test(console-ui): Playwright E2E — shell, hydration + authenticated user flows

[anupsv]

Summary

Adds the real-browser test layer for console-ui — it didn't exist before (no Playwright/Cypress/Puppeteer; only jsdom Vitest unit tests, which can't see SSR hydration or App Router navigation, which is exactly why the nav/hydration regressions rotted silently).

This boots the app and drives Chromium, asserting both the shell and real authenticated user flows (incl. error/retry paths) actually work in a browser.

Hermetic auth + API mocking

• The app runs with Privy unconfigured + NEXT_PUBLIC_E2E_AUTH=1 (set only by the Playwright server), so mock-auth returns a usable token+user.
• Every coordinator call (/api/*) is route-mocked with seeded data in e2e/fixtures.ts, including a stateful API-key store (GET/POST/PATCH/DELETE/rotate) and SSE chat.
• No Privy tenant, coordinator, or secrets required. Production builds leave the hook off (NEXT_PUBLIC_E2E_AUTH unset → behaviour identical to today).

Coverage (33 tests)

e2e/navigation.spec.ts — shell + hydration:

• every shell route (/, /stats, /providers, /providers/setup, /providers/earnings, /earn, /api-console, /models, /billing, /settings) loads with no React hydration error;
• clean hydration with a persisted technical verification-mode preference;
• sidebar links switch routes; provider dashboard hides Setup/Earnings tabs until a machine is linked (fix(console-ui): repair provider dashboard tab navigation + gate post-install tabs #462).

e2e/flows.spec.ts — authenticated user flows:

• provider onboarding — empty fleet → onboarding + "Set up a provider" nav; a linked machine renders and unlocks the Setup/Earnings tabs;
• API-key management — create, edit (spend cap), disable, rotate (one-time secret reveal), revoke (confirm dialog), and the empty-list state;
• chat — typing + Enter renders the streamed SSE assistant response; switching the model via the composer selector flips the active model; Stop cancels an in-flight generation back to the idle state;
• billing — the balance renders from /api/payments/balance, and Buy Credits → Continue completes a (mocked) Stripe checkout round-trip through to the success toast;
• invite codes — redeeming a valid code shows the credited confirmation; an invalid code surfaces an error;
• error + retry — provider fleet load failure → error state → Retry recovers; chat send failure → inline error bubble → Retry streams successfully.

Real defect found by the E2E

A pricing payload lacking a prices array crashed two pages from one endpoint's shape: /models hard-crashed the root error boundary (prices is not iterable, during render), and /earn threw the same way inside a fetch .then() (an unhandled rejection that broke the earnings calculator). Hardened both buildPricingLookups with Array.isArray (src/app/models/page.tsx, src/app/earn/calc.ts), and added "page resilience" regression tests (each page × two malformed shapes: missing prices and a non-array prices) — verified red without the guards, green with them, covering both the render-boundary and async-rejection failure modes.

Determinism

The Playwright webServer runs a production build + start (not next dev). Dev compiled routes on-demand and served SSR single-threaded, which raced the heavy /models page under parallel workers; a prod build pre-compiles + serves static/optimized output. Result: 72/72 under --repeat-each=3, zero flakes.

Plumbing

• vitest.config.ts excludes e2e/; npm scripts test:e2e / test:e2e:ui.
• CI: Console UI E2E (Playwright) job (installs Chromium, builds, runs the suite on PRs).

Test plan

• npm run test:e2e — 33/33 in Chromium; stable under --repeat-each=3.
• npx eslint src/ clean; npm run build passes (hook gated off in prod).
• npx vitest run — e2e specs correctly excluded.

Made with Cursor

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
d-inference	Ready	Preview	Jun 25, 2026 4:27am
d-inference-console-ui-dev	Ready	Preview	Jun 25, 2026 4:27am
d-inference-landing	Ready	Preview	Jun 25, 2026 4:27am

[blacksmith-sh]

Found 1 test failure on Blacksmith runners:

Failure

Test	View Logs
github.com/eigeninference/d-inference/e2e/TestIntegration_ConcurrentRequests	View Logs

^{Need help on this PR? Tag /codesmith with what you need.}

[github-actions]

This PR improves E2E test infrastructure for the mock-auth path but introduces a new production attack surface via a client-side env-var gate that has the same shape as the existing T-020 misconfiguration risk.

---

Trust boundaries touched

• TB-004 – Browser ↔ Coordinator (console UI auth state)

---

Threat analysis

T-020 — Mock auth active in production due to missing Privy config

⚠️ Weakens the mitigation (partially)

The original MOCK_AUTH was unconditionally authenticated: true with a null user and a noopToken. This PR keeps authenticated: true unconditionally in MOCK_AUTH but now conditionally populates a non-null user object and a non-null token string when NEXT_PUBLIC_E2E_AUTH === "1".

The concern is two-fold:

1. NEXT_PUBLIC_ prefix means the value is baked into the JS bundle at build time by Next.js and shipped to the browser. It is not a server-side secret. If a CI/CD pipeline, staging environment, or developer accidentally produces a build with NEXT_PUBLIC_E2E_AUTH=1 set, every visitor will receive authenticated: true with a valid-looking token string ("e2e-mock-token") and a user object. The coordinator will reject that token, but the UI will present a fully authenticated state — exactly the T-020 scenario.

2. "e2e-mock-token" is a static, hardcoded string. If any route or component passes getAccessToken() output to a coordinator request without checking the coordinator's response, or if a future BFF route is added that does something with the token before forwarding it, the blast radius of a mistaken build grows.

The mitigating factor noted in the comment ("unset in every real build") is a process control, not a code control — there is no if (process.env.NODE_ENV === 'production') throw guard, no CI enforcement visible in this diff, and no assertion at startup that prevents a production Next.js bundle from carrying this flag.

Recommended hardening at PrivyClientProvider.tsx line 24:

const E2E_AUTH =
  process.env.NEXT_PUBLIC_E2E_AUTH === "1" &&
  process.env.NODE_ENV !== "production";

This makes the gate fail-closed in production builds regardless of what env vars CI accidentally passes, and costs nothing at runtime.

---

New attack surface not covered by an existing threat

Hardcoded credential string in a client-side bundle.
"e2e-mock-token" at line 35 is a static string that ships in the browser bundle whenever E2E_AUTH is true. If any logging, analytics, or error-reporting integration (Sentry, Datadog RUM, etc.) captures getAccessToken() output, this string will appear in those systems. More importantly, it creates a false sense that a "token" is present, which can mask missing-auth bugs in new routes during E2E development. This isn't covered by T-020 (which is about the UI presenting an authenticated state, not about a concrete token string being emitted). No existing threat ID maps to "hardcoded test credential leaking into production bundle analytics." Severity is low in isolation but worth noting.

---

SEC-* findings resolved

None — this PR does not close any open SEC-* findings. SEC-026 (the tracking issue for T-020) remains open; this change makes the code path more capable when accidentally triggered, not less.

---

Summary of recommended changes

Location	Change
PrivyClientProvider.tsx line 24	Add && process.env.NODE_ENV !== "production" guard
PrivyClientProvider.tsx line 35	Consider a non-token-shaped value (e.g. "e2e-mock-token-not-valid") to make misuse obvious
CI (.github/workflows/ci.yml)	Verify NEXT_PUBLIC_E2E_AUTH is absent from any workflow that produces or deploys a production artifact

---

🔐 Threat model: docs/threat-model.yaml · Updates on each push to this PR

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: COMMENT

Security — ✅ No issues found

Performance — ✅ No issues found

Type_diligence — ✅ No issues found

Additive_complexity — ✅ No issues found

✅ All four passes clean. No issues found.

🤖 Automated review by Centaur · DAR-186

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: COMMENT

Security — ✅ No issues found

Performance — ✅ No issues found

Type_diligence — ✅ No issues found

Additive_complexity — ✅ No issues found

✅ All four passes clean. No issues found.

🤖 Automated review by Centaur · DAR-186

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: COMMENT

Security — ✅ No issues found

Performance — ✅ No issues found

Type_diligence — ✅ No issues found

Additive_complexity — ✅ No issues found

✅ All four passes clean. No issues found.

🤖 Automated review by Centaur · DAR-186

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: COMMENT

Security — ✅ No issues found

Performance — ✅ No issues found

Type_diligence — ✅ No issues found

Additive_complexity — ✅ No issues found

✅ All four passes clean. No issues found.

🤖 Automated review by Centaur · DAR-186

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: COMMENT

Security — ✅ No issues found

Performance — ✅ No issues found

Type_diligence — ✅ No issues found

Additive_complexity — ✅ No issues found

✅ All four passes clean. No issues found.

🤖 Automated review by Centaur · DAR-186

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: COMMENT

Security — ✅ No issues found

Performance — ✅ No issues found

Type_diligence — ✅ No issues found

Additive_complexity — ✅ No issues found

✅ All four passes clean. No issues found.

🤖 Automated review by Centaur · DAR-186

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: COMMENT

Security — ✅ No issues found

Performance — ✅ No issues found

Type_diligence — ✅ No issues found

Additive_complexity — ✅ No issues found

✅ All four passes clean. No issues found.

🤖 Automated review by Centaur · DAR-186

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: COMMENT

Security — ✅ No issues found

Performance — ✅ No issues found

Type_diligence — ✅ No issues found

Additive_complexity — ✅ No issues found

✅ All four passes clean. No issues found.

🤖 Automated review by Centaur · DAR-186