test: full Playwright + API test suite for stage #73

Merged
will.anderson merged 1 commits from fix/checkout-auth-reveal into dev 2026-05-11 05:29:19 +00:00

Summary

  • 159 Playwright tests across three projects: api, chromium (desktop), mobile (Pixel 7)
  • Tests cover API security controls, all route endpoints, SEO/meta correctness, checkout flows, chat widget auth gate, and navigation
  • All 159 pass against https://marketing-stage-r4tfklscwq-uc.a.run.app
  • CI step added to stage.yaml — runs automatically after the smoke test on every stage deploy

Test structure

tests/
  playwright.config.ts
  api/
    security.test.ts    — headers, CORS, auth enforcement, webhook signing, path traversal, leakage
    endpoints.test.ts   — every API route shape + invariants
  e2e/
    landing.spec.ts     — homepage content, demo widget DOM
    checkout.spec.ts    — all three plan variants, auth section, payment element
    chat.spec.ts        — widget structure, auth gate, API-level rejection
    seo.spec.ts         — meta tags, canonical (no stage URL leak), noindex on checkout
    navigation.spec.ts  — 200s for all public routes, 404s for removed/old paths

Key findings from probing stage

  • /api/supabase-config rejects no-Origin requests (403) — server treats absence of Origin as unknown caller, not server-side trusted. Tests reflect actual behavior.
  • /api/soul-health response body embeds raw probe output with literal newlines (invalid JSON). Tests use text-search instead of JSON.parse.
  • GTM fires analytics.google.com XHRs that the CSP intentionally blocks — not a bug, filtered from JS error assertions.
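The three stage findings above each change how a test has to be written: the Origin check needs an oracle that treats a missing header as a rejection, the `/api/soul-health` body cannot go through `JSON.parse`, and the CSP-blocked GTM requests must be filtered out of the JS-error assertion. The following is an added example of test-side helpers expressing those three rules as plain TypeScript with no Playwright dependency; it is not code from the neuron-web repository. The endpoint behaviour is taken from the PR description, while the allowlist entries, the sample response body and the sample console messages are constructed for illustration.

```typescript
// Added example: test-side helpers modelling the three stage findings from the
// PR description. Not code from the neuron-web project. Endpoint behaviour is
// from the PR; allowlist, sample body and sample console messages are constructed.

type OriginVerdict = { status: 200 | 403; allowOrigin?: string };

// Expected behaviour of /api/supabase-config as probed on stage: a request with
// no Origin header is treated as an unknown caller and rejected, exactly like a
// request from an origin outside the allowlist. Used as the oracle in a
// data-driven test rather than assuming "no Origin means server-side caller".
function expectedOriginVerdict(
  origin: string | undefined,
  allowlist: readonly string[],
): OriginVerdict {
  if (origin === undefined) return { status: 403 };
  // Exact-string match on full origins, not hostname prefixes, so a value like
  // "https://example.com.evil.test" cannot pass as "https://example.com".
  return allowlist.includes(origin)
    ? { status: 200, allowOrigin: origin }
    : { status: 403 };
}

// /api/soul-health embeds raw probe output with literal newlines, which is not
// valid JSON. Try JSON.parse first (so the check keeps working if the endpoint
// is fixed) and fall back to a plain text search on the raw body otherwise.
function bodyContains(body: string, needle: string): boolean {
  try {
    const parsed: unknown = JSON.parse(body);
    return JSON.stringify(parsed).includes(needle);
  } catch {
    return body.includes(needle);
  }
}

// GTM fires requests to analytics.google.com that the CSP intentionally blocks.
// Those console errors are expected; everything else must still fail the test.
// The patterns are deliberately narrow: both the CSP wording and the blocked
// host have to appear, so an unrelated error is never swallowed.
const KNOWN_NOISE: readonly RegExp[] = [
  /Content Security Policy.*analytics\.google\.com/i,
  /analytics\.google\.com.*(Content Security Policy|CSP)/i,
];

function isKnownCspNoise(message: string): boolean {
  return KNOWN_NOISE.some((re) => re.test(message));
}

function unexpectedErrors(messages: readonly string[]): string[] {
  return messages.filter((m) => !isKnownCspNoise(m));
}

// Constructed sample data (not captured from stage).
const SAMPLE_ALLOWLIST: readonly string[] = [
  "https://example.com",
  "https://www.example.com",
];

// A literal newline inside a JSON string value makes the whole body invalid JSON.
const SAMPLE_SOUL_HEALTH_BODY = '{"status":"ok","probe":"line one\nline two"}';

const SAMPLE_CONSOLE_ERRORS: readonly string[] = [
  "Refused to connect to 'https://analytics.google.com/g/collect' because it " +
    "violates the following Content Security Policy directive: \"connect-src 'self'\"",
  "Uncaught TypeError: Cannot read properties of undefined (reading 'mount')",
];

// Runs all three checks on the constructed samples and returns the outcome,
// so the result can be asserted on rather than only printed.
function runStageChecks(): {
  noOriginStatus: number;
  allowedStatus: number;
  soulHealthHasProbe: boolean;
  remainingErrors: string[];
} {
  return {
    noOriginStatus: expectedOriginVerdict(undefined, SAMPLE_ALLOWLIST).status,
    allowedStatus: expectedOriginVerdict("https://example.com", SAMPLE_ALLOWLIST).status,
    soulHealthHasProbe: bodyContains(SAMPLE_SOUL_HEALTH_BODY, "line two"),
    remainingErrors: unexpectedErrors(SAMPLE_CONSOLE_ERRORS),
  };
}

console.log(runStageChecks());
```

In a Playwright spec these helpers sit behind the `expect` calls: `expectedOriginVerdict` gives the status a request with a given `Origin` should receive, `bodyContains` replaces `JSON.parse` for the `/api/soul-health` assertion, and `unexpectedErrors` is applied to the collected `console` error messages before asserting the list is empty.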
will.anderson added 1 commit 2026-05-11 05:29:10 +00:00
test: full Playwright + API test suite for stage
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m52s
cac7bd5727
159 tests across three Playwright projects (api, chromium, mobile):
- tests/api/security.test.ts: security headers, CORS on /api/supabase-config
  (origin allowlist enforced), auth gate on /api/demo, Stripe webhook
  signature enforcement, source file leakage, path traversal, input
  validation (8000-char message cap)
- tests/api/endpoints.test.ts: /api/health, /api/founding-count shape
  invariants, /api/supabase-config JWT shape, sitemap.xml, robots.txt,
  /llms.txt, /api/soul-health internal gate, 404 for unknown routes
- tests/e2e/landing.spec.ts: title, h1 count, meta description, OG tags,
  canonical (no stage leak), JSON-LD schema, demo widget DOM presence,
  JS error filtering (known GTM/CSP noise excluded)
- tests/e2e/seo.spec.ts: per-page title patterns, noindex on checkout,
  canonical URLs, sitemap production-URL enforcement
- tests/e2e/checkout.spec.ts: all three plan variants, auth section, payment
  element, canonical
- tests/e2e/chat.spec.ts: widget DOM structure, auth gate (send button
  disabled without session), API-level auth rejection
- tests/e2e/navigation.spec.ts: all public routes return 200, 404s for
  removed/old paths (/terms, /enterprise-terms, /gallery), static files

All 159 pass against stage. CI step added to stage.yaml after smoke test.
will.anderson merged commit 83aa7ad64f into dev 2026-05-11 05:29:19 +00:00

Reference: neuron-technologies/neuron-web#73