fix: fix failing CI/CD on dev branch

[N2D4]

Fix three test failures introduced by recent commits on dev:

• projects.test.ts: Add missing allow_localhost field to inline snapshot
• cross-domain-auth.test.ts: Replace plain-object document mock with proper cookie-jar mock (with expiry support) so getAllCookiesClient()'s internal Cookies.set doesn't overwrite test cookies
• cross-domain-auth.test.ts: Use cross-origin afterCallbackRedirectUrl so planRedirectToHandler correctly enters the cross-domain-authorize flow
• Replace all remaining plain-object document mocks with createMockDocument() for consistency

Link to Devin session: https://app.devin.ai/sessions/e0f695fe8704431ab9daad5a74662682
Requested by: @N2D4

Summary by CodeRabbit

• Tests
  • Updated a project endpoint assertion to expect localhost config in current-project responses.
  • Added a stateful cookie simulation helper and converted cross-domain auth tests to use it, improving realism across redirects and nested flows.
• Chores
  • CI workflow adjusted to ensure required workspace packages are installed during emulator CLI builds.
  • Dev startup probe now verifies the generated client is present before proceeding.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-auth-hosted-components	Ready	Preview, Comment	May 22, 2026 9:28pm
stack-auth-mcp	Ready	Preview, Comment	May 22, 2026 9:28pm
stack-auth-skills	Ready	Preview, Comment	May 22, 2026 9:28pm
stack-backend	Ready	Preview, Comment	May 22, 2026 9:28pm
stack-dashboard	Ready	Preview, Comment	May 22, 2026 9:28pm
stack-demo	Ready	Preview, Comment	May 22, 2026 9:28pm
stack-docs	Ready	Preview, Comment	May 22, 2026 9:28pm
stack-preview-backend	Ready	Preview, Comment	May 22, 2026 9:28pm
stack-preview-dashboard	Ready	Preview, Comment	May 22, 2026 9:28pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 61386240-0d87-4969-ae6c-582f0adbc1b8

📥 Commits

Reviewing files that changed from the base of the PR and between b056d92 and 05ccfee.

📒 Files selected for processing (1)

• .github/workflows/qemu-emulator-build.yaml

---

📝 Walkthrough

Walkthrough

Adds a Map-backed test helper createMockDocument() for stateful document.cookie, applies it across many cross-domain auth tests (updates one redirect URL), updates a projects endpoint snapshot, adjusts a pnpm filter in CI, and extends a dev probe to wait for generated Prisma output.

Changes

Test Infrastructure and Expectations Updates

Layer / File(s)	Summary
Cookie mock helper implementation apps/e2e/tests/js/cross-domain-auth.test.ts	Adds createMockDocument() implementing document.cookie backed by a Map, plus a createElement stub.
Cross-domain auth test integrations apps/e2e/tests/js/cross-domain-auth.test.ts	Replaces prior static globalThis.document cookie stubs with createMockDocument() across many cross-domain auth and redirect tests; updates redirectBackUrl so stack_cross_domain_after_callback_redirect_url targets the hosted-domain /after URL.
Projects endpoint snapshot apps/e2e/tests/backend/endpoints/api/v1/projects.test.ts	Updates inline snapshot for "gets current project (internal)" to expect config.allow_localhost: true in the response.
Dev probe: wait for generated Prisma output scripts/wait-for-dev-package-imports.ts	Probe now checks for apps/backend/src/generated/prisma presence and throws an ERR_MODULE_NOT_FOUND-style error when missing so the retry loop can handle it.
Emulator build workflow pnpm filter update .github/workflows/qemu-emulator-build.yaml	Adds @stackframe/dashboard... to pnpm install --filter invocations in the amd64 Build and test job steps and expands comments explaining the reason.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• hexclave/stack-auth#1443: Overlaps at the same projects endpoint snapshot assertions for current project response payload shapes.

Suggested reviewers

• mantrakp04
• nams1570
• BilalG1

Poem

🐰 I mock the cookie, soft and neat,
Map-stored crumbs beneath my feet.
Redirects hop to hosted shores,
Snapshots now with one more score.
Tests twitch whiskers — all is sweet!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main objective: fixing failing CI/CD tests on the dev branch.
Description check	✅ Passed	The description provides a clear breakdown of the three main test failures fixed and the consistency improvements made, with a link to supporting context.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch devin/1779473691-fix-ci-dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This pull request fixes recently introduced E2E test failures on the dev branch by updating test fixtures/mocks to match updated runtime behavior in cross-domain handoff and project config responses.

Changes:

• Update the /api/v1/projects/current inline snapshot to include the newly returned allow_localhost config field.
• Replace a simplistic document.cookie stub with a cookie-jar-backed Document mock so js-cookie writes (via getAllCookiesClient()) don’t overwrite existing test cookies.
• Adjust stack_cross_domain_after_callback_redirect_url to a hosted-domain (cross-origin) URL so the intended cross-domain authorize flow is exercised.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
apps/e2e/tests/js/cross-domain-auth.test.ts	Improves cookie mocking fidelity and updates redirect URL fixture to reliably enter the cross-domain authorize path.
apps/e2e/tests/backend/endpoints/api/v1/projects.test.ts	Updates the current-project snapshot to include allow_localhost in the returned config.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[greptile-apps]

Greptile Summary

This PR fixes three failing e2e tests introduced by recent commits on the dev branch. The fixes are surgical and targeted: a snapshot update, a more faithful document mock, and a corrected URL origin for a cross-domain flow test.

• projects.test.ts: Adds the missing allow_localhost: true field to the inline snapshot for the "gets current project (internal)" test, which was added to the API response by the Cross domain handoffs PR.
• cross-domain-auth.test.ts (cookie mock): Replaces the static { cookie: \"\" } plain-object mock with a Map-backed createMockDocument() that correctly accumulates individual document.cookie = \"name=value\" assignments, preventing getAllCookiesClient()'s internal Cookies.set from clobbering the test-set cookie.
• cross-domain-auth.test.ts (cross-origin URL): Changes stack_cross_domain_after_callback_redirect_url from a same-origin localRedirectUrl to the hosted example-stack-hosted.test domain so that planRedirectToHandler correctly enters the cross-domain-authorize flow.

Confidence Score: 4/5

Safe to merge — all changes are confined to e2e test files and fix legitimate test failures without altering any production logic.

The createMockDocument cookie setter has no expiry/deletion handling, which won't break anything today but leaves a gap if future tests rely on cookie removal. The plain-object mock also persists across many other tests that don't yet set cookies, meaning the root cause could silently resurface there.

apps/e2e/tests/js/cross-domain-auth.test.ts — the remaining plain-object document mocks at multiple locations could cause similar test reliability issues if extended.

Important Files Changed

Filename	Overview
apps/e2e/tests/js/cross-domain-auth.test.ts	Adds createMockDocument() with a Map-based cookie jar to fix two tests that relied on cookie state being preserved across internal Cookies.set calls, and fixes the afterCallbackRedirectUrl to be cross-origin so planRedirectToHandler enters the correct flow.
apps/e2e/tests/backend/endpoints/api/v1/projects.test.ts	Adds missing allow_localhost: true field to the inline snapshot for the "gets current project (internal)" test, matching the field added by the Cross domain handoffs PR.

Comments Outside Diff (1)

1. apps/e2e/tests/js/cross-domain-auth.test.ts, line 68 (link)

   Remaining plain-object document mocks

   Many tests in this file still use the old { cookie: "", createElement: () => ({}) } plain-object mock (lines 68, 110, 141, 176, 287, 342, 398, 439, 477, 518, 570, 614, 643, 674). The root cause fixed in this PR — getAllCookiesClient()'s internal Cookies.set clobbering a static string — would silently affect any of these tests if they were ever extended to assert on cookie state. This isn't a bug today, but it may be worth replacing all occurrences with createMockDocument() for consistency.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: apps/e2e/tests/js/cross-domain-auth.test.ts
   Line: 68
   
   Comment:
   **Remaining plain-object document mocks**
   
   Many tests in this file still use the old `{ cookie: "", createElement: () => ({}) }` plain-object mock (lines 68, 110, 141, 176, 287, 342, 398, 439, 477, 518, 570, 614, 643, 674). The root cause fixed in this PR — `getAllCookiesClient()`'s internal `Cookies.set` clobbering a static string — would silently affect any of these tests if they were ever extended to assert on cookie state. This isn't a bug today, but it may be worth replacing all occurrences with `createMockDocument()` for consistency.
   
   How can I resolve this? If you propose a fix, please make it concise.

   Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
apps/e2e/tests/js/cross-domain-auth.test.ts:5-19
**Cookie deletion not supported in mock**

The `createMockDocument` setter only handles writing cookies but never removes them: if any code path under test calls `document.cookie = "name=; expires=Thu, 01 Jan 1970 00:00:00 GMT"` (the standard deletion pattern), the mock will silently store an empty string value instead of evicting the key. This won't break the two tests being fixed here, but the same mock is now shared infrastructure — any future test that relies on cookie expiry/deletion will see stale values and get a confusing false-positive pass.

### Issue 2 of 2
apps/e2e/tests/js/cross-domain-auth.test.ts:68
**Remaining plain-object document mocks**

Many tests in this file still use the old `{ cookie: "", createElement: () => ({}) }` plain-object mock (lines 68, 110, 141, 176, 287, 342, 398, 439, 477, 518, 570, 614, 643, 674). The root cause fixed in this PR — `getAllCookiesClient()`'s internal `Cookies.set` clobbering a static string — would silently affect any of these tests if they were ever extended to assert on cookie state. This isn't a bug today, but it may be worth replacing all occurrences with `createMockDocument()` for consistency.

_{Reviews (1): Last reviewed commit: "fix: fix failing e2e tests on dev branch" | Re-trigger Greptile}

[greptile-apps]

Cookie deletion not supported in mock

The createMockDocument setter only handles writing cookies but never removes them: if any code path under test calls document.cookie = "name=; expires=Thu, 01 Jan 1970 00:00:00 GMT" (the standard deletion pattern), the mock will silently store an empty string value instead of evicting the key. This won't break the two tests being fixed here, but the same mock is now shared infrastructure — any future test that relies on cookie expiry/deletion will see stale values and get a confusing false-positive pass.

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/e2e/tests/js/cross-domain-auth.test.ts
Line: 5-19

Comment:
**Cookie deletion not supported in mock**

The `createMockDocument` setter only handles writing cookies but never removes them: if any code path under test calls `document.cookie = "name=; expires=Thu, 01 Jan 1970 00:00:00 GMT"` (the standard deletion pattern), the mock will silently store an empty string value instead of evicting the key. This won't break the two tests being fixed here, but the same mock is now shared infrastructure — any future test that relies on cookie expiry/deletion will see stale values and get a confusing false-positive pass.

How can I resolve this? If you propose a fix, please make it concise.

[devin-ai-integration]

Addressed in 8cbe5db — the setter now parses expires= directives and evicts the key when the date is in the past.

[devin-ai-integration]

Also addressed in 8cbe5db — replaced all 12 remaining plain-object { cookie: "", createElement: () => ({}) } mocks with createMockDocument() for consistency.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/e2e/tests/js/cross-domain-auth.test.ts`:
- Around line 5-20: Add a brief explanatory comment immediately above the "as
any" cast in createMockDocument explaining that the cast is intentional because
implementing the full Document interface is impractical for this test mock; note
that the mock intentionally provides only the minimal subset used by tests (the
cookie getter/setter and createElement) and that test coverage validates the
mock's behavior to ensure runtime type-safety. Reference createMockDocument, the
internal cookieJar and the cookie getter/setter and createElement to make clear
which parts are intentionally omitted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b4cbd99f-bd90-452b-bf62-ffd302f8de47

📥 Commits

Reviewing files that changed from the base of the PR and between 197ad09 and e4cfba7.

📒 Files selected for processing (2)

• apps/e2e/tests/backend/endpoints/api/v1/projects.test.ts
• apps/e2e/tests/js/cross-domain-auth.test.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/qemu-emulator-build.yaml:
- Around line 151-156: The workflow's pnpm install for the test job omits the
dashboard package filter even though turbo.json shows
`@stackframe/stack-cli`#build dependsOn
`@stackframe/dashboard`#build:rde-standalone; update the test job's pnpm install
command to include --filter '`@stackframe/dashboard`...' alongside --filter
'`@stackframe/stack-cli`...' so devDependencies for dashboard (e.g., tailwindcss)
are installed, or alternatively add a short comment explaining why the dashboard
build is intentionally excluded despite the dependsOn in turbo.json.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a43f8d85-f5e9-4847-a108-9232bd3bb2ea

📥 Commits

Reviewing files that changed from the base of the PR and between 8cbe5db and b056d92.

📒 Files selected for processing (3)

• .github/workflows/qemu-emulator-build.yaml
• apps/e2e/tests/js/cross-domain-auth.test.ts
• scripts/wait-for-dev-package-imports.ts