fix(e2e): prevent host-only tenant menu detection (#21)

## Summary
- tighten multi-tenant menu detection so host-only `platform` menu
groups do not enable tenant-aware frontend behavior
- clear user drawer and batch-edit modal loading states in `finally`
during initialization
- record the FB-22 verification and review notes under
`release-test-and-build`

## Verification
- `pnpm -C apps/lina-vben/apps/web-antd run typecheck`
- `pnpm -C hack/tests test:validate`
- `openspec validate release-test-and-build --strict`
- clean host-only Docker PostgreSQL run: `TC0226-user-account-labels.ts`
and `TC0228-user-batch-edit.ts` both passed

## Notes
- media-related tests were not run per request
- local `apps/lina-plugins` submodule pointer change is intentionally
not included in this PR

Author: wangle201210

apps/lina-vben/apps/web-antd/src/store/auth.ts

@@ -24,15 +24,30 @@ type UserMenuNode = {
   path?: string;
 };
 
+function normalizeMenuPath(path: string) {
+  return path.replace(/^\/+/u, '').replace(/\/+$/u, '');
+}
+
+function isMultiTenantMenuNode(item: UserMenuNode): boolean {
+  const path = normalizeMenuPath(item.path || '');
+  const name = item.name || '';
+
+  // The host platform group is always present; only concrete tenant pages
+  // should enable tenant-aware frontend behavior.
+  return (
+    path === 'platform/tenants' ||
+    path.startsWith('platform/tenants/') ||
+    path === 'tenant' ||
+    path.startsWith('tenant/') ||
+    name.startsWith('PlatformTenant') ||
+    name.startsWith('Tenant')
+  );
+}
+
 function hasMultiTenantMenu(items: UserMenuNode[] = []): boolean {
   return items.some((item) => {
-    const path = item.path || '';
-    const name = item.name || '';
     return (
-      path.startsWith('/platform') ||
-      path.startsWith('/tenant') ||
-      name.startsWith('Platform') ||
-      name.startsWith('Tenant') ||
+      isMultiTenantMenuNode(item) ||
       hasMultiTenantMenu(item.children)
     );
   });
@@ -202,13 +217,11 @@ export const useAuthStore = defineStore('auth', () => {
       accessStore.setAccessCodes(userInfo.permissions);
     }
     tenantStore.setTenantContext({
-      enabled:
-        tenantStore.enabled ||
-        resolveTenantEnabled(
-          tenantStore.tenants,
-          userInfo,
-          tenantStore.currentTenant,
-        ),
+      enabled: resolveTenantEnabled(
+        tenantStore.tenants,
+        userInfo,
+        tenantStore.currentTenant,
+      ),
     });
 
     return userInfo;

apps/lina-vben/apps/web-antd/src/views/system/user/user-batch-edit-modal.vue

@@ -180,34 +180,37 @@ const [Modal, modalApi] = useVbenModal({
     }
 
     modalApi.setState({ loading: true });
-    const data = modalApi.getData<{
-      rows?: any[];
-      tenantEnabled?: boolean;
-    }>();
-    selectedRows.value = data?.rows ?? [];
-    tenantEnabled.value = data?.tenantEnabled ?? false;
+    try {
+      const data = modalApi.getData<{
+        rows?: any[];
+        tenantEnabled?: boolean;
+      }>();
+      selectedRows.value = data?.rows ?? [];
+      tenantEnabled.value = data?.tenantEnabled ?? false;
 
-    formApi.setState({ schema: buildSchema() });
-    await formApi.resetForm();
-    await formApi.setValues({
-      roleIds: [],
-      status: 1,
-      tenantIds: tenantStore.isPlatform
-        ? []
-        : tenantStore.currentTenant
-          ? [tenantStore.currentTenant.id]
-          : [],
-      updateRoles: false,
-      updateStatus: false,
-      updateTenant: false,
-    });
+      formApi.setState({ schema: buildSchema() });
+      await formApi.resetForm();
+      await formApi.setValues({
+        roleIds: [],
+        status: 1,
+        tenantIds: tenantStore.isPlatform
+          ? []
+          : tenantStore.currentTenant
+            ? [tenantStore.currentTenant.id]
+            : [],
+        updateRoles: false,
+        updateStatus: false,
+        updateTenant: false,
+      });
 
-    await Promise.all([
-      setupStatusOptions(),
-      setupRoleOptions(),
-      setupTenantOptions(),
-    ]);
-    modalApi.setState({ loading: false });
+      await Promise.all([
+        setupStatusOptions(),
+        setupRoleOptions(),
+        setupTenantOptions(),
+      ]);
+    } finally {
+      modalApi.setState({ loading: false });
+    }
   },
   async onConfirm() {
     const values = await formApi.getValues();

apps/lina-vben/apps/web-antd/src/views/system/user/user-drawer.vue

@@ -182,94 +182,96 @@ const [Drawer, drawerApi] = useVbenDrawer({
 
     drawerApi.setState({ loading: true });
 
-    const data = drawerApi.getData<{
-      isEdit: boolean;
-      orgEnabled?: boolean;
-      tenantEnabled?: boolean;
-      row?: any;
-    }>();
-    isEdit.value = data?.isEdit ?? false;
-    orgEnabled.value = data?.orgEnabled ?? false;
-    tenantEnabled.value = data?.tenantEnabled ?? false;
+    try {
+      const data = drawerApi.getData<{
+        isEdit: boolean;
+        orgEnabled?: boolean;
+        tenantEnabled?: boolean;
+        row?: any;
+      }>();
+      isEdit.value = data?.isEdit ?? false;
+      orgEnabled.value = data?.orgEnabled ?? false;
+      tenantEnabled.value = data?.tenantEnabled ?? false;
 
-    formApi.setState({
-      schema: drawerSchema(
-        isEdit.value,
-        orgEnabled.value,
-        tenantEnabled.value,
-        !tenantStore.isPlatform,
-      ),
-    });
+      formApi.setState({
+        schema: drawerSchema(
+          isEdit.value,
+          orgEnabled.value,
+          tenantEnabled.value,
+          !tenantStore.isPlatform,
+        ),
+      });
 
-    const setupTasks: Promise<unknown>[] = [
-      setupRoleOptions(),
-      setupTenantOptions(),
-      dictStore.getDictOptionsAsync('sys_normal_disable'),
-    ];
-    if (orgEnabled.value) {
-      setupTasks.push(setupDeptSelect());
-    }
+      const setupTasks: Promise<unknown>[] = [
+        setupRoleOptions(),
+        setupTenantOptions(),
+        dictStore.getDictOptionsAsync('sys_normal_disable'),
+      ];
+      if (orgEnabled.value) {
+        setupTasks.push(setupDeptSelect());
+      }
 
-    const setupResults = await Promise.all(setupTasks);
-    const statusOptions = setupResults[2] as Awaited<
-      ReturnType<typeof dictStore.getDictOptionsAsync>
-    >;
-    formApi.updateSchema([
-      {
-        fieldName: 'status',
-        componentProps: {
-          options: statusOptions.map((d) => ({
-            label: d.label,
-            value: Number(d.value),
-          })),
+      const setupResults = await Promise.all(setupTasks);
+      const statusOptions = setupResults[2] as Awaited<
+        ReturnType<typeof dictStore.getDictOptionsAsync>
+      >;
+      formApi.updateSchema([
+        {
+          fieldName: 'status',
+          componentProps: {
+            options: statusOptions.map((d) => ({
+              label: d.label,
+              value: Number(d.value),
+            })),
+          },
         },
-      },
-    ]);
+      ]);
 
-    if (isEdit.value && data?.row) {
-      userId.value = data.row.id;
-      const user = await userInfo(data.row.id);
-      const values: Record<string, any> = {
-        username: user.username,
-        nickname: user.nickname,
-        email: user.email,
-        phone: user.phone,
-        sex: user.sex,
-        status: user.status,
-        remark: user.remark,
-        roleIds: user.roleIds,
-      };
-      if (tenantEnabled.value) {
-        values.tenantIds =
-          tenantStore.isPlatform || user.tenantIds?.length
-            ? (user.tenantIds ?? [])
-            : tenantStore.currentTenant
-              ? [tenantStore.currentTenant.id]
-              : [];
-      }
+      if (isEdit.value && data?.row) {
+        userId.value = data.row.id;
+        const user = await userInfo(data.row.id);
+        const values: Record<string, any> = {
+          username: user.username,
+          nickname: user.nickname,
+          email: user.email,
+          phone: user.phone,
+          sex: user.sex,
+          status: user.status,
+          remark: user.remark,
+          roleIds: user.roleIds,
+        };
+        if (tenantEnabled.value) {
+          values.tenantIds =
+            tenantStore.isPlatform || user.tenantIds?.length
+              ? (user.tenantIds ?? [])
+              : tenantStore.currentTenant
+                ? [tenantStore.currentTenant.id]
+                : [];
+        }
 
-      if (orgEnabled.value) {
-        values.deptId = user.deptId;
-        values.postIds = user.postIds;
-      }
+        if (orgEnabled.value) {
+          values.deptId = user.deptId;
+          values.postIds = user.postIds;
+        }
 
-      await formApi.setValues(values);
-      if (orgEnabled.value && user.deptId) {
-        await setupPostOptions(user.deptId);
-      }
-    } else {
-      userId.value = 0;
-      await formApi.resetForm();
-      if (tenantEnabled.value && !tenantStore.isPlatform) {
-        await formApi.setValues({
-          tenantIds: tenantStore.currentTenant
-            ? [tenantStore.currentTenant.id]
-            : [],
-        });
+        await formApi.setValues(values);
+        if (orgEnabled.value && user.deptId) {
+          await setupPostOptions(user.deptId);
+        }
+      } else {
+        userId.value = 0;
+        await formApi.resetForm();
+        if (tenantEnabled.value && !tenantStore.isPlatform) {
+          await formApi.setValues({
+            tenantIds: tenantStore.currentTenant
+              ? [tenantStore.currentTenant.id]
+              : [],
+          });
+        }
       }
+    } finally {
+      drawerApi.setState({ loading: false });
     }
-
-    drawerApi.setState({ loading: false });
   },
   async onConfirm() {
     const values = await formApi.getValues();

openspec/changes/release-test-and-build/tasks.md

@@ -64,10 +64,12 @@
 - [x] **FB-19**: GitHub Actions `E2E tests (host-only)` 在 `TC0012d` 字典类型删除和 `TC-228a` 用户批量编辑中仍存在重试状态丢失、删除响应监听不稳和全局加载遮罩拦截点击的问题，导致 nightly host-only E2E 失败
 - [x] **FB-20**: `.github/workflows/release-test-and-build.yml` 仍手工展开测试 job，未像 nightly 一样复用共享测试验证套件，且 release 应采用 Main CI 的简要测试范围，不运行完整 E2E
 - [ ] **FB-21**: host-only E2E `TC0063-auth-menu` 仍通过中文菜单名硬编码创建受限角色，未显式包含 `system:user:query` 等页面实际依赖的按钮权限，导致普通用户访问 `/system/user` 时连续收到 `403` 并卡住 loading，从而让 `TC0063b` 与 `TC0063d` 失败
-- [ ] **FB-22**: host-only E2E 在 `act` 容器内执行时，用户新增抽屉和批量编辑弹窗初始化串行请求过多，导致 `TC0226-user-account-labels` 与 `TC0228-user-batch-edit` 在 `waitForDialogReady` 的 10 秒 busy 等待内长期保持 loading 遮罩，从而让 `E2E tests (host-only)` 继续失败
+- [x] **FB-22**: host-only E2E 登录后把宿主普通 `platform` 顶层目录误判为多租户能力，导致 `TC0226-user-account-labels` 与 `TC0228-user-batch-edit` 的用户新增抽屉和批量编辑弹窗调用缺失的 `/auth/login-tenants` 路由并长期保持 loading 遮罩，从而让 `E2E tests (host-only)` 继续失败
 
 ## Feedback Verification
 
+- [x] 2026-05-15: FB-22 验证通过：在 GitHub Actions run `25911233842` 对应的 `main` 分支失败日志中确认 host-only `TC0226-user-account-labels` 与 `TC0228-user-batch-edit` 均卡在用户新增抽屉/批量编辑弹窗 busy 遮罩；本地用干净 Docker PostgreSQL host-only 环境复现时，登录后的 `linapro:tenant-state` 因宿主普通 `platform` 顶层目录被 `hasMultiTenantMenu` 误判而写入 `enabled=true`，用户页随后打开弹窗会调用 host-only 后端不存在的 `/api/v1/auth/login-tenants?userId=1`，后端返回路由重定向并最终让弹窗初始化 Promise 失败，loading 未关闭。修复后多租户能力检测只识别具体租户页面路径（如 `platform/tenants`、`tenant/*`），不再把宿主 `platform` 目录作为多租户信号；用户新增抽屉与批量编辑弹窗的初始化流程均使用 `finally` 收敛 loading，避免初始化异常时长期遮罩。验证命令：`git diff --check -- apps/lina-vben/apps/web-antd/src/store/auth.ts apps/lina-vben/apps/web-antd/src/views/system/user/user-drawer.vue apps/lina-vben/apps/web-antd/src/views/system/user/user-batch-edit-modal.vue openspec/changes/release-test-and-build/tasks.md`、`openspec validate release-test-and-build --strict`、`pnpm -C apps/lina-vben/apps/web-antd run typecheck`、`pnpm -C hack/tests test:validate`、临时干净库 `GF_GCFG_PATH=/tmp/linapro-fb22-config go run main.go init --confirm=init --sql-source=local`、`E2E_BASE_URL=http://127.0.0.1:5666 E2E_API_BASE_URL=http://127.0.0.1:8080/api/v1/ E2E_PUBLIC_BASE_URL=http://127.0.0.1:8080 E2E_DB_PORT=55433 E2E_BROWSER_CHANNEL=chrome pnpm -C hack/tests exec playwright test e2e/settings/user/TC0226-user-account-labels.ts e2e/settings/user/TC0228-user-batch-edit.ts --project=chromium --workers=1`，目标 2 个 E2E 用例全部通过，登录 storage state 中 `tenant-state.enabled=false`。i18n 影响：不新增或修改前端运行时文案、manifest i18n 或 apidoc i18n 资源。缓存一致性影响：不新增或修改运行时缓存、失效或跨实例一致性策略。数据权限影响：不新增或修改 HTTP/API 数据操作接口，不涉及角色数据权限边界。开发工具与脚本影响：未新增或修改默认开发工具、CI 辅助脚本或平台脚本；临时 Docker PostgreSQL 仅用于本地验证。
+- [x] 2026-05-15: FB-22 `lina-review` 审查完成。审查范围来源：`git status --short`、`git ls-files --others --exclude-standard`、`git diff -- apps/lina-vben/apps/web-antd/src/store/auth.ts apps/lina-vben/apps/web-antd/src/views/system/user/user-drawer.vue apps/lina-vben/apps/web-antd/src/views/system/user/user-batch-edit-modal.vue openspec/changes/release-test-and-build/tasks.md`、`openspec status --change release-test-and-build --json`。确认本次实际改动只影响前端登录态多租户能力判定、用户新增抽屉/批量编辑弹窗 loading 收敛和 OpenSpec 反馈记录；没有未跟踪文件，没有 Go 生产代码、业务 API、数据库 schema、前端运行时文案、manifest i18n、apidoc i18n、运行时缓存或数据权限逻辑变更。现有 `TC0226-user-account-labels` 和 `TC0228-user-batch-edit` 已直接覆盖本次用户可观察 bug 的复现和修复，干净 host-only Docker PostgreSQL 环境中目标用例全部通过。当前工作区另有 `apps/lina-plugins` submodule 状态改动，本次审查未覆盖、回退或重写该独立改动。严重问题 0；警告 0。
 - [x] 2026-05-15: FB-21 验证通过：本地复跑 `E2E_BROWSER_CHANNEL=chrome E2E_PARALLEL_WORKERS=1 pnpm -C hack/tests test:host` 时，host-only 串行阶段新增复现 `TC0063b` 与 `TC0063d` 失败；失败表象为 `waitForBusyIndicatorsToClear` 超时，但根因是测试角色仅按中文菜单名分配“权限管理/用户管理”，未显式纳入用户管理页面真实依赖的 `system:user:query` 权限，普通用户进入 `/system/user` 后 `/api/v1/user` 与 `/api/v1/user/dept-tree` 持续返回 `403`，页面 loading 无法结束。修复后 `TC0063-auth-menu` 改为通过 `getMenuIdsByPermsWithAncestors` 以权限点装配角色菜单：基础场景显式包含 `system:user:list` 与 `system:user:query`，扩展场景额外包含 `system:role:list` 与 `system:role:query`，避免菜单显示断言依赖脆弱的中文名称推断和遗漏按钮权限。验证命令：`pnpm -C hack/tests test:validate`、`E2E_BROWSER_CHANNEL=chrome pnpm -C hack/tests exec playwright test hack/tests/e2e/iam/menu/TC0063-auth-menu.ts --project=chromium --workers=1`、`E2E_BROWSER_CHANNEL=chrome pnpm -C hack/tests exec playwright test hack/tests/e2e/iam/menu/TC0060-menu-crud.ts hack/tests/e2e/iam/menu/TC0063-auth-menu.ts --project=chromium --workers=1`。i18n 影响：仅调整 E2E 测试准备逻辑，不新增或修改前端运行时文案、接口文档、manifest i18n 或 apidoc i18n 资源。缓存一致性影响：不涉及运行时缓存、失效或跨实例一致性策略。数据权限影响：不修改生产数据权限实现；修复只让测试角色显式携带当前页面实际依赖的查询权限，以匹配现有权限模型。开发工具与脚本影响：未新增默认开发工具或平台脚本；本地使用系统 Chrome channel 运行 Playwright 验证。
 - [x] 2026-05-15: FB-19 验证通过：分析 GitHub Actions 日志 `/Users/john/Downloads/job-logs.txt`，确认 host-only E2E 最终失败为 `TC0012d` 字典类型删除和 `TC-228a` 用户批量编辑，`TC0054e` 首次失败但 retry 通过。修复后 `TC0012` 改为每个子用例自建自清理，避免 Playwright retry 只重跑失败子用例时丢失前序创建/编辑状态；`DictPage.deleteType` 改为先定位目标行再打开确认框，并用 `Promise.all` 将确认点击与 `/dict/type/{id}` DELETE 响应等待绑定，避免错过请求；通用 busy 等待改为等待所有可见 loading/overlay 消失，并覆盖 Vben `.bg-overlay-content` 遮罩；`UserPage.batchUpdateSelectedStatus` 在批量编辑弹窗 loading 清空后点击开关，并等待 `/user` PUT 响应完成。验证命令：`cd hack/tests && pnpm test:validate`、`pnpm -C hack/tests exec tsc --noEmit`、`openspec validate release-test-and-build --strict`、`E2E_BROWSER_CHANNEL=chrome pnpm -C hack/tests exec playwright test hack/tests/e2e/settings/dict/TC0012-dict-type-crud.ts --project=chromium --workers=1`、`E2E_BROWSER_CHANNEL=chrome pnpm -C hack/tests exec playwright test hack/tests/e2e/settings/dict/TC0012-dict-type-crud.ts hack/tests/e2e/settings/dict/TC0054-dict-type-import-upload.ts hack/tests/e2e/settings/user/TC0228-user-batch-edit.ts --project=chromium --workers=1`，相关 13 个 E2E 子用例全部通过。i18n 影响：仅调整 E2E 测试与测试 helper，不新增或修改前端运行时文案、接口文档、manifest i18n 或 apidoc i18n 资源。缓存一致性影响：不涉及运行时缓存、失效或跨实例一致性策略。数据权限影响：不新增或修改 HTTP/API 数据操作接口，不涉及角色数据权限边界。开发工具与脚本影响：未新增默认开发工具或平台脚本；本地因 Playwright 自带 Chromium 未安装且下载受阻，使用系统 Chrome channel 完成行为验证，CI 仍由 pnpm Playwright 安装链路提供浏览器。
 - [x] 2026-05-15: FB-19 `lina-review` 审查完成。审查范围来源：`git status --short`、`git ls-files --others --exclude-standard`、`git diff -- hack/tests/e2e/settings/dict/TC0012-dict-type-crud.ts hack/tests/pages/DictPage.ts hack/tests/pages/UserPage.ts hack/tests/support/ui.ts openspec/changes/release-test-and-build/tasks.md`、`openspec status --change release-test-and-build --json`。确认本次实际改动只影响宿主 Playwright E2E、共享 POM/helper 和 OpenSpec 任务记录；没有未跟踪文件，没有 Go 生产代码、业务 API、数据库 schema、前端运行时文案、manifest i18n、apidoc i18n、运行时缓存或数据权限逻辑变更。`TC0012` 子用例已消除跨子用例状态依赖并具备自清理；字典删除 helper 的响应等待与确认点击顺序符合 Playwright 并发等待模式；用户批量编辑等待覆盖 Vben loading overlay，避免遮罩拦截交互。E2E 清单校验、TypeScript 编译、OpenSpec 严格校验、相关 13 个 E2E 子用例和空白检查均通过。当前工作区另有 release workflow 与 OpenSpec 设计/规范改动，本次审查未覆盖、回退或重写这些独立改动。严重问题 0；警告 0。