test(e2e): fix dev-system test suite — storageState + strict-mode + signout

Fixes 8 failures from the first test run:

1. Rate limiter exhaustion (5/8 failures)
   Admin was logged in 9× across the suite, hitting the 5/15min auth
   limit. Fix: global-setup.ts logs in once per role and saves storage
   state; all non-login tests use storageState so they skip the form.
   Total admin logins per suite run: 3 (global setup + 2 explicit tests).

2. Strict-mode violations (2/8 failures)
   toBeVisible() matched 3 email cells / 2 permission-error nodes.
   Fix: .first() on both locators.

3. Auth.js v5 signout confirmation page (1/8 failures)
   GET /auth/signout renders a confirm form rather than immediately
   redirecting. Fix: signOut() helper clicks the submit button.

Note: running the suite right after a previous run may fail if the
in-memory rate limit hasn't reset (15-min window). Restart the dev
server, or add E2E_TEST_MODE=true to apps/web/.env.local to bypass.

Co-Authored-By: claude-flow <ruv@ruv.net>

apps/web/e2e/dev-system/rbac-permissions.spec.ts

@@ -4,17 +4,25 @@
  * Validates that role-based access control is enforced correctly
  * against the running dev server with real seed data.
  *
+ * All tests reuse pre-authenticated storage states from global setup
+ * so they don't trigger the auth rate limiter.
+ *
  * Role hierarchy:
  *   ADMIN   — full access including all /admin/* routes
  *   MANAGER — can view allocations, cannot access /admin/users etc.
  *   VIEWER  — limited read-only; allocations are forbidden (TRPC FORBIDDEN)
  */
 import { expect, test } from "@playwright/test";
-import { DEV_USERS, signIn } from "./helpers.js";
+import { STORAGE_STATE } from "../../playwright.dev.config.js";
+
+// ---------------------------------------------------------------------------
+// Admin routes — admin session
+// ---------------------------------------------------------------------------
+
+test.describe("RBAC — admin routes (admin session)", () => {
+  test.use({ storageState: STORAGE_STATE.admin });
 
-test.describe("RBAC — admin routes", () => {
   test("admin can access /admin/users and sees user rows", async ({ page }) => {
-    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
     await page.goto("/admin/users");
     await page.waitForLoadState("networkidle");
 
@@ -26,45 +34,35 @@ test.describe("RBAC — admin routes", () => {
   });
 
   test("admin can access /admin/system-roles without errors", async ({ page }) => {
-    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
     await page.goto("/admin/system-roles");
     await page.waitForLoadState("networkidle");
 
-    // Page should render a heading, not a blank screen or error
     await expect(page.locator("h1,h2").first()).toBeVisible({ timeout: 10000 });
   });
 
   test("admin can access /admin/blueprints without errors", async ({ page }) => {
-    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
     await page.goto("/admin/blueprints");
     await page.waitForLoadState("networkidle");
 
     await expect(page.locator("h1,h2,h3").first()).toBeVisible({ timeout: 10000 });
   });
+});
+
+// ---------------------------------------------------------------------------
+// Admin routes — non-admin sessions should be blocked
+// ---------------------------------------------------------------------------
+
+test.describe("RBAC — /admin/users blocked for manager", () => {
+  test.use({ storageState: STORAGE_STATE.manager });
 
   test("manager is redirected or sees an error on /admin/users", async ({ page }) => {
-    await signIn(page, DEV_USERS.manager.email, DEV_USERS.manager.password);
-    await page.goto("/admin/users");
-    await page.waitForLoadState("networkidle");
-
-    // Expect either: redirect away from /admin/users, or a permission-denied message
-    const isRedirected = !page.url().includes("/admin/users");
-    const hasForbiddenText = await page
-      .locator("text=/forbidden|permission|access denied|not authorized|unauthorized/i")
-      .isVisible()
-      .catch(() => false);
-
-    expect(isRedirected || hasForbiddenText).toBe(true);
-  });
-
-  test("viewer is redirected or sees an error on /admin/users", async ({ page }) => {
-    await signIn(page, DEV_USERS.viewer.email, DEV_USERS.viewer.password);
     await page.goto("/admin/users");
     await page.waitForLoadState("networkidle");
 
     const isRedirected = !page.url().includes("/admin/users");
     const hasForbiddenText = await page
       .locator("text=/forbidden|permission|access denied|not authorized|unauthorized/i")
+      .first()
       .isVisible()
       .catch(() => false);
 
@@ -72,20 +70,45 @@ test.describe("RBAC — admin routes", () => {
   });
 });
 
-test.describe("RBAC — allocations access", () => {
+test.describe("RBAC — /admin/users blocked for viewer", () => {
+  test.use({ storageState: STORAGE_STATE.viewer });
+
+  test("viewer is redirected or sees an error on /admin/users", async ({ page }) => {
+    await page.goto("/admin/users");
+    await page.waitForLoadState("networkidle");
+
+    const isRedirected = !page.url().includes("/admin/users");
+    const hasForbiddenText = await page
+      .locator("text=/forbidden|permission|access denied|not authorized|unauthorized/i")
+      .first()
+      .isVisible()
+      .catch(() => false);
+
+    expect(isRedirected || hasForbiddenText).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Allocations access by role
+// ---------------------------------------------------------------------------
+
+test.describe("RBAC — allocations permitted for admin", () => {
+  test.use({ storageState: STORAGE_STATE.admin });
+
   test("admin can view /allocations without permission errors", async ({ page }) => {
-    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
     await page.goto("/allocations");
     await page.waitForLoadState("networkidle");
 
-    // Should NOT show the FORBIDDEN/permission-denied overlay
     await expect(
       page.locator("text=/do not have permission to view allocations/i"),
     ).toHaveCount(0, { timeout: 8000 });
   });
+});
+
+test.describe("RBAC — allocations permitted for manager", () => {
+  test.use({ storageState: STORAGE_STATE.manager });
 
   test("manager can view /allocations without permission errors", async ({ page }) => {
-    await signIn(page, DEV_USERS.manager.email, DEV_USERS.manager.password);
     await page.goto("/allocations");
     await page.waitForLoadState("networkidle");
 
@@ -93,30 +116,56 @@ test.describe("RBAC — allocations access", () => {
       page.locator("text=/do not have permission to view allocations/i"),
     ).toHaveCount(0, { timeout: 8000 });
   });
+});
+
+test.describe("RBAC — allocations forbidden for viewer", () => {
+  test.use({ storageState: STORAGE_STATE.viewer });
 
   test("viewer sees a permission error on /allocations", async ({ page }) => {
-    await signIn(page, DEV_USERS.viewer.email, DEV_USERS.viewer.password);
     await page.goto("/allocations");
     await page.waitForLoadState("networkidle");
 
-    // AllocationsClient renders a permission-denied message when tRPC returns FORBIDDEN
+    // AllocationsClient renders the message in both the page subtitle and the card body;
+    // use .first() to avoid strict-mode violation.
     await expect(
-      page.locator("text=/permission|forbidden|not have permission/i"),
+      page.locator("text=/permission|forbidden|not have permission/i").first(),
     ).toBeVisible({ timeout: 10000 });
   });
 });
 
-test.describe("RBAC — dashboard loads for all roles", () => {
-  for (const [role, creds] of Object.entries(DEV_USERS)) {
-    test(`${role} dashboard loads without errors`, async ({ page }) => {
-      await signIn(page, creds.email, creds.password);
-      await page.goto("/dashboard");
-      await page.waitForLoadState("networkidle");
+// ---------------------------------------------------------------------------
+// Dashboard loads for every role
+// ---------------------------------------------------------------------------
 
-      // Should be on dashboard, not bounced to sign-in
-      await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
-      // No unhandled error overlay
-      await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
-    });
-  }
+test.describe("RBAC — dashboard (admin)", () => {
+  test.use({ storageState: STORAGE_STATE.admin });
+
+  test("admin dashboard loads without errors", async ({ page }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+    await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
+    await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
+  });
+});
+
+test.describe("RBAC — dashboard (manager)", () => {
+  test.use({ storageState: STORAGE_STATE.manager });
+
+  test("manager dashboard loads without errors", async ({ page }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+    await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
+    await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
+  });
+});
+
+test.describe("RBAC — dashboard (viewer)", () => {
+  test.use({ storageState: STORAGE_STATE.viewer });
+
+  test("viewer dashboard loads without errors", async ({ page }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+    await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
+    await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
+  });
 });