RBAC tests: shared-container test harness for the comprehensive auth suite (TRI-8732)

Foundation for TRI-8731. The smoke api-auth.e2e.test.ts spins up its own
webapp + Postgres container per test file (~30s startup each). The
comprehensive matrix would have 12+ files, so per-file startup would
dominate runtime. Instead this harness boots one container for the whole
suite and rapid-fires tests across multiple files.

Layout:

- vitest.e2e.full.config.ts — globalSetup + pool: forks. Picks up
  test/**/*.e2e.full.test.ts.
- test/setup/global-e2e-full-setup.ts — calls startTestServer() once,
  provides baseUrl + databaseUrl to test workers via vitest's
  provide()/inject() API. Tears down on suite end.
- test/helpers/sharedTestServer.ts — getTestServer() pulls the provided
  values, constructs a per-worker PrismaClient, exposes
  { webapp, prisma } matching the existing TestServer shape.
- test/helpers/seedTestSession.ts — produces a Cookie header value
  compatible with the webapp's createCookieSessionStorage config so
  dashboard tests (TRI-8742) can authenticate as a seeded user.
- test/auth-api.e2e.full.test.ts, test/auth-dashboard.e2e.full.test.ts,
  test/auth-cross-cutting.e2e.full.test.ts — three file shells with
  top-level describe blocks. Family subtasks (TRI-8733+) add nested
  describes inside.
- .github/workflows/e2e-webapp-auth-full.yml — workflow_dispatch +
  nightly schedule + pull_request paths-filtered (only triggers on PRs
  touching auth-relevant files).
- test/README.md — documents the unit / smoke-e2e / full-e2e split.

Touching @internal/testcontainers:

- TestServer interface gains databaseUrl so per-worker PrismaClient
  reconstruction has the connection string without going through the
  serialised prisma instance (which can't cross worker boundaries).
- utils.ts — assertNonNullable's vitest import was previously eager at
  module load. globalSetup runs outside any vitest worker, so that
  eager init crashed (createExpect needs worker state). Switched to a
  lazy require('vitest') inside the function body. The function still
  runs in test workers where worker state exists.
- logs.ts — TaskContext changed to type-only import for the same
  module-load-time concern (transitively imported by webapp.ts).

Verification:

- pnpm run typecheck across @internal/testcontainers + webapp — clean.
- pnpm exec vitest run --config vitest.e2e.full.config.ts —
  3/3 tests pass in 19.37s with one observed container startup.
  Subsequent family subtasks add describes with no per-file container
  cost.

The placeholder it() in each file (just hits /healthcheck or counts
users) gets removed by the family subtasks as they add real coverage.

Author: matt-aitken

.github/workflows/e2e-webapp-auth-full.yml

@@ -0,0 +1,116 @@
+name: "🛡️ E2E Tests: Webapp Auth (full)"
+
+# Comprehensive RBAC auth test suite — see TRI-8731. Runs separately from
+# the smoke e2e-webapp.yml because it covers every route family with a
+# pass/fail matrix and would otherwise dominate per-PR CI time.
+#
+# Triggered:
+#   - Manually via workflow_dispatch.
+#   - Nightly via schedule.
+#   - On pull requests touching auth-relevant files only (paths filter).
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 * * *" # 04:00 UTC daily
+  pull_request:
+    paths:
+      - "apps/webapp/app/services/routeBuilders/**"
+      - "apps/webapp/app/services/rbac.server.ts"
+      - "apps/webapp/app/services/apiAuth.server.ts"
+      - "apps/webapp/app/services/personalAccessToken.server.ts"
+      - "apps/webapp/app/services/sessionStorage.server.ts"
+      - "apps/webapp/app/routes/api.v*.**"
+      - "apps/webapp/app/routes/realtime.v*.**"
+      - "apps/webapp/test/**/*.e2e.full.test.ts"
+      - "apps/webapp/test/setup/global-e2e-full-setup.ts"
+      - "apps/webapp/test/helpers/sharedTestServer.ts"
+      - "apps/webapp/test/helpers/seedTestSession.ts"
+      - "apps/webapp/vitest.e2e.full.config.ts"
+      - "internal-packages/rbac/**"
+      - "packages/plugins/**"
+      - ".github/workflows/e2e-webapp-auth-full.yml"
+
+jobs:
+  e2eAuthFull:
+    name: "🛡️ E2E Auth Tests (full)"
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+    steps:
+      - name: 🔧 Disable IPv6
+        run: |
+          sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
+
+      - name: 🔧 Configure docker address pool
+        run: |
+          CONFIG='{
+            "default-address-pools" : [
+              {
+                "base" : "172.17.0.0/12",
+                "size" : 20
+              },
+              {
+                "base" : "192.168.0.0/16",
+                "size" : 24
+              }
+            ]
+          }'
+          mkdir -p /etc/docker
+          echo "$CONFIG" | sudo tee /etc/docker/daemon.json
+
+      - name: 🔧 Restart docker daemon
+        run: sudo systemctl restart docker
+
+      - name: ⬇️ Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: ⎔ Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.23.0
+
+      - name: ⎔ Setup node
+        uses: buildjet/setup-node@v4
+        with:
+          node-version: 20.20.0
+          cache: "pnpm"
+
+      - name: 🐳 Login to DockerHub
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🐳 Skipping DockerHub login (no secrets available)
+        if: ${{ !env.DOCKERHUB_USERNAME }}
+        run: echo "DockerHub login skipped because secrets are not available."
+
+      - name: 🐳 Pre-pull testcontainer images
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        run: |
+          docker pull postgres:14
+          docker pull redis:7.2
+          docker pull testcontainers/ryuk:0.11.0
+
+      - name: 📥 Download deps
+        run: pnpm install --frozen-lockfile
+
+      - name: 📀 Generate Prisma Client
+        run: pnpm run generate
+
+      - name: 🏗️ Build Webapp
+        run: pnpm run build --filter webapp
+
+      - name: 🛡️ Run Webapp Full Auth E2E Tests
+        run: cd apps/webapp && pnpm exec vitest run --config vitest.e2e.full.config.ts --reporter=default
+        env:
+          WEBAPP_TEST_VERBOSE: "1"

apps/webapp/test/README.md

@@ -0,0 +1,65 @@
+# Webapp tests
+
+Three suites live in this directory.
+
+## Unit tests — `*.test.ts`
+
+Run with `pnpm test` from `apps/webapp`. Default vitest pickup. No
+container setup. Run on every PR via `unit-tests-webapp.yml`.
+
+## Smoke e2e — `*.e2e.test.ts`
+
+End-to-end auth baseline that proves the route auth plumbing is wired up.
+Each file spins up its own webapp + Postgres + Redis container in
+`beforeAll` (~30s startup). Vitest config: `vitest.e2e.config.ts`. Run on
+every PR via `e2e-webapp.yml`.
+
+```bash
+cd apps/webapp
+pnpm exec vitest --config vitest.e2e.config.ts
+```
+
+## Comprehensive auth e2e — `*.e2e.full.test.ts`
+
+The full RBAC auth matrix — every route family with explicit pass/fail
+scenarios. See TRI-8731 for the parent ticket and TRI-8732 onwards for
+each family's coverage spec.
+
+**Architecture**: one container reused across the whole suite via
+`vitest.e2e.full.config.ts`'s `globalSetup`. Test files share the server
+through `getTestServer()` from `helpers/sharedTestServer.ts`. Each test
+seeds its own resources so order doesn't matter.
+
+**Layout**:
+
+| File | Top-level describe | Family subtasks |
+|---|---|---|
+| `auth-api.e2e.full.test.ts` | `API` | TRI-8733 trigger, TRI-8734 run resource, TRI-8735 run mutations, TRI-8736 run lists, TRI-8737 batches, TRI-8738 prompts, TRI-8739 deployments + query, TRI-8740 waitpoints + input streams, TRI-8741 PAT |
+| `auth-dashboard.e2e.full.test.ts` | `Dashboard` | TRI-8742 admin pages |
+| `auth-cross-cutting.e2e.full.test.ts` | `Cross-cutting` | TRI-8743 deleted projects / revoked keys / expired JWTs / env mismatch / force-fallback toggle |
+
+**Adding a new family**: pick the relevant file, add a nested `describe`
+block. Inside, seed your own fixtures via the helpers and hit the shared
+server.
+
+```ts
+describe("Trigger task", () => {
+  const server = getTestServer();
+
+  it("missing Authorization → 401", async () => {
+    const res = await server.webapp.fetch("/api/v1/tasks/x/trigger", { method: "POST", body: "{}" });
+    expect(res.status).toBe(401);
+  });
+});
+```
+
+**CI**: `e2e-webapp-auth-full.yml`. Triggers on `workflow_dispatch`,
+nightly schedule, and PRs touching auth-relevant paths (route builders,
+rbac.server.ts, apiAuth.server.ts, apiroutes, the suite itself).
+
+**Run locally**:
+
+```bash
+cd apps/webapp
+pnpm exec vitest --config vitest.e2e.full.config.ts
+```

apps/webapp/test/auth-api.e2e.full.test.ts

@@ -0,0 +1,24 @@
+// Comprehensive API auth tests — uses the shared TestServer started by
+// vitest.e2e.full.config.ts's globalSetup. Family subtasks under TRI-8731
+// add nested describe blocks here:
+//
+//   describe("API", () => {
+//     describe("Trigger task", () => { ... })   // TRI-8733
+//     describe("Runs — resource routes", () => { ... }) // TRI-8734
+//     ...
+//   })
+//
+// See test/helpers/sharedTestServer.ts for `getTestServer()`.
+
+import { describe, expect, it } from "vitest";
+import { getTestServer } from "./helpers/sharedTestServer";
+
+describe("API", () => {
+  // Placeholder until family subtasks add their describes (TRI-8733+).
+  // Verifies the shared container is reachable from this worker.
+  it("shared webapp container responds to /healthcheck", async () => {
+    const server = getTestServer();
+    const res = await server.webapp.fetch("/healthcheck");
+    expect(res.ok).toBe(true);
+  });
+});

apps/webapp/test/auth-cross-cutting.e2e.full.test.ts

@@ -0,0 +1,15 @@
+// Cross-cutting auth-layer behaviours that aren't tied to a specific route
+// family — see TRI-8743. Soft-deleted projects, revoked keys, expired JWTs,
+// cross-env mismatch, force-fallback toggle.
+
+import { describe, expect, it } from "vitest";
+import { getTestServer } from "./helpers/sharedTestServer";
+
+describe("Cross-cutting", () => {
+  // Placeholder until TRI-8743 adds the actual matrix.
+  it("shared prisma client can read from the postgres container", async () => {
+    const server = getTestServer();
+    const count = await server.prisma.user.count();
+    expect(count).toBeGreaterThanOrEqual(0);
+  });
+});

apps/webapp/test/auth-dashboard.e2e.full.test.ts

@@ -0,0 +1,15 @@
+// Comprehensive dashboard session-auth tests — see TRI-8742.
+// Each test seeds a User + session cookie via seedTestUser / seedTestSession
+// (helpers/seedTestSession.ts) and hits the shared webapp container.
+
+import { describe, expect, it } from "vitest";
+import { getTestServer } from "./helpers/sharedTestServer";
+
+describe("Dashboard", () => {
+  // Placeholder until TRI-8742+ adds the actual matrix.
+  it("shared webapp container redirects /admin/concurrency to /login when unauthenticated", async () => {
+    const server = getTestServer();
+    const res = await server.webapp.fetch("/admin/concurrency", { redirect: "manual" });
+    expect(res.status).toBe(302);
+  });
+});

apps/webapp/test/helpers/seedTestSession.ts

@@ -0,0 +1,58 @@
+// Produces a `Cookie:` header value for an authenticated session that the
+// webapp under test will accept. Mirrors the webapp's
+// `services/sessionStorage.server.ts` config exactly — the SESSION_SECRET
+// must match what the webapp container was started with (see
+// `internal-packages/testcontainers/src/webapp.ts` — currently
+// "test-session-secret-for-e2e-tests").
+//
+// Used by dashboard auth tests (TRI-8742). Each test seeds its own user +
+// session so test order doesn't matter.
+
+import { createCookieSessionStorage } from "@remix-run/node";
+import type { PrismaClient } from "@trigger.dev/database";
+import { randomBytes } from "node:crypto";
+
+// Must match SESSION_SECRET in internal-packages/testcontainers/src/webapp.ts.
+const SESSION_SECRET = "test-session-secret-for-e2e-tests";
+
+// Shape of the session config in apps/webapp/app/services/sessionStorage.server.ts.
+const sessionStorage = createCookieSessionStorage({
+  cookie: {
+    name: "__session",
+    sameSite: "lax",
+    path: "/",
+    httpOnly: true,
+    secrets: [SESSION_SECRET],
+    secure: false, // NODE_ENV is "test" in the spawned webapp.
+    maxAge: 60 * 60 * 24 * 365,
+  },
+});
+
+export async function seedTestUser(
+  prisma: PrismaClient,
+  overrides?: { admin?: boolean; email?: string }
+) {
+  const suffix = randomBytes(6).toString("hex");
+  return prisma.user.create({
+    data: {
+      email: overrides?.email ?? `e2e-${suffix}@test.local`,
+      authenticationMethod: "MAGIC_LINK",
+      admin: overrides?.admin ?? false,
+    },
+  });
+}
+
+// Builds the `Cookie:` header value for a given user. Set this on test
+// requests to the webapp to authenticate as that user.
+//
+// remix-auth's default sessionKey is "user" and stores AuthUser as
+// { userId } — see apps/webapp/app/services/authUser.ts.
+export async function seedTestSession(opts: { userId: string }): Promise<string> {
+  const session = await sessionStorage.getSession();
+  session.set("user", { userId: opts.userId });
+  const setCookie = await sessionStorage.commitSession(session);
+  // commitSession returns "__session=<value>; Path=/; ...". The Cookie
+  // header only needs the name=value pair.
+  const firstSegment = setCookie.split(";")[0];
+  return firstSegment;
+}

apps/webapp/test/helpers/sharedTestServer.ts

@@ -0,0 +1,53 @@
+// Per-worker access to the shared TestServer started by globalSetup. Each
+// test file imports `getTestServer()` once at module top-level; the returned
+// value is a singleton within that worker process.
+//
+// `webapp.fetch(path)` prepends the shared baseUrl. The PrismaClient is
+// constructed lazily and disconnected on test-suite end via afterAll in the
+// importing file (or left to the worker shutting down).
+
+import { PrismaClient } from "@trigger.dev/database";
+import { afterAll, inject } from "vitest";
+
+interface SharedWebapp {
+  baseUrl: string;
+  fetch(path: string, init?: RequestInit): Promise<Response>;
+}
+
+interface SharedTestServer {
+  webapp: SharedWebapp;
+  prisma: PrismaClient;
+}
+
+let cached: SharedTestServer | undefined;
+
+export function getTestServer(): SharedTestServer {
+  if (cached) return cached;
+
+  const baseUrl = inject("baseUrl");
+  const databaseUrl = inject("databaseUrl");
+
+  if (!baseUrl || !databaseUrl) {
+    throw new Error(
+      "globalSetup didn't provide baseUrl/databaseUrl — run via vitest.e2e.full.config.ts"
+    );
+  }
+
+  const prisma = new PrismaClient({ datasources: { db: { url: databaseUrl } } });
+
+  cached = {
+    webapp: {
+      baseUrl,
+      fetch: (path, init) => fetch(`${baseUrl}${path}`, init),
+    },
+    prisma,
+  };
+
+  // Disconnect the PrismaClient when the worker is done. globalSetup's
+  // teardown stops the container; this just releases the per-worker pool.
+  afterAll(async () => {
+    await prisma.$disconnect().catch(() => {});
+  });
+
+  return cached;
+}

apps/webapp/test/setup/global-e2e-full-setup.ts

@@ -0,0 +1,28 @@
+// vitest globalSetup — runs once for the whole *.e2e.full.test.ts suite.
+// Boots one Postgres + Redis + webapp; tests connect to it via the
+// `baseUrl` / `databaseUrl` values provided to test workers below.
+//
+// Each test file recreates its own PrismaClient connected to the shared DB
+// (PrismaClient instances aren't serialisable across worker boundaries).
+
+import type { TestProject } from "vitest/node";
+import { startTestServer, type TestServer } from "@internal/testcontainers/webapp";
+
+let server: TestServer | undefined;
+
+export default async function setup(project: TestProject) {
+  server = await startTestServer();
+  project.provide("baseUrl", server.webapp.baseUrl);
+  project.provide("databaseUrl", server.databaseUrl);
+
+  return async () => {
+    await server?.stop().catch(() => {});
+  };
+}
+
+declare module "vitest" {
+  export interface ProvidedContext {
+    baseUrl: string;
+    databaseUrl: string;
+  }
+}