test: E2E tests for login redirect flow (#1564)

* test: add E2E tests for login redirect flow

Verify the complete login lifecycle: unauthenticated redirect to /login,
login page rendering, post-login dashboard loading, auth state persistence
across navigation, and version endpoint stability.

* fix: show dev login buttons in VITE_E2E_MODE builds

The dev login buttons were only rendered when `import.meta.env.DEV` is
true, but E2E CI builds are compiled with VITE_E2E_MODE=true (not in
dev mode). This caused the 'login page shows dev login buttons in dev
mode' E2E test to fail because the buttons were absent in the preview
build.

Also merges origin/develop to pick up lint fixes in test files
(unused vi import, import() type annotation).

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

frontend/e2e/login-redirect.spec.ts

@@ -0,0 +1,107 @@
+import { test, expect } from '@playwright/test'
+import { test as authTest, expect as authExpect, navigateTo } from './fixtures'
+
+/**
+ * Login redirect flow E2E tests.
+ *
+ * Verifies the complete login lifecycle:
+ * - Unauthenticated users are redirected to /login
+ * - Login page renders correctly
+ * - After authentication, dashboard loads successfully
+ * - API calls succeed post-login (stat cards resolve, version endpoint)
+ * - Auth state persists across client-side navigation
+ *
+ * These tests run against the Vite dev server. Tenant subdomain redirect
+ * (TenantSubdomainEnforcer) is skipped on localhost by design, so
+ * subdomain-specific redirect logic is not exercised here.
+ */
+
+test.describe('Login redirect - unauthenticated', () => {
+  test('bare domain redirects to /login', async ({ page }) => {
+    await page.goto('/')
+    await expect(page).toHaveURL('/login')
+  })
+
+  test('protected route redirects to /login', async ({ page }) => {
+    await page.goto('/accounts')
+    // ProtectedRoute redirects unauthenticated requests to /login
+    await expect(page).toHaveURL('/login')
+  })
+
+  test('login page renders sign-in heading', async ({ page }) => {
+    await page.goto('/login')
+    await expect(page.getByRole('heading', { name: 'Meridian Operations Console' })).toBeVisible()
+    await expect(page.getByText('Please sign in to continue.')).toBeVisible()
+  })
+
+  test('login page shows dev login buttons in dev mode', async ({ page }) => {
+    await page.goto('/login')
+    await expect(page.getByRole('button', { name: /platform.admin/i })).toBeVisible()
+    await expect(page.getByRole('button', { name: /tenant.user/i })).toBeVisible()
+  })
+})
+
+test.describe('Post-login flow - tenant user', () => {
+  authTest('dashboard heading renders after login', async ({ authenticatedPage: page }) => {
+    await authExpect(page.getByRole('heading', { name: 'Dashboard' })).toBeVisible()
+  })
+
+  authTest('dashboard shows tenant context', async ({ authenticatedPage: page }) => {
+    await authExpect(page.getByText(/Overview for dev-tenant/)).toBeVisible({ timeout: 15_000 })
+  })
+
+  authTest('stat cards resolve from loading state', async ({ authenticatedPage: page }) => {
+    // Stat card skeletons disappear once API calls complete (success or error)
+    await authExpect(page.getByTestId('stat-card-skeleton')).toHaveCount(0, { timeout: 15_000 })
+  })
+
+  authTest('navigation preserves auth after login', async ({ authenticatedPage: page }) => {
+    // Navigate away from dashboard
+    await navigateTo(page, '/accounts')
+    await authExpect(page.getByRole('heading', { name: 'Accounts' })).toBeVisible({
+      timeout: 10_000,
+    })
+
+    // Navigate back to dashboard
+    await navigateTo(page, '/')
+    await authExpect(page.getByRole('heading', { name: 'Dashboard' })).toBeVisible()
+    // Tenant context must still be present
+    await authExpect(page.getByText(/Overview for dev-tenant/)).toBeVisible({ timeout: 15_000 })
+  })
+})
+
+test.describe('Post-login flow - platform admin', () => {
+  authTest('dashboard renders for platform admin', async ({ platformAdminPage: page }) => {
+    await authExpect(page.getByRole('heading', { name: 'Dashboard' })).toBeVisible()
+  })
+
+  authTest('platform admin can access tenant list', async ({ platformAdminPage: page }) => {
+    await navigateTo(page, '/tenants')
+    await authExpect(
+      page.getByRole('heading', { level: 1 }).filter({ hasText: /Tenant/i }),
+    ).toBeVisible({ timeout: 10_000 })
+  })
+})
+
+test.describe('Version check', () => {
+  authTest('version endpoint is reachable after login', async ({ authenticatedPage: page }) => {
+    // BuildInfo component fetches /version on mount. In dev mode without a backend,
+    // the fetch will fail gracefully. We verify the fetch attempt doesn't cause errors
+    // by checking the app shell remains stable.
+    await authExpect(page.locator('main')).toBeVisible()
+    // No error boundary should be shown
+    await authExpect(page.getByText(/Something went wrong/i)).not.toBeVisible()
+  })
+})
+
+test.describe('Login page does not render for authenticated users', () => {
+  authTest('authenticated user at / sees dashboard, not login', async ({
+    authenticatedPage: page,
+  }) => {
+    // The fixture injects auth and navigates to /. Verify we see dashboard, not login.
+    await authExpect(page.getByRole('heading', { name: 'Dashboard' })).toBeVisible()
+    await authExpect(
+      page.getByRole('heading', { name: 'Meridian Operations Console' }),
+    ).not.toBeVisible()
+  })
+})

frontend/src/App.tsx

@@ -232,8 +232,8 @@ function LoginPage() {
           </>
         )}
 
-        {/* Dev-only fake JWT buttons */}
-        {import.meta.env.DEV && (
+        {/* Dev-only fake JWT buttons (also shown in E2E mode) */}
+        {(import.meta.env.DEV || import.meta.env.VITE_E2E_MODE === 'true') && (
           <div className="space-y-2">
             <p className="text-xs text-muted-foreground uppercase tracking-wider text-center">
               Development Login