tests/e2e/smoke/02-crud-spine.spec.ts

import { test, expect } from '@playwright/test';
import { login, navigateTo, waitForSheet, PORT_SLUG } from './helpers';

const TEST_CLIENT_NAME = `E2E Client ${Date.now()}`;

test.describe('CRUD Spine', () => {
  test.beforeEach(async ({ page }) => {
    await login(page, 'super_admin');
  });

  test('create a new client', async ({ page }) => {
    await navigateTo(page, '/clients');

    // Click "New Client" button (use first() in case of duplicates in empty state)
    await page
      .getByRole('button', { name: /new client/i })
      .first()
      .click();
    await waitForSheet(page);

    const sheet = page.locator('[role="dialog"]');
    await sheet.locator('input[name="fullName"]').fill(TEST_CLIENT_NAME);
    await sheet.locator('input[name="nationality"]').fill('British');
    await sheet.locator('input[name="contacts.0.value"]').fill('e2e@test.com');

    await sheet.getByRole('button', { name: /create client/i }).click();
    await expect(sheet).not.toBeVisible({ timeout: 10_000 });
    await page.waitForTimeout(2000);
  });

  test('new client appears in the list', async ({ page }) => {
    await navigateTo(page, '/clients');

    // Wait for table to load
    await expect(page.locator('table').first()).toBeVisible({ timeout: 15_000 });
    await page.waitForTimeout(2000);

    // The client name should appear somewhere in the table or page
    const hasClient = await page
      .getByText(TEST_CLIENT_NAME)
      .isVisible({ timeout: 5_000 })
      .catch(() => false);
    if (!hasClient) {
      // Maybe the table loaded empty and we need to wait for data
      await page.waitForTimeout(3000);
    }
    await expect(page.getByText(TEST_CLIENT_NAME).first()).toBeVisible({ timeout: 10_000 });
  });

  test('filter and click into client detail', async ({ page }) => {
    await navigateTo(page, '/clients');
    await expect(page.locator('table').first()).toBeVisible({ timeout: 15_000 });
    await page.waitForTimeout(2000);

    // Find the client row and click the link (the name should be a link)
    const clientLink = page.locator('a').filter({ hasText: TEST_CLIENT_NAME }).first();
    const isLink = await clientLink.isVisible({ timeout: 5_000 }).catch(() => false);

    if (isLink) {
      await clientLink.click();
    } else {
      // Try clicking the table cell with the name
      await page.getByText(TEST_CLIENT_NAME).first().click();
    }

    // Should navigate to client detail
    await page.waitForTimeout(3000);
    const url = page.url();
    const isDetailPage = url.includes('/clients/') && !url.endsWith('/clients');
    expect(isDetailPage || url.includes(PORT_SLUG)).toBeTruthy();
  });

  test('archive and restore client', async ({ page }) => {
    await navigateTo(page, '/clients');
    await expect(page.locator('table').first()).toBeVisible({ timeout: 15_000 });
    await page.waitForTimeout(2000);

    // Find the row with our client
    const row = page.locator('table tbody tr').filter({ hasText: TEST_CLIENT_NAME }).first();
    const rowVisible = await row.isVisible({ timeout: 5_000 }).catch(() => false);

    if (rowVisible) {
      // Click the actions menu (usually a "..." or dropdown trigger button)
      const actionsBtn = row.locator('button[aria-haspopup]').or(row.locator('button').last());
      await actionsBtn.click();
      await page.waitForTimeout(500);

      const archiveOption = page.getByRole('menuitem', { name: /archive/i });
      if (await archiveOption.isVisible({ timeout: 2_000 }).catch(() => false)) {
        await archiveOption.click();

        // Wait for confirm dialog
        const confirmDialog = page.locator('[role="alertdialog"], [role="dialog"]').last();
        if (await confirmDialog.isVisible({ timeout: 3_000 }).catch(() => false)) {
          await confirmDialog.getByRole('button', { name: /confirm|archive|yes/i }).click();
        }
        await page.waitForTimeout(2000);

        // Client should disappear from active list
        const stillVisible = await page
          .getByText(TEST_CLIENT_NAME)
          .isVisible({ timeout: 3_000 })
          .catch(() => false);
        if (!stillVisible) {
          console.log('  ✓ Client archived and removed from list');
        }
      }
    }
  });
});
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`import { test, expect } from '@playwright/test';`
			`import { login, navigateTo, waitForSheet, PORT_SLUG } from './helpers';`

			const TEST_CLIENT_NAME = `E2E Client ${Date.now()}`;

			`test.describe('CRUD Spine', () => {`
			`test.beforeEach(async ({ page }) => {`
			`await login(page, 'super_admin');`
			`});`

			`test('create a new client', async ({ page }) => {`
			`await navigateTo(page, '/clients');`

			`// Click "New Client" button (use first() in case of duplicates in empty state)`
feat(portal): replace magic-link with email/password + admin-initiated activation The client portal no longer uses passwordless / magic-link sign-in. Each client now has a `portal_users` row with a scrypt-hashed password, created by an admin from the client detail page; the admin's invite mails an activation link that the client uses to set their own password. Forgot-password is wired through the same token mechanism. Schema (migration `0009_outgoing_rumiko_fujikawa.sql`): - `portal_users` — one per client account, separate from the CRM `users` table (better-auth) so the auth realms stay isolated. Email is globally unique, password is null until activation. - `portal_auth_tokens` — single-use activation / reset tokens. Stores only the SHA-256 hash so a DB compromise never leaks live tokens. Services: - `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps; uses node:crypto), token mint+hash helpers. - `src/lib/services/portal-auth.service.ts` — createPortalUser, resendActivation, activateAccount, signIn (timing-safe), requestPasswordReset, resetPassword. Auth failures throw the new UnauthorizedError (401); enumeration-safe behaviour everywhere. Routes: - POST /api/portal/auth/sign-in — sets the existing portal JWT cookie. - POST /api/portal/auth/forgot-password — always 200. - POST /api/portal/auth/reset-password — token + new password. - POST /api/portal/auth/activate — token + initial password. - POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`). - Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link). UI: - /portal/login — replaced email-only magic-link form with email + password + "forgot password" link. - /portal/forgot-password, /portal/reset-password, /portal/activate — new. - New shared `PasswordSetForm` component used by activate + reset. - New `PortalInviteButton` rendered on the client detail header. Email send: - `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are set (gmail app-password or marina-server creds, configured via env). - `SMTP_FROM` env var lets the sender address be overridden without pinning it to `noreply@${SMTP_HOST}`. Tests: - Smoke spec 17 (client-portal) updated to the new flow: 7/7 green. - Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to match the post-refactor client + invoice forms (drop companyName, use OwnerPicker + billingEmail). - Vitest 652/652 still green; type-check clean. Drops the dead `requestMagicLink` from portal.service.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-26 15:34:02 +02:00			`await page`
			`.getByRole('button', { name: /new client/i })`
			`.first()`
			`.click();`
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`await waitForSheet(page);`

			`const sheet = page.locator('[role="dialog"]');`
			`await sheet.locator('input[name="fullName"]').fill(TEST_CLIENT_NAME);`
			`await sheet.locator('input[name="nationality"]').fill('British');`
			`await sheet.locator('input[name="contacts.0.value"]').fill('e2e@test.com');`

			`await sheet.getByRole('button', { name: /create client/i }).click();`
			`await expect(sheet).not.toBeVisible({ timeout: 10_000 });`
			`await page.waitForTimeout(2000);`
			`});`

			`test('new client appears in the list', async ({ page }) => {`
			`await navigateTo(page, '/clients');`

			`// Wait for table to load`
			`await expect(page.locator('table').first()).toBeVisible({ timeout: 15_000 });`
			`await page.waitForTimeout(2000);`

			`// The client name should appear somewhere in the table or page`
feat(portal): replace magic-link with email/password + admin-initiated activation The client portal no longer uses passwordless / magic-link sign-in. Each client now has a `portal_users` row with a scrypt-hashed password, created by an admin from the client detail page; the admin's invite mails an activation link that the client uses to set their own password. Forgot-password is wired through the same token mechanism. Schema (migration `0009_outgoing_rumiko_fujikawa.sql`): - `portal_users` — one per client account, separate from the CRM `users` table (better-auth) so the auth realms stay isolated. Email is globally unique, password is null until activation. - `portal_auth_tokens` — single-use activation / reset tokens. Stores only the SHA-256 hash so a DB compromise never leaks live tokens. Services: - `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps; uses node:crypto), token mint+hash helpers. - `src/lib/services/portal-auth.service.ts` — createPortalUser, resendActivation, activateAccount, signIn (timing-safe), requestPasswordReset, resetPassword. Auth failures throw the new UnauthorizedError (401); enumeration-safe behaviour everywhere. Routes: - POST /api/portal/auth/sign-in — sets the existing portal JWT cookie. - POST /api/portal/auth/forgot-password — always 200. - POST /api/portal/auth/reset-password — token + new password. - POST /api/portal/auth/activate — token + initial password. - POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`). - Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link). UI: - /portal/login — replaced email-only magic-link form with email + password + "forgot password" link. - /portal/forgot-password, /portal/reset-password, /portal/activate — new. - New shared `PasswordSetForm` component used by activate + reset. - New `PortalInviteButton` rendered on the client detail header. Email send: - `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are set (gmail app-password or marina-server creds, configured via env). - `SMTP_FROM` env var lets the sender address be overridden without pinning it to `noreply@${SMTP_HOST}`. Tests: - Smoke spec 17 (client-portal) updated to the new flow: 7/7 green. - Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to match the post-refactor client + invoice forms (drop companyName, use OwnerPicker + billingEmail). - Vitest 652/652 still green; type-check clean. Drops the dead `requestMagicLink` from portal.service.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-26 15:34:02 +02:00			`const hasClient = await page`
			`.getByText(TEST_CLIENT_NAME)`
			`.isVisible({ timeout: 5_000 })`
			`.catch(() => false);`
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`if (!hasClient) {`
			`// Maybe the table loaded empty and we need to wait for data`
			`await page.waitForTimeout(3000);`
			`}`
			`await expect(page.getByText(TEST_CLIENT_NAME).first()).toBeVisible({ timeout: 10_000 });`
			`});`

			`test('filter and click into client detail', async ({ page }) => {`
			`await navigateTo(page, '/clients');`
			`await expect(page.locator('table').first()).toBeVisible({ timeout: 15_000 });`
			`await page.waitForTimeout(2000);`

			`// Find the client row and click the link (the name should be a link)`
			`const clientLink = page.locator('a').filter({ hasText: TEST_CLIENT_NAME }).first();`
			`const isLink = await clientLink.isVisible({ timeout: 5_000 }).catch(() => false);`

			`if (isLink) {`
			`await clientLink.click();`
			`} else {`
			`// Try clicking the table cell with the name`
			`await page.getByText(TEST_CLIENT_NAME).first().click();`
			`}`

			`// Should navigate to client detail`
			`await page.waitForTimeout(3000);`
			`const url = page.url();`
			`const isDetailPage = url.includes('/clients/') && !url.endsWith('/clients');`
			`expect(isDetailPage \|\| url.includes(PORT_SLUG)).toBeTruthy();`
			`});`

			`test('archive and restore client', async ({ page }) => {`
			`await navigateTo(page, '/clients');`
			`await expect(page.locator('table').first()).toBeVisible({ timeout: 15_000 });`
			`await page.waitForTimeout(2000);`

			`// Find the row with our client`
			`const row = page.locator('table tbody tr').filter({ hasText: TEST_CLIENT_NAME }).first();`
			`const rowVisible = await row.isVisible({ timeout: 5_000 }).catch(() => false);`

			`if (rowVisible) {`
			`// Click the actions menu (usually a "..." or dropdown trigger button)`
			`const actionsBtn = row.locator('button[aria-haspopup]').or(row.locator('button').last());`
			`await actionsBtn.click();`
			`await page.waitForTimeout(500);`

			`const archiveOption = page.getByRole('menuitem', { name: /archive/i });`
			`if (await archiveOption.isVisible({ timeout: 2_000 }).catch(() => false)) {`
			`await archiveOption.click();`

			`// Wait for confirm dialog`
			`const confirmDialog = page.locator('[role="alertdialog"], [role="dialog"]').last();`
			`if (await confirmDialog.isVisible({ timeout: 3_000 }).catch(() => false)) {`
			`await confirmDialog.getByRole('button', { name: /confirm\|archive\|yes/i }).click();`
			`}`
			`await page.waitForTimeout(2000);`

			`// Client should disappear from active list`
feat(portal): replace magic-link with email/password + admin-initiated activation The client portal no longer uses passwordless / magic-link sign-in. Each client now has a `portal_users` row with a scrypt-hashed password, created by an admin from the client detail page; the admin's invite mails an activation link that the client uses to set their own password. Forgot-password is wired through the same token mechanism. Schema (migration `0009_outgoing_rumiko_fujikawa.sql`): - `portal_users` — one per client account, separate from the CRM `users` table (better-auth) so the auth realms stay isolated. Email is globally unique, password is null until activation. - `portal_auth_tokens` — single-use activation / reset tokens. Stores only the SHA-256 hash so a DB compromise never leaks live tokens. Services: - `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps; uses node:crypto), token mint+hash helpers. - `src/lib/services/portal-auth.service.ts` — createPortalUser, resendActivation, activateAccount, signIn (timing-safe), requestPasswordReset, resetPassword. Auth failures throw the new UnauthorizedError (401); enumeration-safe behaviour everywhere. Routes: - POST /api/portal/auth/sign-in — sets the existing portal JWT cookie. - POST /api/portal/auth/forgot-password — always 200. - POST /api/portal/auth/reset-password — token + new password. - POST /api/portal/auth/activate — token + initial password. - POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`). - Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link). UI: - /portal/login — replaced email-only magic-link form with email + password + "forgot password" link. - /portal/forgot-password, /portal/reset-password, /portal/activate — new. - New shared `PasswordSetForm` component used by activate + reset. - New `PortalInviteButton` rendered on the client detail header. Email send: - `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are set (gmail app-password or marina-server creds, configured via env). - `SMTP_FROM` env var lets the sender address be overridden without pinning it to `noreply@${SMTP_HOST}`. Tests: - Smoke spec 17 (client-portal) updated to the new flow: 7/7 green. - Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to match the post-refactor client + invoice forms (drop companyName, use OwnerPicker + billingEmail). - Vitest 652/652 still green; type-check clean. Drops the dead `requestMagicLink` from portal.service.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-26 15:34:02 +02:00			`const stillVisible = await page`
			`.getByText(TEST_CLIENT_NAME)`
			`.isVisible({ timeout: 3_000 })`
			`.catch(() => false);`
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`if (!stillVisible) {`
			`console.log(' ✓ Client archived and removed from list');`
			`}`
			`}`
			`}`
			`});`
			`});`