@camunda/e2e-test-suite 0.0.232 → 0.0.234

package/dist/fixtures/8.6.d.ts

@@ -26,6 +26,7 @@ import { ModelerUserInvitePage } from '../pages/8.6/ModelerUserInvitePage';
 import { SignUpPage } from '../pages/8.6/SignUpPage';
 import { PlayPage } from '../pages/8.6/PlayPage';
 import { ConnectorTemplatePage } from '../pages/8.6/ConnectorTemplatePage';
+import { ClientCredentialsDetailsPage } from '../pages/8.6/ClientCredentialsDetailsPage';
 type PlaywrightFixtures = {
     makeAxeBuilder: () => AxeBuilder;
     loginPage: LoginPage;
@@ -55,6 +56,7 @@ type PlaywrightFixtures = {
     signUpPage: SignUpPage;
     playPage: PlayPage;
     connectorTemplatePage: ConnectorTemplatePage;
+    clientCredentialsDetailsPage: ClientCredentialsDetailsPage;
     overrideTrackingScripts: void;
 };
 declare const test: import("@playwright/test").TestType<import("@playwright/test").PlaywrightTestArgs & import("@playwright/test").PlaywrightTestOptions & PlaywrightFixtures, import("@playwright/test").PlaywrightWorkerArgs & import("@playwright/test").PlaywrightWorkerOptions>;

package/dist/fixtures/8.6.js

@@ -33,6 +33,7 @@ const ModelerUserInvitePage_1 = require("../pages/8.6/ModelerUserInvitePage");
 const SignUpPage_1 = require("../pages/8.6/SignUpPage");
 const PlayPage_1 = require("../pages/8.6/PlayPage");
 const ConnectorTemplatePage_1 = require("../pages/8.6/ConnectorTemplatePage");
+const ClientCredentialsDetailsPage_1 = require("../pages/8.6/ClientCredentialsDetailsPage");
 const test = test_1.test.extend({
     makeAxeBuilder: async ({ page }, use) => {
         const makeAxeBuilder = () => new playwright_1.default({ page }).withTags([
@@ -125,6 +126,9 @@ const test = test_1.test.extend({
     connectorTemplatePage: async ({ page }, use) => {
         await use(new ConnectorTemplatePage_1.ConnectorTemplatePage(page));
     },
+    clientCredentialsDetailsPage: async ({ page }, use) => {
+        await use(new ClientCredentialsDetailsPage_1.ClientCredentialsDetailsPage(page));
+    },
     overrideTrackingScripts: [
         async ({ context }, use) => {
             await context.route('https://cmp.osano.com/16CVvwSNKHi9t1grQ/9403708a-488b-4f3b-aea6-613825dec79f/osano.js', (route) => route.fulfill({

package/dist/fixtures/8.8.d.ts

@@ -32,6 +32,7 @@ import { OCIdentityHomePage } from '../pages/8.8/OCIdentityHomePage';
 import { OCIdentityMappingRulesPage } from '../pages/8.8/OCIdentityMappingRulesPage';
 import { OCIdentityRolesPage } from '../pages/8.8/OCIdentityRolesPage';
 import { OCIdentityAuthorizationsPage } from '../pages/8.8/OCIdentityAuthorizationsPage';
+import { ClientCredentialsDetailsPage } from '../pages/8.8/ClientCredentialsDetailsPage';
 type PlaywrightFixtures = {
     makeAxeBuilder: () => AxeBuilder;
     loginPage: LoginPage;
@@ -67,6 +68,7 @@ type PlaywrightFixtures = {
     ocIdentityMappingRulesPage: OCIdentityMappingRulesPage;
     ocIdentityRolesPage: OCIdentityRolesPage;
     ocIdentityAuthorizationsPage: OCIdentityAuthorizationsPage;
+    clientCredentialsDetailsPage: ClientCredentialsDetailsPage;
     overrideTrackingScripts: void;
 };
 declare const test: import("@playwright/test").TestType<import("@playwright/test").PlaywrightTestArgs & import("@playwright/test").PlaywrightTestOptions & PlaywrightFixtures, import("@playwright/test").PlaywrightWorkerArgs & import("@playwright/test").PlaywrightWorkerOptions>;

package/dist/fixtures/8.8.js

@@ -39,6 +39,7 @@ const OCIdentityHomePage_1 = require("../pages/8.8/OCIdentityHomePage");
 const OCIdentityMappingRulesPage_1 = require("../pages/8.8/OCIdentityMappingRulesPage");
 const OCIdentityRolesPage_1 = require("../pages/8.8/OCIdentityRolesPage");
 const OCIdentityAuthorizationsPage_1 = require("../pages/8.8/OCIdentityAuthorizationsPage");
+const ClientCredentialsDetailsPage_1 = require("../pages/8.8/ClientCredentialsDetailsPage");
 const test = test_1.test.extend({
     makeAxeBuilder: async ({ page }, use) => {
         const makeAxeBuilder = () => new playwright_1.default({ page }).withTags([
@@ -150,6 +151,9 @@ const test = test_1.test.extend({
     ocIdentityGroupsPage: async ({ page }, use) => {
         await use(new OCIdentityGroupsPage_1.OCIdentityGroupsPage(page));
     },
+    clientCredentialsDetailsPage: async ({ page }, use) => {
+        await use(new ClientCredentialsDetailsPage_1.ClientCredentialsDetailsPage(page));
+    },
     overrideTrackingScripts: [
         async ({ context }, use) => {
             await context.route('https://cmp.osano.com/16CVvwSNKHi9t1grQ/9403708a-488b-4f3b-aea6-613825dec79f/osano.js', (route) => route.fulfill({

package/dist/pages/8.6/ClientCredentialsDetailsPage.d.ts

@@ -0,0 +1,12 @@
+import { Page, Locator } from '@playwright/test';
+declare class ClientCredentialsDetailsPage {
+    private page;
+    readonly operateUrlRow: Locator;
+    readonly operateUrlValue: Locator;
+    readonly clientNameHeading: (clientName: string) => Locator;
+    constructor(page: Page);
+    isOpen(clientName: string): Promise<void>;
+    getOperateUrl(): Promise<string>;
+    goBack(): Promise<void>;
+}
+export { ClientCredentialsDetailsPage };

package/dist/pages/8.6/ClientCredentialsDetailsPage.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientCredentialsDetailsPage = void 0;
+const test_1 = require("@playwright/test");
+class ClientCredentialsDetailsPage {
+    page;
+    operateUrlRow;
+    operateUrlValue;
+    clientNameHeading;
+    constructor(page) {
+        this.page = page;
+        this.operateUrlRow = page.getByRole('cell', { name: 'Operate URL' });
+        this.operateUrlValue = this.operateUrlRow.getByRole('textbox');
+        this.clientNameHeading = (clientName) => page.getByRole('heading', { name: clientName });
+    }
+    async isOpen(clientName) {
+        await (0, test_1.expect)(this.clientNameHeading(clientName)).toBeVisible({
+            timeout: 30000,
+        });
+    }
+    async getOperateUrl() {
+        if (await this.operateUrlValue.isVisible({ timeout: 10000 }).catch(() => false)) {
+            return await this.operateUrlValue.inputValue();
+        }
+        const text = await this.page.innerText('body');
+        const match = text.match(/Operate URL\s*([\w:/.-]+\/?)/i);
+        if (!match || !match[1]) {
+            throw new Error('Operate URL not found in client credentials page');
+        }
+        return match[1];
+    }
+    async goBack() {
+        await this.page.goBack();
+    }
+}
+exports.ClientCredentialsDetailsPage = ClientCredentialsDetailsPage;

package/dist/pages/8.6/ClusterDetailsPage.d.ts

@@ -1,4 +1,5 @@
 import { Page, Locator } from '@playwright/test';
+import { ClientCredentialsDetailsPage } from '../8.6/ClientCredentialsDetailsPage';
 declare class ClusterDetailsPage {
     private page;
     readonly apiTab: Locator;
@@ -32,9 +33,12 @@ declare class ClusterDetailsPage {
     readonly createAlertButton: Locator;
     readonly rbaHeading: Locator;
     readonly rbaEnabledMessage: Locator;
+    readonly clientCredentialsLink: (clientCredentials: string) => Locator;
+    readonly clientRow: (name: string) => Locator;
+    readonly clientRowDeleteButton: (name: string) => Locator;
     constructor(page: Page);
     clickAPITab(): Promise<void>;
-    deleteAPIClientsIfExist(): Promise<void>;
+    deleteAPIClientsIfExist(name?: string): Promise<void>;
     clickAlertsTab(): Promise<void>;
     clickCreateFirstAlertButton(): Promise<void>;
     clickCreateNewAlertButton(): Promise<void>;
@@ -43,6 +47,7 @@ declare class ClusterDetailsPage {
     clickCreateAlertButton(): Promise<void>;
     deleteAlerts(): Promise<void>;
     private doDelete;
+    clickCreateClientButton(): Promise<void>;
     clickCreateFirstClientButton(): Promise<void>;
     reload(): Promise<void>;
     clickClientNameTextbox(): Promise<void>;
@@ -54,6 +59,8 @@ declare class ClusterDetailsPage {
     clickCreateButton(): Promise<void>;
     clickCloseModalButton(): Promise<void>;
     clickSettingsTab(): Promise<void>;
+    createAPIClient(name: string): Promise<void>;
+    searchAndClickClientCredentialsLink(name: string): Promise<ClientCredentialsDetailsPage>;
     enableRBA(): Promise<void>;
     disableRBA(): Promise<void>;
     assertComponentsHealth(components?: string[]): Promise<void>;

package/dist/pages/8.6/ClusterDetailsPage.js

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.ClusterDetailsPage = void 0;
 const test_1 = require("@playwright/test");
 const sleep_1 = require("../../utils/sleep");
+const ClientCredentialsDetailsPage_1 = require("../8.6/ClientCredentialsDetailsPage");
+const clickLocatorWithRetry_1 = require("../../utils/assertionHelpers/clickLocatorWithRetry");
 class ClusterDetailsPage {
     page;
     apiTab;
@@ -36,6 +38,9 @@ class ClusterDetailsPage {
     createAlertButton;
     rbaHeading;
     rbaEnabledMessage;
+    clientCredentialsLink;
+    clientRow;
+    clientRowDeleteButton;
     constructor(page) {
         this.page = page;
         this.apiTab = page.getByRole('tab', { name: 'API' });
@@ -107,12 +112,33 @@ class ClusterDetailsPage {
             name: 'Resource-based authorizations',
         });
         this.clientsList = page.getByRole('row').filter({ hasNotText: 'Scopes' });
+        this.clientCredentialsLink = (clientCredentials) => page.getByRole('cell', { name: clientCredentials });
+        this.clientRow = (name) => this.clientsList.filter({ hasText: name });
+        this.clientRowDeleteButton = (name) => this.clientRow(name).getByRole('button', { name: 'Delete' });
     }
     async clickAPITab() {
         await (0, test_1.expect)(this.apiTab).toBeVisible({ timeout: 15000 });
         await this.apiTab.click({ timeout: 15000 });
     }
-    async deleteAPIClientsIfExist() {
+    async deleteAPIClientsIfExist(name) {
+        if (name) {
+            const row = this.clientRow(name);
+            const deleteButton = this.clientRowDeleteButton(name);
+            try {
+                await (0, test_1.expect)(deleteButton).toBeVisible({ timeout: 10000 });
+                await deleteButton.click();
+                await (0, test_1.expect)(this.dialog).toBeVisible();
+                await this.deleteSubButton.click();
+                await (0, test_1.expect)(this.page.getByText('Deleting...')).not.toBeVisible({
+                    timeout: 10000,
+                });
+                await (0, test_1.expect)(row).not.toBeVisible();
+            }
+            catch (error) {
+                console.warn(`No client row found for ${name} or deletion failed: ${error}`);
+            }
+            return;
+        }
         await this.doDelete(this.dialog, 'API clients');
     }
     async clickAlertsTab() {
@@ -189,6 +215,9 @@ class ClusterDetailsPage {
             console.error(`Error during ${text} deletion: `, error);
         }
     }
+    async clickCreateClientButton() {
+        await (0, clickLocatorWithRetry_1.clickLocatorWithRetry)(this.page, this.createFirstClientButton.or(this.createClientButton));
+    }
     async clickCreateFirstClientButton() {
         const maxRetries = 3;
         for (let retries = 0; retries < maxRetries; retries++) {
@@ -252,6 +281,36 @@ class ClusterDetailsPage {
             await this.settingsTab.click({ timeout: 120000 });
         }
     }
+    async createAPIClient(name) {
+        await this.clickCreateClientButton();
+        await (0, test_1.expect)(this.createClientCredentialsDialog).toBeVisible({
+            timeout: 60000,
+        });
+        await this.clickClientNameTextbox();
+        await this.fillClientNameTextbox(name);
+        await this.clickTasklistCheckbox();
+        await this.clickOperateCheckbox();
+        await this.clickOptimizeCheckbox();
+        await this.clickSecretsCheckbox();
+        await this.clickCreateButton();
+        await (0, test_1.expect)(this.clientCredentialsDialog).toBeVisible({
+            timeout: 20000,
+        });
+        await (0, test_1.expect)(this.clientCredentialsDialog
+            .getByText('The Client Secret will not be shown again.')
+            .first()).toBeVisible({
+            timeout: 60000,
+        });
+    }
+    async searchAndClickClientCredentialsLink(name) {
+        await (0, test_1.expect)(this.clientsList.first()).toBeVisible({ timeout: 60000 });
+        const clientLink = this.clientCredentialsLink(name);
+        await (0, test_1.expect)(clientLink).toBeVisible({ timeout: 30000 });
+        await clientLink.click();
+        const clientCredentialsDetailsPage = new ClientCredentialsDetailsPage_1.ClientCredentialsDetailsPage(this.page);
+        await clientCredentialsDetailsPage.isOpen(name);
+        return clientCredentialsDetailsPage;
+    }
     async enableRBA() {
         await (0, test_1.expect)(this.rbaHeading).toBeVisible({ timeout: 60000 });
         // Locate all elements with class .cds--toggle__text

package/dist/pages/8.8/ClientCredentialsDetailsPage.d.ts

@@ -0,0 +1,12 @@
+import { Page, Locator } from '@playwright/test';
+declare class ClientCredentialsDetailsPage {
+    private page;
+    readonly operateUrlRow: Locator;
+    readonly operateUrlValue: Locator;
+    readonly clientNameHeading: (clientName: string) => Locator;
+    constructor(page: Page);
+    isOpen(clientName: string): Promise<void>;
+    getOperateUrl(): Promise<string>;
+    goBack(): Promise<void>;
+}
+export { ClientCredentialsDetailsPage };

package/dist/pages/8.8/ClientCredentialsDetailsPage.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientCredentialsDetailsPage = void 0;
+const test_1 = require("@playwright/test");
+class ClientCredentialsDetailsPage {
+    page;
+    operateUrlRow;
+    operateUrlValue;
+    clientNameHeading;
+    constructor(page) {
+        this.page = page;
+        this.operateUrlRow = page.getByRole('cell', { name: 'Operate URL' });
+        this.operateUrlValue = this.operateUrlRow.getByRole('textbox');
+        this.clientNameHeading = (clientName) => page.getByRole('heading', { name: clientName });
+    }
+    async isOpen(clientName) {
+        await (0, test_1.expect)(this.clientNameHeading(clientName)).toBeVisible({
+            timeout: 30000,
+        });
+    }
+    async getOperateUrl() {
+        if (await this.operateUrlValue.isVisible({ timeout: 10000 }).catch(() => false)) {
+            return await this.operateUrlValue.inputValue();
+        }
+        const text = await this.page.innerText('body');
+        const match = text.match(/Operate URL\s*([\w:/.-]+\/?)/i);
+        if (!match || !match[1]) {
+            throw new Error('Operate URL not found in client credentials page');
+        }
+        return match[1];
+    }
+    async goBack() {
+        await this.page.goBack();
+    }
+}
+exports.ClientCredentialsDetailsPage = ClientCredentialsDetailsPage;

package/dist/pages/8.8/ClusterDetailsPage.d.ts

@@ -1,4 +1,5 @@
 import { Page, Locator } from '@playwright/test';
+import { ClientCredentialsDetailsPage } from '../8.8/ClientCredentialsDetailsPage';
 declare class ClusterDetailsPage {
     private page;
     readonly apiTab: Locator;
@@ -36,6 +37,9 @@ declare class ClusterDetailsPage {
     readonly rbaEnabledMessage: Locator;
     readonly authorizationsHeading: Locator;
     readonly orchestrationClusterCheckbox: Locator;
+    readonly clientCredentialsLink: (clientCredentials: string) => Locator;
+    readonly clientRow: (name: string) => Locator;
+    readonly clientRowDeleteButton: (name: string) => Locator;
     constructor(page: Page);
     clickAPITab(): Promise<void>;
     clickCreateClientButton(): Promise<void>;
@@ -50,7 +54,8 @@ declare class ClusterDetailsPage {
     clickSettingsTab(): Promise<void>;
     enableAuthorizations(): Promise<void>;
     disableAuthorizations(): Promise<void>;
-    deleteAPIClientsIfExist(): Promise<void>;
+    searchAndClickClientCredentialsLink(name: string): Promise<ClientCredentialsDetailsPage>;
+    deleteAPIClientsIfExist(name?: string): Promise<void>;
     clickAlertsTab(): Promise<void>;
     clickExpandButton(): Promise<void>;
     clickCreateFirstAlertButton(): Promise<void>;

package/dist/pages/8.8/ClusterDetailsPage.js

@@ -5,6 +5,7 @@ const test_1 = require("@playwright/test");
 const sleep_1 = require("../../utils/sleep");
 const clickLocatorWithRetry_1 = require("../../utils/assertionHelpers/clickLocatorWithRetry");
 const expectLocatorWithRetry_1 = require("../../utils/assertionHelpers/expectLocatorWithRetry");
+const ClientCredentialsDetailsPage_1 = require("../8.8/ClientCredentialsDetailsPage");
 class ClusterDetailsPage {
     page;
     apiTab;
@@ -42,6 +43,9 @@ class ClusterDetailsPage {
     rbaEnabledMessage;
     authorizationsHeading;
     orchestrationClusterCheckbox;
+    clientCredentialsLink;
+    clientRow;
+    clientRowDeleteButton;
     constructor(page) {
         this.page = page;
         this.apiTab = page.getByRole('tab', { name: 'API' });
@@ -121,6 +125,9 @@ class ClusterDetailsPage {
         this.orchestrationClusterCheckbox = page
             .locator('label')
             .filter({ hasText: /^Orchestration Cluster API$/ });
+        this.clientCredentialsLink = (clientCredentials) => page.getByRole('cell', { name: clientCredentials });
+        this.clientRow = (name) => this.clientsList.filter({ hasText: name });
+        this.clientRowDeleteButton = (name) => this.clientRow(name).getByRole('button', { name: 'Delete' });
     }
     async clickAPITab() {
         await (0, test_1.expect)(this.apiTab).toBeVisible({ timeout: 60000 });
@@ -225,7 +232,34 @@ class ClusterDetailsPage {
             console.log('Toggle text elements not found or less than 2.');
         }
     }
-    async deleteAPIClientsIfExist() {
+    async searchAndClickClientCredentialsLink(name) {
+        await (0, test_1.expect)(this.clientsList.first()).toBeVisible({ timeout: 60000 });
+        const clientLink = this.clientCredentialsLink(name);
+        await (0, test_1.expect)(clientLink).toBeVisible({ timeout: 30000 });
+        await clientLink.click();
+        const clientCredentialsDetailsPage = new ClientCredentialsDetailsPage_1.ClientCredentialsDetailsPage(this.page);
+        await clientCredentialsDetailsPage.isOpen(name);
+        return clientCredentialsDetailsPage;
+    }
+    async deleteAPIClientsIfExist(name) {
+        if (name) {
+            const row = this.clientRow(name);
+            const deleteButton = this.clientRowDeleteButton(name);
+            try {
+                await (0, test_1.expect)(deleteButton).toBeVisible({ timeout: 10000 });
+                await deleteButton.click();
+                await (0, test_1.expect)(this.dialog).toBeVisible();
+                await this.deleteSubButton.click();
+                await (0, test_1.expect)(this.page.getByText('Deleting...')).not.toBeVisible({
+                    timeout: 10000,
+                });
+                await (0, test_1.expect)(row).not.toBeVisible();
+            }
+            catch (error) {
+                console.warn(`No client row found for ${name} or deletion failed: ${error}`);
+            }
+            return;
+        }
         await this.doDelete(this.dialog, 'API clients');
     }
     async clickAlertsTab() {

package/dist/tests/8.6/console-user-flows.spec.js

@@ -30,21 +30,7 @@ _8_6_1.test.describe('Console User Flow Tests', () => {
             await clusterPage.clickClusterLink(defaultClusterName);
             await clusterDetailsPage.clickAPITab();
             await clusterDetailsPage.deleteAPIClientsIfExist();
-            await clusterDetailsPage.clickCreateFirstClientButton();
-            await (0, test_1.expect)(clusterDetailsPage.createClientCredentialsDialog).toBeVisible({ timeout: 60000 });
-            await clusterDetailsPage.clickClientNameTextbox();
-            await clusterDetailsPage.fillClientNameTextbox(clientName);
-            await clusterDetailsPage.clickTasklistCheckbox();
-            await clusterDetailsPage.clickOperateCheckbox();
-            await clusterDetailsPage.clickOptimizeCheckbox();
-            await clusterDetailsPage.clickSecretsCheckbox();
-            await clusterDetailsPage.clickCreateButton();
-            await (0, test_1.expect)(clusterDetailsPage.clientCredentialsDialog).toBeVisible({
-                timeout: 20000,
-            });
-            await (0, test_1.expect)(clusterDetailsPage.clientCredentialsDialog
-                .getByText('The Client Secret will not be shown again.')
-                .first()).toBeVisible({ timeout: 60000 });
+            await clusterDetailsPage.createAPIClient(clientName);
             await clusterDetailsPage.clickCloseModalButton();
             await (0, test_1.expect)(clusterDetailsPage.clientsList.filter({ hasText: clientName })).toContainText('Zeebe, Tasklist, Operate, Optimize, and Secrets');
         });

package/dist/tests/8.6/operate-access-flow.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tests/8.6/operate-access-flow.spec.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const test_1 = require("@playwright/test");
+const _8_6_1 = require("../../fixtures/8.6");
+const UtilitiesPage_1 = require("../../pages/8.6/UtilitiesPage");
+const _setup_1 = require("../../test-setup.js");
+const users_1 = require("../../utils/users");
+const urlHelpers_1 = require("../../utils/urlHelpers");
+const testUser = (0, users_1.getTestUser)('twentySecondUser');
+// This test covers the manual scenario: create a new API client via UI, copy the Operate URL, and verify the Operate endpoint denies unauthenticated access.
+_8_6_1.test.describe.configure({ mode: 'parallel' });
+_8_6_1.test.describe('Operate access requires authentication', () => {
+    let clientName;
+    const clusterName = 'Test Cluster';
+    _8_6_1.test.beforeEach(async ({ page, loginPage }, testInfo) => {
+        await (0, UtilitiesPage_1.loginWithRetry)(page, loginPage, testUser, (testInfo.workerIndex + 1) * 1000);
+    });
+    _8_6_1.test.afterEach(async ({ page, homePage, clusterPage, clusterDetailsPage }, testInfo) => {
+        await (0, _setup_1.captureScreenshot)(page, testInfo);
+        await (0, _setup_1.captureFailureVideo)(page, testInfo);
+        if (clientName) {
+            await homePage.clickClusters();
+            await clusterPage.clickClusterLink(clusterName);
+            await clusterDetailsPage.clickAPITab();
+            await clusterDetailsPage.deleteAPIClientsIfExist(clientName);
+        }
+    });
+    (0, _8_6_1.test)('check that POST /v1/process-definitions/search without credentials returns 403 Forbidden with JSON body', async ({ homePage, clusterPage, clusterDetailsPage, clientCredentialsDetailsPage, request, }) => {
+        clientName = `operate-deny-${await (0, _setup_1.generateRandomStringAsync)(5)}`;
+        await _8_6_1.test.step('Add API Client to Cluster', async () => {
+            await homePage.clickClusters();
+            await clusterPage.clickClusterLink(clusterName);
+            await clusterDetailsPage.clickAPITab();
+            await clusterDetailsPage.createAPIClient(clientName);
+            await clusterDetailsPage.clickCloseModalButton();
+            await (0, test_1.expect)(clusterDetailsPage.clientsList.filter({ hasText: clientName })).toBeVisible({ timeout: 6000 });
+        });
+        let operateUrl = '';
+        await _8_6_1.test.step('Capture Operate URL from client credentials page and close it', async () => {
+            await clusterDetailsPage.searchAndClickClientCredentialsLink(clientName);
+            operateUrl = await clientCredentialsDetailsPage.getOperateUrl();
+            (0, test_1.expect)(operateUrl).toMatch(/^https?:\/\//);
+            await clientCredentialsDetailsPage.goBack();
+            await clusterDetailsPage.clickAPITab();
+        });
+        await _8_6_1.test.step('POST search endpoint without auth should be rejected', async () => {
+            const sanitizedOperateUrl = (0, urlHelpers_1.sanitizeUrl)(operateUrl);
+            const response = await request.post(`${sanitizedOperateUrl}/v1/process-definitions/search`, {
+                data: { filter: {}, size: 10 },
+            });
+            (0, test_1.expect)(response.status()).toBe(403);
+            const body = await response.json();
+            (0, test_1.expect)(body.status).toBe(403);
+            (0, test_1.expect)(body.error).toBe('Forbidden');
+        });
+    });
+});

package/dist/tests/8.8/operate-access-flow.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tests/8.8/operate-access-flow.spec.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const test_1 = require("@playwright/test");
+const _8_8_1 = require("../../fixtures/8.8");
+const UtilitiesPage_1 = require("../../pages/8.8/UtilitiesPage");
+const _setup_1 = require("../../test-setup.js");
+const users_1 = require("../../utils/users");
+const urlHelpers_1 = require("../../utils/urlHelpers");
+const testUser = (0, users_1.getTestUser)('twentySecondUser');
+// This test covers the manual scenario: create a new API client via UI, copy the Operate URL, and verify the Operate endpoint denies unauthenticated access.
+_8_8_1.test.describe.configure({ mode: 'parallel' });
+_8_8_1.test.describe('Operate access requires authentication @tasklistV2', () => {
+    let clientName;
+    const clusterName = 'Test Cluster';
+    _8_8_1.test.beforeEach(async ({ page, loginPage }, testInfo) => {
+        await (0, UtilitiesPage_1.loginWithRetry)(page, loginPage, testUser, (testInfo.workerIndex + 1) * 1000);
+    });
+    _8_8_1.test.afterEach(async ({ page, homePage, clusterPage, clusterDetailsPage }, testInfo) => {
+        await (0, _setup_1.captureScreenshot)(page, testInfo);
+        await (0, _setup_1.captureFailureVideo)(page, testInfo);
+        if (clientName) {
+            await homePage.clickClusters();
+            await clusterPage.clickClusterLink(clusterName);
+            await clusterDetailsPage.clickAPITab();
+            await clusterDetailsPage.deleteAPIClientsIfExist(clientName);
+        }
+    });
+    (0, _8_8_1.test)('check that request POST /v2/process-definitions/search returns 401 without credentials', async ({ homePage, clusterPage, clusterDetailsPage, clientCredentialsDetailsPage, request, }) => {
+        clientName = `operate-deny-${await (0, _setup_1.generateRandomStringAsync)(5)}`;
+        await _8_8_1.test.step('Add API Client to Cluster', async () => {
+            await homePage.clickClusters();
+            await clusterPage.clickClusterLink(clusterName);
+            await clusterDetailsPage.clickAPITab();
+            await clusterDetailsPage.createAPIClient(clientName);
+            await clusterDetailsPage.clickCloseModalButton();
+            await (0, test_1.expect)(clusterDetailsPage.clientsList.filter({ hasText: clientName })).toBeVisible({ timeout: 6000 });
+        });
+        let operateUrl = '';
+        await _8_8_1.test.step('Capture Operate URL from client credentials page and close it', async () => {
+            await clusterDetailsPage.searchAndClickClientCredentialsLink(clientName);
+            operateUrl = await clientCredentialsDetailsPage.getOperateUrl();
+            (0, test_1.expect)(operateUrl).toMatch(/^https?:\/\//);
+            await clientCredentialsDetailsPage.goBack();
+            await clusterDetailsPage.clickAPITab();
+        });
+        await _8_8_1.test.step('POST search endpoint without auth should be rejected', async () => {
+            const sanitizedOperateUrl = (0, urlHelpers_1.sanitizeUrl)(operateUrl);
+            const response = await request.post(`${sanitizedOperateUrl}/v2/process-definitions/search`, {
+                data: { filter: {}, size: 10 },
+            });
+            (0, test_1.expect)(response.status()).toBe(401);
+            const body = await response.text();
+            (0, test_1.expect)(body).toBe('');
+        });
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@camunda/e2e-test-suite",
-  "version": "0.0.232",
+  "version": "0.0.234",
   "description": "End-to-end test helpers for Camunda 8",
   "repository": {
     "type": "git",