Add Layer 2 E2E tests: session injection for phone-mode signing

[ottovlotto]

Context

The E2E test suite (#48) uses --suri //Alice dev accounts for all tests. This bypasses the session/phone-signing code path entirely, leaving these flows untested:

• Phone-mode deploy (session signer, allowance checks, mapping checks)
• Session expiry detection
• Logout flow with a real session
• dot init detecting an existing valid session and skipping QR

Blocked on

@polkadot-apps/terminal merged a testing helper (paritytech/polkadot-apps#109) but hasn't published a new npm release yet. Current latest is 0.2.3 — need a release with createTestSession() or equivalent.

Action: Ask the polkadot-apps team to cut a release, then bump @polkadot-apps/terminal in package.json.

What to implement

Once the new version is published:

1. Bump @polkadot-apps/terminal in package.json
2. Add injectSession(account, opts?) helper to e2e/cli/fixtures/accounts.ts that:
   • Creates a temp dir
   • Uses the upstream test helper to write a valid session file
   • Returns the temp HOME path for use with the dot() wrapper's home option
3. Add Layer 2 tests:
   • init.test.ts: init with existing valid session skips QR, reports address
   • init.test.ts: init reports green for allowances when session key is funded
   • session.test.ts: expired session prompts re-auth
   • session.test.ts: logout clears session files correctly
   • deploy.test.ts: phone-mode deploy reaches signing step (can't complete without real phone)
4. Optionally add DOT_SESSION_DIR env var to src/utils/auth.ts for cleaner session dir override (currently using HOME override which works but is broader)

Reference

• E2E test plan: /Users/rebecca/code/playground-cli-e2e-test-plan.md
• Upstream issue: Feature request: expose test helper for synthesizing session files in @polkadot-apps/terminal polkadot-apps#109
• E2E test PR: feat: add E2E integration test suite #48

[ottovlotto]

Note for when this unblocks: #114 hardened two init/session assertions that should be tightened further once createTestSession is available on npm:

• init.test.ts "init with no session prompts for QR scan" — currently fails loudly if init falls into the Login skipped branch. With session injection we can also assert the positive control: a sibling test that injects a valid session and verifies init enters the existing-session branch (skips QR, reports the bound address).

• init.test.ts "init with corrupted session file does not silently succeed" — currently asserts the corrupt file is unchanged on disk. The complement once injection is available: after injecting a valid session, init should report it; after corrupting that session file, init should reject it without erasing.

Both are small follow-ups inside this issue's scope — flagging here so we don't lose the thread.

[ottovlotto]

NB: detail / planned approach overridden by new allowances approach, keeping open as a reminder to add mobile signing tests to the CLI

[ottovlotto]

Note 2026-05-11: body is out of date due to the @polkadot-apps/* → @parity/product-sdk-* namespace rename — the blocker references @polkadot-apps/terminal which is being replaced (target replacement package TBC).

Issue itself stays open: phone-mode / mobile signing tests are still needed. Body should be refreshed once the replacement createTestSession() package is identified.