start-vibing 4.4.0 → 4.4.2

package/template/.claude/skills/e2e-audit/e2e/utils/security-helpers.ts

@@ -1,114 +0,0 @@
-import { type Page, expect } from '@playwright/test'
-
-export const XSS_PAYLOADS = [
-	'<script>alert("xss")</script>',
-	'<img src=x onerror=alert("xss")>',
-	'"><script>alert("xss")</script>',
-	"javascript:alert('xss')",
-	'<svg onload=alert("xss")>',
-	"'; DROP TABLE users; --",
-	'{{constructor.constructor("return this")()}}',
-	'${7*7}',
-]
-
-export const REQUIRED_SECURITY_HEADERS = [
-	'x-frame-options',
-	'x-content-type-options',
-	'referrer-policy',
-]
-
-/**
- * Test XSS payloads against a text input.
- * Fills each payload and verifies no dialog (alert/confirm/prompt) fires.
- */
-export async function testXssOnInput(
-	page: Page,
-	inputLocator: ReturnType<Page['getByRole']>,
-) {
-	const dialogFired: string[] = []
-	const handler = (dialog: { message: () => string; dismiss: () => Promise<void> }) => {
-		dialogFired.push(dialog.message())
-		void dialog.dismiss()
-	}
-	page.on('dialog', handler)
-
-	for (const payload of XSS_PAYLOADS) {
-		await inputLocator.clear()
-		await inputLocator.fill(payload)
-		// Trigger potential execution (blur, submit)
-		await inputLocator.press('Tab')
-	}
-
-	page.off('dialog', handler)
-
-	if (dialogFired.length > 0) {
-		throw new Error(
-			`XSS detected! Dialog(s) fired with: ${dialogFired.join(', ')}`,
-		)
-	}
-}
-
-/**
- * Verify required security headers are present on a response.
- */
-export async function assertSecurityHeaders(page: Page, url: string) {
-	const response = await page.goto(url)
-	if (!response) throw new Error(`No response for ${url}`)
-
-	const headers = response.headers()
-
-	for (const header of REQUIRED_SECURITY_HEADERS) {
-		expect(
-			headers[header],
-			`Missing security header: ${header}`,
-		).toBeDefined()
-	}
-
-	// X-Content-Type-Options should be nosniff
-	if (headers['x-content-type-options']) {
-		expect(headers['x-content-type-options']).toBe('nosniff')
-	}
-}
-
-/**
- * Verify that error responses don't contain stack traces.
- */
-export async function assertNoStackTraceInResponse(page: Page) {
-	const content = await page.content()
-	const stackTraceIndicators = [
-		'at Object.',
-		'at Module.',
-		'at Function.',
-		'node_modules/',
-		'.js:',
-		'webpack-internal',
-		'__next',
-	]
-
-	for (const indicator of stackTraceIndicators) {
-		expect(content).not.toContain(indicator)
-	}
-}
-
-/**
- * Test RBAC by navigating to a URL and checking if access is denied.
- */
-export async function assertAccessDenied(
-	page: Page,
-	url: string,
-	expectedRedirect?: string,
-) {
-	await page.goto(url)
-	const currentUrl = page.url()
-
-	if (expectedRedirect) {
-		expect(currentUrl).toContain(expectedRedirect)
-	} else {
-		// Should redirect to /unauthorized or /auth
-		const denied =
-			currentUrl.includes('/unauthorized') ||
-			currentUrl.includes('/auth') ||
-			currentUrl.includes('/login')
-		expect(denied).toBe(true)
-	}
-}

package/template/.claude/skills/e2e-audit/e2e/utils/test-data.ts

@@ -1,64 +0,0 @@
-/**
- * Shared test data constants for E2E tests.
- * Keep this minimal — only data used across multiple test files.
- */
-
-export const ROUTES = {
-	// Dashboard (authenticated)
-	home: '/dashboard/home',
-	knowledge: '/dashboard/knowledge',
-	knowledgeDetail: (id: string) => `/dashboard/knowledge/${id}`,
-	chat: '/dashboard/chat',
-	integrations: '/dashboard/integrations',
-	integrationDetail: (id: string) => `/dashboard/integrations/${id}`,
-	integrationsNew: '/dashboard/integrations/new',
-	integrationsSuccess: '/dashboard/integrations/success',
-	teams: '/dashboard/teams',
-	profile: '/dashboard/profile',
-	admin: '/dashboard/admin',
-	billing: '/dashboard/billing',
-	ontology: '/dashboard/ontology',
-	transcripts: '/dashboard/transcripts',
-	transcriptDetail: (id: string) => `/dashboard/transcripts/${id}`,
-	transcriptDocument: (id: string) => `/dashboard/transcripts/documents/${id}`,
-
-	// Auth
-	root: '/',
-	authDesktop: '/auth/desktop',
-	authError: '/auth/error',
-	logout: '/auth/logout',
-	popupCallback: '/auth/popup-callback',
-	integrationCallbackSuccess: '/auth/integration/callback/success',
-	integrationCallbackError: '/auth/integration/callback/error',
-
-	// Other
-	unauthorized: '/unauthorized',
-	freeTrial: '/freetrial',
-} as const
-
-export const RBAC_ROUTES = {
-	/** Routes accessible only by ADMIN+ */
-	admin: [ROUTES.admin],
-	/** Routes accessible only by OWNER */
-	owner: [ROUTES.billing],
-	/** Routes accessible only by MANAGER+ */
-	manager: [ROUTES.integrationsNew],
-	/** Routes accessible by any authenticated user */
-	member: [
-		ROUTES.home,
-		ROUTES.knowledge,
-		ROUTES.chat,
-		ROUTES.integrations,
-		ROUTES.teams,
-		ROUTES.profile,
-		ROUTES.ontology,
-		ROUTES.transcripts,
-	],
-} as const
-
-export const TIMEOUTS = {
-	navigation: 30_000,
-	action: 10_000,
-	toast: 5_000,
-	animation: 500,
-} as const

package/template/.claude/skills/e2e-audit/runbook.md

@@ -1,115 +0,0 @@
-# E2E Audit Runbook
-
-## Setup
-
-### 1. Install Playwright
-
-```bash
-bun add -D @playwright/test
-bunx playwright install chromium
-```
-
-### 2. Start the dev server
-
-```bash
-bun run dev
-```
-
-### 3. Run tests
-
-```bash
-# All E2E tests
-bun run test:e2e
-
-# With UI mode (visual debugger)
-bunx playwright test --ui
-
-# Specific test file
-bunx playwright test tests/e2e/specs/dashboard-home.spec.ts
-
-# By tag
-bunx playwright test --grep @smoke
-bunx playwright test --grep @security
-bunx playwright test --grep @ux
-```
-
-## Test Organization
-
-```
-tests/e2e/
-├── fixtures/          # Auth + base fixtures
-│   ├── auth.ts        # Per-role authentication setup
-│   ├── base.ts        # Extended test fixture (authenticatedPage)
-│   └── storage/       # Generated auth state files (gitignored)
-├── pages/             # Page Object Models (1 per page)
-├── specs/             # Test specs (1 per page + security/)
-│   └── security/      # Cross-cutting security tests
-└── utils/             # Shared helpers
-    ├── console-collector.ts  # Console message interceptor
-    ├── security-helpers.ts   # XSS, header, RBAC helpers
-    └── test-data.ts          # Routes, timeouts, test constants
-```
-
-## Adding Tests for a New Page
-
-1. **Create Page Object** in `tests/e2e/pages/{page-name}.page.ts`
-2. **Create Test Spec** in `tests/e2e/specs/{page-name}.spec.ts`
-3. **Create Page Spec** in `docs/e2e-audit/page-specs/{page-name}.md`
-4. **Run and fix**: `bunx playwright test tests/e2e/specs/{page-name}.spec.ts`
-5. **Update master audit** in `docs/e2e-audit/reports/master-audit.md`
-
-## Updating Tests After App Changes
-
-1. Run the e2e-audit skill to re-discover elements on changed pages
-2. Compare new page spec with existing
-3. Update POM, test spec, and page spec
-4. Run tests: `bun run test:e2e`
-5. Fix failures
-
-## Auth Setup
-
-Tests use `storageState` for pre-authenticated sessions. The auth fixture at
-`tests/e2e/fixtures/auth.ts` needs real login flows implemented per role.
-
-For local development with OAuth, you may need to:
-1. Use the Cloudflare tunnel (`https://dev.hakutaku.ai`)
-2. Set `BASE_URL=https://dev.hakutaku.ai` when running tests
-3. Or mock auth via direct cookie/session injection
-
-## CI Integration
-
-```yaml
-# Example GitHub Actions step
-- name: E2E Tests
-  run: |
-    bunx playwright install chromium
-    bun run test:e2e
-  env:
-    BASE_URL: http://localhost:3000
-```
-
-## Debugging Failed Tests
-
-```bash
-# View trace from failed test
-bunx playwright show-trace test-results/{test-name}/trace.zip
-
-# Run with headed browser
-bunx playwright test --headed
-
-# Run with slow motion
-bunx playwright test --headed --slow-mo 500
-
-# Debug specific test
-bunx playwright test --debug tests/e2e/specs/dashboard-home.spec.ts
-```
-
-## Tags Reference
-
-| Tag | Purpose | When to run |
-|-----|---------|-------------|
-| `@smoke` | Critical paths | Every PR |
-| `@regression` | Full suite | Main merges |
-| `@security` | Security tests | Weekly + before release |
-| `@a11y` | Accessibility | Weekly |
-| `@ux` | UX/UI validation | After UI changes |