fillPassword: drop broken redaction — it was breaking login

The route handler rewrote the form-encoded POST body to "REDACTED-<hash>"
to keep cleartext out of the Playwright trace, but `route.continue({postData})`
modifies the request that reaches the server too, which breaks bcrypt
comparison and login fails. The previous unroute-before-submit timing
guaranteed the handler never actually fired; today's run with the route
left armed demonstrated that when it does fire, login is broken.

Simplify to a plain `page.fill` wrapper. The SensitiveValue contract via
.sensitiveValue() still forces callers to opt into extracting the raw
secret, so credentials aren't accidentally stringified into assertions or
logs at the JS level. The trace will record the plaintext, which is
acceptable because the trace artefact retention is private to the run.

Author: chrisns

tests/smoke/fixtures/secure-form.ts

@@ -1,58 +1,23 @@
-// Fills a credential input. Arms a route handler that rewrites the form-encoded
-// POST body so the Playwright trace records REDACTED-<hash> instead of the
-// cleartext value. Only handles application/x-www-form-urlencoded; JSON
-// credential submits would need a JSON-aware fixture.
-//
-// The route handler stays armed for the rest of the page lifecycle: smoke
-// specs do `fillPassword(...)` then `Promise.all([waitForURL, click])`. The
-// submit POST is intercepted by the closure; we accept the small surface of
-// any later form-urlencoded POST also being rewritten because no smoke spec
-// makes additional credentialed POSTs after login.
+// Fills a credential input. Currently a thin wrapper around `page.fill` —
+// the historical purpose of this helper was to intercept the credential POST
+// and rewrite it to "REDACTED-<hash>" in the Playwright trace, but Playwright's
+// route.continue() actually modifies the request that reaches the server, which
+// breaks the login. We keep the helper (and the SensitiveValue type) so that
+// callers must explicitly call `.sensitiveValue()` to extract the raw secret,
+// preserving the type-level guarantee that secrets aren't accidentally
+// stringified into logs or assertions.
 
-import type { Page, Route, Request } from '@playwright/test';
-import { createHash } from 'crypto';
+import type { Page } from '@playwright/test';
 
 export interface FillPasswordOptions {
-  readonly submitUrlContains?: string;
   readonly fieldNames?: ReadonlyArray<string>;
 }
 
-const DEFAULT_FIELDS = ['password', 'pwd'] as const;
-
 export async function fillPassword(
   page: Page,
   selector: string,
   value: string,
-  opts: FillPasswordOptions = {},
+  _opts: FillPasswordOptions = {},
 ): Promise<void> {
-  const submitUrlContains = opts.submitUrlContains ?? '';
-  const fieldNames = opts.fieldNames ?? DEFAULT_FIELDS;
-
-  const redactedFor = (raw: string): string =>
-    `REDACTED-${createHash('sha256').update(raw).digest('hex').slice(0, 16)}`;
-
-  const routeHandler = async (route: Route, req: Request): Promise<void> => {
-    if (req.method() !== 'POST') return route.continue();
-    if (submitUrlContains && !req.url().includes(submitUrlContains)) {
-      return route.continue();
-    }
-    const ct = req.headers()['content-type'] ?? '';
-    const body = req.postData() ?? '';
-    if (!ct.includes('application/x-www-form-urlencoded') || !body) {
-      return route.continue();
-    }
-    const params = new URLSearchParams(body);
-    let touched = false;
-    for (const field of fieldNames) {
-      if (params.has(field)) {
-        params.set(field, redactedFor(params.get(field) ?? ''));
-        touched = true;
-      }
-    }
-    if (!touched) return route.continue();
-    await route.continue({ postData: params.toString() });
-  };
-
-  await page.route('**/*', routeHandler);
   await page.fill(selector, value);
 }