@matware/e2e-runner 1.2.1 → 1.3.0

package/.opencode/skills/e2e-testing/references/graphql.md

@@ -0,0 +1,59 @@
+# GraphQL Action Reference
+
+The `gql` action executes GraphQL queries and mutations via browser `fetch`, with automatic auth token injection from `localStorage`. It also installs a `window.__e2eGql(query, vars)` helper for use in subsequent `evaluate` actions.
+
+## Action Fields
+
+| Action | Fields | Behavior |
+|--------|--------|----------|
+| `gql` | `value` (query string, required), `text` (variables JSON, optional), `selector` (assertion JS expression, optional) | Sends a GraphQL request to the configured endpoint. Reads auth token from localStorage. Throws on GraphQL errors. Returns `{ value: response.data }`. Stores full response on `window.__e2eLastGql`. |
+
+## Config Fields
+
+| Field | Default | Env Var | CLI Flag |
+|-------|---------|---------|----------|
+| `gqlEndpoint` | `/api/graphql` | `GQL_ENDPOINT` | `--gql-endpoint` |
+| `gqlAuthHeader` | `Authorization` | `GQL_AUTH_HEADER` | `--gql-auth-header` |
+| `gqlAuthKey` | `accessToken` | `GQL_AUTH_KEY` | `--gql-auth-key` |
+| `gqlAuthPrefix` | `Bearer ` | `GQL_AUTH_PREFIX` | `--gql-auth-prefix` |
+
+The endpoint path is appended to `location.origin`. The auth token is read from `localStorage[gqlAuthKey]` and sent as `gqlAuthHeader: gqlAuthPrefix + token`.
+
+## Examples
+
+### Basic query
+```json
+{ "type": "gql", "value": "{ users { id name } }" }
+```
+
+### With variables
+```json
+{ "type": "gql", "value": "query($id: ID, $orgId: ID) { orders(userId: $id, orgId: $orgId) { orderId status } }", "text": "{\"id\": \"abc-123\", \"orgId\": \"org-456\"}" }
+```
+
+### With inline assertion (selector field)
+```json
+// selector is a JS expression where `r` is the full GraphQL response
+{ "type": "gql", "value": "{ pendingOrders(userId: \"abc-123\") { status } }", "selector": "r.data.pendingOrders.some(o => o.status === 'CANCELLED') ? 'FAIL: cancelled order found in pending list' : 'OK: all pending'" }
+```
+
+### Using the installed helper in evaluate
+```json
+// After any gql action runs, window.__e2eGql(query, vars) is available
+{ "type": "gql", "value": "{ __typename }" }
+{ "type": "evaluate", "value": "(async () => { const r = await window.__e2eGql('query { orders(status: [PROCESSING]) { orderId } }'); for (const o of r.data.orders) await window.__e2eGql('mutation($id: ID, $input: OrderInput) { updateOrder(orderId: $id, input: $input) { orderId } }', { id: o.orderId, input: { status: 'COMPLETED' } }); return 'Updated ' + r.data.orders.length; })()" }
+```
+
+## Custom Auth Header Config
+
+If your API uses a non-standard auth header (e.g., `x-api-key` instead of `Authorization`):
+
+```js
+// e2e.config.js
+export default {
+  gqlEndpoint: '/api/graphql',
+  gqlAuthHeader: 'x-api-key',   // custom header name
+  gqlAuthKey: 'apiToken',       // localStorage key to read from
+  gqlAuthPrefix: '',             // no 'Bearer ' prefix — raw token
+};
+```

package/.opencode/skills/e2e-testing/references/issue-verification.md

@@ -0,0 +1,59 @@
+# Issue-to-Test Verification Reference
+
+Turns bug reports and feature requests into executable E2E tests.
+
+## Supported Providers
+
+- **GitHub** (`github.com`) — requires `gh` CLI (`gh auth login`)
+- **GitLab** (including self-hosted) — requires `glab` CLI (`glab auth login`)
+
+Auto-detected from URL. All external commands use `execFileSync` (no shell injection).
+
+## Two AI Modes
+
+### 1. Prompt Mode (default, no API key)
+
+`e2e_issue` MCP tool returns issue details + a structured prompt. Claude Code then uses `e2e_create_test` to create tests and `e2e_run` to execute them.
+
+### 2. Verify Mode (requires `ANTHROPIC_API_KEY`)
+
+Calls Claude API directly to generate tests, runs them, and reports whether the bug is confirmed or not reproducible.
+
+## Config Fields
+
+| Field | Description | Env Var |
+|-------|-------------|---------|
+| `anthropicApiKey` | Required for verify/generate mode | `ANTHROPIC_API_KEY` |
+| `anthropicModel` | Claude model for generation (default: `claude-sonnet-4-5-20250929`) | `ANTHROPIC_MODEL` |
+
+## Bug Verification Logic
+
+Generated tests assert **correct** behavior:
+- **Test failure** = bug confirmed (expected behavior doesn't match reality)
+- **All tests pass** = not reproducible
+
+## Test Categories (`testType`)
+
+The `--test-type` CLI flag (or `testType` MCP parameter) controls what kind of tests the AI generates:
+
+- **`e2e`** (default): UI-driven tests — navigate pages, interact with elements (click, type, select), verify visible state. Never uses `evaluate` for API calls.
+- **`api`**: Backend API tests — use `evaluate` actions for GraphQL/REST calls, assert response shapes and values. No UI interaction needed.
+
+CLI: `e2e-runner issue <url> --generate --test-type api`
+MCP: `e2e_issue({ url, testType: "api" })`
+
+## GitLab Limitations
+
+- Requires `glab` CLI installed and authenticated (`glab auth login`)
+- Self-hosted GitLab instances supported via URL detection
+- Verify mode works with GitLab issues but does NOT post comments back to the issue
+- Private repos require `glab` to be authenticated with appropriate access
+- The `authToken`/`authStorageKey` params on `e2e_issue` are for the **app under test**, not for GitLab API auth
+
+## Key Files
+
+| File | Purpose |
+|------|---------|
+| `src/issues.js` | GitHub/GitLab provider drivers |
+| `src/ai-generate.js` | AI prompt builder + Claude API |
+| `src/verify.js` | Verification orchestrator: fetch + generate + run |

package/.opencode/skills/e2e-testing/references/multi-pool.md

@@ -0,0 +1,60 @@
+# Multi-Pool Support
+
+A single runner can distribute tests across multiple Chrome pools on different machines. `src/pool-manager.js` abstracts pool selection behind a **least-pressure** strategy. `poolUrl` (singular string) remains fully backwards compatible.
+
+## Configuration
+
+```js
+// Single pool (unchanged)
+export default { poolUrl: 'ws://localhost:3333' };
+
+// Multi-pool — tests distribute across all pools
+export default {
+  poolUrls: ['ws://machine1:3333', 'ws://machine2:3333'],
+  concurrency: 15,
+};
+
+// CI environment profile
+export default {
+  poolUrl: 'ws://localhost:3333',
+  environments: {
+    ci: { poolUrls: ['ws://ci-chrome1:3333', 'ws://ci-chrome2:3333'], concurrency: 10 },
+  },
+};
+```
+
+**CLI:** `e2e-runner run --all --pool-urls ws://m1:3333,ws://m2:3333`
+**Env:** `CHROME_POOL_URLS=ws://m1:3333,ws://m2:3333` (comma-separated)
+
+## Pool Selection Algorithm (`selectPool`)
+
+1. Query all pools' `/pressure` in parallel
+2. Filter to reachable pools with `running < maxConcurrent`
+3. Sort by: lowest `running/maxConcurrent` → fewest queued → most free slots
+4. Return best candidate URL
+5. If all full, poll every 2s up to 60s, then pick least-pressured anyway
+
+## Pool-Aware Queue
+
+Before opening a browser connection, each worker checks the pool's `/pressure` endpoint. If the pool is at capacity, the worker waits (polling every 2s, up to 60s) for a free slot instead of piling requests into browserless's internal queue. This prevents memory pressure and SIGKILL of Chrome processes under heavy load.
+
+## Failure Resilience
+
+Dead pools are excluded from selection. `waitForAnyPool` succeeds if any pool responds. Failed connections trigger re-selection on the next worker.
+
+## Config Normalization in `loadConfig()`
+
+- If `poolUrls` array is set → `config._poolUrls = poolUrls`, `config.poolUrl = poolUrls[0]`
+- Else → `config._poolUrls = [config.poolUrl]`
+- `config.poolUrls` is deleted after normalization (use `config._poolUrls` internally)
+
+## Key Functions (`src/pool-manager.js`)
+
+| Function | Purpose |
+|----------|---------|
+| `getPoolUrls(config)` | Returns `config._poolUrls` (always an array) |
+| `getAllPoolStatuses(poolUrls)` | Fetches `/pressure` from all pools in parallel |
+| `getAggregatedPoolStatus(poolUrls)` | Combined view: `totalRunning`, `totalMaxConcurrent`, per-pool details |
+| `waitForAnyPool(poolUrls)` | Blocks until at least one pool is reachable + available |
+| `selectPool(poolUrls)` | Picks pool with lowest pressure ratio |
+| `selectAndConnect(config)` | Convenience: selectPool + connectToPool in one call |

package/.opencode/skills/e2e-testing/references/network-debugging.md

@@ -0,0 +1,62 @@
+# Network Debugging Reference
+
+## Network Error Handling
+
+### `assert_no_network_errors` action
+
+Checks accumulated `requestfailed` events during the test. If any network errors exist (e.g., `net::ERR_CONNECTION_REFUSED`), the test fails with details of each error URL. Place after critical page loads.
+
+### `failOnNetworkError` config option
+
+When `true`, automatically fails any test that has network errors after all actions complete. Default: `false` (opt-in).
+
+Set via: config `failOnNetworkError: true` | CLI `--fail-on-network-error` | env `FAIL_ON_NETWORK_ERROR=true` | MCP `failOnNetworkError: true`
+
+### `networkIgnoreDomains` config option
+
+Array of domain substrings to filter from network error tracking. Errors from matching URLs are silently dropped by both `assert_no_network_errors` and `failOnNetworkError`.
+
+Set via: config `networkIgnoreDomains: ['google-analytics.com', 'fonts.googleapis.com']` | CLI `--network-ignore-domains ga.com,fonts.com` | env `NETWORK_IGNORE_DOMAINS=ga.com,fonts.com` (comma-separated)
+
+## Network Request/Response Logging
+
+All XHR/fetch requests are captured with full detail regardless of status code:
+
+- `url`, `method`, `status`, `statusText`, `duration`
+- `requestHeaders` — all request headers as object
+- `requestBody` — POST body (from `req.postData()`)
+- `responseHeaders` — all response headers as object
+- `responseBody` — full response text (truncated at 50KB)
+
+Response bodies are read asynchronously and flushed via `Promise.allSettled` before the browser disconnects. Data is stored in the `network_logs` column in SQLite and displayed in the dashboard.
+
+## MCP Response Optimization
+
+The `e2e_run` MCP tool returns a compact `networkSummary` instead of full logs (~5KB vs ~400KB):
+
+```json
+{
+  "networkSummary": [{
+    "name": "test-name",
+    "totalRequests": 37,
+    "statusDistribution": { "2xx": 30, "3xx": 5, "4xx": 1, "5xx": 0, "other": 1 },
+    "avgDurationMs": 245,
+    "failedRequests": [{ "url": "/api/x", "method": "POST", "status": 500 }],
+    "slowestRequests": [{ "url": "/api/y", "method": "GET", "status": 200, "duration": 1200 }]
+  }]
+}
+```
+
+## Drill-Down Pattern
+
+The response includes `runDbId` — the SQLite row ID. Use it with `e2e_network_logs` to drill down:
+
+```
+1. e2e_run → compact summary + runDbId
+2. e2e_network_logs(runDbId) → all requests (url, method, status, duration)
+3. e2e_network_logs(runDbId, errorsOnly: true) → only failed requests
+4. e2e_network_logs(runDbId, includeHeaders: true) → with headers
+5. e2e_network_logs(runDbId, includeBodies: true) → full request/response bodies
+```
+
+Dashboard REST equivalent: `GET /api/db/runs/:id/network-logs?testName=X&errorsOnly=true&includeHeaders=true`

package/.opencode/skills/e2e-testing/references/test-json-format.md

@@ -0,0 +1,163 @@
+# Test JSON Format Reference
+
+## Basic Format (Array)
+
+A test file is a JSON array of test objects:
+
+```json
+[
+  {
+    "name": "test-name",
+    "actions": [
+      { "type": "goto", "value": "/page" },
+      { "type": "assert_text", "text": "Expected content" }
+    ]
+  }
+]
+```
+
+## Object Format (with Hooks)
+
+When hooks are needed, use the object format:
+
+```json
+{
+  "hooks": {
+    "beforeAll": [{ "type": "goto", "value": "/setup" }],
+    "beforeEach": [{ "type": "goto", "value": "/" }],
+    "afterEach": [],
+    "afterAll": []
+  },
+  "tests": [
+    { "name": "test-1", "actions": [...] }
+  ]
+}
+```
+
+**Hook lifecycle:**
+- `beforeAll` — runs once before all tests (on a separate browser page, state does NOT carry over)
+- `beforeEach` — runs before each individual test (on the test's own page)
+- `afterEach` — runs after each test
+- `afterAll` — runs once after all tests
+
+> **Warning**: `beforeAll` runs on a separate page that closes before tests start. Don't use it for browser state setup (cookies, localStorage). Use `beforeEach` instead.
+
+## Test Options
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `name` | string | **Required.** Test identifier. |
+| `actions` | array | **Required.** Sequential browser actions. |
+| `expect` | string | Visual verification description. Triggers auto-screenshot + AI judgment. |
+| `serial` | boolean | Run sequentially after all parallel tests (for shared state). |
+| `retries` | number | Per-test retry count on failure. Overrides global config. |
+| `timeout` | number | Per-test timeout in ms. Overrides global `testTimeout` (default 60000). |
+
+## Serial Tests
+
+Tests that share mutable state should be marked serial to prevent race conditions:
+
+```json
+{ "name": "create-record", "serial": true, "actions": [...] },
+{ "name": "verify-record", "serial": true, "actions": [...] }
+```
+
+Serial tests run one-at-a-time **after** all parallel tests finish.
+
+## Retry Behavior
+
+### Test-level retries
+```json
+{ "name": "flaky-test", "retries": 3, "actions": [...] }
+```
+
+Or globally: `--retries 2` / `retries: 2` in config. Each retry gets its own timeout. Flaky tests (pass after retry) are logged as "flaky".
+
+### Action-level retries
+```json
+{ "type": "click", "selector": "#dynamic-btn", "retries": 3 }
+```
+
+Or globally: `--action-retries 2`. Delay between action retries: `actionRetryDelay` (default 500ms).
+
+## Reusable Modules
+
+Create modules with `e2e_create_module`, reference them in tests:
+
+```json
+{
+  "name": "login-test",
+  "actions": [
+    { "$use": "auth-login", "params": { "email": "admin@test.com", "password": "secret" } },
+    { "type": "assert_url", "value": "/dashboard" }
+  ]
+}
+```
+
+Module definition (in `e2e/modules/auth-login.json`):
+```json
+{
+  "$module": "auth-login",
+  "description": "Log in with email/password",
+  "params": {
+    "email": { "required": true, "description": "User email" },
+    "password": { "required": true, "description": "User password" }
+  },
+  "actions": [
+    { "type": "goto", "value": "/login" },
+    { "type": "type", "selector": "#email", "value": "{{email}}" },
+    { "type": "type", "selector": "#password", "value": "{{password}}" },
+    { "type": "click", "text": "Sign In" },
+    { "type": "wait", "selector": ".dashboard" }
+  ]
+}
+```
+
+## Suite Naming & Ordering
+
+Files can have numeric prefixes for execution order:
+- `01-auth.json`, `02-dashboard.json`, `03-settings.json`
+
+The `--suite` flag strips the prefix when matching: `--suite auth` finds `01-auth.json`.
+
+## Excluding Tests
+
+Use `exclude` in config to skip files when running `--all`:
+
+```js
+// e2e.config.js
+export default {
+  exclude: ['explore-*', 'debug-*', 'draft-*']
+};
+```
+
+Individual `--suite` runs are not affected by exclude patterns.
+
+## Environment Profiles
+
+Define named profiles in config:
+
+```js
+// e2e.config.js
+export default {
+  baseUrl: 'http://host.docker.internal:3000',
+  environments: {
+    staging: { baseUrl: 'https://staging.example.com' },
+    production: { baseUrl: 'https://example.com', concurrency: 5 }
+  }
+};
+```
+
+Activate with `--env staging` or `E2E_ENV=staging`. Profile values override all other config.
+
+## CI Output Formats
+
+Use `--output <format>` to control report output: `json` (default), `junit` (JUnit XML), or `both`. JUnit XML is generated without external dependencies and saved to `{screenshotsDir}/junit.xml`. The `generateJUnitXML()` function is also exported from the programmatic API.
+
+## Config Priority (ascending)
+
+1. Hardcoded defaults
+2. `e2e.config.js` or `e2e.config.json`
+3. Environment variables (`BASE_URL`, `CONCURRENCY`, etc.)
+4. CLI flags (`--base-url`, `--concurrency`, etc.)
+5. Environment profile merge (via `--env`)

package/.opencode/skills/e2e-testing/references/troubleshooting.md

@@ -0,0 +1,224 @@
+# Troubleshooting Guide
+
+## Pool Connection Issues
+
+### "Pool not reachable" / Connection refused
+
+**Cause**: Chrome pool (browserless/chrome Docker container) is not running.
+
+**Fix**:
+```bash
+npx e2e-runner pool start
+npx e2e-runner pool status   # verify it's running
+```
+
+Pool management is CLI-only — `pool start` and `pool stop` are not available via MCP.
+
+### "Pool at capacity" / Tests queuing
+
+**Cause**: All Chrome sessions are occupied.
+
+**Fix**: Increase capacity or reduce concurrency:
+```bash
+npx e2e-runner pool stop
+npx e2e-runner pool start --max-sessions 10
+```
+Or reduce test concurrency: `--concurrency 2`
+
+The runner checks `/pressure` before each connection and waits up to 60s for a free slot.
+
+### Docker not running
+
+**Cause**: Docker daemon is not started.
+
+**Fix**: Start Docker Desktop or `sudo systemctl start docker`, then `npx e2e-runner pool start`.
+
+## React / SPA Issues
+
+### React inputs not updating state
+
+**Symptom**: `type` action enters text but React state doesn't change (form validation fails, submit disabled).
+
+**Fix**: Use `type_react` instead of `type` for React controlled inputs:
+```json
+{ "type": "type_react", "selector": "#email", "value": "user@test.com" }
+```
+
+`type_react` uses the native value setter and dispatches `input` + `change` events that React's synthetic event system recognizes.
+
+### SPA navigation not completing
+
+**Symptom**: `goto` hangs or times out on client-side route changes.
+
+**Fix**: Use `navigate` instead of `goto` for SPA route changes:
+```json
+{ "type": "navigate", "value": "/new-page" }
+```
+
+`navigate` uses a 5s race timeout and won't block if `load` doesn't fire (common in SPAs).
+
+### MUI autocomplete not opening
+
+**Symptom**: Clicking or typing in an MUI Autocomplete doesn't open the dropdown.
+
+**Fix**: Use `focus_autocomplete` to properly focus by label text:
+```json
+{ "type": "focus_autocomplete", "text": "Search by name" },
+{ "type": "type_react", "selector": "#autocomplete-input", "value": "search term" },
+{ "type": "click_option", "text": "Desired option" }
+```
+
+## Flaky Tests
+
+### Intermittent failures on dynamic content
+
+**Symptom**: Tests pass sometimes, fail others. Usually timing-related.
+
+**Fixes**:
+1. Add explicit `wait` before assertions:
+   ```json
+   { "type": "wait", "selector": ".data-loaded" },
+   { "type": "assert_text", "text": "Expected content" }
+   ```
+
+2. Use action-level retries for known flaky selectors:
+   ```json
+   { "type": "click", "selector": "#dynamic-btn", "retries": 3 }
+   ```
+
+3. Use test-level retries:
+   ```json
+   { "name": "flaky-test", "retries": 2, "actions": [...] }
+   ```
+
+4. Check the learning system for patterns:
+   ```
+   e2e_learnings("flaky") → identify consistently flaky tests
+   e2e_learnings("selectors") → find unstable selectors
+   ```
+
+### Tests interfering with each other
+
+**Symptom**: Tests pass individually but fail when run together.
+
+**Fix**: Mark tests that share mutable state as `serial`:
+```json
+{ "name": "create-item", "serial": true, "actions": [...] },
+{ "name": "verify-item", "serial": true, "actions": [...] }
+```
+
+## Timeout Issues
+
+### Test timeout (default 60s)
+
+**Fix**: Increase per-test or globally:
+```json
+{ "name": "slow-test", "timeout": 120000, "actions": [...] }
+```
+Or globally: `--test-timeout 120000`
+
+### Action timeout (default 10s)
+
+Each action's `waitForSelector` uses the default timeout. Override per-action:
+```json
+{ "type": "wait", "selector": ".slow-element", "timeout": 30000 }
+```
+Or globally: `--timeout 30000`
+
+## Network Errors
+
+### Tests passing but network requests failing
+
+**Symptom**: Tests pass but `networkSummary` shows failed requests.
+
+**Fix**: Enable strict mode to fail tests with network errors:
+```
+e2e_run({ all: true, failOnNetworkError: true })
+```
+
+Or use `assert_no_network_errors` at specific points:
+```json
+{ "type": "goto", "value": "/api-heavy-page" },
+{ "type": "wait", "selector": ".loaded" },
+{ "type": "assert_no_network_errors" }
+```
+
+### Investigating specific failures
+
+Use network log drill-down:
+```
+e2e_network_logs(runDbId, errorsOnly: true)                    → see all failed requests
+e2e_network_logs(runDbId, urlPattern: "/api/users")             → filter by URL
+e2e_network_logs(runDbId, testName: "create-user", includeBodies: true) → full request/response
+```
+
+## Common Mistakes
+
+### Using `beforeAll` for browser state
+
+`beforeAll` runs on a separate page that closes before tests. Use `beforeEach` for state setup.
+
+### Using `evaluate` for simple assertions
+
+Prefer granular assertion actions over `evaluate` with inline JS:
+```json
+// Bad: verbose, error-prone
+{ "type": "evaluate", "value": "if (!document.querySelector('h1').textContent.includes('Dashboard')) throw 'not found'" }
+
+// Good: clear, auto-waits
+{ "type": "assert_element_text", "selector": "h1", "text": "Dashboard" }
+```
+
+### Forgetting `cwd` in MCP calls
+
+All MCP tools need `cwd` to resolve config files and test directories. Always pass the project root.
+
+### Path-only `assert_url`
+
+When checking paths, use path-only format (starts with `/`):
+```json
+{ "type": "assert_url", "value": "/dashboard" }
+```
+This compares against the pathname only, ignoring the `host.docker.internal` origin.
+
+## Action Type Pre-Validation
+
+All action types are validated at **load time** (before any browser connections). If a test file contains an unknown action type (e.g., a typo like `"clik"`), loading throws immediately with the location:
+
+```
+Unknown action type(s) in auth.json: "clik" in test "login-test"
+```
+
+The `KNOWN_ACTION_TYPES` Set in `src/actions.js` is the single source of truth. Unknown actions also throw at runtime as a safety net.
+
+## Screenshot Hashes
+
+Every screenshot captured during a run is assigned a short hash (`ss:a3f2b1c9`) — the first 8 hex chars of the SHA-256 of its file path. Hashes are deterministic and computed identically on the server (Node `crypto`) and in the browser (Web Crypto API).
+
+**Flow**: screenshot saved on disk → `saveRun()` registers hash in SQLite `screenshot_hashes` table → dashboard shows `[ss:XXXXXXXX]` badge (click to copy) → user pastes hash in Claude Code → `e2e_screenshot` MCP tool looks up hash, reads file, returns the image.
+
+- Hashes are registered inside the `saveRun()` transaction (covers action, error, verification, and baseline screenshots)
+- The `ss:` prefix is optional when calling `e2e_screenshot` — stripped during lookup
+- Dashboard computes hashes client-side (Web Crypto) for the Live view (before `persistRun()` writes to DB)
+- Run detail API (`/api/db/runs/:id`) includes `screenshotHashes` map per test result
+- Dashboard endpoint `/api/screenshot-hash/:hash` serves the image by hash
+- Dashboard Screenshots view has a **search bar** — type a hash to find and display the screenshot
+
+## Web Dashboard
+
+**`src/dashboard.js`** — HTTP server, REST API, WebSocket broadcast, pool polling.
+**`templates/dashboard.html`** — SPA, dark theme, vanilla JS, safe DOM (textContent + createEl helper).
+
+**Features:**
+- Live test execution with WebSocket updates
+- Run history with inline detail expansion
+- Screenshots gallery with hash badges and hash search
+- Network request logs with clickable expandable rows (full request/response detail)
+- Pool status monitoring
+- Multi-project support via project selector
+- Variables tab with masked values, inline edit, add, and delete
+
+**CLI:** `e2e-runner dashboard [--port 8484]`
+**MCP tools:** `e2e_dashboard_start`, `e2e_dashboard_stop`
+
+Config defaults: `dashboardPort: 8484`, `maxHistoryRuns: 100`

package/.opencode/skills/e2e-testing/references/variables.md

@@ -0,0 +1,41 @@
+# Variables Reference
+
+Variables replace hardcoded sensitive values (JWT tokens, user IDs, API keys, etc.) in test JSON. Stored in SQLite (`~/.e2e-runner/dashboard.db`), scoped per project and per suite, editable from the dashboard UI.
+
+## Syntax
+
+```
+{{var.TOKEN}}        → resolves from DB (suite scope → project scope)
+{{env.MY_VAR}}       → resolves from process.env
+{{param}}            → existing module param substitution (unchanged)
+```
+
+**Resolution priority:** suite vars > project vars > error if not found.
+
+## Usage in Test JSON
+
+```json
+{ "$use": "auth-jwt", "params": { "token": "{{var.JWT_TOKEN}}", "orgId": "{{var.ORG_ID}}" } }
+{ "type": "goto", "value": "/users/{{var.USER_ID}}/profile" }
+{ "type": "gql", "value": "{ user(id: \"{{var.USER_ID}}\") { name } }" }
+```
+
+## MCP Tool (`e2e_vars`)
+
+```
+e2e_vars({ action: "set", key: "TOKEN", value: "abc123", scope: "project" })
+e2e_vars({ action: "set", key: "TOKEN", value: "xyz789", scope: "auth" })  // suite-specific override
+e2e_vars({ action: "list" })
+e2e_vars({ action: "get", key: "TOKEN" })
+e2e_vars({ action: "delete", key: "TOKEN", scope: "project" })
+```
+
+## Dashboard UI
+
+Variables tab shows all variables grouped by scope. Values are masked by default (click to reveal). Inline edit, add new, and delete are supported.
+
+## REST API
+
+- `GET /api/db/projects/:id/variables` — list all vars for project
+- `PUT /api/db/projects/:id/variables` — set a variable `{ scope, key, value }`
+- `DELETE /api/db/projects/:id/variables/:scope/:key` — delete a variable