test(e2e): add deep Playwright Electron process-flow coverage

[Mehdi-Bl]

Summary

• add a dedicated Playwright config for Electron E2E under tests/e2e
• add full process-flow Electron tests covering markdown/xml processing, refresh-after-edit, and save-to-file
• isolate Electron user data per test via ELECTRON_USER_DATA_PATH to prevent cross-test state bleed
• add npm scripts for Playwright E2E runs and exclude E2E specs from Jest discovery
• run Linux Playwright Electron E2E in QA matrix and upload Playwright artifacts
• document Playwright E2E command and mapping in tests/catalog.md

Why

This adds deterministic, full-process coverage in a self-contained app context, closes major gaps around true end-to-end processing behavior, and hardens CI signal beyond screenshot-only checks.

Validation

• npm run lint
• npm test -- --runInBand
• npm run qa:screenshot
• npm run e2e:playwright

All commands passed locally.

Summary by Sourcery

Add Playwright-based Electron end-to-end test coverage for the full application process flow and wire it into local tooling and CI.

New Features:

• Introduce Playwright Electron E2E tests verifying end-to-end process flow, including markdown/XML export, refresh-after-edit, and save-to-file behavior.

Enhancements:

• Allow overriding Electron user data directory via ELECTRON_USER_DATA_PATH to isolate per-test state.
• Add Playwright configuration and npm scripts for running Electron E2E suites locally in headless or headed modes.
• Document Electron Playwright E2E coverage and commands in the tests catalog for easier discovery and maintenance.

CI:

• Extend the QA matrix workflow to run Electron Playwright E2E tests on Linux and upload Playwright reports and artifacts.

Tests:

• Add a dedicated Electron process-flow Playwright spec under tests/e2e exercising renderer, preload, and main-process wiring, file-tree interaction, and export behaviors.
• Exclude tests in tests/e2e from Jest discovery to keep E2E execution separated from the Jest test suite.

Summary by CodeRabbit

• New Features

  • Optional configurable Electron user data directory via environment variable.

• Tests

  • Added Playwright end-to-end test suite covering full Electron workflows, file processing, format options, hot-refresh and save-to-disk scenarios.
  • Test catalog updated and unit test discovery configured to ignore E2E directories.

• Chores

  • Added npm scripts to run Playwright E2E (including headed mode).
  • Integrated Linux-targeted E2E steps into CI with artifact collection.

[sourcery-ai]

Reviewer's Guide

Adds Playwright-based Electron end-to-end tests for full process-flow coverage, wires them into npm scripts and the QA CI matrix, introduces isolated Electron userData per test via an environment override, and documents the new E2E layer in the test catalog while excluding these specs from Jest.

Sequence diagram for Playwright Electron E2E with isolated userData

sequenceDiagram
  actor Developer
  participant CI as GitHubActions_QA_Matrix
  participant NPM as NpmScripts
  participant PW as PlaywrightRunner
  participant Electron as ElectronApp
  participant Main as MainProcess_index_ts

  Developer->>NPM: run e2e:playwright
  NPM->>PW: playwright test -c playwright.config.ts
  PW->>PW: Discover tests in tests/e2e
  PW->>PW: For each test set ELECTRON_USER_DATA_PATH
  PW->>Electron: Launch app with env ELECTRON_USER_DATA_PATH
  Electron->>Main: Execute main index.ts
  Main->>Main: Read process.env.ELECTRON_USER_DATA_PATH
  Main->>Main: Resolve path and mkdirSync(recursive)
  Main->>Electron: app.setPath userData to resolved path
  Electron->>PW: Render UI and process markdown/xml
  PW->>PW: Perform assertions and save artifacts

  CI->>NPM: xvfb-run -a npm run e2e:playwright (Linux)
  PW->>CI: Exit code and Playwright artifacts
  CI->>CI: Upload dist/qa/playwright-report and dist/qa/playwright-results

Loading

Flow diagram for Electron userData override in main process

flowchart TD
  Start[Electron main process start] --> CheckEnv{Is ELECTRON_USER_DATA_PATH a non-empty string?}

  CheckEnv -- No --> DefaultUserData[Use default Electron userData path]
  DefaultUserData --> Continue[Continue app startup]

  CheckEnv -- Yes --> ResolvePath[Resolve absolute userData path]
  ResolvePath --> EnsureDir[fs.mkdirSync path with recursive true]
  EnsureDir --> SetUserData[app.setPath userData to resolved path]
  SetUserData --> Continue

  Continue --> WindowCreate[Create browser window and load renderer]
  WindowCreate --> End[App ready for Playwright E2E tests]

Loading

File-Level Changes

Change	Details	Files
Introduce Playwright Electron E2E test suite that drives the full renderer/main process flow, including file selection, markdown/XML export, refresh, and save-to-disk behaviors.	Create a dedicated Playwright Electron spec that builds a temporary fixture project on disk, stubs native dialogs, and exercises folder selection, file-tree interaction, processing, and output verification. Add helpers for configuring default flow options, selecting files in the tree, triggering processing, and asserting on processed markdown and XML output. Cover scenarios for markdown export, XML export, refresh-after-edit by mutating source on disk, and saving processed output via the native save flow.	tests/e2e/electron-process-flow.spec.ts
Add Playwright configuration and npm scripts to run Electron E2E tests locally and in CI, with artifacts captured for inspection.	Define a Playwright config targeting the tests/e2e directory with parallelism, timeouts, retries, and HTML report and artifacts output under dist/qa. Add npm scripts for prebuilding assets before E2E, running Playwright headless/headed with the shared config. Wire the Electron E2E run into the QA GitHub Actions matrix on Linux using xvfb-run, and upload Playwright reports/results as artifacts.	playwright.config.ts .github/workflows/qa-matrix.yml package.json
Isolate Electron app userData per E2E test run via a configurable path to avoid cross-test state contamination.	Read ELECTRON_USER_DATA_PATH in the main process, resolve it to an absolute path, ensure the directory exists, and set Electron's userData path accordingly before window creation. Ensure E2E tests launch Electron with a unique temp user-data directory per test fixture and clean it up after the run.	src/main/index.ts tests/e2e/electron-process-flow.spec.ts
Adjust Jest configuration and testing documentation to accommodate the new E2E layer and point reviewers to it for renderer flow changes.	Exclude tests/e2e from Jest discovery so Playwright owns those specs. Document the new Electron E2E command and spec in the test catalog, including its primary targets and when to consult it for renderer flow changes.	jest.config.js tests/catalog.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Summary of Changes

Hello @Mehdi-Bl, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the testing infrastructure by introducing robust end-to-end tests for the Electron application using Playwright. The changes aim to provide deterministic, full-process coverage within a self-contained app context, addressing critical gaps in testing the application's core processing behavior and improving the reliability of CI signals beyond basic UI checks.

Highlights

• Playwright E2E Setup: A dedicated Playwright configuration has been added for Electron end-to-end tests under tests/e2e.
• Comprehensive Electron Tests: Full process-flow Electron tests have been introduced, covering markdown/XML processing, refresh-after-edit functionality, and save-to-file operations.
• Test Isolation: Electron user data is now isolated per test run using ELECTRON_USER_DATA_PATH to prevent state bleed between tests.
• NPM Scripts and Jest Exclusion: New npm scripts have been added for running Playwright E2E tests, and E2E specs are now excluded from Jest's test discovery.
• Documentation Update: The tests/catalog.md file has been updated to document the new Playwright E2E commands and their mapping.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• jest.config.js
  • Excluded the new Playwright E2E test directory from Jest's test path ignore patterns.
• package.json
  • Added pree2e:playwright, e2e:playwright, and e2e:playwright:headed npm scripts for running Playwright E2E tests.
• playwright.config.ts
  • Created a new Playwright configuration file, defining the test directory, parallelization, retries, timeouts, and reporters for E2E tests.
• src/main/index.ts
  • Implemented logic to allow overriding the Electron user data path via the ELECTRON_USER_DATA_PATH environment variable, ensuring test isolation.
• tests/catalog.md
  • Added an entry for the new Electron E2E Playwright command.
  • Included a new section detailing the electron-process-flow.spec.ts test file and its comprehensive coverage.
  • Added tests/e2e/electron-process-flow.spec.ts to the list of files related to 'Renderer flow changes'.
• tests/e2e/electron-process-flow.spec.ts
  • Added a comprehensive Playwright E2E test suite for the Electron application.
  • Included fixtures for project setup, native dialog stubbing, and test data management.
  • Implemented tests for end-to-end markdown processing, XML export format handling, refreshing output after source file changes, and saving processed output to disk.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/qa-matrix.yml

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Add deep Playwright Electron E2E process-flow coverage

🧪 Tests ✨ Enhancement

Walkthroughs

Description

• Add comprehensive Playwright E2E tests for Electron app process flows
  - Covers markdown/XML export, file selection, refresh, and save operations
  - Isolates test state via dedicated user data directories per test
• Implement Playwright configuration with HTML reporting and artifact capture
• Integrate E2E tests into CI/CD pipeline for Linux with artifact uploads
• Exclude E2E specs from Jest discovery and document test coverage mapping

Diagram

flowchart LR
  A["Playwright Config"] -->|defines test setup| B["E2E Test Suite"]
  C["Main Process"] -->|accepts ELECTRON_USER_DATA_PATH| D["Isolated User Data"]
  B -->|runs full flows| E["Markdown/XML Export"]
  B -->|tests interactions| F["File Selection & Refresh"]
  B -->|validates save| G["Disk Output"]
  H["CI/CD Pipeline"] -->|runs on Linux| B
  H -->|uploads artifacts| I["Playwright Reports"]

Loading

File Changes

1. playwright.config.ts ⚙️ Configuration changes +22/-0

Playwright E2E test configuration setup

• New Playwright configuration file for E2E test execution
• Configures test directory, parallelization, timeouts, and retry logic
• Sets up HTML reporting to dist/qa/playwright-report with failure screenshots and videos
• Enables trace collection on first retry for debugging

playwright.config.ts

---

2. src/main/index.ts ✨ Enhancement +7/-0

Support isolated user data paths for E2E tests

• Add support for ELECTRON_USER_DATA_PATH environment variable
• Create user data directory if specified and set it as Electron app path
• Enables test isolation by allowing per-test user data directories

src/main/index.ts

---

3. tests/e2e/electron-process-flow.spec.ts 🧪 Tests +286/-0

Full Electron process-flow E2E test suite

• Comprehensive E2E test suite with 4 test cases covering full application workflows
• Tests include markdown/XML export formats, file selection, refresh-from-disk, and save-to-file
 operations
• Custom Playwright fixtures for isolated project directories, user data, and Electron app lifecycle
• Helper functions for fixture project creation, native dialog stubbing, and UI interaction patterns

tests/e2e/electron-process-flow.spec.ts

---

View more (4)

4. jest.config.js ⚙️ Configuration changes +1/-1

Exclude E2E tests from Jest configuration

• Add /tests/e2e/ to testPathIgnorePatterns to exclude Playwright tests from Jest discovery
• Prevents E2E specs from interfering with unit/integration test runs

jest.config.js

---

5. .github/workflows/qa-matrix.yml ⚙️ Configuration changes +15/-0

Integrate Playwright E2E into CI/CD pipeline

• Add Linux-only Playwright E2E test execution step using xvfb-run for headless display
• Upload Playwright HTML report and test results artifacts with 14-day retention
• Artifacts uploaded even on test failure to preserve debugging information

.github/workflows/qa-matrix.yml

---

6. package.json ⚙️ Configuration changes +3/-0

Add npm scripts for Playwright E2E execution

• Add pree2e:playwright script to build TypeScript, CSS, and webpack before tests
• Add e2e:playwright script to run Playwright tests with config reference
• Add e2e:playwright:headed script for local debugging with browser UI visible

package.json

---

7. tests/catalog.md 📝 Documentation +8/-0

Document Playwright E2E tests in catalog

• Document npm run e2e:playwright command in quick reference section
• Add new "Electron E2E Tests" section with table mapping test file to coverage areas
• Update "Renderer flow changes" section to reference E2E test file

tests/catalog.md

---

[coderabbitai]

Warning

Rate limit exceeded

@Mehdi-Bl has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 2 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Adds Playwright-based Electron E2E tests with CI steps (Linux/xvfb), Playwright config and npm scripts, a new comprehensive E2E test file, and optional Electron userData redirection via ELECTRON_USER_DATA_PATH. Jest ignores the E2E tests during unit runs.

Changes

Cohort / File(s)	Summary
CI Workflow .github/workflows/qa-matrix.yml	Added Linux-only xvfb-run step to execute Playwright E2E and an always()-conditioned artifact upload for dist/qa/playwright-report and dist/qa/playwright-results.
Test Config & Runners jest.config.js, playwright.config.ts	Added /tests/e2e/ to Jest ignore patterns; introduced playwright.config.ts with testDir ./tests/e2e, reporters (HTML -> dist/qa/playwright-report), results dir dist/qa/playwright-results, CI-specific retries/forbidOnly, timeouts, and trace/video/screenshot policies.
NPM Scripts & Build package.json	Added pree2e:playwright, e2e:playwright, and e2e:playwright:headed scripts to build assets and run Playwright tests.
Electron Startup src/main/index.ts	Optional redirection of Electron userData to path resolved from ELECTRON_USER_DATA_PATH, creating the directory when set.
Docs / Test Catalog tests/catalog.md	Documented new Electron E2E tests, added spec reference tests/e2e/electron-process-flow.spec.ts and npm run e2e:playwright entry.
E2E Test Suite tests/e2e/electron-process-flow.spec.ts	New comprehensive Playwright E2E tests: fixtures, helpers, stubbing native dialogs, project fixtures, and tests covering processing, export formats (markdown/xml), live refresh, and native save persistence.

Sequence Diagram(s)

sequenceDiagram
  participant CI as CI (qa-matrix)
  participant Runner as Linux Runner
  participant Xvfb as xvfb-run
  participant Playwright as Playwright Test
  participant Electron as Electron App
  participant FS as Filesystem (dist/qa)

  CI->>Runner: schedule job (Linux matrix)
  Runner->>Xvfb: run `xvfb-run npm run e2e:playwright`
  Xvfb->>Playwright: start tests (playwright.config.ts)
  Playwright->>Electron: launch Electron (electronApp)
  Playwright->>Electron: interact with UI, stub dialogs
  Electron->>FS: write artifacts / saved outputs
  Playwright->>FS: emit report to `dist/qa/playwright-report` and results to `dist/qa/playwright-results`
  Runner->>CI: upload artifacts (always())

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• fix: restore UI resizing and filtering + add cross-platform QA gate #24: Modifies the same CI workflow and Playwright/QA-related CI infrastructure, overlapping with the QA matrix and Playwright additions.

Poem

🐰 I hopped into the CI tree,
Spawned Electron, mocked a key,
Playwright danced in xvfb light,
Reports and results tucked in tight,
A carrot-chip of tests — all green tonight!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly and accurately describes the main change: adding comprehensive Playwright-based end-to-end tests for Electron's process flow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/playwright-deep-e2e

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dee696e7bd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restrict userData override to test-only execution

This startup block runs in every environment and performs fs.mkdirSync on ELECTRON_USER_DATA_PATH without a safety fallback; if that variable is inherited with an invalid or unwritable path, the call throws before app.whenReady() and the app fails to launch. Because this variable was introduced for Playwright isolation, it should be gated to test runs (or wrapped with fallback handling) so production launches are not broken by ambient shell/CI environment state.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Remove hardcoded token literal from E2E fixture

The fixture writes a token-shaped credential string into a .env file (LOCAL_SECRET_TOKEN=abc123), which conflicts with the repository’s review policy in /workspace/ai-code-fusion/AGENTS.md to reject hardcoded secret/token exposure in committed code. Even as test data, this pattern can trip secret-scanning workflows and create avoidable security review noise; use a clearly non-credential placeholder instead.

Useful? React with 👍 / 👎.

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (2) 📎 Requirement gaps (0)

1. Hardcoded token-like .env value 📘 Rule violation ⛨ Security

Description

The E2E test writes a token-looking value (LOCAL_SECRET_TOKEN=abc123) in tracked test code, which
violates the prohibition on committing credentials/tokens in the repository. Even if intended as a
fixture, it still constitutes a hardcoded token string in source.

Code

tests/e2e/electron-process-flow.spec.ts[R73-76]

+  writeFixtureFile(projectDir, 'README.md', '# Fixture Project\n\nUsed for Electron E2E coverage.\n');
+  writeFixtureFile(projectDir, '.gitignore', 'dist/\n*.log\n!important.log\n');
+  writeFixtureFile(projectDir, '.env', 'LOCAL_SECRET_TOKEN=abc123\n');
+  writeFixtureFile(projectDir, 'dist/bundle.js', 'console.log("should be excluded");\n');

Evidence

The checklist forbids secrets/tokens/credentials from appearing in any tracked files; the test code
includes a hardcoded token-like env assignment string.

AGENTS.md
tests/e2e/electron-process-flow.spec.ts[73-76]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A token-like value is hardcoded in a tracked test file (`LOCAL_SECRET_TOKEN=abc123`), which is disallowed by the no-hardcoded-secrets requirement.
## Issue Context
The `.env` file appears to be used only as a fixture file that should be excluded from selection; the content does not need to resemble a real token.
## Fix Focus Areas
- tests/e2e/electron-process-flow.spec.ts[73-76]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

✅ 2. ELECTRON_USER_DATA_PATH not restricted 📘 Rule violation ⛨ Security

Description

The app will honor ELECTRON_USER_DATA_PATH in any runtime without validating the location or
limiting it to test-only usage, which can redirect app state to arbitrary filesystem locations. This
is an external-input handling gap that can lead to unsafe data handling or unexpected writes.

Code

src/main/index.ts[R62-68]

+const e2eUserDataPath = process.env.ELECTRON_USER_DATA_PATH;
+
+if (typeof e2eUserDataPath === 'string' && e2eUserDataPath.trim().length > 0) {
+  const resolvedUserDataPath = path.resolve(e2eUserDataPath);
+  fs.mkdirSync(resolvedUserDataPath, { recursive: true });
+  app.setPath('userData', resolvedUserDataPath);
+}

Evidence

The checklist requires external inputs to be validated/sanitized; the new env-var override accepts
any non-empty string and uses it to create directories and redirect Electron userData without
validation or environment gating.

Rule 6: Generic: Security-First Input Validation and Data Handling
src/main/index.ts[62-68]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`ELECTRON_USER_DATA_PATH` is treated as a trusted path and can redirect Electron `userData` to any resolved location, with a directory creation side effect.
## Issue Context
This was added for Playwright E2E isolation, but the code currently applies in all environments.
## Fix Focus Areas
- src/main/index.ts[62-68]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

✅ 3. Screenshot artifact skipped 🐞 Bug ✓ Correctness

Description

On Linux, if the new Playwright E2E step fails, the subsequent UI screenshot upload step will be
skipped under the default GitHub Actions step condition (success-only), losing an important
debugging artifact even though the screenshot was already captured earlier in the job.

Code

.github/workflows/qa-matrix.yml[R65-75]

+      - name: Run Electron E2E (Playwright)
+        if: runner.os == 'Linux'
+        run: xvfb-run -a npm run e2e:playwright
+
     - name: Upload UI screenshot
       uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
       with:
         name: ui-screenshot-${{ runner.os }}
         path: dist/qa/screenshots/*.png
         if-no-files-found: error
         retention-days: 14

Evidence

The workflow captures the screenshot before E2E, but the upload happens after the E2E step and does
not use an always() condition; only the Playwright artifact upload step is explicitly guarded with
always(), implying the intent to upload artifacts even on failure. The screenshot script’s default
output is under dist/qa/screenshots, matching the upload path, so the artifact should be available
even when E2E fails—if the upload step runs.

.github/workflows/qa-matrix.yml[60-86]
scripts/capture-ui-screenshot.js[8-14]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The UI screenshot is captured before the E2E step, but the upload step occurs after E2E and lacks an `always()` guard. If E2E fails, the upload is skipped and the screenshot artifact is lost.
### Issue Context
The Playwright artifact upload step already uses `always()`, suggesting the intent is to preserve debugging artifacts on failure.
### Fix Focus Areas
- .github/workflows/qa-matrix.yml[60-86]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

✅ 4. Duplicated CI builds 🐞 Bug ➹ Performance

Description

The workflow already runs build steps (TS/CSS/webpack) before the E2E step, but `npm run
e2e:playwright triggers pree2e:playwright` which repeats those builds, increasing CI time and
variability for the Linux job.

Code

package.json[R37-39]

+    "pree2e:playwright": "npm run build:ts && npm run build:css && npm run build:webpack",
+    "e2e:playwright": "playwright test -c playwright.config.ts",
+    "e2e:playwright:headed": "playwright test -c playwright.config.ts --headed",

Evidence

The workflow runs npm run build:ts, npm run build:css, and npm run build:webpack explicitly
before invoking npm run e2e:playwright. Because npm automatically runs pree2e:playwright before
e2e:playwright, the same build pipeline executes again.

.github/workflows/qa-matrix.yml[40-68]
package.json[34-39]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
CI runs build steps explicitly and then runs `npm run e2e:playwright`, which triggers `pree2e:playwright` and rebuilds the same artifacts.
### Issue Context
This adds time and can introduce flakiness if build outputs are sensitive to timing/ordering.
### Fix Focus Areas
- package.json[34-39]
- .github/workflows/qa-matrix.yml[40-68]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[qodo-free-for-open-source-projects]

1. Hardcoded token-like .env value 📘 Rule violation ⛨ Security

The E2E test writes a token-looking value (LOCAL_SECRET_TOKEN=abc123) in tracked test code, which
violates the prohibition on committing credentials/tokens in the repository. Even if intended as a
fixture, it still constitutes a hardcoded token string in source.

Agent Prompt

## Issue description
A token-like value is hardcoded in a tracked test file (`LOCAL_SECRET_TOKEN=abc123`), which is disallowed by the no-hardcoded-secrets requirement.

## Issue Context
The `.env` file appears to be used only as a fixture file that should be excluded from selection; the content does not need to resemble a real token.

## Fix Focus Areas
- tests/e2e/electron-process-flow.spec.ts[73-76]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[gemini-code-assist]

Code Review

This pull request introduces comprehensive Playwright Electron end-to-end tests, significantly enhancing the test coverage for the application's core process flow. The setup for isolating user data and project directories per test is excellent, ensuring deterministic and reliable test runs. The new npm scripts and Playwright configuration are well-integrated, and the documentation updates in tests/catalog.md are clear and helpful. Overall, this is a robust and well-executed addition to the testing suite.

[Mehdi-Bl]

Addressed the actionable review points in latest commit ():

1. Replaced token-like fixture value in E2E seed ().
2. Hardened handling to test mode only and temp-root-bounded paths.
3. Updated QA workflow to always upload screenshots when capture succeeds, even if later E2E fails.
4. Removed duplicate CI rebuilds by running in QA (no npm pre-hook rebuild).

Re-running CI now.

[Mehdi-Bl]

Addressed the actionable review points in latest commit (4314a66):

1. Replaced token-like fixture value in E2E .env seed (LOCAL_TEST_VALUE=fixture).
2. Hardened ELECTRON_USER_DATA_PATH handling to test mode only and temp-root-bounded paths.
3. Updated QA workflow to always upload screenshots when capture succeeds, even if later E2E fails.
4. Removed duplicate CI rebuilds by running e2e:playwright:ci in QA (no npm pre-hook rebuild).

Re-running CI now.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud