e2e/tests/m0-smoke.spec.ts

import { test, expect, type Request } from '@playwright/test';

/**
 * M0 — Bootstrap smoke checks.
 * Validates what M0 actually delivers:
 *   1. The 3-container stack is reachable (front + api proxy).
 *   2. The home page renders the RTOps design system primitives.
 *   3. Self-hosted webfonts (no Google Fonts CDN — spec §7).
 *   4. No JS console errors on first load.
 *   5. API health endpoint returns the expected JSON.
 */

test.describe('M0 — bootstrap smoke', () => {
  const consoleErrors: string[] = [];
  const externalRequests: string[] = [];

  test.beforeEach(({ page }) => {
    consoleErrors.length = 0;
    externalRequests.length = 0;

    page.on('console', (msg) => {
      if (msg.type() === 'error') consoleErrors.push(msg.text());
    });
    page.on('pageerror', (err) => consoleErrors.push(`pageerror: ${err.message}`));
    page.on('request', (req: Request) => {
      const url = req.url();
      if (
        url.includes('fonts.googleapis.com') ||
        url.includes('fonts.gstatic.com') ||
        url.includes('cdn.jsdelivr.net') ||
        url.includes('unpkg.com')
      ) {
        externalRequests.push(url);
      }
    });
  });

  test('home page loads and renders the RTOps header', async ({ page }) => {
    const resp = await page.goto('/');
    expect(resp?.status(), 'home page should respond 200').toBe(200);
    await expect(page).toHaveTitle(/Metamorph/);

    const h1 = page.getByRole('heading', { level: 1 });
    await expect(h1).toContainText('Metamorph');
    await expect(h1).toContainText('Purple Team Platform');
  });

  test('API health card eventually shows OK', async ({ page }) => {
    await page.goto('/');
    // The "API" card binds the health probe; wait for the green-accent state.
    const apiCard = page.locator('h3', { hasText: /^API$/ }).locator('..');
    await expect(apiCard).toContainText(/version\s+\d+/i, { timeout: 10_000 });
    await expect(apiCard).toContainText('ok');
  });

  test('design system primitives render with the expected accent classes', async ({ page }) => {
    await page.goto('/');
    // Tags from the demo row.
    await expect(page.getByText('EVASION', { exact: true })).toBeVisible();
    await expect(page.getByText('C2', { exact: true })).toBeVisible();
    await expect(page.getByText('LATERAL', { exact: true })).toBeVisible();
    // Flow nodes.
    await expect(page.getByText('recon', { exact: true })).toBeVisible();
    await expect(page.getByText('impact', { exact: true })).toBeVisible();
    // Buttons.
    await expect(page.getByRole('button', { name: /primary/i })).toBeVisible();
  });

  test('body uses self-hosted IBM Plex Sans, no Google Fonts requests', async ({ page }) => {
    await page.goto('/');
    // Wait for fonts to settle.
    await page.evaluate(() => document.fonts.ready);

    const bodyFont = await page.evaluate(() =>
      window.getComputedStyle(document.body).fontFamily.toLowerCase(),
    );
    expect(bodyFont).toContain('ibm plex sans');

    // Header is mono.
    const h1Font = await page.evaluate(() => {
      const h1 = document.querySelector('h1');
      return h1 ? window.getComputedStyle(h1).fontFamily.toLowerCase() : '';
    });
    expect(h1Font).toContain('jetbrains mono');

    // No request must hit Google Fonts or any other CDN — see spec §7.
    expect(externalRequests, `unexpected CDN traffic: ${externalRequests.join(', ')}`).toEqual([]);
  });

  test('background uses the RTOps deep navy token', async ({ page }) => {
    await page.goto('/');
    const bg = await page.evaluate(() => window.getComputedStyle(document.body).backgroundColor);
    // tasks/design.md: --bg = #0a0e1a → rgb(10, 14, 26)
    expect(bg).toBe('rgb(10, 14, 26)');
  });

  test('no JS console errors on first load', async ({ page }) => {
    await page.goto('/');
    await page.waitForLoadState('networkidle');
    // The auth provider attempts a silent /auth/refresh at mount; without a
    // refresh cookie the server returns 401 and the browser logs a generic
    // "Failed to load resource" warning. That's expected for unauthenticated
    // visitors and doesn't constitute a real error.
    const realErrors = consoleErrors.filter(
      (e) => !/Failed to load resource.*401/i.test(e),
    );
    expect(realErrors, `console errors: ${realErrors.join(' | ')}`).toEqual([]);
  });

  test('API health endpoint returns the expected JSON shape', async ({ request }) => {
    const resp = await request.get('/api/v1/health');
    expect(resp.status()).toBe(200);
    const body = (await resp.json()) as { status: string; version: string };
    expect(body.status).toBe('ok');
    expect(body.version).toMatch(/^\d+\.\d+\.\d+/);
  });

  test('CORS headers are set when the SPA origin asks for them', async ({ request }) => {
    const resp = await request.get('/api/v1/health', {
      headers: { Origin: 'http://localhost:8080' },
    });
    expect(resp.status()).toBe(200);
    // flask-cors echoes back the configured origin when allowed.
    const allowed = resp.headers()['access-control-allow-origin'];
    expect(allowed === 'http://localhost:8080' || allowed === '*').toBeTruthy();
  });
});
feat(m0): bootstrap repo, design system, compose stack - Repo scaffolding: .gitignore, .env.example, Makefile, docker-compose.yml, README.md, CHANGELOG.md, pre-commit config. - Three-service stack: api (Flask 3), db (postgres:16-alpine), front (nginx serving the Vite bundle). Named volumes metamorph_db + metamorph_evidence. - Backend skeleton: Flask app factory, JSON structured logging on stdout, GET /api/v1/health, multi-stage Dockerfile, pyproject.toml driven by uv, Pydantic Settings with secret guard rails (refuses to boot in non-dev with placeholders), APP_ENV gating. - Frontend skeleton: Vite + React 18 + TypeScript strict + TailwindCSS, RTOps design tokens from tasks/design.md, self-hosted JetBrains Mono / IBM Plex Sans via @fontsource, base UI primitives (Card/Tag/SectionHeader/FlowNode/ Button), home page wired to /api/v1/health. - Engine-agnostic Makefile: auto-detects docker or podman, picks the matching compose driver. Targets: up/down/build/rebuild/dev/lint/fmt/test/migrate/ seed-mitre/print-install-token/e2e/inspect-health. - Playwright suite: e2e/tests/m0-smoke.spec.ts (8 tests) + HTML + JUnit reports + traces on retry. - Docs: tasks/spec.md (finalized after Q&A), tasks/design.md, tasks/todo.md (14 milestones), tasks/testing-m0.md, tasks/lessons.md. DoD: make up + make health + make e2e all pass on podman 5.x (Fedora) and docker. TLS terminated by external reverse proxy (spec §6 NF-network). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-11 06:16:00 +02:00			`import { test, expect, type Request } from '@playwright/test';`

			`/**`
			`* M0 — Bootstrap smoke checks.`
			`* Validates what M0 actually delivers:`
			`* 1. The 3-container stack is reachable (front + api proxy).`
			`* 2. The home page renders the RTOps design system primitives.`
			`* 3. Self-hosted webfonts (no Google Fonts CDN — spec §7).`
			`* 4. No JS console errors on first load.`
			`* 5. API health endpoint returns the expected JSON.`
			`*/`

			`test.describe('M0 — bootstrap smoke', () => {`
			`const consoleErrors: string[] = [];`
			`const externalRequests: string[] = [];`

			`test.beforeEach(({ page }) => {`
			`consoleErrors.length = 0;`
			`externalRequests.length = 0;`

			`page.on('console', (msg) => {`
			`if (msg.type() === 'error') consoleErrors.push(msg.text());`
			`});`
			page.on('pageerror', (err) => consoleErrors.push(`pageerror: ${err.message}`));
			`page.on('request', (req: Request) => {`
			`const url = req.url();`
			`if (`
			`url.includes('fonts.googleapis.com') \|\|`
			`url.includes('fonts.gstatic.com') \|\|`
			`url.includes('cdn.jsdelivr.net') \|\|`
			`url.includes('unpkg.com')`
			`) {`
			`externalRequests.push(url);`
			`}`
			`});`
			`});`

			`test('home page loads and renders the RTOps header', async ({ page }) => {`
			`const resp = await page.goto('/');`
			`expect(resp?.status(), 'home page should respond 200').toBe(200);`
			`await expect(page).toHaveTitle(/Metamorph/);`

			`const h1 = page.getByRole('heading', { level: 1 });`
			`await expect(h1).toContainText('Metamorph');`
			`await expect(h1).toContainText('Purple Team Platform');`
			`});`

			`test('API health card eventually shows OK', async ({ page }) => {`
			`await page.goto('/');`
			`// The "API" card binds the health probe; wait for the green-accent state.`
			`const apiCard = page.locator('h3', { hasText: /^API$/ }).locator('..');`
			`await expect(apiCard).toContainText(/version\s+\d+/i, { timeout: 10_000 });`
			`await expect(apiCard).toContainText('ok');`
			`});`

			`test('design system primitives render with the expected accent classes', async ({ page }) => {`
			`await page.goto('/');`
			`// Tags from the demo row.`
			`await expect(page.getByText('EVASION', { exact: true })).toBeVisible();`
			`await expect(page.getByText('C2', { exact: true })).toBeVisible();`
			`await expect(page.getByText('LATERAL', { exact: true })).toBeVisible();`
			`// Flow nodes.`
			`await expect(page.getByText('recon', { exact: true })).toBeVisible();`
			`await expect(page.getByText('impact', { exact: true })).toBeVisible();`
			`// Buttons.`
			`await expect(page.getByRole('button', { name: /primary/i })).toBeVisible();`
			`});`

			`test('body uses self-hosted IBM Plex Sans, no Google Fonts requests', async ({ page }) => {`
			`await page.goto('/');`
			`// Wait for fonts to settle.`
			`await page.evaluate(() => document.fonts.ready);`

			`const bodyFont = await page.evaluate(() =>`
			`window.getComputedStyle(document.body).fontFamily.toLowerCase(),`
			`);`
			`expect(bodyFont).toContain('ibm plex sans');`

			`// Header is mono.`
			`const h1Font = await page.evaluate(() => {`
			`const h1 = document.querySelector('h1');`
			`return h1 ? window.getComputedStyle(h1).fontFamily.toLowerCase() : '';`
			`});`
			`expect(h1Font).toContain('jetbrains mono');`

			`// No request must hit Google Fonts or any other CDN — see spec §7.`
			expect(externalRequests, `unexpected CDN traffic: ${externalRequests.join(', ')}`).toEqual([]);
			`});`

			`test('background uses the RTOps deep navy token', async ({ page }) => {`
			`await page.goto('/');`
			`const bg = await page.evaluate(() => window.getComputedStyle(document.body).backgroundColor);`
			`// tasks/design.md: --bg = #0a0e1a → rgb(10, 14, 26)`
			`expect(bg).toBe('rgb(10, 14, 26)');`
			`});`

			`test('no JS console errors on first load', async ({ page }) => {`
			`await page.goto('/');`
			`await page.waitForLoadState('networkidle');`
			`// The auth provider attempts a silent /auth/refresh at mount; without a`
			`// refresh cookie the server returns 401 and the browser logs a generic`
			`// "Failed to load resource" warning. That's expected for unauthenticated`
			`// visitors and doesn't constitute a real error.`
			`const realErrors = consoleErrors.filter(`
			`(e) => !/Failed to load resource.*401/i.test(e),`
			`);`
			expect(realErrors, `console errors: ${realErrors.join(' \| ')}`).toEqual([]);
			`});`

			`test('API health endpoint returns the expected JSON shape', async ({ request }) => {`
			`const resp = await request.get('/api/v1/health');`
			`expect(resp.status()).toBe(200);`
			`const body = (await resp.json()) as { status: string; version: string };`
			`expect(body.status).toBe('ok');`
			`expect(body.version).toMatch(/^\d+\.\d+\.\d+/);`
			`});`

			`test('CORS headers are set when the SPA origin asks for them', async ({ request }) => {`
			`const resp = await request.get('/api/v1/health', {`
			`headers: { Origin: 'http://localhost:8080' },`
			`});`
			`expect(resp.status()).toBe(200);`
			`// flask-cors echoes back the configured origin when allowed.`
			`const allowed = resp.headers()['access-control-allow-origin'];`
			`expect(allowed === 'http://localhost:8080' \|\| allowed === '*').toBeTruthy();`
			`});`
			`});`