test(e2e): Wave 2+3 — real-backend UI journeys + PR-smoke gate; fix pause/resume-by-token#192
Merged
Merged
Conversation
…ause/resume by token
Drive the ACTUAL dashboard in the browser against the real prod api with a
multi-tier minted cohort account, then reap (rule 24, no leak). Catches the
UI-against-real-backend breakage class (login-broke) that mocked Playwright +
tsc + vitest all miss.
Wave 3 — factory + named journeys (all proven green vs api.instanode.dev):
- e2e/factory.ts: thin wrapper over POST/DELETE /internal/e2e/account —
mintUser({tier}), mintUserWithResources, mintAtDeployCap (hobby cap=1), reap;
cohort-tagged + ledger-registered for the afterAll/out-of-process backstop.
- e2e/ui-helpers.ts: same-origin preview-proxy harness. The prod api CORS
allowlist returns allow-origin ONLY for https://instanode.dev (AUTH-004), so a
direct cross-origin fetch from the preview origin is CORS-blocked. The preview
server proxies api paths to prod (vite.config.ts preview.proxy) and the SPA's
api base is pinned same-origin → real backend, no CORS wall.
- e2e/live-ui-{auth,resources,deploy,team-vault}.spec.ts: journeys
#1 auth round-trip (authed shell + /auth/me identity; magic-link form),
#2 provision→view→metrics stream→creds reveal→delete,
#3 deploy lifecycle + build-log SSE connect + make-permanent,
#4 delete-when-exhausted→replace (hobby cap=1: #1 renders → #2 hits the 402
wall → delete #1 → replacement succeeds) — the headline scenario,
#5 pause/resume + 402 tier gate, #6 vault add→reveal→delete, #7 team invite.
- Manifest: live-ui.coverage.ts + done-bar wiring; add GET /deploy/:id/logs.
Wave 2 — PR-smoke gate:
- .github/workflows/e2e-pr-smoke.yml runs the @pr-smoke subset (#1/#2/#3) on
every web PR via a minted+reaped account; no-ops cleanly on fork/secret-less
PRs; full suite stays on the e2e-prod 30-min schedule.
REAL UI bug found + fixed (PauseResumeButton): pause/resume addressed the
resource by the UUID `id`, but the api resolves :id against the TOKEN column —
so every pause/resume 404'd ("Resource not found") through the dashboard. Now
uses resource.token (matches getResource/rotate/delete). Proven via journey #5.
Verified: all 10 live-ui tests green vs prod, ledger empty, reap 200; npm run
gate green (1129 tests).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mastermanas805
enabled auto-merge (squash)
June 5, 2026 22:45
size-limit report 📦
|
…lity) All three resource journeys use mintUserWithResources; mintUser was imported but never referenced. Flagged by github-code-quality on PR #192. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Wave 2 + Wave 3 of the CI integration design (
docs/ci/01-CI-INTEGRATION-DESIGN.md): drive the actual dashboard in a browser against the real prod api with a multi-tier minted cohort account, then reap (rule 24, no leak). This catches the UI-against-real-backend breakage class (the login-broke regression) that mocked Playwright + tsc + vitest all miss.Wave 3 — factory + named real-backend UI journeys
e2e/factory.ts— thin TS wrapper overPOST/DELETE /internal/e2e/account:mintUser({tier}),mintUserWithResources,mintAtDeployCap()(hobby, deployments_apps=1),reap(). Cohort-tagged + ledger-registered for the afterAll + out-of-process reaper backstop. Token-gated (skip-clean when unset).e2e/ui-helpers.ts— same-origin preview-proxy harness. The prod api CORS allowlist returnsallow-originonly forhttps://instanode.dev(AUTH-004), so a direct cross-origin fetch from the preview origin is CORS-blocked. The preview server proxies api paths to prod (vite.config.tspreview.proxy) and the SPA api base is pinned same-origin → exercises the real backend with no CORS wall (exactly like a user on instanode.dev).e2e/live-ui-{auth,resources,deploy,team-vault}.spec.ts— the 7 named journeys:/apprenders the authed shell (not/login) + the UserMenu shows the minted email/tier from real/auth/me(decisive anti-false-pass); magic-link form submits against real/auth/email/start.live-ui.coverage.ts+ done-bar wiring; addsGET /deploy/:id/logs(the build-log SSE).Wave 2 — UI real-backend smoke on the PR path
.github/workflows/e2e-pr-smoke.ymlruns the@pr-smokesubset (journeys feat(pricing): mark Team tier as Coming Soon #1/feat(pricing): replace unverified Team-tier promises with Coming Soon #2/feat(team-soon): drop unlimited-X promises from Billing + Team pages #3) on every web PR via a minted + reaped account. No-ops cleanly on fork / secret-less PRs (secrets aren't exposed there); gates merge on same-repo branch PRs. The full journey suite stays on the existinge2e-prod.yml30-min schedule.REAL UI-vs-backend bug found + fixed
PauseResumeButtonaddressed the resource by the UUIDid, but the api resolves:idagainst the token column — so every pause/resume 404'd ("Resource not found") through the dashboard (a never-working Pro feature). Verified live:pause by id → 404,pause by token → 200, for both seeded and fully-provisioned resources. Fixed to useresource.token(matching getResource/rotate/delete). Proven by journey #5.Verification (real prod)
api.instanode.dev; ledger empty + reap 200 every run (no leak).npm run gategreen (tsc + build + vitest, 1129 tests) incl. updated PauseResumeButton tests + the prod-coverage done-bar guard.🤖 Generated with Claude Code