test(e2e): scaffold Playwright with smoke specs + CI workflow

Adds a Playwright harness so user-journey regressions can be caught in
CI instead of on customer calls. This is the second tier of the
ui-testing-framework work.

New:
* playwright.config.ts — chromium-only, baseURL via PLAYWRIGHT_BASE_URL,
  trace/screenshot/video retained on failure, 30s timeout. Default target
  is http://localhost:8080 (df-docker-dev); CI can override for a nightly
  canary against crucible.
* e2e/fixtures/admin-login.ts — UI-based login helper. (localStorage seed
  does not work — the app hydrates userData from a cookie + the /session
  roundtrip.)
* e2e/smoke.spec.ts — PASSING. Covers: login + app shell paint, no
  uncaught JS exceptions, no raw transloco keys leaking (nav.ai.nav),
  ace-builds asset 200s, top-nav entries navigate without 5xx.
* e2e/event-scripts.spec.ts — `test.fixme`. Full intent is laid out;
  selector work around lazy-loaded routes via hash navigation needs
  follow-up.
* e2e/api-connections.spec.ts, e2e/roles.spec.ts, e2e/mcp-service.spec.ts
  — `test.fixme` stubs with intent comments.
* .github/workflows/e2e.yml — runs on push/PR to develop against a
  spun-up df-docker-dev stack, plus nightly cron against a configurable
  URL, plus manual dispatch.
* npm scripts: e2e, e2e:ui, e2e:smoke.
* jest.config.js: testPathIgnorePatterns exclude e2e/ so Jest doesn't
  try to run Playwright specs.

Author: nicdavidson

.github/workflows/e2e.yml

@@ -0,0 +1,78 @@
+name: E2E (Playwright)
+
+on:
+  push:
+    branches: ['develop']
+  pull_request:
+    branches: ['develop']
+  schedule:
+    # Nightly canary against crucible so drift is caught before a customer does.
+    - cron: '0 7 * * *'
+  workflow_dispatch:
+    inputs:
+      target_url:
+        description: 'Base URL to run E2E against'
+        required: false
+        default: ''
+
+jobs:
+  smoke:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+          cache: 'npm'
+
+      - run: npm ci
+
+      - name: Install Playwright Browsers
+        run: npx playwright install chromium --with-deps
+
+      # For PRs and pushes we spin up a minimal DreamFactory stack so the
+      # smoke specs run against a real API. The stack is provided by the
+      # df-docker-dev sibling repo checked out into the runner.
+      - name: Check out df-docker-dev
+        if: github.event_name == 'push' || github.event_name == 'pull_request'
+        uses: actions/checkout@v4
+        with:
+          repository: dreamfactorysoftware/df-docker-dev
+          path: df-docker-dev
+          fetch-depth: 1
+
+      - name: Start DreamFactory stack
+        if: github.event_name == 'push' || github.event_name == 'pull_request'
+        working-directory: df-docker-dev
+        run: |
+          docker compose up -d web mysql redis
+          # wait for /system/environment to come back 200
+          timeout 120 bash -c 'until curl -fsS http://localhost:8080/api/v2/system/environment > /dev/null; do sleep 2; done'
+
+      - name: Resolve target URL
+        id: target
+        run: |
+          if [ -n "${{ github.event.inputs.target_url }}" ]; then
+            echo "url=${{ github.event.inputs.target_url }}" >> "$GITHUB_OUTPUT"
+          elif [ "${{ github.event_name }}" = "schedule" ]; then
+            echo "url=${{ secrets.E2E_NIGHTLY_URL }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "url=http://localhost:8080" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run Playwright tests
+        env:
+          PLAYWRIGHT_BASE_URL: ${{ steps.target.outputs.url }}
+          DF_ADMIN_EMAIL: ${{ secrets.E2E_ADMIN_EMAIL || 'admin@dreamfactory.com' }}
+          DF_ADMIN_PASSWORD: ${{ secrets.E2E_ADMIN_PASSWORD || 'passwordpassword' }}
+        run: npm run e2e
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 7

.gitignore

@@ -42,3 +42,9 @@ testem.log
 Thumbs.db
 
 .config/
+
+# Playwright
+/test-results/
+/playwright-report/
+/blob-report/
+/playwright/.cache/

e2e/api-connections.spec.ts

@@ -0,0 +1,22 @@
+import { test } from '@playwright/test';
+import { loginAsAdmin, waitForAppReady } from './fixtures/admin-login';
+
+/**
+ * API connection (database) CRUD.
+ *
+ * TODO — flesh out once the sidenav navigation pattern is stable
+ * (see the TODO in event-scripts.spec.ts). Intent:
+ *  1. Navigate to API Connections → Database
+ *  2. Click +, pick "SQL Server" or "SQLite"
+ *  3. Fill out the minimum config fields, save
+ *  4. Assert the service appears in the list
+ *  5. Click the row, edit label, save
+ *  6. Delete, assert it's gone
+ */
+test.fixme('API Connections: create → edit → delete a database service', async ({
+  page,
+}) => {
+  await loginAsAdmin(page);
+  await waitForAppReady(page);
+  // TODO
+});

e2e/event-scripts.spec.ts

@@ -0,0 +1,96 @@
+import { test, expect } from '@playwright/test';
+import { loginAsAdmin, waitForAppReady } from './fixtures/admin-login';
+
+/**
+ * End-to-end regression for the Event Scripts create flow — the path that
+ * was broken for the Triskele customer on 2026-04-22.
+ *
+ * Covers the entire chain that broke during that fire-drill:
+ *  - form opens without a stuck spinner (loading-spinner race fix)
+ *  - Service dropdown populates with raw service names (/system/event
+ *    services_only fast path + case-interceptor exemption)
+ *  - Script Type dropdown populates (response lookup uses raw key)
+ *  - Script Method dropdown populates
+ *  - Save produces a 201/200, not a 400 "No record(s) detected"
+ */
+test.describe('Event Scripts — create flow', () => {
+  // TODO: this spec navigates via hash-routing, which doesn't reliably
+  // trigger the lazy-loaded route resolver on `page.goto('#/event-scripts')`.
+  // Need to either click through the sidenav (resolved reliably by role
+  // selectors once the welcome/license flow is accounted for) or switch
+  // the app to path-based routing. Keeping the spec scaffolded so the
+  // intent is visible and fixing the navigation is small follow-up work.
+  test.fixme('create an event script end-to-end', async ({ page }) => {
+    await loginAsAdmin(page);
+    await waitForAppReady(page);
+
+    // Navigate into Event Scripts. Use a hard reload of the full URL so
+    // the hash router definitely re-evaluates (in-app hash-only changes
+    // from page.goto don't always trigger lazy-loaded route resolvers).
+    await page.goto('/dreamfactory/dist/#/event-scripts', {
+      waitUntil: 'networkidle',
+      timeout: 15_000,
+    });
+
+    // Click the + button. DfManageTable renders a mat-mini-fab with class
+    // .save-btn for the "New Entry" action.
+    const addBtn = page.locator('button.save-btn').first();
+    await expect(addBtn).toBeVisible({ timeout: 15_000 });
+    await addBtn.click();
+
+    // Spinner must clear. If the loading-spinner race is back, this
+    // waits forever until the test timeout.
+    await expect(
+      page.locator('mat-progress-spinner, .loading-spinner')
+    ).toHaveCount(0, { timeout: 20_000 });
+
+    // Service dropdown
+    const serviceSelect = page.getByLabel(/^service$/i);
+    await serviceSelect.click();
+    // `db` is always present in a dev-docker setup; any underscore service
+    // also exercises the case-interceptor exemption.
+    const dbOption = page.getByRole('option', { name: /^db$/ });
+    await expect(dbOption).toBeVisible({ timeout: 10_000 });
+    await dbOption.click();
+
+    // Script Type dropdown must populate. Empty = the pre-fix bug.
+    const typeSelect = page.getByLabel(/script\s*type/i);
+    await typeSelect.click();
+    const firstType = page.getByRole('option').first();
+    await expect(firstType).toBeVisible({ timeout: 10_000 });
+    // Pick a type without {table_name} templating so selectedRoute()
+    // alone produces a valid completeScriptName.
+    const dbType = page.getByRole('option', { name: /^db$/ });
+    await dbType.click();
+
+    // Script Method
+    const methodSelect = page.getByLabel(/script\s*method/i);
+    await methodSelect.click();
+    const firstMethod = page
+      .getByRole('option', { name: /\.get\.pre_process$/ })
+      .first();
+    await expect(firstMethod).toBeVisible({ timeout: 10_000 });
+    await firstMethod.click();
+
+    // Grab the method text we picked so we can clean up after save.
+    // At this point completeScriptName === selectedRouteItem.
+
+    // Activate the script and add a one-line body.
+    const isActiveToggle = page.getByLabel(/active/i).first();
+    await isActiveToggle.click();
+
+    // Save
+    const saveBtn = page.getByRole('button', { name: /^save$/i });
+    const savePromise = page.waitForResponse(
+      r =>
+        r.url().includes('/api/v2/system/event_script') &&
+        r.request().method() === 'POST'
+    );
+    await saveBtn.click();
+    const resp = await savePromise;
+    expect(
+      [200, 201].includes(resp.status()),
+      `expected save to succeed, got ${resp.status()}: ${await resp.text()}`
+    ).toBe(true);
+  });
+});

e2e/fixtures/admin-login.ts

@@ -0,0 +1,46 @@
+import { Page, expect } from '@playwright/test';
+
+export const ADMIN_EMAIL =
+  process.env.DF_ADMIN_EMAIL ?? 'admin@dreamfactory.com';
+export const ADMIN_PASSWORD =
+  process.env.DF_ADMIN_PASSWORD ?? 'passwordpassword';
+
+/**
+ * Log in via the actual UI. The admin UI keeps the session in a cookie
+ * and userData in-memory; a synthetic localStorage seed does not work
+ * because no code path hydrates userData from storage at bootstrap.
+ */
+export async function loginAsAdmin(page: Page) {
+  await page.goto('/dreamfactory/dist/#/auth/login');
+  // Labels come from the userManagement i18n bundle — "Enter Email" /
+  // "Enter Password" in English. Use type-based selectors to stay
+  // language-agnostic.
+  const email = page.locator('input[type="email"]').first();
+  await expect(email).toBeVisible({ timeout: 15_000 });
+  await email.fill(ADMIN_EMAIL);
+  await page.locator('input[type="password"]').first().fill(ADMIN_PASSWORD);
+
+  const loginReq = page.waitForResponse(
+    r =>
+      r.url().includes('/api/v2/system/admin/session') &&
+      r.request().method() === 'POST'
+  );
+  await page.getByRole('button', { name: /^login$/i }).click();
+  const resp = await loginReq;
+  expect(
+    resp.ok(),
+    `admin login HTTP ${resp.status()}: ${await resp.text()}`
+  ).toBe(true);
+
+  // After login the router navigates off /auth/login to the home route.
+  await page.waitForURL(url => !url.toString().includes('/auth/login'), {
+    timeout: 15_000,
+  });
+}
+
+/** Wait for the admin UI shell to be fully painted. */
+export async function waitForAppReady(page: Page) {
+  await page.waitForSelector('mat-toolbar, mat-sidenav, nav', {
+    timeout: 15_000,
+  });
+}

e2e/mcp-service.spec.ts

@@ -0,0 +1,25 @@
+import { test } from '@playwright/test';
+import { loginAsAdmin, waitForAppReady } from './fixtures/admin-login';
+
+/**
+ * MCP service + custom function tool round-trip.
+ *
+ * TODO — pending stable sidenav navigation (see event-scripts.spec.ts).
+ * Intent:
+ *  1. Create an MCP service via the admin UI (type = MCP)
+ *  2. Add a custom function tool with a simple body: `return a + b;`
+ *  3. Save — assert the tool row lands in mcp_custom_tools (via API)
+ *  4. Invoke the tool via /mcp/{service} tools/call and assert result
+ *
+ * This journey previously had three silently-dropped save bugs (see
+ * df-mcp-server PR #35 "persist custom tools on service create and on
+ * re-save without ids"). End-to-end coverage would have caught them
+ * before a customer install.
+ */
+test.fixme('MCP: create service with custom function tool + invoke it', async ({
+  page,
+}) => {
+  await loginAsAdmin(page);
+  await waitForAppReady(page);
+  // TODO
+});

e2e/roles.spec.ts

@@ -0,0 +1,21 @@
+import { test } from '@playwright/test';
+import { loginAsAdmin, waitForAppReady } from './fixtures/admin-login';
+
+/**
+ * Roles CRUD.
+ *
+ * TODO — pending stable sidenav navigation (see event-scripts.spec.ts).
+ * Intent:
+ *  1. Navigate to Role Based Access → Roles
+ *  2. Create a role with restricted service access
+ *  3. Assign a service + verb matrix
+ *  4. Save, reload, assert persisted
+ *  5. Delete
+ */
+test.fixme('Roles: create a role with restricted service access', async ({
+  page,
+}) => {
+  await loginAsAdmin(page);
+  await waitForAppReady(page);
+  // TODO
+});

e2e/smoke.spec.ts

@@ -0,0 +1,65 @@
+import { test, expect } from '@playwright/test';
+import { loginAsAdmin, waitForAppReady } from './fixtures/admin-login';
+
+test.describe('Admin UI smoke', () => {
+  test('admin login + app shell loads without console errors', async ({
+    page,
+  }) => {
+    // Track uncaught JS exceptions only. Generic "Failed to load resource"
+    // notices (4xx/5xx fetches) are covered separately by the network
+    // assertions below and are too noisy for a smoke check.
+    const jsErrors: string[] = [];
+    page.on('pageerror', err => jsErrors.push(err.message));
+
+    await loginAsAdmin(page);
+    await waitForAppReady(page);
+
+    // Every nav label should be translated — raw Transloco keys like
+    // "nav.ai.nav" mean the i18n bundle didn't load. This was the
+    // clearest tell of the stale public/ issue on the Triskele install.
+    const body = await page.textContent('body');
+    expect(body, 'raw transloco key leaked through').not.toMatch(
+      /\bnav\.[a-z]+\.(nav|title)\b/
+    );
+
+    // Static assets under /dreamfactory/dist/assets must resolve. A 404
+    // here is the original ace-builds + fonts bug class.
+    const aceModeResponse = await page.request.get(
+      '/dreamfactory/dist/assets/ace-builds/mode-javascript.js'
+    );
+    expect(aceModeResponse.ok(), 'ace mode asset must 200').toBe(true);
+
+    expect(jsErrors, 'page threw uncaught JS exceptions').toEqual([]);
+  });
+
+  test('top-nav entries navigate without errors', async ({ page }) => {
+    await loginAsAdmin(page);
+    await waitForAppReady(page);
+
+    // Paths taken from routes.ts. Each should render without throwing.
+    const paths = [
+      '/api-connections/api-types',
+      '/api-connections/roles',
+      '/api-connections/api-keys',
+      '/event-scripts',
+      '/system-settings/config',
+    ];
+
+    for (const p of paths) {
+      const url = `/dreamfactory/dist/#${p}`;
+      const responses: number[] = [];
+      page.on('response', r => {
+        if (r.url().includes('/api/v2/')) responses.push(r.status());
+      });
+      await page.goto(url);
+      // Wait for any xhr to land or for the page to settle.
+      await page.waitForLoadState('networkidle', { timeout: 15_000 });
+
+      // No 5xx on any backend call triggered by the navigation.
+      expect(
+        responses.filter(s => s >= 500),
+        `${p} produced 5xx responses`
+      ).toEqual([]);
+    }
+  });
+});

jest.config.js

@@ -4,6 +4,8 @@ module.exports = {
   moduleNameMapper: {
     '^src/(.*)$': '<rootDir>/src/$1',
   },
+  // Playwright specs live under e2e/ and must never be picked up by Jest.
+  testPathIgnorePatterns: ['/node_modules/', '<rootDir>/e2e/'],
   transformIgnorePatterns: [
     'node_modules/(?!@angular|swagger-ui|react-syntax-highlighter|swagger-client|@ngneat|@fortawesome)',
   ],