- global-setup.ts: create reset-test@planarchy.dev directly via DB
(argon2id hash computed in Node.js, inserted via docker exec psql stdin
with correct camelCase quoted column names + createdAt/updatedAt;
ON_ERROR_STOP=1 so failures propagate rather than being swallowed)
- helpers.ts: resetPasswordViaApi now updates passwordHash directly in DB
(bypasses tRPC batch mutation format issues entirely);
getLatestEmailTo decodes MIME parts per Content-Transfer-Encoding
(quoted-printable soft line breaks were truncating 64-char tokens to ~14 chars)
- invite-flow.spec.ts: use fresh unauthenticated browser context for
the invite accept page (admin context was inheriting cookies)
- docker-compose.yml: hardcode SMTP_HOST=mailhog for Docker app service
(host .env value localhost doesn't reach Mailhog inside Docker network)
All 3 email E2E tests pass: invite flow, password reset flow, invalid token.
Co-Authored-By: claude-flow <ruv@ruv.net>
Fixes 8 failures from the first test run:
1. Rate limiter exhaustion (5/8 failures)
Admin was logged in 9× across the suite, hitting the 5/15min auth
limit. Fix: global-setup.ts logs in once per role and saves storage
state; all non-login tests use storageState so they skip the form.
Total admin logins per suite run: 3 (global setup + 2 explicit tests).
2. Strict-mode violations (2/8 failures)
toBeVisible() matched 3 email cells / 2 permission-error nodes.
Fix: .first() on both locators.
3. Auth.js v5 signout confirmation page (1/8 failures)
GET /auth/signout renders a confirm form rather than immediately
redirecting. Fix: signOut() helper clicks the submit button.
Note: running the suite right after a previous run may fail if the
in-memory rate limit hasn't reset (15-min window). Restart the dev
server, or add E2E_TEST_MODE=true to apps/web/.env.local to bypass.
Co-Authored-By: claude-flow <ruv@ruv.net>
Hartmut