@mars-stack/cli 7.0.5 → 7.0.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mars-stack/cli",
-  "version": "7.0.5",
+  "version": "7.0.6",
   "description": "MARS CLI: scaffold, configure, and maintain SaaS apps",
   "license": "MIT",
   "repository": {

package/template/e2e/README.md

@@ -2,6 +2,26 @@
 
 Browser-level tests for user-visible behaviour. Run: `yarn test:e2e` from the project root (`playwright.config.ts`).
 
+## Smoke (MARS-044)
+
+| Spec | What it covers |
+|------|----------------|
+| `smoke.spec.ts` | Seeded user (`user@example.com` from `scripts/seed.ts`) sign-in → `/settings` → PATCH display name (CSRF); PATCH without CSRF returns 403; mobile viewport sign-in |
+
+Monorepo CI runs this on pull requests via the `template-e2e` job in `.github/workflows/ci.yml` (Postgres service + `E2E_USE_CI_SERVER=1` + `scripts/start-e2e-server.mjs`).
+
+### CI recipe for generated apps
+
+Copy the **`template-e2e`** job from the Mars repo’s `.github/workflows/ci.yml` into your project workflow, or mirror its steps:
+
+1. **Postgres service** (or your own `DATABASE_URL` to a disposable DB).
+2. **Build:** `yarn build` from the app root (after `yarn install`).
+3. **Env for Playwright:** `CI=true`, `E2E_USE_CI_SERVER=1`, `JWT_SECRET` (≥32 chars), `DATABASE_URL`, `NODE_ENV=production`.
+4. **Browsers:** `npx playwright install --with-deps chromium` in the app directory.
+5. **Tests:** `yarn test:e2e` in the app directory (uses `scripts/start-e2e-server.mjs` to `db push`, `db seed`, then `next start`).
+
+If `DATABASE_URL` is missing or wrong, API routes fail at runtime and mutations can surface as 500s instead of deterministic CSRF 403s — fix env before interpreting smoke failures.
+
 ## Monorepo constraint (MARS-041)
 
 The Mars **template package** in this repo is the pre-generator baseline. Most `mars generate` features are **not** present under `template/src/features/` until generators run (as in `scripts/test-scaffold-matrix.ts` with the **kitchen-sink** fixture). Full CLI catalog E2E in CI therefore requires **Option A** from MARS-041: scaffold a max-feature app to a working directory, provision `JWT_SECRET` / `DATABASE_URL`, then run Playwright from **that** tree. Specs in this folder exercise whatever the committed template actually contains (today: auth, public, API baseline); the README inventory below tracks **target** coverage once the scaffolded-app E2E job exists.

package/template/e2e/smoke.spec.ts

@@ -0,0 +1,54 @@
+import { test, expect } from '@playwright/test';
+
+/**
+ * Created by `template/scripts/seed.ts` (run in CI via `start-e2e-server.mjs` before `next start`).
+ * Local: run `yarn db:seed` after schema is applied, or use `yarn dev` (ensure-db) then seed.
+ */
+const SEEDED_USER_EMAIL = 'user@example.com';
+const SEEDED_USER_PASSWORD = 'Password123!';
+
+async function signInWithSeededUser(page: import('@playwright/test').Page): Promise<void> {
+  await page.goto('/sign-in');
+  await page.getByLabel('Email Address').fill(SEEDED_USER_EMAIL);
+  await page.getByLabel('Password', { exact: true }).fill(SEEDED_USER_PASSWORD);
+  await page.getByRole('button', { name: /^sign in$/i }).click();
+  await expect(page).toHaveURL(/\/dashboard/);
+}
+
+test.describe('Critical path smoke (MARS-044)', () => {
+  test.describe.configure({ timeout: 120_000 });
+
+  test('sign-in → settings PATCH display name with CSRF (protected mutation)', async ({ page }) => {
+    await signInWithSeededUser(page);
+
+    await page.goto('/settings');
+    await expect(page.getByRole('heading', { name: 'Settings' })).toBeVisible();
+
+    const uniqueName = `Smoke User ${Date.now()}`;
+    await page.locator('#display-name').fill(uniqueName);
+    await page.getByRole('button', { name: 'Save Name' }).click();
+    await expect(page.getByText('Display name updated.')).toBeVisible();
+  });
+
+  test('PATCH profile without CSRF headers returns 403', async ({ page }) => {
+    await signInWithSeededUser(page);
+
+    const status = await page.evaluate(async () => {
+      const response = await fetch('/api/protected/user/profile', {
+        method: 'PATCH',
+        credentials: 'include',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ name: 'Should Not Apply' }),
+      });
+      return response.status;
+    });
+
+    expect(status).toBe(403);
+  });
+
+  test('sign-in path is usable at ~375px width', async ({ page }) => {
+    await page.setViewportSize({ width: 375, height: 667 });
+    await signInWithSeededUser(page);
+    await expect(page.getByRole('heading', { name: 'Dashboard' })).toBeVisible();
+  });
+});

package/template/playwright.config.ts

@@ -1,4 +1,15 @@
 import { defineConfig, devices } from '@playwright/test';
+import dotenv from 'dotenv';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+/** So `next start` (production) sees DATABASE_URL from local dev setup; CI uses explicit env. */
+if (!process.env.CI && process.env.E2E_USE_CI_SERVER !== '1') {
+  dotenv.config({ path: resolve(__dirname, '.env.development.local') });
+  dotenv.config({ path: resolve(__dirname, '.env.local') });
+}
 
 export default defineConfig({
   testDir: './e2e',
@@ -22,10 +33,20 @@ export default defineConfig({
       use: { ...devices['iPhone 14'] },
     },
   ],
-  webServer: {
-    command: 'yarn build && yarn start',
-    url: 'http://localhost:3000',
-    reuseExistingServer: !process.env.CI,
-    timeout: 120_000,
-  },
+  webServer:
+    process.env.E2E_USE_CI_SERVER === '1'
+      ? {
+          command: 'node scripts/start-e2e-server.mjs',
+          url: 'http://localhost:3000',
+          reuseExistingServer: false,
+          timeout: 180_000,
+          env: { ...process.env, MARS_CI_TEMPLATE_E2E: '1' },
+        }
+      : {
+          command: 'node scripts/playwright-web-server.mjs',
+          url: 'http://localhost:3000',
+          // Always boot a fresh server so DATABASE_URL from ensure-db is not shadowed by an old `next start`.
+          reuseExistingServer: false,
+          timeout: 300_000,
+        },
 });

package/template/scripts/playwright-web-server.mjs

@@ -0,0 +1,20 @@
+#!/usr/bin/env node
+/**
+ * Playwright webServer for local `yarn test:e2e` (not CI).
+ * Runs ensure-db then `yarn dev` so Next loads `.env.development.local`.
+ * CI uses `E2E_USE_CI_SERVER=1` and `start-e2e-server.mjs` instead.
+ */
+import { spawn } from 'node:child_process';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '..');
+
+const child = spawn('sh', ['-c', 'node scripts/ensure-db.mjs && yarn dev'], {
+  cwd: ROOT,
+  stdio: 'inherit',
+  shell: false,
+  env: process.env,
+});
+
+child.on('exit', (code) => process.exit(code ?? 0));

package/template/scripts/start-e2e-server.mjs

@@ -0,0 +1,35 @@
+#!/usr/bin/env node
+/**
+ * Production server bootstrap for Playwright E2E in CI.
+ * Local runs use `yarn build && yarn start` from playwright.config (DB already provisioned via `yarn dev` or manual db push).
+ */
+import { spawnSync } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+import { dirname, resolve } from 'node:path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const ROOT = resolve(__dirname, '..');
+
+function run(cmd, args) {
+  const r = spawnSync(cmd, args, {
+    cwd: ROOT,
+    stdio: 'inherit',
+    env: {
+      ...process.env,
+      NODE_ENV: 'production',
+      MARS_CI_TEMPLATE_E2E: '1',
+    },
+  });
+  if (r.status !== 0) {
+    process.exit(r.status ?? 1);
+  }
+}
+
+if (!process.env.DATABASE_URL?.trim()) {
+  console.error('start-e2e-server: DATABASE_URL must be set for CI E2E.');
+  process.exit(1);
+}
+
+run('npx', ['prisma', 'db', 'push']);
+run('npx', ['prisma', 'db', 'seed']);
+run('npx', ['next', 'start', '-p', '3000']);