@open-mercato/core 0.4.9-develop-e55592929f → 0.4.9-develop-97d4cca067

package/dist/testing/integration/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/testing/integration/index.ts"],
+  "sourcesContent": ["export { getAuthToken, apiRequest, postForm } from '../../helpers/integration/api'\nexport { DEFAULT_CREDENTIALS, type Role } from '../../helpers/integration/auth'\nexport { createUserViaUi } from '../../helpers/integration/authUi'\nexport {\n  createCompanyFixture,\n  createPersonFixture,\n  createDealFixture,\n  createPipelineFixture,\n  createPipelineStageFixture,\n  deleteEntityByBody,\n  deleteEntityIfExists,\n} from '../../helpers/integration/crmFixtures'\nexport {\n  readJsonSafe,\n  getTokenContext,\n  getTokenScope,\n  expectId,\n  deleteEntityByPathIfExists,\n  deleteGeneralEntityIfExists,\n} from '../../helpers/integration/generalFixtures'\nexport { createDictionaryFixture } from '../../helpers/integration/dictionariesFixtures'\nexport { createRoleFixture, deleteRoleIfExists, createUserFixture, deleteUserIfExists } from '../../helpers/integration/authFixtures'\n"],
+  "mappings": "AAAA,SAAS,cAAc,YAAY,gBAAgB;AACnD,SAAS,2BAAsC;AAC/C,SAAS,uBAAuB;AAChC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,+BAA+B;AACxC,SAAS,mBAAmB,oBAAoB,mBAAmB,0BAA0B;",
+  "names": []
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/core",
-  "version": "0.4.9-develop-e55592929f",
+  "version": "0.4.9-develop-97d4cca067",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -25,6 +25,14 @@
   },
   "exports": {
     ".": "./dist/index.js",
+    "./testing/integration": {
+      "types": "./src/testing/integration/index.ts",
+      "default": "./dist/testing/integration/index.js"
+    },
+    "./helpers/integration/*": {
+      "types": "./src/helpers/integration/*.ts",
+      "default": "./dist/helpers/integration/*.js"
+    },
     "./modules/customers": {
       "types": "./src/modules/customers/index.ts",
       "default": "./dist/modules/customers/index.js"
@@ -217,10 +225,10 @@
     "semver": "^7.6.3"
   },
   "peerDependencies": {
-    "@open-mercato/shared": "0.4.9-develop-e55592929f"
+    "@open-mercato/shared": "0.4.9-develop-97d4cca067"
   },
   "devDependencies": {
-    "@open-mercato/shared": "0.4.9-develop-e55592929f",
+    "@open-mercato/shared": "0.4.9-develop-97d4cca067",
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.1",

package/src/helpers/integration/api.ts

@@ -0,0 +1,87 @@
+import { type APIRequestContext } from '@playwright/test';
+import { DEFAULT_CREDENTIALS, type Role } from './auth';
+
+const BASE_URL = process.env.BASE_URL?.trim() || null;
+
+function resolveUrl(path: string): string {
+  return BASE_URL ? `${BASE_URL}${path}` : path;
+}
+
+export async function getAuthToken(
+  request: APIRequestContext,
+  roleOrEmail: Role | string = 'admin',
+  password?: string,
+): Promise<string> {
+  const role = roleOrEmail in DEFAULT_CREDENTIALS ? (roleOrEmail as Role) : null;
+  const credentialAttempts: Array<{ email: string; password: string }> = [];
+
+  if (role) {
+    const configured = DEFAULT_CREDENTIALS[role];
+    credentialAttempts.push({ email: configured.email, password: password ?? configured.password });
+    if (!password) {
+      credentialAttempts.push({ email: `${role}@acme.com`, password: 'secret' });
+    }
+  } else {
+    credentialAttempts.push({ email: roleOrEmail, password: password ?? 'secret' });
+  }
+
+  let lastStatus = 0;
+
+  for (const attempt of credentialAttempts) {
+    const form = new URLSearchParams();
+    form.set('email', attempt.email);
+    form.set('password', attempt.password);
+
+    const response = await request.post(resolveUrl('/api/auth/login'), {
+      headers: {
+        'content-type': 'application/x-www-form-urlencoded',
+      },
+      data: form.toString(),
+    });
+
+    const raw = await response.text();
+    let body: Record<string, unknown> | null = null;
+    try {
+      body = raw ? (JSON.parse(raw) as Record<string, unknown>) : null;
+    } catch {
+      body = null;
+    }
+
+    lastStatus = response.status();
+    if (response.ok() && body && typeof body.token === 'string' && body.token) {
+      return body.token;
+    }
+  }
+
+  throw new Error(`Failed to obtain auth token (status ${lastStatus})`);
+}
+
+export async function apiRequest(
+  request: APIRequestContext,
+  method: string,
+  path: string,
+  options: { token: string; data?: unknown },
+) {
+  const headers = {
+    Authorization: `Bearer ${options.token}`,
+    'Content-Type': 'application/json',
+  };
+  return request.fetch(resolveUrl(path), { method, headers, data: options.data });
+}
+
+export async function postForm(
+  request: APIRequestContext,
+  path: string,
+  data: Record<string, string>,
+  options?: { headers?: Record<string, string> },
+) {
+  const form = new URLSearchParams();
+  for (const [key, value] of Object.entries(data)) form.set(key, value);
+  return request.post(resolveUrl(path), {
+    headers: {
+      'content-type': 'application/x-www-form-urlencoded',
+      ...(options?.headers ?? {}),
+    },
+    data: form.toString(),
+  });
+}

package/src/helpers/integration/apiKeysFixtures.ts

@@ -0,0 +1,17 @@
+import { expect, type APIRequestContext } from '@playwright/test';
+import { apiRequest } from './api';
+
+export async function createApiKeyFixture(
+  request: APIRequestContext,
+  token: string,
+  name: string,
+): Promise<{ id: string; secret: string }> {
+  const response = await apiRequest(request, 'POST', '/api/api_keys/keys', {
+    token,
+    data: { name },
+  });
+  expect(response.ok(), `Failed to create API key fixture: ${response.status()}`).toBeTruthy();
+  const body = (await response.json()) as { id?: string; secret?: string };
+  expect(typeof body.id === 'string' && body.id.length > 0).toBeTruthy();
+  return { id: body.id as string, secret: body.secret ?? '' };
+}

package/src/helpers/integration/attachmentsFixtures.ts

@@ -0,0 +1,114 @@
+import { expect, type APIRequestContext } from '@playwright/test';
+import { apiRequest } from './api';
+import { expectId, readJsonSafe } from './generalFixtures';
+
+const BASE_URL = process.env.BASE_URL?.trim() || 'http://localhost:3000';
+
+type AttachmentAssignment = {
+  type: string;
+  id: string;
+  href?: string | null;
+  label?: string | null;
+};
+
+type MultipartFieldValue =
+  | string
+  | number
+  | boolean
+  | {
+      name: string;
+      mimeType: string;
+      buffer: Buffer;
+    };
+
+function resolveApiUrl(path: string): string {
+  return `${BASE_URL}${path}`;
+}
+
+export async function uploadAttachmentFixture(
+  request: APIRequestContext,
+  token: string,
+  input: {
+    entityId: string;
+    recordId: string;
+    fileName: string;
+    mimeType: string;
+    buffer: Buffer;
+    partitionCode?: string;
+    tags?: string[];
+    assignments?: AttachmentAssignment[];
+  },
+): Promise<{
+  id: string;
+  partitionCode: string;
+  fileName: string;
+  tags: string[];
+  assignments: AttachmentAssignment[];
+}> {
+  const multipart: Record<string, MultipartFieldValue> = {
+    entityId: input.entityId,
+    recordId: input.recordId,
+    file: {
+      name: input.fileName,
+      mimeType: input.mimeType,
+      buffer: input.buffer,
+    },
+  };
+  if (input.partitionCode) multipart.partitionCode = input.partitionCode;
+  if (input.tags) multipart.tags = JSON.stringify(input.tags);
+  if (input.assignments) multipart.assignments = JSON.stringify(input.assignments);
+
+  const response = await request.fetch(resolveApiUrl('/api/attachments'), {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    multipart,
+  });
+  const body = await readJsonSafe<{
+    ok?: boolean;
+    item?: {
+      id?: string;
+      partitionCode?: string;
+      fileName?: string;
+      tags?: string[];
+      assignments?: AttachmentAssignment[];
+    };
+  }>(response);
+  expect(response.status(), 'POST /api/attachments should return 200').toBe(200);
+  return {
+    id: expectId(body?.item?.id, 'Attachment upload response should include item.id'),
+    partitionCode: String(body?.item?.partitionCode ?? ''),
+    fileName: String(body?.item?.fileName ?? ''),
+    tags: body?.item?.tags ?? [],
+    assignments: body?.item?.assignments ?? [],
+  };
+}
+
+export async function deleteAttachmentIfExists(
+  request: APIRequestContext,
+  token: string | null,
+  attachmentId: string | null,
+): Promise<void> {
+  if (!token || !attachmentId) return;
+  await apiRequest(
+    request,
+    'DELETE',
+    `/api/attachments?id=${encodeURIComponent(attachmentId)}`,
+    { token },
+  ).catch(() => undefined);
+}
+
+export async function deleteAttachmentPartitionIfExists(
+  request: APIRequestContext,
+  token: string | null,
+  partitionId: string | null,
+): Promise<void> {
+  if (!token || !partitionId) return;
+  await apiRequest(
+    request,
+    'DELETE',
+    `/api/attachments/partitions?id=${encodeURIComponent(partitionId)}`,
+    { token },
+  ).catch(() => undefined);
+}

package/src/helpers/integration/auth.ts

@@ -0,0 +1,208 @@
+import { type Page } from '@playwright/test';
+import { readFileSync } from 'fs';
+import { resolve } from 'path';
+
+function loadEnvFileContent(): string | null {
+  const candidatePaths = [
+    resolve(process.cwd(), 'apps/mercato/.env'),
+    resolve(process.cwd(), '.env'),
+  ];
+
+  for (const envPath of candidatePaths) {
+    try {
+      const content = readFileSync(envPath, 'utf-8');
+      if (content.trim().length > 0) {
+        return content;
+      }
+    } catch {
+      continue;
+    }
+  }
+
+  return null;
+}
+
+function loadEnvValue(key: string): string | undefined {
+  if (process.env[key]) return process.env[key];
+  const content = loadEnvFileContent();
+  if (!content) return undefined;
+  const match = content.match(new RegExp(`^${key}=(.+)$`, 'm'));
+  return match?.[1]?.trim();
+}
+
+export const DEFAULT_CREDENTIALS: Record<string, { email: string; password: string }> = {
+  superadmin: {
+    email: loadEnvValue('OM_INIT_SUPERADMIN_EMAIL') || 'superadmin@acme.com',
+    password: loadEnvValue('OM_INIT_SUPERADMIN_PASSWORD') || 'secret',
+  },
+  admin: { email: 'admin@acme.com', password: 'secret' },
+  employee: { email: 'employee@acme.com', password: 'secret' },
+};
+
+export type Role = 'superadmin' | 'admin' | 'employee';
+
+function decodeJwtClaims(token: string): { tenantId?: string; orgId?: string | null } | null {
+  const parts = token.split('.');
+  if (parts.length < 2) return null;
+  try {
+    const normalized = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+    const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, '=');
+    const payload = JSON.parse(Buffer.from(padded, 'base64').toString('utf8')) as {
+      tenantId?: string;
+      orgId?: string | null;
+    };
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+async function acknowledgeGlobalNotices(page: Page): Promise<void> {
+  const baseUrl = process.env.BASE_URL || 'http://localhost:3000';
+  await page.context().addCookies([
+    {
+      name: 'om_demo_notice_ack',
+      value: 'ack',
+      url: baseUrl,
+      sameSite: 'Lax',
+    },
+    {
+      name: 'om_cookie_notice_ack',
+      value: 'ack',
+      url: baseUrl,
+      sameSite: 'Lax',
+    },
+  ]);
+}
+
+async function dismissGlobalNoticesIfPresent(page: Page): Promise<void> {
+  const cookieAcceptButton = page.getByRole('button', { name: /accept cookies/i }).first();
+  if (await cookieAcceptButton.isVisible().catch(() => false)) {
+    await cookieAcceptButton.click();
+  }
+
+  const demoNotice = page.getByText(/this instance is provided for demo purposes only/i).first();
+  if (await demoNotice.isVisible().catch(() => false)) {
+    const noticeContainer = demoNotice.locator('xpath=ancestor::div[contains(@class,"pointer-events-auto")]').first();
+    const dismissButton = noticeContainer.locator('button').first();
+    if (await dismissButton.isVisible().catch(() => false)) {
+      await dismissButton.click();
+    }
+  }
+}
+
+async function recoverClientSideErrorPageIfPresent(page: Page): Promise<void> {
+  const clientErrorHeading = page
+    .getByRole('heading', { name: /Application error: a client-side exception has occurred/i })
+    .first();
+  if (!(await clientErrorHeading.isVisible().catch(() => false))) return;
+  await page.reload({ waitUntil: 'domcontentloaded' });
+  await dismissGlobalNoticesIfPresent(page);
+}
+
+async function recoverGenericErrorPageIfPresent(page: Page): Promise<void> {
+  const errorHeading = page.getByRole('heading', { name: /^Something went wrong$/i }).first();
+  if (!(await errorHeading.isVisible().catch(() => false))) return;
+  const retryButton = page.getByRole('button', { name: /Try again/i }).first();
+  if (await retryButton.isVisible().catch(() => false)) {
+    await retryButton.click().catch(() => {});
+    await page.waitForLoadState('domcontentloaded').catch(() => {});
+    await page.waitForTimeout(500).catch(() => {});
+  } else {
+    await page.reload({ waitUntil: 'domcontentloaded' });
+  }
+  await dismissGlobalNoticesIfPresent(page);
+}
+
+export async function login(page: Page, role: Role = 'admin'): Promise<void> {
+  const creds = DEFAULT_CREDENTIALS[role];
+  const loginReadySelector = 'form[data-auth-ready="1"]';
+  const hasBackendUrl = (): boolean => /\/backend(?:\/.*)?$/.test(page.url());
+  const waitForBackend = async (timeout: number): Promise<boolean> => {
+    try {
+      await page.waitForURL(/\/backend(?:\/.*)?$/, { timeout });
+      return true;
+    } catch {
+      return hasBackendUrl();
+    }
+  };
+
+  await acknowledgeGlobalNotices(page);
+  const apiLoginForm = new URLSearchParams();
+  apiLoginForm.set('email', creds.email);
+  apiLoginForm.set('password', creds.password);
+  const apiLoginResponse = await page.request.post('/api/auth/login', {
+    headers: {
+      'content-type': 'application/x-www-form-urlencoded',
+    },
+    data: apiLoginForm.toString(),
+  }).catch(() => null);
+  if (apiLoginResponse?.ok()) {
+    const apiLoginBody = (await apiLoginResponse.json().catch(() => null)) as { token?: string } | null;
+    const claims = typeof apiLoginBody?.token === 'string' ? decodeJwtClaims(apiLoginBody.token) : null;
+    const baseUrl = process.env.BASE_URL || 'http://localhost:3000';
+    const cookies = [];
+    if (claims?.tenantId) {
+      cookies.push({
+        name: 'om_selected_tenant',
+        value: claims.tenantId,
+        url: baseUrl,
+        sameSite: 'Lax' as const,
+      });
+    }
+    if (claims?.orgId) {
+      cookies.push({
+        name: 'om_selected_org',
+        value: claims.orgId,
+        url: baseUrl,
+        sameSite: 'Lax' as const,
+      });
+    }
+    if (cookies.length > 0) {
+      await page.context().addCookies(cookies);
+    }
+    await page.goto('/backend', { waitUntil: 'domcontentloaded' });
+    if (await waitForBackend(8_000)) return;
+  }
+
+  for (let attempt = 0; attempt < 4; attempt += 1) {
+    await page.goto('/login', { waitUntil: 'domcontentloaded' });
+    await dismissGlobalNoticesIfPresent(page);
+    await recoverClientSideErrorPageIfPresent(page);
+    await recoverGenericErrorPageIfPresent(page);
+    await page.waitForSelector(loginReadySelector, { state: 'visible', timeout: 3_000 }).catch(() => null);
+    if (await page.getByLabel('Email').isVisible().catch(() => false)) break;
+    if (attempt === 3) {
+      throw new Error(`Login form is unavailable for role: ${role}; current URL: ${page.url()}`);
+    }
+  }
+  await page.getByLabel('Email').fill(creds.email);
+
+  const passwordInput = page.getByLabel('Password').first();
+  if (await passwordInput.isVisible().catch(() => false)) {
+    await passwordInput.fill(creds.password);
+    await passwordInput.press('Enter');
+  } else {
+    const submitButton = page.getByRole('button', { name: /login|sign in|continue with sso/i }).first();
+    await submitButton.click();
+  }
+
+  if (await waitForBackend(7_000)) return;
+
+  const loginForm = page.locator('form').first();
+  if (await loginForm.isVisible().catch(() => false)) {
+    await loginForm.evaluate((element) => {
+      const form = element as HTMLFormElement
+      form.requestSubmit()
+    }).catch(() => {})
+  }
+  if (await waitForBackend(5_000)) return;
+
+  const loginButton = page.getByRole('button', { name: /login|sign in|continue with sso/i }).first();
+  if (await loginButton.isVisible().catch(() => false)) {
+    await loginButton.click({ force: true });
+  }
+  if (await waitForBackend(8_000)) return;
+
+  throw new Error(`Login did not reach backend for role: ${role}; current URL: ${page.url()}`);
+}

package/src/helpers/integration/authFixtures.ts

@@ -0,0 +1,52 @@
+import { expect, type APIRequestContext } from '@playwright/test';
+import { apiRequest } from './api';
+import { expectId, readJsonSafe } from './generalFixtures';
+
+export async function createRoleFixture(
+  request: APIRequestContext,
+  token: string,
+  input: { name: string; tenantId?: string | null },
+): Promise<string> {
+  const response = await apiRequest(request, 'POST', '/api/auth/roles', {
+    token,
+    data: {
+      name: input.name,
+      tenantId: input.tenantId ?? null,
+    },
+  });
+  const body = await readJsonSafe<{ id?: string }>(response);
+  expect(response.status(), 'POST /api/auth/roles should return 201').toBe(201);
+  return expectId(body?.id, 'Role creation response should include id');
+}
+
+export async function deleteRoleIfExists(
+  request: APIRequestContext,
+  token: string | null,
+  roleId: string | null,
+): Promise<void> {
+  if (!token || !roleId) return;
+  await apiRequest(request, 'DELETE', `/api/auth/roles?id=${encodeURIComponent(roleId)}`, { token }).catch(() => undefined);
+}
+
+export async function createUserFixture(
+  request: APIRequestContext,
+  token: string,
+  input: { email: string; password: string; organizationId: string; roles: string[] },
+): Promise<string> {
+  const response = await apiRequest(request, 'POST', '/api/auth/users', {
+    token,
+    data: input,
+  });
+  const body = await readJsonSafe<{ id?: string }>(response);
+  expect(response.status(), 'POST /api/auth/users should return 201').toBe(201);
+  return expectId(body?.id, 'User creation response should include id');
+}
+
+export async function deleteUserIfExists(
+  request: APIRequestContext,
+  token: string | null,
+  userId: string | null,
+): Promise<void> {
+  if (!token || !userId) return;
+  await apiRequest(request, 'DELETE', `/api/auth/users?id=${encodeURIComponent(userId)}`, { token }).catch(() => undefined);
+}

package/src/helpers/integration/authUi.ts

@@ -0,0 +1,33 @@
+import { expect, type Page } from '@playwright/test';
+
+export async function createUserViaUi(page: Page, input: { email: string; password: string; role?: string }) {
+  const role = input.role ?? 'employee';
+
+  await page.goto('/backend/users/create');
+  await expect(page.getByText('Create User')).toBeVisible();
+
+  await page.getByRole('textbox').nth(0).fill(input.email);
+  await page.getByRole('textbox').nth(1).fill(input.password);
+
+  const orgSelect = page.locator('main').locator('select').first();
+  await expect(orgSelect).toBeEnabled();
+  const orgValue = await orgSelect.evaluate((element) => {
+    const select = element as HTMLSelectElement;
+    for (const option of Array.from(select.options)) {
+      if (option.value && option.value.trim().length > 0) return option.value;
+    }
+    return '';
+  });
+  if (orgValue) {
+    await orgSelect.selectOption(orgValue);
+  }
+
+  const rolesInput = page.getByRole('textbox', { name: /add tag and press enter/i });
+  await rolesInput.fill(role);
+  await rolesInput.press('Enter');
+
+  await page.getByRole('button', { name: 'Create' }).first().click();
+  await expect(page).toHaveURL(/\/backend\/users(?:\?.*)?$/);
+  await page.getByRole('textbox', { name: 'Search' }).fill(input.email);
+  await expect(page.getByRole('row', { name: new RegExp(input.email, 'i') })).toBeVisible();
+}

package/src/helpers/integration/businessRulesFixtures.ts

@@ -0,0 +1,53 @@
+import { expect, type APIRequestContext } from '@playwright/test';
+import { apiRequest } from './api';
+import { expectId, readJsonSafe } from './generalFixtures';
+
+export async function createRuleSetFixture(
+  request: APIRequestContext,
+  token: string,
+  data: Record<string, unknown>,
+): Promise<string> {
+  const response = await apiRequest(request, 'POST', '/api/business_rules/sets', { token, data });
+  const body = await readJsonSafe<{ id?: string }>(response);
+  expect(response.status(), 'POST /api/business_rules/sets should return 201').toBe(201);
+  return expectId(body?.id, 'Rule set creation response should include id');
+}
+
+export async function deleteRuleSetIfExists(
+  request: APIRequestContext,
+  token: string | null,
+  ruleSetId: string | null,
+): Promise<void> {
+  if (!token || !ruleSetId) return;
+  await apiRequest(
+    request,
+    'DELETE',
+    `/api/business_rules/sets?id=${encodeURIComponent(ruleSetId)}`,
+    { token },
+  ).catch(() => undefined);
+}
+
+export async function createBusinessRuleFixture(
+  request: APIRequestContext,
+  token: string,
+  data: Record<string, unknown>,
+): Promise<string> {
+  const response = await apiRequest(request, 'POST', '/api/business_rules/rules', { token, data });
+  const body = await readJsonSafe<{ id?: string }>(response);
+  expect(response.status(), 'POST /api/business_rules/rules should return 201').toBe(201);
+  return expectId(body?.id, 'Business rule creation response should include id');
+}
+
+export async function deleteBusinessRuleIfExists(
+  request: APIRequestContext,
+  token: string | null,
+  ruleId: string | null,
+): Promise<void> {
+  if (!token || !ruleId) return;
+  await apiRequest(
+    request,
+    'DELETE',
+    `/api/business_rules/rules?id=${encodeURIComponent(ruleId)}`,
+    { token },
+  ).catch(() => undefined);
+}

package/src/helpers/integration/catalogFixtures.ts

@@ -0,0 +1,73 @@
+import { expect, type APIRequestContext } from '@playwright/test';
+import { apiRequest } from './api';
+
+type ProductFixtureInput = {
+  title: string;
+  sku: string;
+};
+
+export async function createProductFixture(
+  request: APIRequestContext,
+  token: string,
+  input: ProductFixtureInput,
+): Promise<string> {
+  const response = await apiRequest(request, 'POST', '/api/catalog/products', {
+    token,
+    data: {
+      title: input.title,
+      sku: input.sku,
+      description:
+        'Long enough description for SEO checks in QA automation flows. This text keeps the create validation satisfied.',
+    },
+  });
+  expect(response.ok(), `Failed to create product fixture: ${response.status()}`).toBeTruthy();
+  const body = (await response.json()) as { id?: string };
+  expect(typeof body.id === 'string' && body.id.length > 0).toBeTruthy();
+  return body.id as string;
+}
+
+type CategoryFixtureInput = {
+  name: string;
+};
+
+export async function createCategoryFixture(
+  request: APIRequestContext,
+  token: string,
+  input: CategoryFixtureInput,
+): Promise<string> {
+  const response = await apiRequest(request, 'POST', '/api/catalog/categories', {
+    token,
+    data: { name: input.name },
+  });
+  expect(response.ok(), `Failed to create category fixture: ${response.status()}`).toBeTruthy();
+  const body = (await response.json()) as { id?: string };
+  expect(typeof body.id === 'string' && body.id.length > 0).toBeTruthy();
+  return body.id as string;
+}
+
+export async function deleteCatalogCategoryIfExists(
+  request: APIRequestContext,
+  token: string | null,
+  categoryId: string | null,
+): Promise<void> {
+  if (!token || !categoryId) return;
+  try {
+    await apiRequest(request, 'DELETE', `/api/catalog/categories?id=${encodeURIComponent(categoryId)}`, { token });
+  } catch {
+    return;
+  }
+}
+
+export async function deleteCatalogProductIfExists(
+  request: APIRequestContext,
+  token: string | null,
+  productId: string | null,
+): Promise<void> {
+  if (!token || !productId) return;
+  try {
+    await apiRequest(request, 'DELETE', `/api/catalog/products?id=${encodeURIComponent(productId)}`, { token });
+  } catch {
+    return;
+  }
+}
+