
test(e2e): cover OAuth callback token handoff #375

Closed
yunus-dev-codecrafter wants to merge 1 commit into Grainlify:main from fikrah-Tech:test/e2e-auth-callback

Conversation

@yunus-dev-codecrafter

Contributor

closes #298

test(e2e): cover OAuth callback token handoff

Summary

Adds e2e/auth-callback.spec.ts — a dedicated end-to-end test suite for the OAuth callback page (/auth/callback?token=). The callback is the only entry point for JWTs into the app; a regression here silently breaks every login flow.

Changes

| File | Change |
| --- | --- |
| e2e/auth-callback.spec.ts | New — 5 e2e tests covering the full callback handoff |
| .env | Created — copied from .env.example (required by validateEnv()) |

Test coverage

| # | Scenario | What it asserts |
| --- | --- | --- |
| 1 | Valid token | Redirects to /dashboard/discover with dashboard content visible |
| 2 | Missing ?token= param | Shows error "No authentication token received", redirects to /signin |
| 3 | Invalid token (/me → 401) | Shows "Authentication Failed" heading, localStorage cleared, redirects to /signin |
| 4 | Extra query params | /auth/callback?token=…&state=abc&code=xyz still reaches dashboard |
| 5 | Token security | After redirect, URL contains no token= param and token string is absent from DOM |

All 5 tests pass on Chromium. Existing auth.spec.ts and routing.spec.ts also remain green.

Security notes

  • Token never rendered in UI — test 5 asserts the token string does not appear anywhere in the DOM after the handoff completes.
  • Token never persisted in URL — test 5 asserts page.url() contains no token= query parameter after redirect.
  • localStorage cleared on failure — test 3 verifies patchwork_jwt is removed when /me returns 401.

Setup note

The app's validateEnv() throws if VITE_API_BASE_URL is unset. A .env file (sourced from .env.example) was created so the dev server and e2e tests can run.
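
The leak checks that scenarios 3 and 5 describe, as an added example that is not part of this pull request or the project's code: a browser-free helper that takes a snapshot of the final URL, markup and localStorage and reports where the token survived. It goes slightly beyond the PR's assertions by also checking hash-router fragments and percent-encoded copies of the value. The `findTokenLeaks` name, the snapshot shape, the host and both token values are constructed assumptions; `patchwork_jwt` is the key named in the security notes.

```javascript
// Added example (not code from this PR). Snapshot shape { url, html, storage } is an
// assumption: a Playwright test would fill it from page.url(), page.content() and
// the page's localStorage after the redirect has settled.
const STORAGE_KEY = 'patchwork_jwt'; // localStorage key named in the PR's security notes

// Spellings of the token that can survive in a URL or markup: raw, encoded, double-encoded.
function tokenVariants(token) {
  const once = encodeURIComponent(token);
  return [...new Set([token, once, encodeURIComponent(once)])];
}

// Returns a list of leak labels; an empty list means the handoff left nothing behind.
// expectSession=true is the success path (scenario 5), false the 401 path (scenario 3).
function findTokenLeaks(snapshot, token, { expectSession = true } = {}) {
  const leaks = [];
  const url = new URL(snapshot.url);
  const variants = tokenVariants(token);

  // A token= parameter must be gone from the query string and from a hash-router fragment.
  if (url.searchParams.has('token')) leaks.push('url-query-param');
  const frag = url.hash.slice(1);
  const fragQuery = frag.includes('?') ? frag.slice(frag.indexOf('?') + 1) : frag;
  if (new URLSearchParams(fragQuery).has('token')) leaks.push('url-fragment-param');

  // The value itself must be gone too, whatever parameter or path segment carries it.
  if (variants.some((v) => snapshot.url.includes(v))) leaks.push('url-value');

  // Rendered markup, including attributes such as href or data-*, must not echo the token.
  if (variants.some((v) => snapshot.html.includes(v))) leaks.push('dom');

  // After a rejected token the stored JWT must be removed.
  if (!expectSession && STORAGE_KEY in snapshot.storage) leaks.push('storage-not-cleared');
  return leaks;
}

// Constructed sample data: the host and both token values are placeholders.
const TOKEN = 'hdr.payload.sig-CONSTRUCTED';
const ODD_TOKEN = 'aaa.bbb.c+c/=';
const clean = { url: 'https://app.example.test/dashboard/discover',
  html: '<h1>Discover</h1>', storage: { [STORAGE_KEY]: TOKEN } };
const leaky = { url: `https://app.example.test/dashboard/discover?token=${TOKEN}`,
  html: `<pre>${TOKEN}</pre>`, storage: { [STORAGE_KEY]: TOKEN } };
const renamed = { url: `https://app.example.test/signin?next=${encodeURIComponent(ODD_TOKEN)}`,
  html: '<h1>Authentication Failed</h1>', storage: { [STORAGE_KEY]: ODD_TOKEN } };

console.log(findTokenLeaks(clean, TOKEN));
console.log(findTokenLeaks(leaky, TOKEN));
console.log(findTokenLeaks(renamed, ODD_TOKEN, { expectSession: false }));
```

The `renamed` snapshot shows why matching on the parameter name alone is not enough: the token rides in `next=` in percent-encoded form and is still reported.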

@Jagadeeshftw

Contributor

hey @yunus-dev-codecrafter, thanks for jumping in! closing this pr because the author needs to be assigned to the linked issue (#298) before opening a pr. please comment on the issue requesting assignment, wait to be assigned, then re-raise your pr. this keeps work fairly distributed across contributors. hope to see a revised pr from you soon!

Development

Successfully merging this pull request may close these issues.

Add a Playwright e2e flow for the OAuth callback token handoff and session bootstrap
