start-vibing 4.3.3 → 4.4.0

package/template/.claude/skills/e2e-audit/e2e/pages/dashboard-teams.page.ts

@@ -0,0 +1,123 @@
+import type { Page, Locator } from '@playwright/test'
+
+export class DashboardTeamsPage {
+	readonly page: Page
+
+	// Page Header
+	readonly heading: Locator
+	readonly subtitle: Locator
+
+	// Stats Grid
+	readonly statDepartments: Locator
+	readonly statTeams: Locator
+	readonly statMembers: Locator
+	readonly statMemberships: Locator
+
+	// Tabs
+	readonly tabMembers: Locator
+	readonly tabDepartments: Locator
+	readonly tabTeams: Locator
+	readonly tabKnowledge: Locator
+
+	// Members Tab
+	readonly addMemberButton: Locator
+	readonly memberSearchInput: Locator
+	readonly roleFilterCombobox: Locator
+	readonly statusFilterCombobox: Locator
+
+	// Departments Tab
+	readonly newDepartmentButton: Locator
+	readonly departmentSearchInput: Locator
+	readonly departmentsTable: Locator
+
+	// Teams Tab
+	readonly newTeamButton: Locator
+	readonly teamSearchInput: Locator
+	readonly teamsTable: Locator
+
+	// Knowledge Tab
+	readonly knowledgeTitle: Locator
+	readonly addPermissionsButton: Locator
+
+	constructor(page: Page) {
+		this.page = page
+		const main = page.getByRole('main')
+
+		// Page Header
+		this.heading = main.getByRole('heading', { name: /equipes e departamentos|teams and departments/i })
+		this.subtitle = main.getByText(/gerencie equipes, departamentos e membros/i)
+
+		// Stats — scoped to main to avoid matching sidebar nav text
+		this.statDepartments = main.getByText('Departamentos').first()
+		this.statTeams = main.getByText('Equipes').first()
+		this.statMembers = main.getByText('Membros').first()
+		this.statMemberships = main.getByText(/participações em equipes|team memberships/i)
+
+		// Tabs
+		this.tabMembers = page.getByRole('tab', { name: 'Members' })
+		this.tabDepartments = page.getByRole('tab', { name: 'Departments' })
+		this.tabTeams = page.getByRole('tab', { name: 'Teams' })
+		this.tabKnowledge = page.getByRole('tab', { name: 'Knowledge' })
+
+		// Members Tab
+		this.addMemberButton = page.getByRole('button', { name: /adicionar membro|add member/i })
+		this.memberSearchInput = page.getByRole('textbox', { name: /buscar membros|search members/i })
+		this.roleFilterCombobox = page.getByRole('combobox').first()
+		this.statusFilterCombobox = page.getByRole('combobox').nth(1)
+
+		// Departments Tab
+		this.newDepartmentButton = page.getByRole('button', { name: /novo departamento|new department/i })
+		this.departmentSearchInput = page.getByRole('textbox', { name: /buscar departamentos|search departments/i })
+		this.departmentsTable = page.getByRole('table')
+
+		// Teams Tab
+		this.newTeamButton = page.getByRole('button', { name: /nova equipe|new team/i })
+		this.teamSearchInput = page.getByRole('textbox', { name: /buscar equipes|search teams/i })
+		this.teamsTable = page.getByRole('table')
+
+		// Knowledge Tab
+		this.knowledgeTitle = page.getByText(/permissões de conhecimento|knowledge permissions/i)
+		this.addPermissionsButton = page.getByRole('button', { name: /adicionar permissões|add permissions/i })
+	}
+
+	async goto() {
+		await this.page.goto('/dashboard/teams')
+	}
+
+	async waitForLoad() {
+		await this.heading.waitFor({ timeout: 30000 })
+		// Wait for member data to load (first h4 heading = member card)
+		await this.page.getByRole('heading', { level: 4 }).first().waitFor({ timeout: 15000 })
+	}
+
+	async switchToTab(tab: 'members' | 'departments' | 'teams' | 'knowledge') {
+		const tabMap = {
+			members: this.tabMembers,
+			departments: this.tabDepartments,
+			teams: this.tabTeams,
+			knowledge: this.tabKnowledge,
+		}
+		await tabMap[tab].click()
+	}
+
+	async selectRoleFilter(role: string) {
+		await this.roleFilterCombobox.click()
+		await this.page.getByRole('option', { name: role }).click()
+	}
+
+	async selectStatusFilter(status: string) {
+		await this.statusFilterCombobox.click()
+		await this.page.getByRole('option', { name: status }).click()
+	}
+
+	async clickMemberByName(name: string) {
+		await this.page.getByRole('heading', { level: 4, name }).click()
+	}
+
+	async openRowMenu(index = 0) {
+		const buttons = await this.page.getByRole('button', { name: /abrir menu|open menu/i }).all()
+		if (buttons[index]) {
+			await buttons[index].click()
+		}
+	}
+}

package/template/.claude/skills/e2e-audit/e2e/pages/dashboard-transcripts.page.ts

@@ -0,0 +1,109 @@
+import type { Page, Locator } from '@playwright/test'
+
+export class DashboardTranscriptsPage {
+	readonly page: Page
+
+	// Page header
+	readonly heading: Locator
+	readonly description: Locator
+	readonly windowsDownloadLink: Locator
+	readonly macDownloadLink: Locator
+
+	// Stats cards
+	readonly totalTranscriptsStat: Locator
+	readonly totalDurationStat: Locator
+	readonly documentsStat: Locator
+	readonly conflictsStat: Locator
+
+	// Tabs
+	readonly meetingsTab: Locator
+	readonly documentsTab: Locator
+	readonly conflictsTab: Locator
+
+	// --- Meetings Tab ---
+	readonly meetingsSearchInput: Locator
+	readonly meetingsStatusFilter: Locator
+	readonly meetingsTable: Locator
+	readonly paginationText: Locator
+	readonly paginationPrevButton: Locator
+	readonly paginationNextButton: Locator
+
+	// --- Documents Tab ---
+	readonly documentsEmptyHeading: Locator
+
+	// --- Conflicts Tab ---
+	readonly conflictsHeading: Locator
+	readonly conflictsEmptyHeading: Locator
+
+	// --- Detail Page ---
+	readonly detailBackButton: Locator
+	readonly detailHeading: Locator
+	readonly detailStatusBadge: Locator
+
+	constructor(page: Page) {
+		this.page = page
+
+		// Page header
+		this.heading = page.getByRole('heading', { level: 1 })
+		this.description = page.getByText(/Visualize transcrições/i)
+		this.windowsDownloadLink = page.getByRole('link', { name: /Windows/i })
+		this.macDownloadLink = page.getByRole('link', { name: /macOS/i })
+
+		// Stats cards
+		this.totalTranscriptsStat = page.getByText(/Total de Transcrições/i)
+		this.totalDurationStat = page.getByText(/Duração Total/i)
+		this.documentsStat = page.getByText(/Documentos/i).first()
+		this.conflictsStat = page.getByText(/Conflitos Ativos/i)
+
+		// Tabs
+		this.meetingsTab = page.getByRole('tab', { name: /Reuniões/i })
+		this.documentsTab = page.getByRole('tab', { name: /Documentos/i })
+		this.conflictsTab = page.getByRole('tab', { name: /Conflitos/i })
+
+		// --- Meetings Tab ---
+		this.meetingsSearchInput = page.getByRole('textbox', { name: /Buscar transcrições/i })
+		this.meetingsStatusFilter = page.getByRole('combobox')
+		this.meetingsTable = page.getByRole('table')
+		this.paginationText = page.getByText(/Exibindo \d+ - \d+ de \d+/)
+		this.paginationPrevButton = page.locator('button:has(img)').filter({ hasText: '' }).nth(-2)
+		this.paginationNextButton = page.locator('button:has(img)').filter({ hasText: '' }).last()
+
+		// --- Documents Tab ---
+		this.documentsEmptyHeading = page.getByRole('heading', { name: /Nenhum documento/i })
+
+		// --- Conflicts Tab ---
+		this.conflictsHeading = page.getByRole('heading', { name: /Todos os Conflitos/i })
+		this.conflictsEmptyHeading = page.getByRole('heading', { name: /Nenhum conflito/i })
+
+		// --- Detail Page ---
+		this.detailBackButton = page.locator('main button').first()
+		this.detailHeading = page.getByRole('heading', { level: 1 })
+		this.detailStatusBadge = page.getByText(/Concluído|Pendente|Processando|Falhou/i).first()
+	}
+
+	async goto(tab?: 'meetings' | 'documents' | 'conflicts') {
+		const url = tab ? `/dashboard/transcripts?tab=${tab}` : '/dashboard/transcripts'
+		await this.page.goto(url)
+	}
+
+	async waitForLoad() {
+		await this.heading.waitFor({ timeout: 15000 })
+	}
+
+	async switchTab(tab: 'meetings' | 'documents' | 'conflicts') {
+		const tabLocator = {
+			meetings: this.meetingsTab,
+			documents: this.documentsTab,
+			conflicts: this.conflictsTab,
+		}[tab]
+		await tabLocator.click()
+	}
+
+	async clickTranscriptRow(titleSubstring: string) {
+		await this.page.getByRole('row').filter({ hasText: titleSubstring }).first().click()
+	}
+
+	async getMeetingRowCount() {
+		return this.meetingsTable.getByRole('row').count() - 1 // subtract header row
+	}
+}

package/template/.claude/skills/e2e-audit/e2e/specs/auth/login.spec.ts

@@ -0,0 +1,59 @@
+import { test, expect } from '@playwright/test'
+import { ROUTES } from '../../utils/test-data'
+
+test.describe('Auth - Login Page @smoke', () => {
+	test('landing page loads', async ({ page }) => {
+		await page.goto(ROUTES.root)
+		await page.waitForLoadState('networkidle')
+		// Should show login/landing page
+		await expect(page).toHaveURL(ROUTES.root)
+	})
+
+	test('has sign-in options visible', async ({ page }) => {
+		await page.goto(ROUTES.root)
+		await page.waitForLoadState('networkidle')
+
+		// Check for OAuth buttons
+		const googleBtn = page.getByRole('button', { name: /google/i })
+		const microsoftBtn = page.getByRole('button', { name: /microsoft/i })
+
+		const hasGoogle = await googleBtn.isVisible().catch(() => false)
+		const hasMicrosoft = await microsoftBtn.isVisible().catch(() => false)
+
+		// At least one auth provider should be visible
+		expect(hasGoogle || hasMicrosoft).toBe(true)
+	})
+})
+
+test.describe('Auth - Error Page @smoke', () => {
+	test('auth error page loads', async ({ page }) => {
+		await page.goto(ROUTES.authError)
+		await page.waitForLoadState('networkidle')
+		// Should display some error content
+		const heading = page.getByRole('heading').first()
+		await expect(heading).toBeVisible()
+	})
+})
+
+test.describe('Auth - Unauthorized Page @smoke', () => {
+	test('unauthorized page loads', async ({ page }) => {
+		await page.goto(ROUTES.unauthorized)
+		await page.waitForLoadState('networkidle')
+		const heading = page.getByRole('heading').first()
+		await expect(heading).toBeVisible()
+	})
+})
+
+test.describe('Auth - Logout @smoke', () => {
+	test('logout page redirects', async ({ page }) => {
+		await page.goto(ROUTES.logout)
+		await page.waitForLoadState('networkidle')
+		// Should redirect to login or show logout confirmation
+		const url = page.url()
+		const handled =
+			url.includes('/auth') ||
+			url === 'http://localhost:3000/' ||
+			url.includes('/logout')
+		expect(handled).toBe(true)
+	})
+})

package/template/.claude/skills/e2e-audit/e2e/specs/dashboard-admin.spec.ts

@@ -0,0 +1,233 @@
+import { test, expect } from '../fixtures/base'
+import { DashboardAdminPage } from '../pages/dashboard-admin.page'
+import { createConsoleCollector } from '../utils/console-collector'
+
+test.describe('Dashboard Admin @smoke', () => {
+	let admin: DashboardAdminPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		admin = new DashboardAdminPage(authenticatedPage)
+		await admin.goto()
+		await admin.waitForLoad()
+	})
+
+	test('page loads with heading, badge, and welcome text', async ({ authenticatedPage }) => {
+		await expect(authenticatedPage, 'Should navigate to admin page').toHaveURL(/dashboard\/admin/)
+		await expect(admin.heading, 'Admin heading should be visible').toBeVisible()
+		await expect(admin.adminBadge).toBeVisible()
+		await expect(admin.welcomeText).toBeVisible()
+	})
+
+	test('shows three tabs', async () => {
+		await expect(admin.organizationsTab).toBeVisible()
+		await expect(admin.usersTab).toBeVisible()
+		await expect(admin.systemOverviewTab).toBeVisible()
+	})
+
+	test('organizations tab is selected by default', async () => {
+		await expect(admin.organizationsTab).toHaveAttribute('aria-selected', 'true')
+	})
+
+	test('tabs switch via URL', async ({ authenticatedPage }) => {
+		await admin.switchTab('users')
+		await expect(authenticatedPage).toHaveURL(/tab=users/)
+		await expect(admin.usersHeading).toBeVisible()
+
+		await admin.switchTab('system')
+		await expect(authenticatedPage).toHaveURL(/tab=system/)
+	})
+})
+
+test.describe('Dashboard Admin - Organizations Tab', () => {
+	let admin: DashboardAdminPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		admin = new DashboardAdminPage(authenticatedPage)
+		await admin.goto('organizations')
+		await admin.waitForLoad()
+	})
+
+	test('displays org management heading and controls', async () => {
+		await expect(admin.orgHeading).toBeVisible()
+		await expect(admin.orgSearchInput).toBeVisible()
+		await expect(admin.newOrgButton).toBeVisible()
+	})
+
+	test('org table has rows with data', async () => {
+		await admin.orgTable.waitFor()
+		const rowCount = await admin.getOrgRowCount()
+		expect(rowCount).toBeGreaterThan(0)
+	})
+
+	test('clicking org row opens detail dialog', async () => {
+		await admin.orgTable.waitFor()
+		await admin.clickOrgRow('Hakutaku')
+		await expect(admin.orgDetailDialog).toBeVisible()
+		await expect(admin.orgDetailOverviewTab).toBeVisible()
+		await expect(admin.orgDetailMembersTab).toBeVisible()
+		await expect(admin.orgDetailSettingsTab).toBeVisible()
+	})
+
+	test('org detail overview tab shows info sections', async () => {
+		await admin.orgTable.waitFor()
+		await admin.clickOrgRow('Hakutaku')
+		await expect(admin.orgDetailDialog).toBeVisible()
+		await expect(admin.orgDetailEditButton).toBeVisible()
+		await expect(admin.orgDetailDialog.getByText(/Informações da Organização/i)).toBeVisible()
+		await expect(admin.orgDetailDialog.getByText(/Membros/i).first()).toBeVisible()
+	})
+
+	test('org detail members tab shows member list', async () => {
+		await admin.orgTable.waitFor()
+		await admin.clickOrgRow('Hakutaku')
+		await admin.orgDetailMembersTab.click()
+		await expect(admin.orgDetailDialog.getByText(/Membros da Equipe/i)).toBeVisible()
+		await expect(admin.orgDetailDialog.getByRole('button', { name: /Convidar Membro/i })).toBeVisible()
+	})
+
+	test('org detail settings tab shows danger zone', async () => {
+		await admin.orgTable.waitFor()
+		await admin.clickOrgRow('Hakutaku')
+		await admin.orgDetailSettingsTab.click()
+		await expect(admin.orgDetailDialog.getByText(/Zona de Perigo/i)).toBeVisible()
+		await expect(admin.orgDetailDeleteButton).toBeVisible()
+	})
+
+	test('new organization button opens wizard dialog', async () => {
+		await admin.newOrgButton.click()
+		await expect(admin.newOrgNameInput).toBeVisible()
+		await expect(admin.newOrgSubdomainInput).toBeDisabled()
+		await expect(admin.newOrgPrevButton).toBeDisabled()
+		await expect(admin.newOrgNextButton).toBeDisabled()
+	})
+
+	test('search filters organizations', async () => {
+		await admin.orgSearchInput.fill('Hakutaku')
+		await expect(admin.orgTable.getByText('Hakutaku').first()).toBeVisible()
+		const rowCount = await admin.getOrgRowCount()
+		expect(rowCount).toBe(1)
+	})
+
+	test('new org wizard advances through all 5 steps', async ({ authenticatedPage }) => {
+		await admin.newOrgButton.click()
+
+		// Step 1: fill name, subdomain auto-fills
+		await admin.newOrgNameInput.fill('E2E Wizard Test')
+		await expect(admin.newOrgSubdomainInput).toHaveValue('e2e-wizard-test')
+		await expect(admin.newOrgNextButton).toBeEnabled()
+		await admin.newOrgNextButton.click()
+
+		// Step 2: Configurações (timezone pre-selected)
+		await expect(authenticatedPage.getByText(/Configurações da Organização/i)).toBeVisible()
+		await expect(admin.newOrgNextButton).toBeEnabled()
+		await admin.newOrgNextButton.click()
+
+		// Step 3: Proprietário (fill email)
+		await expect(authenticatedPage.getByText(/Informações do Proprietário/i)).toBeVisible()
+		const ownerEmail = authenticatedPage.getByRole('textbox', { name: /E-mail do Proprietário/i })
+		await ownerEmail.fill('wizard-test@hakutaku.ai')
+		await expect(admin.newOrgNextButton).toBeEnabled()
+		await admin.newOrgNextButton.click()
+
+		// Step 4: Recursos (defaults pre-filled)
+		await expect(authenticatedPage.getByText(/Limites de Recursos/i)).toBeVisible()
+		await expect(admin.newOrgNextButton).toBeEnabled()
+		await admin.newOrgNextButton.click()
+
+		// Step 5: Revisão (final step with create button)
+		await expect(authenticatedPage.getByText(/Assinatura e Status/i)).toBeVisible()
+		const createButton = authenticatedPage.getByRole('button', { name: /Criar Organização/i })
+		await expect(createButton).toBeVisible()
+
+		// Close without creating
+		await admin.closeDialog()
+	})
+})
+
+test.describe('Dashboard Admin - Users Tab', () => {
+	let admin: DashboardAdminPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		admin = new DashboardAdminPage(authenticatedPage)
+		await admin.goto('users')
+		await admin.waitForLoad()
+	})
+
+	test('displays user management heading and controls', async () => {
+		await expect(admin.usersHeading).toBeVisible()
+		await expect(admin.usersSearchInput).toBeVisible()
+	})
+
+	test('users table has rows with data', async () => {
+		await admin.usersTable.waitFor()
+		const rowCount = await admin.getUserRowCount()
+		expect(rowCount).toBeGreaterThan(0)
+	})
+
+	test('clicking user row opens edit dialog', async () => {
+		await admin.usersTable.waitFor()
+		await admin.clickUserRow('João Lima')
+		await expect(admin.userEditNameInput).toBeVisible()
+		await expect(admin.userEditStatusCombobox).toBeVisible()
+		await expect(admin.userEditSaveButton).toBeVisible()
+	})
+
+	test('user edit dialog pre-fills user name', async () => {
+		await admin.usersTable.waitFor()
+		await admin.clickUserRow('João Lima')
+		await expect(admin.userEditNameInput).toHaveValue('João Lima')
+	})
+
+	test('search filters users', async () => {
+		await admin.usersSearchInput.fill('João')
+		await expect(admin.usersTable.getByText('João Lima').first()).toBeVisible()
+		const rowCount = await admin.getUserRowCount()
+		expect(rowCount).toBe(1)
+	})
+})
+
+test.describe('Dashboard Admin - System Overview Tab', () => {
+	let admin: DashboardAdminPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		admin = new DashboardAdminPage(authenticatedPage)
+		await admin.goto('system')
+		await admin.waitForLoad()
+	})
+
+	test('displays system overview heading', async () => {
+		await expect(admin.systemHeading).toBeVisible()
+	})
+
+	test('shows error state with retry button (known bug)', async () => {
+		// BUG-ADMIN-001: useAdminStats passes take:1000, Zod limits to <=100
+		await expect(admin.systemErrorHeading).toBeVisible()
+		await expect(admin.systemRetryButton).toBeVisible()
+	})
+})
+
+test.describe('Dashboard Admin - Security @security', () => {
+	test('no sensitive data in console on organizations tab', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const collector = createConsoleCollector(authenticatedPage)
+		const admin = new DashboardAdminPage(authenticatedPage)
+		await admin.goto('organizations')
+		await admin.waitForLoad()
+		collector.assertNoSensitiveLeaks()
+	})
+
+	test('XSS in user names is escaped', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const admin = new DashboardAdminPage(authenticatedPage)
+		await admin.goto('users')
+		await admin.waitForLoad()
+		await admin.usersTable.waitFor()
+
+		// Verify XSS test data is displayed as escaped text
+		const xssRow = authenticatedPage.getByRole('row').filter({ hasText: 'xss@test.com' })
+		await expect(xssRow).toBeVisible()
+
+		// The script tag should be rendered as text, not executed
+		const cellText = await xssRow.getByRole('gridcell').first().textContent()
+		expect(cellText).toContain('<script>')
+		expect(cellText).not.toContain('[object')
+	})
+})

package/template/.claude/skills/e2e-audit/e2e/specs/dashboard-billing.spec.ts

@@ -0,0 +1,44 @@
+import { test, expect } from '../fixtures/base'
+import { DashboardBillingPage } from '../pages/dashboard-billing.page'
+import { createConsoleCollector } from '../utils/console-collector'
+
+test.describe('Dashboard Billing @smoke', () => {
+	let billing: DashboardBillingPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		billing = new DashboardBillingPage(authenticatedPage)
+		await billing.goto()
+		await billing.waitForLoad()
+	})
+
+	test('page loads with heading and description', async ({ authenticatedPage }) => {
+		await expect(authenticatedPage, 'Should navigate to billing page').toHaveURL(/dashboard\/billing/)
+		await expect(billing.heading, 'Billing heading should be visible').toBeVisible()
+		await expect(billing.description).toBeVisible()
+	})
+
+	test('shows subscription card with plan info', async () => {
+		await expect(billing.planName).toBeVisible()
+		await expect(billing.planLabel).toBeVisible()
+		await expect(billing.activeUsersLabel).toBeVisible()
+		await expect(billing.statusLabel).toBeVisible()
+	})
+
+	test('shows subscribe button', async () => {
+		await expect(billing.subscribeButton).toBeVisible()
+	})
+
+	test('shows Stripe security text', async () => {
+		await expect(billing.stripeSecurityText).toBeVisible()
+	})
+})
+
+test.describe('Dashboard Billing - Security @security', () => {
+	test('no sensitive data in console', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const collector = createConsoleCollector(authenticatedPage)
+		const billing = new DashboardBillingPage(authenticatedPage)
+		await billing.goto()
+		await billing.waitForLoad()
+		collector.assertNoSensitiveLeaks()
+	})
+})

package/template/.claude/skills/e2e-audit/e2e/specs/dashboard-chat.spec.ts

@@ -0,0 +1,50 @@
+import { test, expect } from '../fixtures/base'
+import { DashboardChatPage } from '../pages/dashboard-chat.page'
+import { createConsoleCollector } from '../utils/console-collector'
+import { testXssOnInput } from '../utils/security-helpers'
+
+test.describe('Dashboard Chat @smoke', () => {
+	let chat: DashboardChatPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		chat = new DashboardChatPage(authenticatedPage)
+		await chat.goto()
+		await chat.waitForLoad()
+	})
+
+	test('page loads successfully', async ({ authenticatedPage }) => {
+		await expect(authenticatedPage, 'Should navigate to chat page').toHaveURL(/dashboard\/chat/)
+	})
+
+	test('displays page heading', async () => {
+		await expect(chat.heading).toBeVisible()
+	})
+
+	test('message input is visible and enabled', async () => {
+		const inputVisible = await chat.messageInput.isVisible().catch(() => false)
+		if (inputVisible) {
+			await expect(chat.messageInput).toBeEnabled()
+		}
+	})
+})
+
+test.describe('Dashboard Chat - Security @security', () => {
+	test('no sensitive data in console', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const collector = createConsoleCollector(authenticatedPage)
+		const chat = new DashboardChatPage(authenticatedPage)
+		await chat.goto()
+		await chat.waitForLoad()
+		collector.assertNoSensitiveLeaks()
+	})
+
+	test('message input resists XSS', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const chat = new DashboardChatPage(authenticatedPage)
+		await chat.goto()
+		await chat.waitForLoad()
+
+		const inputVisible = await chat.messageInput.isVisible().catch(() => false)
+		if (inputVisible) {
+			await testXssOnInput(authenticatedPage, chat.messageInput)
+		}
+	})
+})