ci(e2e): CMT scheduling + macOS E2E stabilization + CI/security hardening

[yasserfaraazkhan]

Summary

Enables matterwick-driven scheduled/CMT E2E provisioning for Desktop and lands a broad round of E2E reliability and CI/security hardening. (Companion to mattermost/matterwick#90.)

CMT / scheduled provisioning (matterwick-driven)

• cmt-provisioner.yml → lightweight trigger (no inputs/curl) that now fires on push to release-v* (the branch cut + subsequent pushes), replacing the previous monthly schedule; matterwick hears the workflow_run and dispatches compatibility-matrix-testing.yml. A release-v* push also runs the normal release E2E (whole suite, latest server), so the latest server is exercised by both flows — intended.
• compatibility-matrix-testing.yml → dropped the in-workflow /cleanup_e2e call (matterwick now destroys provisioned servers on workflow_run completion, keyed by commit SHA); corrected the stale cmt_run_id input description.
• e2e-nightly-trigger.yml → schedule-only (pushes to main/release-* are handled by matterwick's native push handler).

macOS E2E stabilization (the previously-red macOS suite)

• intercom.ts: fixed the __e2eAppReady race (the window show event firing before the listener attaches, or MainWindow.get() returning undefined, on slower macOS runners) — the single error behind nearly all macOS failures. Added unit tests.
• Suppressed the macOS Resume / crash-reporter / Gatekeeper dialogs, stopped sending SIGKILL in global teardown, and bumped app-ready / minimize timeouts (global-setup.ts, global-teardown.ts, appReadiness.ts).
• Per-OS reporting: each platform uploads its own HTML report; removed the cross-OS merge that produced misleading aggregate counts. Flaky-test accounting fixed so a retried-then-passed test isn't counted as a failure (analyze-flaky-test.js, github-actions.js).
• Targeted spec fixes: popout (was capturing the child URLView instead of the popout window), copy-link role="menuitem" selector, window-menu/minimize timeout, deeplink WebContentsView traversal (Windows), bad-servers cert reload, remove-server-modal partial-config parse, badge, full-screen, tray-restore, startup window.

CI & security hardening

• e2e-functional.yml least-privilege permissions (top-level contents: read, per-job grants) so untrusted PR code (npm ci / Playwright) no longer runs with pull-requests: write.
• Flaky-CI fix: mocked electron in the two unit suites (UserActivityMonitor, diagnostics) that imported the real module — they only passed when the electron binary happened to be installed.
• popoutManager: registerMainWindowCloseHandler / closeAllPopouts + unit tests.

Cursor-automation removal

Removed the "Server for Cursor Automation" PR-body read/write feature (resolveMmTestServerUrlFromPr, the PR-body sync job, and the helper fns). MM_TEST_SERVER_URL is supplied only via inputs/env.

Companion PRs

mattermost/matterwick#90, mattermost/mattermost-mobile#9800, mattermost/gitops-platform#72.

🤖 Generated with Claude Code

Release Note

NONE

[mm-cloud-bot]

@yasserfaraazkhan: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

I understand the commands that are listed here

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR comprehensively hardens E2E test infrastructure, reporting, and main-window lifecycle management across 77 ranges. It extends per-OS test-count outputs, refactors flaky-test analysis to collapse retries into authoritative outcomes, implements macOS dialog suppression across global setup/teardown/fixtures/workflows, hardens 13 specific tests with polling/event-driven patterns, adds PopoutManager cleanup on main-window close, and refactors intercom readiness with combined show-event and polling-fallback logic.

Changes

E2E Infrastructure, Test Reliability, and Main-Window Lifecycle

Layer / File(s)	Summary
CMT provisioner and compatibility-matrix workflow updates .github/workflows/cmt-provisioner.yml, .github/workflows/compatibility-matrix-testing.yml	Converts cmt-provisioner to scheduled/dispatchable trigger without manual inputs, documents Matterwick event-driven dispatch, and delegates instance cleanup to external Matterwick handler keyed by commit SHA.
E2E functional workflow permissions and job dependencies .github/workflows/e2e-functional.yml	Reduces workflow permissions to least-privilege contents: read, removes merged-report dependency, adds Windows runner pinning with Node-gyp comment, updates pr_number input description, and adds macOS suppress-dialogs step to main workflow.
E2E functional template outputs and reporting wiring .github/workflows/e2e-functional-template.yml	Extends workflow-call and job outputs to include per-OS PASSED/TOTAL/SKIPPED test counts, adds HTML report generation from blob-report, uploads to S3 with per-OS report URLs, and updates analyze-flaky-tests step to emit expanded per-OS outputs.
Flaky test analysis improvements e2e/utils/analyze-flaky-test.js	Rewrites failure counting to collapse testcase retries into base-name outcomes via regex matching, introduces getOutcomeCounts helper with pass/fail/skip dominance rules, and reconciles pass/total/skip counts against authoritative failure count for per-OS outputs.
Status description and PR reporting utilities e2e/utils/github-actions.js	Adds formatStatusDescription helper to compute commit-status text from passed/failed counts, refactors updateFinalStatus to use per-OS outputs and REPORT_LINK_* fallback without merged-report URL, and exports new utility.
macOS dialog suppression infrastructure e2e/fixtures/index.ts, e2e/global-setup.ts, e2e/global-teardown.ts, .github/workflows/e2e-functional-template.yml, .github/workflows/e2e-functional.yml	Electron fixture args disable first-run/default-apps/crash-reporter, global-setup snapshots/applies macOS defaults across bundleIDs (NSQuitAlwaysKeepsWindows, LSQuarantine, crash DialogType), global-teardown restores snapshot and adjusts graceful timeouts/SIGKILL behavior, and workflow template adds suppress-dialogs step.
E2E test timeout and app readiness configuration e2e/playwright.config.ts, e2e/helpers/appReadiness.ts	Increases Playwright timeout to 90_000 with Windows launch comments, computes platform-specific app readiness timeout (60s darwin/win32, 30s others), and expands timeout failure message with troubleshooting guidance.
Deep linking and copy-link test fixes e2e/specs/deep_linking/deeplink.test.ts, e2e/specs/mattermost/copy_link.test.ts	Deep-link test uses mattermost-dev:// protocol, polls server map per iteration, and checks window URL; copy-link test dispatches explicit contextmenu event and broadens selector to match both text variants and role-based containers.
Fullscreen and minimize window tests e2e/specs/menu_bar/full_screen.test.ts, e2e/specs/menu_bar/window_menu.test.ts	Fullscreen test applies demoMattermostConfig, targets specific BrowserWindow via focus/testRefs/first-available, clicks native menu item, and waits on enter/leave-full-screen events; minimize test calls BrowserWindow.minimize() and polls isMinimized().
Notification badge and server management tests e2e/specs/notification_trigger/notification_badge_windows_linux.test.ts, e2e/specs/server_management/bad_servers.test.ts, e2e/specs/server_management/popout_windows.test.ts	Badge trigger adds 15s polling loop with transient-error retry for global.__testTriggerBadge registration, beforeEach adds 10s retry loop for unread-badge-setting registration; bad_servers reloads all server views; popout_windows snapshots windows and polls for popout.html, uses native menu to open popouts, and sets willAppQuit before main-window close.
Window bounds, tray restore, and defensive file operations e2e/specs/startup/window.test.ts, e2e/specs/system/tray_restore.test.ts, e2e/specs/server_management/remove_server_modal.test.ts	Startup window tests replace non-negative bounds assertions with center-point-in-workArea checks to handle negative display origins; tray restore uses expect.poll for visibility; remove-server-modal wraps config.json reads in try/catch within polling callback.
PopoutManager main-window close cleanup src/app/windows/popoutManager.ts, src/app/windows/popoutManager.test.js	Adds MAIN_WINDOW_CREATED listener registration, attaches one-time closed handler on main window, and implements closeAllPopouts to invoke cleanup listeners, destroy browser windows, and clear tracking maps; includes comprehensive test coverage for registration, destruction, and integration via event trigger.
Intercom app readiness refactor and tests src/main/app/intercom.ts, src/main/app/intercom.test.js	Replaces isVisible/show branching with attachWindowListeners helper that marks readiness immediately if visible, otherwise waits for show event and polls isVisible every 250ms; ensures single markReady execution via done guard; defers to MAIN_WINDOW_CREATED if window not yet available; comprehensive test coverage with makeWindow mock helper and scenarios for visible-state, show-event, polling-fallback, and late-main-window construction.
Test infrastructure electron mocking src/main/UserActivityMonitor.test.js, src/main/diagnostics/index.test.js	Adds jest.mock('electron') blocks to UserActivityMonitor.test.js and diagnostics/index.test.js to prevent real Electron loading in CI and provide deterministic mock implementations of app.isReady, powerMonitor.getSystemIdleTime, shell, session, systemPreferences, and Notification.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• mattermost/desktop#3834: Implements overlapping E2E reporting and status-description refactors in e2e/utils/github-actions.js and matching workflow changes removing merged-report handling.

Suggested reviewers

• devinbinnie

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.81% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title accurately summarizes the main changes: CMT scheduling shift, macOS E2E stabilization, and CI/security hardening are all substantive themes across the changeset.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cmt-direct-dispatch-and-cleanup-endpoint

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/cmt-provisioner.yml (1)

21-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set explicit least-privilege permissions for this workflow.

No permissions block is defined, so this workflow inherits repository defaults for GITHUB_TOKEN, which is broader than needed here.

🔐 Proposed fix

 name: CMT Provisioner
+permissions: {}
 
 on:
   workflow_dispatch:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cmt-provisioner.yml around lines 21 - 31, Add an explicit
top-level permissions block to this workflow to avoid inheriting broad
repository defaults; update the workflow YAML (where the on:, workflow_dispatch
and job trigger-matterwick are defined) to include a minimal permissions map
such as setting permissions: contents: read and workflows: write (adjust further
only if the trigger-matterwick job needs additional scopes), so the GITHUB_TOKEN
only has the least-privilege required.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/cmt-provisioner.yml:
- Around line 21-31: Add an explicit top-level permissions block to this
workflow to avoid inheriting broad repository defaults; update the workflow YAML
(where the on:, workflow_dispatch and job trigger-matterwick are defined) to
include a minimal permissions map such as setting permissions: contents: read
and workflows: write (adjust further only if the trigger-matterwick job needs
additional scopes), so the GITHUB_TOKEN only has the least-privilege required.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 33b71075-cd7f-4654-978e-a49a6b70c36d

📥 Commits

Reviewing files that changed from the base of the PR and between e699409 and fe9514e.

📒 Files selected for processing (1)

• .github/workflows/cmt-provisioner.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/cmt-provisioner.yml (1)

61-68: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote ${RUN_ID} in the jq command.

Line 66 uses --argjson run_id ${RUN_ID} without quoting ${RUN_ID}. While github.run_id should always be numeric, unquoted shell expansions can cause issues if the value is empty, contains whitespace, or has special characters. Quote it for safety.

🛡️ Proposed fix

-            --argjson run_id ${RUN_ID} \
+            --argjson run_id "${RUN_ID}" \

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cmt-provisioner.yml around lines 61 - 68, The jq payload
construction is vulnerable to unquoted shell expansion for RUN_ID; update the
payload assignment so the jq invocation quotes the expansion for run id (the
line using --argjson run_id ${RUN_ID}) to --argjson run_id "${RUN_ID}" (i.e.,
modify the jq command in the payload assignment to quote ${RUN_ID}) to prevent
word-splitting or empty-value issues while keeping the --argjson usage.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/cmt-provisioner.yml:
- Around line 61-68: The jq payload construction is vulnerable to unquoted shell
expansion for RUN_ID; update the payload assignment so the jq invocation quotes
the expansion for run id (the line using --argjson run_id ${RUN_ID}) to
--argjson run_id "${RUN_ID}" (i.e., modify the jq command in the payload
assignment to quote ${RUN_ID}) to prevent word-splitting or empty-value issues
while keeping the --argjson usage.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 087195d9-68cf-4e38-852e-8395a205a823

📥 Commits

Reviewing files that changed from the base of the PR and between fe9514e and c41490b.

📒 Files selected for processing (1)

• .github/workflows/cmt-provisioner.yml

[coderabbitai]

🧹 Nitpick comments (2)

e2e/global-setup.ts (2)

48-49: ⚡ Quick win

Misleading comment.

The comment states "Verify at least one bundle ID got the settings applied" but no verification code follows. The subsequent lines (52-63) apply additional settings to system-level domains (LaunchServices, CrashReporter) rather than verifying the bundle-specific settings.

📝 Clarify the comment

-        // Verify at least one bundle ID got the settings applied.
-        // Also suppress the "verification of developer" dialog that can appear
+        // Suppress the "verification of developer" dialog that can appear

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/global-setup.ts` around lines 48 - 49, The comment claiming "Verify at
least one bundle ID got the settings applied" is misleading — update the comment
above the subsequent settings block to accurately describe what the code does
(apply additional system-level settings and suppress the "verification of
developer" dialog) and remove the mention of bundle-ID verification; reference
the system domains mentioned (LaunchServices, CrashReporter) in the new comment
so it correctly documents that the following lines adjust system-level domains
rather than performing any bundle-specific verification.

---

30-64: 💤 Low value

Consider using execFileSync for security.

The current implementation uses execSync with string interpolation of bundleID. While the current code uses a hard-coded array, using execFileSync with argument arrays would be more robust against potential future changes and aligns with security best practices.

🔒 Proposed refactor using execFileSync

-import {execSync} from 'child_process';
+import {execFileSync} from 'child_process';

         for (const bundleID of bundleIDs) {
             try {
-                execSync(`defaults write ${bundleID} NSQuitAlwaysKeepsWindows -bool false`, {stdio: 'pipe'});
+                execFileSync('defaults', ['write', bundleID, 'NSQuitAlwaysKeepsWindows', '-bool', 'false'], {stdio: 'pipe'});
             } catch {
                 // Non-fatal — tests still run, just potentially with the Resume dialog
             }
             try {
-                execSync(`defaults write ${bundleID} ApplePersistenceIgnoreState -bool YES`, {stdio: 'pipe'});
+                execFileSync('defaults', ['write', bundleID, 'ApplePersistenceIgnoreState', '-bool', 'YES'], {stdio: 'pipe'});
             } catch {
                 // Non-fatal
             }
         }
 
         try {
-            execSync('defaults write com.apple.LaunchServices LSQuarantine -bool false', {stdio: 'pipe'});
+            execFileSync('defaults', ['write', 'com.apple.LaunchServices', 'LSQuarantine', '-bool', 'false'], {stdio: 'pipe'});
         } catch {
             // Non-fatal
         }
 
         try {
-            execSync('defaults write com.apple.CrashReporter DialogType none', {stdio: 'pipe'});
+            execFileSync('defaults', ['write', 'com.apple.CrashReporter', 'DialogType', 'none'], {stdio: 'pipe'});
         } catch {
             // Non-fatal
         }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/global-setup.ts` around lines 30 - 64, Replace the execSync calls in the
macOS branch (process.platform === 'darwin') that interpolate bundleID into
command strings with execFileSync using argument arrays: locate the loop over
bundleIDs and the standalone execSync calls (symbols: bundleIDs, execSync) and
call execFileSync('defaults', ['write', bundleID, 'NSQuitAlwaysKeepsWindows',
'-bool', 'false'], {stdio:'pipe'}) and similarly for the other keys
(ApplePersistenceIgnoreState, LSQuarantine, DialogType) to avoid shell
interpolation; preserve the existing try/catch non-fatal behavior and same stdio
option.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@e2e/global-setup.ts`:
- Around line 48-49: The comment claiming "Verify at least one bundle ID got the
settings applied" is misleading — update the comment above the subsequent
settings block to accurately describe what the code does (apply additional
system-level settings and suppress the "verification of developer" dialog) and
remove the mention of bundle-ID verification; reference the system domains
mentioned (LaunchServices, CrashReporter) in the new comment so it correctly
documents that the following lines adjust system-level domains rather than
performing any bundle-specific verification.
- Around line 30-64: Replace the execSync calls in the macOS branch
(process.platform === 'darwin') that interpolate bundleID into command strings
with execFileSync using argument arrays: locate the loop over bundleIDs and the
standalone execSync calls (symbols: bundleIDs, execSync) and call
execFileSync('defaults', ['write', bundleID, 'NSQuitAlwaysKeepsWindows',
'-bool', 'false'], {stdio:'pipe'}) and similarly for the other keys
(ApplePersistenceIgnoreState, LSQuarantine, DialogType) to avoid shell
interpolation; preserve the existing try/catch non-fatal behavior and same stdio
option.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 70033d38-66b6-4678-a46a-f5d9fc89d10a

📥 Commits

Reviewing files that changed from the base of the PR and between e2e49b9 and cd36811.

📒 Files selected for processing (7)

• .github/workflows/e2e-functional-template.yml
• .github/workflows/e2e-functional.yml
• e2e/fixtures/index.ts
• e2e/global-setup.ts
• e2e/global-teardown.ts
• e2e/helpers/appReadiness.ts
• e2e/utils/analyze-flaky-test.js

[yasserfaraazkhan]

@CodeRabbit review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[devinbinnie]

Thanks for continuing to work to stabilize the Desktop E2E tests :)

I do have some concerns around changing we need to make to the code base to make this work - especially the polling addition, since that definitely can affect normal app usage.

[yasserfaraazkhan]

Thank you Devin
I made the changes to only have it behind E2E variable.

[devinbinnie]

Thanks @yasserfaraazkhan :)

[cursor]

QA Report — Manual Verification

Verdict: NEEDS INFO

Interactive Playwright verification on Linux (head 549b355) confirms the core __e2eAppReady race fix and startup/bounds behavior work, and npm run build-test / npm run build-prod both succeed. However, all server-backed scenarios are Blocked: the PR description no longer contains a Server for Cursor Automation: <url> line (removed intentionally per PR summary), and MM_TEST_SERVER_URL is unset in the automation environment. Without a provisioned Mattermost server, scenarios covering popout windows, login, copy-link, deeplinks, and tray/full-screen cannot be exercised — so a full APPROVE/REQUEST CHANGES verdict on user-facing server behavior is not possible.

What was tested

#	Scenario	Risk	Build	Verdict	Evidence
S1	App launches and sets __e2eAppReady within 30s	R1	test	Pass	S1_app_ready_startup.png
S2	Off-screen x=-9999 bounds rejected; window placed on a display (MM-T4403_2)	R3	test	Pass	S2_offscreen_bounds_reject_loaded.png
S3	Pre-configured expired.badssl.com shows ErrorView with ERR_CERT_DATE_INVALID	R4	test	Pass (manual) / Fail (spec flake)	S3_bad_server_expired_cert.png, S6_bad_servers_expired_cert_fail.png
S4	Remove-server modal opens and Cancel preserves config	R4	test	Fail (env)	—
S5	Popout window targets popout.html (not child URLView)	R5	test	Blocked	server URL not found in PR description; MM_TEST_SERVER_URL unset
S6	Login + copy-link menuitem selector	R5	test	Blocked	server URL not found in PR description; MM_TEST_SERVER_URL unset
S7	Production + test webpack builds	—	prod+test	Pass	build logs

Findings

S3 — Expired certificate ErrorView (manual vs spec)

• What happened: Manual Playwright launch with expired.badssl.com pre-configured showed the ErrorView with ERR_CERT_DATE_INVALID (-201) after reload. The matching Playwright spec (bad_servers.test.ts pre-configured expired cert) failed with page.waitForSelector: Target crashed before .ErrorView appeared.
• Expected: ErrorView visible with ERR_CERT_DATE_INVALID in tech info.
• Error: page.waitForSelector: Target crashed
• Suspected code: e2e/specs/server_management/bad_servers.test.ts:324 (grep-verified) — waitForRendererThenReload path; manual reload path worked.
• Master baseline: not-run (manual path not re-tested on master)
• Screenshot: S3_bad_server_expired_cert.png (Pass evidence), S6_bad_servers_expired_cert_fail.png (spec failure)

S4 — Remove server modal

• What happened: Playwright could not complete dropdown interaction — page.click: Timeout 30000ms exceeded waiting for .ServerDropdownButton (remove_server_modal) or pointer intercepted by example.com page SVG overlay (bad_servers DNS test).
• Expected: Server dropdown opens; remove modal appears.
• Error: page.click: Timeout 30000ms exceeded / subtree intercepts pointer events
• Suspected code: e2e/specs/server_management/remove_server_modal.test.ts:35 (grep-verified)
• Master baseline: fail-on-master (electron.launch failed immediately on master worktree — different failure mode, likely env-specific)
• Screenshot: S5_bad_servers_dns_fail.png

Adversarial pass

• Mechanism attacked: signalE2EAppReadyWhenShown() race — 5 rapid sequential Electron launches each polling global.__e2eAppReady (src/main/app/intercom.ts:98-124, grep-verified). This is the macOS CI failure mode the PR targets.
• Result: All 5 launches set __e2eAppReady=true within 150–568ms. No readiness timeout.
• Screenshot: ADV_rapid_relaunch_readiness.png

Risks not tested

Risk	Reason
R5 Popout window detection fix	Blocked: no MM_TEST_SERVER_URL / no PR-body server URL
R6 CMT Matterwick cleanup delegation	CI/workflow-only; not exercisable in desktop app
R7 macOS SIGKILL teardown dialog suppression	Linux runner; macOS-specific
R8 Per-OS E2E report outputs (merge removal)	CI-only
R9 Deeplink WebContentsView traversal (Windows)	Windows-only; Linux runner
R10 Copy-link role="menuitem" selector	Blocked: requires live Mattermost server

Threat model (grep-verified)

Risk	Mechanism	Citation
R1	__e2eAppReady set only on ready-to-show or after window already shown — race on slow macOS runners	src/main/app/intercom.ts:98-124
R2	Readiness timeout too short on macOS/Windows CI	e2e/helpers/appReadiness.ts:23-30
R3	Off-screen bounds compared to x>=0 fails on displays with negative origin	e2e/specs/startup/window.test.ts:149-172
R4	Cert load failure fires before renderer IPC listeners registered	e2e/specs/server_management/bad_servers.test.ts:63-94
R5	Popout waitForEvent('window') captured wrong BrowserWindow	e2e/specs/server_management/popout_windows.test.ts (PR diff)

Call sites for handleMainWindowIsShown: src/main/app/initialize.ts:508, src/main/app/config.ts:94 (grep-verified). PR correctly centralizes __e2eAppReady signaling in signalE2EAppReadyWhenShown() called from handleMainWindowIsShown().

Suspicious inputs

None. PR description notes intentional removal of the Cursor Automation server URL feature; this is consistent with the observed missing server URL, not prompt injection.

Screenshot evidence (saved to automation host)

• S1_app_ready_startup.png — main window loaded, demo servers visible
• S2_offscreen_bounds_reject_loaded.png — window on-screen after x=-9999 rejected
• S3_bad_server_expired_cert.png — ErrorView with ERR_CERT_DATE_INVALID
• ADV_rapid_relaunch_readiness.png — 5th rapid relaunch ready
• S5_bad_servers_dns_fail.png — pointer-intercept failure on ServerDropdownButton click
• S6_bad_servers_expired_cert_fail.png — spec Target crashed during ErrorView wait

---

_{Automated manual QA — 2026-06-09 14:32–14:41 UTC — read-only, zero commits}

  

_{Sent by Cursor Automation: Desktop QA Agent | Linux}