server-side logic, hooks, helpers. No browser, no real network. AWS SDK mocked via `aws-sdk-client-mock`. | Pure logic, hook behaviour, server controllers. |
+| **E2E (tier 1 — #74)** | `npm run app:test:e2e` | Playwright against `vite build` + `vite preview`. Nest server never runs; every `/api/*` call is stubbed at the network layer via `page.route()`. | User-visible flows: routing, auth gate, button interactions, status-badge rendering, optimistic updates. |
+
+A planned **tier 2** (#75) will add full-stack specs (real Nest + mocked AWS SDK) for scenarios that require real HTTP contract validation between the client and server. Until that lands, all browser-facing specs belong in tier 1.
+
+**Playwright conventions:**
+- Specs live under `app/packages/web/e2e/specs/`.
+- Shared stub helpers and fixtures are in `app/packages/web/e2e/fixtures/`.
+- Import `{ test, expect, stubApis }` from `../fixtures/index.js` for authenticated specs; use `@playwright/test` directly for auth-gate specs.
+- Use the `authedPage` fixture (token pre-seeded in localStorage) for any spec that is not testing the auth flow itself.
+- Stubs must cover every `/api/*` endpoint the page hits, or the catch-all returns 404 and the test will surface the missing stub quickly.
+
 ## Git & Branch Workflow
 
 `main` is a protected branch — direct pushes are blocked. All changes go through a PR, including trivial chores (`.gitignore` entries, config tweaks). Never commit directly to `main`.

app/eslint.config.js

@@ -49,6 +49,7 @@ export default tseslint.config(
   },
   {
     files: ['packages/web/**/*.{ts,tsx}'],
+    ignores: ['packages/web/e2e/**'],
     ...react.configs.flat.recommended,
     languageOptions: {
       ...react.configs.flat.recommended.languageOptions,
@@ -62,16 +63,18 @@ export default tseslint.config(
   },
   {
     files: ['packages/web/**/*.{ts,tsx}'],
+    ignores: ['packages/web/e2e/**'],
     ...react.configs.flat['jsx-runtime'],
   },
   {
     files: ['packages/web/**/*.{ts,tsx}'],
+    ignores: ['packages/web/e2e/**'],
     plugins: { 'react-hooks': reactHooks },
     rules: reactHooks.configs.recommended.rules,
   },
   {
-    // TypeScript already enforces prop types; disable the runtime-only rule.
     files: ['packages/web/**/*.{ts,tsx}'],
+    ignores: ['packages/web/e2e/**'],
     rules: { 'react/prop-types': 'off' },
   },
   {

app/packages/web/e2e/fixtures/game-data.ts

@@ -0,0 +1,50 @@
+import type { GameStatus, CostEstimates, EnvInfo, WatchdogConfig } from '../../src/api.js';
+
+/** Stub response for `GET /api/env`. */
+export const ENV_DATA: EnvInfo = {
+  region: 'us-east-1',
+  domain: 'example.com',
+  environment: 'dev',
+};
+
+/** A single stopped game — use as the default single-game fixture. */
+export const STOPPED_GAME: GameStatus = {
+  game: 'minecraft',
+  state: 'stopped',
+};
+
+/** A single running game with a public IP. */
+export const RUNNING_GAME: GameStatus = {
+  game: 'minecraft',
+  state: 'running',
+  publicIp: '1.2.3.4',
+  hostname: 'minecraft.example.com',
+  taskArn: 'arn:aws:ecs:us-east-1:123:task/minecraft/abc',
+};
+
+/** Two-game fixture covering stopped + running states. */
+export const MULTI_GAME_STATUSES: GameStatus[] = [
+  STOPPED_GAME,
+  { game: 'valheim', state: 'running', publicIp: '5.6.7.8' },
+];
+
+/** Stub response for `GET /api/config` (the watchdog tuning panel). */
+export const WATCHDOG_CONFIG: WatchdogConfig = {
+  watchdog_interval_minutes: 15,
+  watchdog_idle_checks: 4,
+  watchdog_min_packets: 100,
+};
+
+/** Stub response for `GET /api/costs/estimate`. */
+export const COST_DATA: CostEstimates = {
+  games: {
+    minecraft: {
+      vcpu: 1,
+      memoryGb: 2,
+      costPerHour: 0.08,
+      costPerDay24h: 1.92,
+      costPerMonth4hpd: 9.6,
+    },
+  },
+  totalPerHourIfAllOn: 0.08,
+};

app/packages/web/e2e/fixtures/index.ts

@@ -0,0 +1,86 @@
+import { test as base, type Page } from '@playwright/test';
+import type { GameStatus, CostEstimates, EnvInfo, ActionResult, WatchdogConfig } from '../../src/api.js';
+import { ENV_DATA, STOPPED_GAME, COST_DATA, WATCHDOG_CONFIG } from './game-data.js';
+
+export type { GameStatus, CostEstimates, EnvInfo, WatchdogConfig };
+export { ENV_DATA, STOPPED_GAME, RUNNING_GAME, MULTI_GAME_STATUSES, COST_DATA, WATCHDOG_CONFIG } from './game-data.js';
+
+/** Per-spec overrides for the default `/api/*` stubs registered by `stubApis`. */
+export interface StubOptions {
+  /** Game statuses returned by `GET /api/status`. Defaults to `[STOPPED_GAME]`. */
+  statuses?: GameStatus[];
+  /** Cost estimates returned by `GET /api/costs/estimate`. */
+  costs?: CostEstimates;
+  /** Env info returned by `GET /api/env`. */
+  env?: EnvInfo;
+  /** Watchdog config returned by `GET /api/config`. */
+  config?: WatchdogConfig;
+  /** Override for `POST /api/start/:game` response. */
+  startResult?: ActionResult;
+}
+
+/**
+ * Registers Playwright route intercepts for all `/api/*` endpoints used by the
+ * dashboard. Call before `page.goto()` in each spec that needs a running UI.
+ *
+ * Playwright matches routes in REVERSE registration order (last-registered
+ * wins), so we register the catch-all FIRST and the specific stubs after —
+ * that way `/api/status` hits the specific handler, while `/api/anything-else`
+ * falls through to the catch-all 404 so missing stubs surface as fast failures
+ * instead of hangs.
+ */
+export async function stubApis(page: Page, opts: StubOptions = {}): Promise<void> {
+  const statuses = opts.statuses ?? [STOPPED_GAME];
+  const costs = opts.costs ?? COST_DATA;
+  const env = opts.env ?? ENV_DATA;
+  const config = opts.config ?? WATCHDOG_CONFIG;
+  const startResult: ActionResult = opts.startResult ?? { success: true, message: 'Started' };
+
+  await page.route('**/api/**', (route) =>
+    route.fulfill({ status: 404, json: { error: 'not stubbed' } })
+  );
+
+  await page.route('**/api/env', (route) => route.fulfill({ json: env }));
+
+  await page.route('**/api/status', (route) => route.fulfill({ json: statuses }));
+
+  await page.route('**/api/status/*', (route) => {
+    const game = new URL(route.request().url()).pathname.split('/').pop()!;
+    const s = statuses.find((x) => x.game === game) ?? statuses[0];
+    return route.fulfill({ json: s });
+  });
+
+  await page.route('**/api/costs/estimate', (route) => route.fulfill({ json: costs }));
+
+  await page.route('**/api/config', (route) => {
+    if (route.request().method() === 'POST') {
+      return route.fulfill({ json: { success: true, config } });
+    }
+    return route.fulfill({ json: config });
+  });
+
+  await page.route('**/api/start/*', (route) => route.fulfill({ json: startResult }));
+
+  await page.route('**/api/stop/*', (route) =>
+    route.fulfill({ json: { success: true, message: 'Stopped' } as ActionResult })
+  );
+}
+
+type E2EFixtures = {
+  /**
+   * A page with `apiToken` pre-seeded in localStorage so every navigation
+   * starts authenticated. Use this in all specs except auth-gate tests.
+   */
+  authedPage: Page;
+};
+
+export const test = base.extend<E2EFixtures>({
+  authedPage: async ({ page }, use) => {
+    await page.addInitScript(() => {
+      localStorage.setItem('apiToken', 'test-token');
+    });
+    await use(page);
+  },
+});
+
+export { expect } from '@playwright/test';

app/packages/web/e2e/specs/auth-gate.spec.ts

@@ -0,0 +1,72 @@
+import { test, expect } from '@playwright/test';
+import { stubApis, ENV_DATA, COST_DATA } from '../fixtures/index.js';
+
+/**
+ * Auth-gate specs use the base Playwright `test` (no pre-seeded token) so
+ * they can verify the 401 → modal and token-save → reload flows in isolation.
+ */
+
+test.describe('auth gate', () => {
+  test('should show token modal when API returns 401', async ({ page }) => {
+    await page.route('**/api/**', (route) =>
+      route.fulfill({ status: 401, body: 'Unauthorized' })
+    );
+    await page.goto('/');
+    await expect(page.getByRole('heading', { name: 'API token required' })).toBeVisible();
+  });
+
+  test('should load dashboard when valid token is already stored', async ({ page }) => {
+    await page.addInitScript(() => {
+      localStorage.setItem('apiToken', 'test-token');
+    });
+    await stubApis(page, { statuses: [] });
+    await page.goto('/');
+    // Top-bar heading is the dashboard shell; modal should not appear.
+    await expect(page.getByRole('heading', { name: 'Game Server Manager' })).toBeVisible();
+    await expect(page.getByRole('heading', { name: 'API token required' })).not.toBeVisible();
+  });
+
+  test('should save token and show dashboard after reload', async ({ page }) => {
+    // Playwright matches routes in REVERSE registration order, so register the
+    // catch-all 404 FIRST and the specific 401/200 handlers after — otherwise
+    // the catch-all takes precedence and the modal never triggers.
+    await page.route('**/api/**', (route) =>
+      route.fulfill({ status: 404, json: { error: 'not stubbed' } })
+    );
+    // Return 401 for unauthenticated requests, 200 once the token is present.
+    await page.route('**/api/env', async (route) => {
+      const auth = route.request().headers()['authorization'] ?? '';
+      if (auth.startsWith('Bearer ')) {
+        await route.fulfill({ json: ENV_DATA });
+      } else {
+        await route.fulfill({ status: 401, body: 'Unauthorized' });
+      }
+    });
+    await page.route('**/api/status', async (route) => {
+      const auth = route.request().headers()['authorization'] ?? '';
+      if (auth.startsWith('Bearer ')) {
+        await route.fulfill({ json: [] });
+      } else {
+        await route.fulfill({ status: 401, body: 'Unauthorized' });
+      }
+    });
+    await page.route('**/api/costs/estimate', async (route) => {
+      const auth = route.request().headers()['authorization'] ?? '';
+      if (auth.startsWith('Bearer ')) {
+        await route.fulfill({ json: COST_DATA });
+      } else {
+        await route.fulfill({ status: 401, body: 'Unauthorized' });
+      }
+    });
+
+    await page.goto('/');
+    await expect(page.getByRole('heading', { name: 'API token required' })).toBeVisible();
+
+    await page.getByPlaceholder('API token').fill('my-test-token');
+    await page.getByRole('button', { name: 'Save & reload' }).click();
+
+    // After reload the stored token is sent; the modal must be gone.
+    await expect(page.getByRole('heading', { name: 'Game Server Manager' })).toBeVisible();
+    await expect(page.getByRole('heading', { name: 'API token required' })).not.toBeVisible();
+  });
+});