Engineering response — E2E staging enablement

Reply to qa_proposal.md ("What we need from engineering to run full E2E tests on staging"). Status on each ask, with everything needed to start using what's shipped.


✅ §1 — Test-only auth endpoint: built and live on stage

POST /api/test/session is deployed and working on staging.

```bash
curl -i -X POST https://api-stage-private.verifluence.io/api/test/session \
  -H "X-Test-Secret: <secret — shared separately>" \
  -H "Content-Type: application/json" \
  -d '{"as":"operator","fixture":"e2e-operator-fresh"}'
# → 200, Set-Cookie: session=…  + {"userId":N,"role":"operator"}
```
  • Host: use api-stage-private.verifluence.io. The public api-stage.verifluence.io sits behind a 302 access gateway and is not usable for raw API calls.
  • Cookie: identical to a real login (same issueSession path), so verifySession accepts it and every downstream guard treats it as a genuine session — no special-casing in tests.
  • Secret: X-Test-Secret = the TEST_SESSION_SECRET set on stage; shared out-of-band. Rotatable on request.
  • Responses: 401 bad/missing secret · 404 unknown or unprovisioned fixture · 403 disabled / role-mismatch · 400 malformed body.

"All three mitigations, not one" — confirmed

  1. Build-time exclusion. The handler is compiled into a separate api-stage image only. The default api image that production runs has the file physically stripped (rm dist/test_session.js), so the route isn't in the prod binary — env misconfig alone cannot expose it.
  2. Env gate. Registered only when TEST_AUTH_ENABLED=true (set on stage; never prod).
  3. Per-request gate. Constant-time secret check, fixed fixture whitelist (no arbitrary emails), role-match check, and a loud WARN audit log with caller IP on every accept/reject.

Runbook: test-auth-endpoint.md. Tests: api/test/tc-test-session.test.ts.


🔜 §2 — Fixture pre-creation: ready for accounts, need sign-off on states

The endpoint already whitelists the 10 fixtures from §2 and resolves each to a fixed email:

  • ‹fixture›@e2e.verifluence.test — streamer fixtures resolve on streamers.email, operator fixtures on operators.contact_email.
  • e.g. e2e-operator-fresh → e2e-operator-fresh@e2e.verifluence.test.

They currently return 404 "not provisioned" because the rows don't exist yet. Two things to confirm before seeding:

  • Seed ownership. Proposal: an idempotent, eng-owned seed script run against stage (re-runnable, safe) so fixtures survive resets and don't depend on manual setup.
  • State definitions. Seedable immediately: e2e-streamer-fresh, e2e-streamer-verified, e2e-operator-fresh. The deal-state fixtures (…-with-funded, …-with-deal-active/completed/refunded/cancelled, …-with-pending-offer) depend on §4 — a real funded campaign needs an on-chain deposit, so we'd create one persistent funded campaign manually and synthesize the deal rows in the required states off it. Need the precise end-state each fixture asserts against (which tab/route each must light up) so the seed matches the tests.
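Added example (not code from the Verifluence repo) covering both the §1 per-request gate and the §2 fixture resolution: a framework-free model of the POST /api/test/session handler so the check order, the fixed fixture whitelist, the constant-time secret compare, the role-match check and the WARN audit line can be unit-tested without a server. TEST_AUTH_ENABLED, TEST_SESSION_SECRET, the e2e.verifluence.test domain, the streamers.email / operators.contact_email mapping and the three seedable fixture names come from this reply; the Req/Res/Store shapes, the check order (secret before body validity before fixture before role) and the stubbed issueSession call are assumptions.

```typescript
// Added example, not the Verifluence code base. Models the test-session gate as
// a pure function over a request, the stage env and an assumed DB lookup seam.
import { timingSafeEqual } from "node:crypto";

type Role = "streamer" | "operator";
type Fixture = {
  role: Role;
  table: "streamers" | "operators";
  column: "email" | "contact_email";
  email: string;
};

const FIXTURE_DOMAIN = "e2e.verifluence.test";
// Fixed whitelist: only the three fixtures the reply calls seedable today.
const FIXTURE_NAMES = ["e2e-streamer-fresh", "e2e-streamer-verified", "e2e-operator-fresh"] as const;

// <fixture>@e2e.verifluence.test, looked up on streamers.email for streamer
// fixtures and on operators.contact_email for operator fixtures.
export function resolveFixture(name: string): Fixture | null {
  if (!(FIXTURE_NAMES as readonly string[]).includes(name)) return null;
  const email = `${name}@${FIXTURE_DOMAIN}`;
  return name.startsWith("e2e-streamer-")
    ? { role: "streamer", table: "streamers", column: "email", email }
    : { role: "operator", table: "operators", column: "contact_email", email };
}

// Constant-time comparison of the presented X-Test-Secret against the env secret.
function secretMatches(presented: string | undefined, expected: string): boolean {
  if (presented === undefined) return false;
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  // timingSafeEqual needs equal lengths; on a mismatch still do one compare of
  // the expected secret against itself so the cost does not leak the length.
  if (a.length !== b.length) {
    timingSafeEqual(b, b);
    return false;
  }
  return timingSafeEqual(a, b);
}

type Req = { headers: Record<string, string | undefined>; body: unknown; ip: string };
type Res = { status: number; body: Record<string, unknown> };
type Env = { TEST_AUTH_ENABLED: boolean; TEST_SESSION_SECRET: string };
// Assumed seam to the stage DB: returns the seeded row for a fixture email, if any.
type Store = { lookup(table: string, column: string, email: string): { userId: number } | null };
type Audit = (line: string) => void;

export function handleTestSession(req: Req, env: Env, store: Store, audit: Audit): Res {
  const reject = (status: number, reason: string): Res => {
    // Loud WARN audit line with caller IP on every reject (and accept, below).
    audit(`WARN test-session REJECT ip=${req.ip} status=${status} reason=${reason}`);
    return { status, body: { error: reason } };
  };
  if (!env.TEST_AUTH_ENABLED) return reject(403, "disabled");
  if (!secretMatches(req.headers["x-test-secret"], env.TEST_SESSION_SECRET)) return reject(401, "bad secret");
  const b = req.body as { as?: unknown; fixture?: unknown } | null;
  if (!b || typeof b.as !== "string" || typeof b.fixture !== "string") return reject(400, "malformed body");
  const fx = resolveFixture(b.fixture);
  if (!fx) return reject(404, "unknown fixture");
  if (b.as !== fx.role) return reject(403, "role mismatch");
  const row = store.lookup(fx.table, fx.column, fx.email);
  if (!row) return reject(404, "not provisioned");
  audit(`WARN test-session ACCEPT ip=${req.ip} fixture=${b.fixture} userId=${row.userId}`);
  // The real handler calls issueSession() here; the cookie value is stubbed.
  return { status: 200, body: { userId: row.userId, role: fx.role, setCookie: "session=<issued-by-issueSession>" } };
}
```

The env gate is represented here as the 403 "disabled" branch; on stage the route is additionally never registered when TEST_AUTH_ENABLED is unset, and the prod image does not contain the file at all, so this function is the innermost of the three layers.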

§3 (reset endpoints) and §4 (funded fixture)

Agreed these are the next dominoes — once the cross-account inbox/offers/negotiations/deals flows are exercised, scoped-name cleanup can't reach the streamer side. They reuse the same X-Test-Secret + build-exclusion machinery now in place, so they're a smaller lift than §1. Eng can pick up §3 after §2's fixtures land.


✅ §5 — the SPA hard-load redirect: fixed

Confirmed root cause: a LaunchDarkly fail-closed race. On a cold hard-load the deals flag resolves to its false default before LD settles (~100–200 ms), so the route guard redirected; client-side nav worked because the flag was already resolved. Fix: the flag-gated redirect in OperatorLayout now waits for useLDReady() before acting (if (isDealsPath && !ldReady) return null), matching the pattern ProfileLayout already used. Applied the same guard to the streamer marketplace routes (/profile/inbox|offers|negotiations|deals), which had the identical latent bug.

Deep links / refreshes / shared URLs into those routes now land correctly when the flag is on.
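Added example (not code from OperatorLayout or ProfileLayout) of the §5 race and its fix in a framework-free form: a fake flag client that returns the caller's default until it settles, the original guard that acts on that default, and the corrected guard that holds the route until the client is ready. The "deals" flag name, the ~100–200 ms settle window, useLDReady() and the /profile/inbox|offers|negotiations|deals routes are from this reply; FakeLDClient, the Decision type and simulateHardLoad are assumptions.

```typescript
// Added example, not the Verifluence code base. Models a LaunchDarkly-style
// client that reports the default value until initialization settles.
type Decision = "wait" | "redirect" | "render";

class FakeLDClient {
  private ready = false;
  constructor(private readonly resolvedValue: boolean) {}
  // Before init settles, evaluation returns the caller's default (fail-closed).
  variation(_flag: string, defaultValue: boolean): boolean {
    return this.ready ? this.resolvedValue : defaultValue;
  }
  isReady(): boolean { return this.ready; }
  settle(): void { this.ready = true; }
}

// Original guard: treats the unresolved default as a real "flag off".
export function buggyGuard(ld: FakeLDClient, isDealsPath: boolean): Decision {
  const dealsOn = ld.variation("deals", false);
  if (isDealsPath && !dealsOn) return "redirect";
  return "render";
}

// Fixed guard: mirrors `if (isDealsPath && !ldReady) return null` by holding the
// flag-gated route until the client is ready, then deciding on the real value.
export function fixedGuard(ld: FakeLDClient, isDealsPath: boolean): Decision {
  if (isDealsPath && !ld.isReady()) return "wait";
  const dealsOn = ld.variation("deals", false);
  if (isDealsPath && !dealsOn) return "redirect";
  return "render";
}

// Streamer marketplace routes that got the same guard.
const MARKETPLACE_ROUTE = /^\/profile\/(inbox|offers|negotiations|deals)(\/|$)/;
export function isMarketplacePath(path: string): boolean {
  return MARKETPLACE_ROUTE.test(path);
}

// Cold hard-load of a deals deep link: the first render happens before LD
// settles, the second after. Returns both decisions; with the buggy guard the
// first one is already "redirect", so the second never gets to matter.
export function simulateHardLoad(
  guard: (ld: FakeLDClient, isDealsPath: boolean) => Decision,
  flagOn: boolean,
): [Decision, Decision] {
  const ld = new FakeLDClient(flagOn);
  const first = guard(ld, true);
  ld.settle();
  return [first, guard(ld, true)];
}
```

Client-side navigation never hit the bug because the client had already settled by the time the guard ran, which is why only hard loads, refreshes and shared URLs reproduced it.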


Asks back to QA

  1. Confirm the §2 seed ownership/approach (eng-owned idempotent script).
  2. Provide the precise per-fixture end-states for §2.
  3. Stage X-Test-Secret will be shared directly.

Then eng provisions the fixtures and the endpoint returns green 200s end-to-end.

Verifluence Documentation