start-vibing 4.3.3 → 4.4.0

package/template/.claude/skills/e2e-audit/e2e/specs/dashboard-teams.spec.ts

@@ -0,0 +1,247 @@
+import { test, expect } from '../fixtures/base'
+import { DashboardTeamsPage } from '../pages/dashboard-teams.page'
+import { createConsoleCollector } from '../utils/console-collector'
+
+test.describe('Dashboard Teams @smoke', () => {
+	let teams: DashboardTeamsPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		teams = new DashboardTeamsPage(authenticatedPage)
+		await teams.goto()
+		await teams.waitForLoad()
+	})
+
+	test('page loads with correct heading and stats', async ({ authenticatedPage }) => {
+		await expect(authenticatedPage, 'Should navigate to teams page').toHaveURL(/dashboard\/teams/)
+		await expect(teams.heading).toBeVisible()
+		await expect(teams.subtitle).toBeVisible()
+		await expect(teams.statDepartments).toBeVisible()
+		await expect(teams.statTeams).toBeVisible()
+		await expect(teams.statMembers).toBeVisible()
+		await expect(teams.statMemberships).toBeVisible()
+	})
+
+	test('displays 4 tabs', async () => {
+		await expect(teams.tabMembers).toBeVisible()
+		await expect(teams.tabDepartments).toBeVisible()
+		await expect(teams.tabTeams).toBeVisible()
+		await expect(teams.tabKnowledge).toBeVisible()
+	})
+
+	test('Members tab is selected by default', async () => {
+		await expect(teams.tabMembers).toHaveAttribute('data-state', 'active')
+	})
+})
+
+test.describe('Dashboard Teams - Members Tab @smoke', () => {
+	let teams: DashboardTeamsPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		teams = new DashboardTeamsPage(authenticatedPage)
+		await teams.goto()
+		await teams.waitForLoad()
+	})
+
+	test('shows add member button and filters', async () => {
+		await expect(teams.addMemberButton).toBeVisible()
+		await expect(teams.memberSearchInput).toBeVisible()
+		await expect(teams.roleFilterCombobox).toBeVisible()
+		await expect(teams.statusFilterCombobox).toBeVisible()
+	})
+
+	test('displays member cards', async () => {
+		const memberHeadings = await teams.page.getByRole('heading', { level: 4 }).all()
+		expect(memberHeadings.length).toBeGreaterThanOrEqual(1)
+	})
+
+	test('role filter has 5 options', async ({ authenticatedPage }) => {
+		await teams.roleFilterCombobox.click()
+		const options = await authenticatedPage.getByRole('option').all()
+		expect(options.length).toBe(5)
+	})
+
+	test('role filter correctly filters members', async ({ authenticatedPage }) => {
+		await teams.selectRoleFilter('Proprietário')
+
+		// After filtering by Owner, should show only owner members
+		await expect(authenticatedPage.getByRole('heading', { level: 4, name: 'João Lima' })).toBeVisible()
+		const memberHeadings = await authenticatedPage.getByRole('heading', { level: 4 }).all()
+		expect(memberHeadings.length).toBeGreaterThanOrEqual(1)
+	})
+
+	test('search filters members by name', async ({ authenticatedPage }) => {
+		await teams.memberSearchInput.fill('João')
+		await authenticatedPage.waitForTimeout(500)
+		await expect(authenticatedPage.getByRole('heading', { level: 4, name: 'João Lima' })).toBeVisible()
+	})
+
+	test('role filter Administrador shows only admins', async ({ authenticatedPage }) => {
+		await teams.selectRoleFilter('Administrador')
+		await authenticatedPage.waitForTimeout(500)
+
+		await expect(authenticatedPage.getByRole('heading', { level: 4, name: 'Patrick Miranda' })).toBeVisible()
+		await expect(authenticatedPage.getByRole('heading', { level: 4, name: 'Guilherme Moura' })).toBeVisible()
+	})
+
+	test('status filter has 4 options', async ({ authenticatedPage }) => {
+		await teams.statusFilterCombobox.click()
+		const options = await authenticatedPage.getByRole('option').all()
+		expect(options.length).toBe(4)
+	})
+
+	test('clicking member opens detail modal', async ({ authenticatedPage }) => {
+		await teams.clickMemberByName('João Lima')
+		const dialog = authenticatedPage.getByRole('dialog').first()
+		await expect(dialog).toBeVisible()
+		await expect(dialog.getByText('joao.lima@hakutaku.ai')).toBeVisible()
+
+		// Close modal
+		await dialog.getByRole('button', { name: 'Close' }).click()
+	})
+
+	test('member detail modal has Detalhes and Equipes tabs', async ({ authenticatedPage }) => {
+		await teams.clickMemberByName('João Lima')
+		await expect(authenticatedPage.getByRole('tab', { name: 'Detalhes' })).toBeVisible()
+		await expect(authenticatedPage.getByRole('tab', { name: 'Equipes' })).toBeVisible()
+
+		// Switch to Equipes tab
+		await authenticatedPage.getByRole('tab', { name: 'Equipes' }).click()
+		await expect(authenticatedPage.getByText(/equipes do membro/i)).toBeVisible()
+
+		await authenticatedPage.getByRole('button', { name: 'Close' }).click()
+	})
+
+	test('add member modal opens with required fields', async ({ authenticatedPage }) => {
+		await teams.addMemberButton.click()
+		const dialog = authenticatedPage.getByRole('dialog').first()
+		await expect(dialog).toBeVisible()
+		await expect(dialog.getByRole('textbox').first()).toBeVisible()
+		await expect(dialog.getByRole('combobox').first()).toBeVisible()
+
+		await authenticatedPage.getByRole('button', { name: 'Close' }).click()
+	})
+})
+
+test.describe('Dashboard Teams - Departments Tab @smoke', () => {
+	let teams: DashboardTeamsPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		teams = new DashboardTeamsPage(authenticatedPage)
+		await teams.goto()
+		await teams.waitForLoad()
+		await teams.switchToTab('departments')
+	})
+
+	test('URL updates to ?tab=departments', async ({ authenticatedPage }) => {
+		await expect(authenticatedPage).toHaveURL(/tab=departments/)
+	})
+
+	test('shows department table with columns', async ({ authenticatedPage }) => {
+		await expect(teams.departmentsTable).toBeVisible()
+
+		// Verify sortable column headers
+		await expect(authenticatedPage.getByRole('button', { name: /departamento/i })).toBeVisible()
+		await expect(authenticatedPage.getByRole('button', { name: /equipes/i })).toBeVisible()
+		await expect(authenticatedPage.getByRole('button', { name: /membros/i })).toBeVisible()
+	})
+
+	test('department row menu has correct options', async ({ authenticatedPage }) => {
+		await teams.departmentsTable.waitFor({ timeout: 10000 })
+		await authenticatedPage.getByRole('button', { name: /abrir menu|open menu/i }).first().waitFor({ timeout: 5000 })
+		await teams.openRowMenu(0)
+		await expect(authenticatedPage.getByRole('menuitem', { name: /ver detalhes|view details/i })).toBeVisible()
+		await expect(authenticatedPage.getByRole('menuitem', { name: /editar departamento|edit department/i })).toBeVisible()
+		await expect(authenticatedPage.getByRole('menuitem', { name: /excluir departamento|delete department/i })).toBeVisible()
+	})
+
+	test('department detail modal opens from menu', async ({ authenticatedPage }) => {
+		await teams.departmentsTable.waitFor({ timeout: 10000 })
+		await authenticatedPage.getByRole('button', { name: /abrir menu|open menu/i }).first().waitFor({ timeout: 5000 })
+		await teams.openRowMenu(0)
+		await authenticatedPage.getByRole('menuitem', { name: /ver detalhes|view details/i }).click()
+		await expect(authenticatedPage.getByRole('dialog').first()).toBeVisible()
+
+		await authenticatedPage.getByRole('button', { name: 'Close' }).click()
+	})
+})
+
+test.describe('Dashboard Teams - Teams Tab @smoke', () => {
+	let teams: DashboardTeamsPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		teams = new DashboardTeamsPage(authenticatedPage)
+		await teams.goto()
+		await teams.waitForLoad()
+		await teams.switchToTab('teams')
+	})
+
+	test('URL updates to ?tab=teams', async ({ authenticatedPage }) => {
+		await expect(authenticatedPage).toHaveURL(/tab=teams/)
+	})
+
+	test('shows teams table with data', async ({ authenticatedPage }) => {
+		await expect(teams.teamsTable).toBeVisible()
+
+		const rows = await authenticatedPage.getByRole('row').all()
+		// At least 1 header row + 1 data row
+		expect(rows.length).toBeGreaterThan(1)
+	})
+})
+
+test.describe('Dashboard Teams - Knowledge Tab @smoke', () => {
+	let teams: DashboardTeamsPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		teams = new DashboardTeamsPage(authenticatedPage)
+		await teams.goto()
+		await teams.waitForLoad()
+		await teams.switchToTab('knowledge')
+	})
+
+	test('URL updates to ?tab=knowledge', async ({ authenticatedPage }) => {
+		await expect(authenticatedPage).toHaveURL(/tab=knowledge/)
+	})
+
+	test('shows knowledge permissions with empty state', async ({ authenticatedPage }) => {
+		await expect(teams.knowledgeTitle).toBeVisible()
+		await expect(authenticatedPage.getByText(/nenhuma permissão atribuída|no permissions assigned/i)).toBeVisible()
+		await expect(teams.addPermissionsButton).toBeVisible()
+	})
+})
+
+test.describe('Dashboard Teams - Security @security', () => {
+	test('no sensitive data in console', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const collector = createConsoleCollector(authenticatedPage)
+		const teams = new DashboardTeamsPage(authenticatedPage)
+		await teams.goto()
+		await teams.waitForLoad()
+		collector.assertNoSensitiveLeaks()
+	})
+
+	test('XSS payloads in member names are escaped', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const teams = new DashboardTeamsPage(authenticatedPage)
+		await teams.goto()
+		await teams.waitForLoad()
+
+		// Verify XSS payload is rendered as text, not executed
+		const xssHeading = authenticatedPage.getByRole('heading', { level: 4, name: '<script>alert(1)</script>' })
+		await expect(xssHeading.first()).toBeVisible()
+
+		// Verify no alert dialog was triggered
+		let dialogTriggered = false
+		authenticatedPage.on('dialog', () => {
+			dialogTriggered = true
+		})
+		expect(dialogTriggered).toBe(false)
+	})
+
+	test('XSS payloads in team names are escaped', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const teams = new DashboardTeamsPage(authenticatedPage)
+		await teams.goto()
+		await teams.waitForLoad()
+		await teams.switchToTab('teams')
+
+		// Verify XSS team name is rendered as text
+		await expect(authenticatedPage.getByText('<img src=x onerror=alert(1)>')).toBeVisible()
+	})
+})

package/template/.claude/skills/e2e-audit/e2e/specs/dashboard-transcripts.spec.ts

@@ -0,0 +1,122 @@
+import { test, expect } from '../fixtures/base'
+import { DashboardTranscriptsPage } from '../pages/dashboard-transcripts.page'
+import { createConsoleCollector } from '../utils/console-collector'
+
+test.describe('Dashboard Transcripts @smoke', () => {
+	let transcripts: DashboardTranscriptsPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		transcripts = new DashboardTranscriptsPage(authenticatedPage)
+		await transcripts.goto()
+		await transcripts.waitForLoad()
+	})
+
+	test('page loads with heading, description, and download links', async ({ authenticatedPage }) => {
+		await expect(authenticatedPage, 'Should navigate to transcripts page').toHaveURL(/dashboard\/transcripts/)
+		await expect(transcripts.heading, 'Transcripts heading should be visible').toBeVisible()
+		await expect(transcripts.description).toBeVisible()
+		await expect(transcripts.windowsDownloadLink).toBeVisible()
+		await expect(transcripts.macDownloadLink).toBeVisible()
+	})
+
+	test('shows stats cards', async () => {
+		await expect(transcripts.totalTranscriptsStat).toBeVisible()
+		await expect(transcripts.totalDurationStat).toBeVisible()
+	})
+
+	test('shows three tabs with meetings selected by default', async () => {
+		await expect(transcripts.meetingsTab).toBeVisible()
+		await expect(transcripts.documentsTab).toBeVisible()
+		await expect(transcripts.conflictsTab).toBeVisible()
+		await expect(transcripts.meetingsTab).toHaveAttribute('aria-selected', 'true')
+	})
+
+	test('tabs switch via URL', async ({ authenticatedPage }) => {
+		await transcripts.switchTab('documents')
+		await expect(authenticatedPage).toHaveURL(/tab=documents/)
+
+		await transcripts.switchTab('conflicts')
+		await expect(authenticatedPage).toHaveURL(/tab=conflicts/)
+	})
+})
+
+test.describe('Dashboard Transcripts - Meetings Tab', () => {
+	let transcripts: DashboardTranscriptsPage
+
+	test.beforeEach(async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		transcripts = new DashboardTranscriptsPage(authenticatedPage)
+		await transcripts.goto()
+		await transcripts.waitForLoad()
+	})
+
+	test('displays search and status filter', async () => {
+		await expect(transcripts.meetingsSearchInput).toBeVisible()
+		await expect(transcripts.meetingsStatusFilter).toBeVisible()
+	})
+
+	test('meetings table has rows with data', async () => {
+		await transcripts.meetingsTable.waitFor()
+		const rowCount = await transcripts.getMeetingRowCount()
+		expect(rowCount).toBeGreaterThan(0)
+	})
+
+	test('pagination shows correct info', async () => {
+		await transcripts.meetingsTable.waitFor()
+		await expect(transcripts.paginationText).toBeVisible()
+	})
+
+	test('search filters transcripts', async () => {
+		await transcripts.meetingsSearchInput.fill('Google Meet')
+		await expect(transcripts.paginationText).toContainText('de 7')
+		const rowCount = await transcripts.getMeetingRowCount()
+		expect(rowCount).toBe(7)
+	})
+
+	test('clicking a transcript row navigates to detail page', async ({ authenticatedPage }) => {
+		await transcripts.meetingsTable.waitFor()
+		await transcripts.clickTranscriptRow('Meeting')
+		await expect(authenticatedPage).toHaveURL(/dashboard\/transcripts\/[0-9a-f-]+/)
+		await expect(transcripts.detailHeading).toBeVisible()
+		await expect(transcripts.detailStatusBadge).toBeVisible()
+	})
+})
+
+test.describe('Dashboard Transcripts - Documents Tab', () => {
+	test('shows empty state', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const transcripts = new DashboardTranscriptsPage(authenticatedPage)
+		await transcripts.goto('documents')
+		await transcripts.waitForLoad()
+		await expect(transcripts.documentsEmptyHeading, 'Documents tab should show empty state').toBeVisible()
+	})
+})
+
+test.describe('Dashboard Transcripts - Conflicts Tab', () => {
+	test('shows empty state', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const transcripts = new DashboardTranscriptsPage(authenticatedPage)
+		await transcripts.goto('conflicts')
+		await transcripts.waitForLoad()
+		await expect(transcripts.conflictsHeading, 'Conflicts tab heading should be visible').toBeVisible()
+		await expect(transcripts.conflictsEmptyHeading).toBeVisible()
+	})
+})
+
+test.describe('Dashboard Transcripts - Security @security', () => {
+	test('no sensitive data in console', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const collector = createConsoleCollector(authenticatedPage)
+		const transcripts = new DashboardTranscriptsPage(authenticatedPage)
+		await transcripts.goto()
+		await transcripts.waitForLoad()
+		collector.assertNoSensitiveLeaks()
+	})
+
+	test('download links point to expected S3 domain', async ({ authenticatedPage, apiErrors: _apiErrors }) => {
+		const transcripts = new DashboardTranscriptsPage(authenticatedPage)
+		await transcripts.goto()
+		await transcripts.waitForLoad()
+
+		const winHref = await transcripts.windowsDownloadLink.getAttribute('href')
+		const macHref = await transcripts.macDownloadLink.getAttribute('href')
+		expect(winHref).toContain('hakutaku-releases.s3.amazonaws.com')
+		expect(macHref).toContain('hakutaku-releases.s3.amazonaws.com')
+	})
+})

package/template/.claude/skills/e2e-audit/e2e/specs/security/headers.spec.ts

@@ -0,0 +1,39 @@
+import { test, expect } from '@playwright/test'
+import { REQUIRED_SECURITY_HEADERS } from '../../utils/security-helpers'
+import { ROUTES } from '../../utils/test-data'
+
+test.describe('Security Headers @security', () => {
+	const pagesToCheck = [
+		ROUTES.root,
+		ROUTES.home,
+		ROUTES.knowledge,
+		ROUTES.chat,
+	]
+
+	for (const route of pagesToCheck) {
+		test(`${route} has required security headers`, async ({ page }) => {
+			const response = await page.goto(route)
+			expect(response).not.toBeNull()
+
+			if (response) {
+				const headers = response.headers()
+
+				for (const header of REQUIRED_SECURITY_HEADERS) {
+					expect(
+						headers[header],
+						`Missing header "${header}" on ${route}`,
+					).toBeDefined()
+				}
+			}
+		})
+	}
+
+	test('API health endpoint has security headers', async ({ page }) => {
+		const response = await page.goto('/api/health')
+		expect(response).not.toBeNull()
+
+		if (response) {
+			expect(response.status()).toBe(200)
+		}
+	})
+})

package/template/.claude/skills/e2e-audit/e2e/specs/security/rbac.spec.ts

@@ -0,0 +1,92 @@
+import { test as baseTest, expect } from '@playwright/test'
+import { test } from '../../fixtures/base'
+import { assertAccessDenied } from '../../utils/security-helpers'
+import { RBAC_ROUTES } from '../../utils/test-data'
+
+test.describe('RBAC - Admin Routes @security', () => {
+	test.describe('as MEMBER', () => {
+		test.use({ role: 'member' })
+
+		for (const route of RBAC_ROUTES.admin) {
+			test(`cannot access ${route}`, async ({ authenticatedPage }) => {
+				await assertAccessDenied(authenticatedPage, route)
+			})
+		}
+	})
+
+	test.describe('as MANAGER', () => {
+		test.use({ role: 'manager' })
+
+		for (const route of RBAC_ROUTES.admin) {
+			test(`cannot access ${route}`, async ({ authenticatedPage }) => {
+				await assertAccessDenied(authenticatedPage, route)
+			})
+		}
+	})
+
+	test.describe('as ADMIN', () => {
+		test.use({ role: 'admin' })
+
+		for (const route of RBAC_ROUTES.admin) {
+			test(`can access ${route}`, async ({ authenticatedPage }) => {
+				await authenticatedPage.goto(route)
+				expect(authenticatedPage.url()).not.toContain('/unauthorized')
+			})
+		}
+	})
+})
+
+test.describe('RBAC - Owner Routes @security', () => {
+	test.describe('as MEMBER', () => {
+		test.use({ role: 'member' })
+
+		for (const route of RBAC_ROUTES.owner) {
+			test(`cannot access ${route}`, async ({ authenticatedPage }) => {
+				await assertAccessDenied(authenticatedPage, route)
+			})
+		}
+	})
+
+	test.describe('as ADMIN', () => {
+		test.use({ role: 'admin' })
+
+		for (const route of RBAC_ROUTES.owner) {
+			test(`cannot access ${route}`, async ({ authenticatedPage }) => {
+				await assertAccessDenied(authenticatedPage, route)
+			})
+		}
+	})
+
+	test.describe('as OWNER', () => {
+		test.use({ role: 'owner' })
+
+		for (const route of RBAC_ROUTES.owner) {
+			test(`can access ${route}`, async ({ authenticatedPage }) => {
+				await authenticatedPage.goto(route)
+				expect(authenticatedPage.url()).not.toContain('/unauthorized')
+			})
+		}
+	})
+})
+
+baseTest.describe('RBAC - Unauthenticated @security', () => {
+	const allProtectedRoutes = [
+		...RBAC_ROUTES.member,
+		...RBAC_ROUTES.manager,
+		...RBAC_ROUTES.admin,
+		...RBAC_ROUTES.owner,
+	]
+
+	for (const route of allProtectedRoutes) {
+		baseTest(`redirects unauthenticated from ${route}`, async ({ page }) => {
+			await page.goto(route)
+			const url = page.url()
+			const redirected =
+				url.includes('/auth') ||
+				url.includes('/unauthorized') ||
+				url === 'http://localhost:3000/' ||
+				url === 'https://dev.hakutaku.ai/'
+			expect(redirected).toBe(true)
+		})
+	}
+})

package/template/.claude/skills/e2e-audit/e2e/specs/security/xss.spec.ts

@@ -0,0 +1,74 @@
+import { test, expect } from '../../fixtures/base'
+import { XSS_PAYLOADS } from '../../utils/security-helpers'
+import { ROUTES } from '../../utils/test-data'
+
+test.describe('XSS Prevention @security', () => {
+	test('chat input sanitizes XSS payloads', async ({ authenticatedPage }) => {
+		await authenticatedPage.goto(ROUTES.chat)
+		await authenticatedPage.waitForLoadState('networkidle')
+
+		const input = authenticatedPage.getByRole('textbox').first()
+		const inputVisible = await input.isVisible().catch(() => false)
+		if (!inputVisible) return
+
+		const dialogFired: string[] = []
+		authenticatedPage.on('dialog', async (dialog) => {
+			dialogFired.push(dialog.message())
+			await dialog.dismiss()
+		})
+
+		for (const payload of XSS_PAYLOADS) {
+			await input.clear()
+			await input.fill(payload)
+			await input.press('Tab')
+		}
+
+		expect(dialogFired).toHaveLength(0)
+	})
+
+	test('knowledge search sanitizes XSS payloads', async ({ authenticatedPage }) => {
+		await authenticatedPage.goto(ROUTES.knowledge)
+		await authenticatedPage.waitForLoadState('networkidle')
+
+		const search = authenticatedPage.getByPlaceholder(/search/i)
+		const searchVisible = await search.isVisible().catch(() => false)
+		if (!searchVisible) return
+
+		const dialogFired: string[] = []
+		authenticatedPage.on('dialog', async (dialog) => {
+			dialogFired.push(dialog.message())
+			await dialog.dismiss()
+		})
+
+		for (const payload of XSS_PAYLOADS) {
+			await search.clear()
+			await search.fill(payload)
+			await search.press('Enter')
+			await authenticatedPage.waitForTimeout(200)
+		}
+
+		expect(dialogFired).toHaveLength(0)
+	})
+
+	test('URL parameters do not trigger XSS', async ({ authenticatedPage }) => {
+		const dialogFired: string[] = []
+		authenticatedPage.on('dialog', async (dialog) => {
+			dialogFired.push(dialog.message())
+			await dialog.dismiss()
+		})
+
+		// Test XSS via URL params
+		const xssUrls = [
+			`${ROUTES.knowledge}?search=<script>alert('xss')</script>`,
+			`${ROUTES.knowledge}?search="><img src=x onerror=alert('xss')>`,
+			`${ROUTES.home}?tab=<script>alert(1)</script>`,
+		]
+
+		for (const url of xssUrls) {
+			await authenticatedPage.goto(url)
+			await authenticatedPage.waitForTimeout(500)
+		}
+
+		expect(dialogFired).toHaveLength(0)
+	})
+})

package/template/.claude/skills/e2e-audit/e2e/utils/console-collector.ts

@@ -0,0 +1,89 @@
+import type { Page, ConsoleMessage } from '@playwright/test'
+
+export type CollectedMessage = {
+	type: string
+	text: string
+	url: string
+}
+
+const SENSITIVE_PATTERNS = [
+	/password/i,
+	/secret/i,
+	/token/i,
+	/api[_-]?key/i,
+	/authorization:\s*bearer/i,
+	/session[_-]?id/i,
+	/cookie/i,
+	/credential/i,
+	/private[_-]?key/i,
+]
+
+const STACK_TRACE_PATTERNS = [
+	/at\s+\S+\s+\(\S+:\d+:\d+\)/,
+	/Error:.*\n\s+at\s/,
+	/^\s+at\s+/m,
+]
+
+/**
+ * Attaches a console listener that collects all console messages.
+ * Returns helpers to assert no sensitive data or stack traces were logged.
+ */
+export function createConsoleCollector(page: Page) {
+	const messages: CollectedMessage[] = []
+
+	page.on('console', (msg: ConsoleMessage) => {
+		messages.push({
+			type: msg.type(),
+			text: msg.text(),
+			url: page.url(),
+		})
+	})
+
+	return {
+		getMessages: () => [...messages],
+
+		getSensitiveLeaks: () =>
+			messages.filter((m) =>
+				SENSITIVE_PATTERNS.some((pattern) => pattern.test(m.text)),
+			),
+
+		getStackTraces: () =>
+			messages.filter((m) =>
+				STACK_TRACE_PATTERNS.some((pattern) => pattern.test(m.text)),
+			),
+
+		getErrors: () => messages.filter((m) => m.type === 'error'),
+
+		assertNoSensitiveLeaks: () => {
+			const leaks = messages.filter((m) =>
+				SENSITIVE_PATTERNS.some((pattern) => pattern.test(m.text)),
+			)
+			if (leaks.length > 0) {
+				const details = leaks
+					.map((l) => `[${l.type}] ${l.text.substring(0, 100)}`)
+					.join('\n')
+				throw new Error(
+					`Found ${leaks.length} potential sensitive data leak(s) in console:\n${details}`,
+				)
+			}
+		},
+
+		assertNoStackTraces: () => {
+			const traces = messages.filter((m) =>
+				STACK_TRACE_PATTERNS.some((pattern) => pattern.test(m.text)),
+			)
+			if (traces.length > 0) {
+				const details = traces
+					.map((t) => `[${t.type}] ${t.text.substring(0, 200)}`)
+					.join('\n')
+				throw new Error(
+					`Found ${traces.length} stack trace(s) in console:\n${details}`,
+				)
+			}
+		},
+
+		clear: () => {
+			messages.length = 0
+		},
+	}
+}