Stirling-Tools
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 130 additions & 5 deletions b/‎.github/workflows/build.yml‎
Lines changed: 130 additions & 5 deletions
diff --git a/‎frontend/playwright.config.ts‎
Lines changed: 24 additions & 0 deletions b/‎frontend/playwright.config.ts‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎frontend/src/core/tests/enterprise/license-and-features.spec.ts‎
Lines changed: 97 additions & 0 deletions b/‎frontend/src/core/tests/enterprise/license-and-features.spec.ts‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎frontend/src/core/tests/enterprise/oauth-keycloak-login.spec.ts‎
Lines changed: 46 additions & 0 deletions b/‎frontend/src/core/tests/enterprise/oauth-keycloak-login.spec.ts‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎frontend/src/core/tests/enterprise/saml-keycloak-login.spec.ts‎
Lines changed: 43 additions & 0 deletions b/‎frontend/src/core/tests/enterprise/saml-keycloak-login.spec.ts‎
Lines changed: 43 additions & 0 deletions
@@ -401,16 +401,17 @@ jobs:
         run: task frontend:test:e2e:install -- chromium
       - name: Start Spring Boot backend (background)
         env:
-          # Match the admin/admin credentials hard-coded in the live test helpers.
-          # Without these the backend falls back to the default admin/stirling user
-          # (see InitialSecuritySetup.createDefaultAdminUser) and every login fails.
-          SECURITY_INITIALLOGIN_USERNAME: admin
-          SECURITY_INITIALLOGIN_PASSWORD: admin
           # Suppress the analytics opt-in modal that fires on first admin login when
           # enableAnalytics is null (see Onboarding.tsx). The modal renders a Mantine
           # overlay that intercepts pointer events on every tool page until dismissed,
           # which causes every "click run button" assertion in the live suite to fail.
           SYSTEM_ENABLEANALYTICS: "false"
+        # NOTE: SECURITY_INITIALLOGIN_USERNAME/PASSWORD are intentionally NOT set.
+        # The live-setup project's bootstrap spec performs the real first-login
+        # flow against the backend's default admin/stirling user, exercising the
+        # forced-password-change UI and leaving the DB at admin/adminadmin for
+        # the rest of the live suite. This is both real coverage of the first-
+        # login flow and a stronger seed than env-var-driven user creation.
         run: |
           nohup ./gradlew :stirling-pdf:bootRun > /tmp/backend.log 2>&1 &
           echo $! > /tmp/backend.pid
@@ -458,6 +459,130 @@ jobs:
           path: frontend/playwright-report/
           retention-days: 7
 
+  playwright-e2e-enterprise:
+    # Enterprise suite — exercises premium-key gated features (audit, teams,
+    # analytics export) plus full OAuth + SAML logins via the Keycloak compose
+    # stacks under testing/compose. Skipped automatically when the secret is
+    # absent (forks, dependabot) so the job is opt-in for trusted PRs.
+    if: needs.files-changed.outputs.frontend == 'true' && secrets.PREMIUM_KEY_ENTERPRISE != ''
+    needs: files-changed
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    env:
+      PREMIUM_KEY: ${{ secrets.PREMIUM_KEY_ENTERPRISE }}
+      PREMIUM_ENABLED: "true"
+      SYSTEM_ENABLEANALYTICS: "false"
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        with:
+          egress-policy: audit
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Set up JDK 25
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        with:
+          java-version: "25"
+          distribution: "temurin"
+      - name: Set up Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: "22"
+          cache: "npm"
+          cache-dependency-path: frontend/package-lock.json
+      - name: Install Task
+        uses: go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44 # v2.0.0
+      - name: Install Playwright (chromium only)
+        run: task frontend:test:e2e:install -- chromium
+
+      # ───────── OAuth round-trip ─────────
+      - name: Bring up Keycloak + Stirling-PDF (OAuth)
+        working-directory: testing/compose
+        run: docker compose -f docker-compose-keycloak-oauth.yml up -d --build
+      - name: Wait for OAuth stack ready
+        working-directory: testing/compose
+        run: |
+          for i in $(seq 1 60); do
+            if bash validate-oauth-test.sh; then
+              exit 0
+            fi
+            sleep 5
+          done
+          docker compose -f docker-compose-keycloak-oauth.yml logs --tail=200
+          exit 1
+      - name: Run enterprise OAuth Playwright tests
+        id: oauth-tests
+        run: task frontend:test:e2e -- --project=enterprise --grep "OAuth"
+      - name: Tear down OAuth stack
+        if: always()
+        working-directory: testing/compose
+        run: docker compose -f docker-compose-keycloak-oauth.yml down -v
+
+      # ───────── SAML round-trip ─────────
+      - name: Bring up Keycloak + Stirling-PDF (SAML)
+        working-directory: testing/compose
+        run: docker compose -f docker-compose-keycloak-saml.yml up -d --build
+      - name: Wait for SAML stack ready
+        working-directory: testing/compose
+        run: |
+          for i in $(seq 1 60); do
+            if bash validate-saml-test.sh; then
+              exit 0
+            fi
+            sleep 5
+          done
+          docker compose -f docker-compose-keycloak-saml.yml logs --tail=200
+          exit 1
+      - name: Run enterprise SAML Playwright tests
+        id: saml-tests
+        run: task frontend:test:e2e -- --project=enterprise --grep "SAML"
+      - name: Tear down SAML stack
+        if: always()
+        working-directory: testing/compose
+        run: docker compose -f docker-compose-keycloak-saml.yml down -v
+
+      # ───────── License-gated feature tests (no IdP needed) ─────────
+      - name: Start backend for feature tests (premium-enabled, no SSO)
+        env:
+          SYSTEM_ENABLEANALYTICS: "false"
+        run: |
+          nohup ./gradlew :stirling-pdf:bootRun > /tmp/backend-ent.log 2>&1 &
+          echo $! > /tmp/backend-ent.pid
+      - name: Wait for backend ready
+        run: |
+          start=$SECONDS
+          for i in $(seq 1 300); do
+            if curl -fsS http://localhost:8080/api/v1/info/status >/dev/null 2>&1; then
+              echo "Backend up after $((SECONDS - start))s"
+              exit 0
+            fi
+            sleep 2
+          done
+          tail -200 /tmp/backend-ent.log || true
+          exit 1
+      - name: Run enterprise feature Playwright tests
+        id: feature-tests
+        run: task frontend:test:e2e -- --project=enterprise --grep "Enterprise license"
+      - name: Print backend log on failure
+        if: failure()
+        run: |
+          echo "::group::Enterprise backend log"
+          tail -500 /tmp/backend-ent.log || true
+          echo "::endgroup::"
+      - name: Stop backend
+        if: always()
+        run: |
+          if [ -f /tmp/backend-ent.pid ]; then
+            kill "$(cat /tmp/backend-ent.pid)" 2>/dev/null || true
+          fi
+      - name: Upload Playwright report
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: playwright-report-enterprise-${{ github.run_id }}
+          path: frontend/playwright-report/
+          retention-days: 7
+
   check-licence:
     if: needs.files-changed.outputs.build == 'true'
     needs: [files-changed, build]
 
@@ -51,11 +51,35 @@ export default defineConfig({
       use: chromiumViewport,
     },
 
+    // Live setup — runs once before the live suite to perform the real
+    // forced-password-change first-login flow against a freshly-booted
+    // backend. The live project depends on it.
+    {
+      name: "live-setup",
+      testDir: "./src/core/tests/live-setup",
+      testMatch: /.*\.setup\.ts$/,
+      use: chromiumViewport,
+    },
+
     // Live backend — auth + admin-mutation + real-tool smoke
     {
       name: "live",
       testDir: "./src/core/tests/live",
       use: chromiumViewport,
+      dependencies: ["live-setup"],
+    },
+
+    // Enterprise — license-gated SSO/SAML/audit/teams against keycloak compose
+    // Uses port 8080 directly (the docker compose stack publishes the
+    // backend's built-in frontend there); the Vite dev server is bypassed
+    // because the OAuth/SAML callback URLs are registered against 8080.
+    {
+      name: "enterprise",
+      testDir: "./src/core/tests/enterprise",
+      use: {
+        ...chromiumViewport,
+        baseURL: "http://localhost:8080",
+      },
     },
 
     // Cross-browser coverage for the stubbed suite (opt-in locally)
 
@@ -0,0 +1,97 @@
+import { test, expect } from "@app/tests/helpers/test-base";
+import { loginAndSetup } from "@app/tests/helpers/login";
+
+/**
+ * Enterprise license validates and unlocks the corresponding feature
+ * surfaces in the admin UI:
+ *   - License panel reports a valid key (no "invalid"/"expired" state)
+ *   - Audit-log section is reachable from settings
+ *   - Team management section is reachable from settings
+ *   - Analytics-export affordance is present for admins
+ *
+ * Requires the backend booted with PREMIUM_KEY set to a real key.
+ */
+test.describe("Enterprise license unlocks admin surfaces", () => {
+  test.beforeEach(async ({ page }) => {
+    await loginAndSetup(page);
+  });
+
+  test("admin settings exposes license / audit / team / analytics sections", async ({
+    page,
+  }) => {
+    test.setTimeout(60_000);
+
+    await page.locator('[data-testid="config-button"]').first().click();
+    await page.waitForTimeout(500);
+
+    // License section — name varies (License, Premium, Subscription)
+    await expect(
+      page.getByText(/license|premium|subscription/i).first(),
+    ).toBeVisible({ timeout: 10_000 });
+
+    // No "invalid license" / "trial expired" warnings should be present
+    await expect(
+      page.getByText(/invalid license|expired|key required/i),
+    ).toHaveCount(0);
+
+    // Audit log section
+    await expect(page.getByText(/audit/i).first()).toBeVisible({
+      timeout: 5_000,
+    });
+
+    // Teams section
+    await expect(page.getByText(/teams/i).first()).toBeVisible({
+      timeout: 5_000,
+    });
+  });
+
+  test("audit log surface lists at least one event after a tool action", async ({
+    page,
+  }) => {
+    test.setTimeout(90_000);
+
+    // Generate one audit-worthy action: open settings (admin-only navigation)
+    await page.locator('[data-testid="config-button"]').first().click();
+    await page.waitForTimeout(500);
+
+    const auditNav = page.getByText(/audit/i).first();
+    if (!(await auditNav.isVisible({ timeout: 5_000 }).catch(() => false))) {
+      test.skip(true, "Audit section not reachable on this build");
+      return;
+    }
+    await auditNav.click();
+    await page.waitForTimeout(1_000);
+
+    // Either a table, a list of events, or "no events" empty state is fine —
+    // we're asserting the surface renders without an error/blank state.
+    const eventsSurface = page
+      .locator(
+        '[data-testid*="audit"], table, [class*="AuditEvent" i], [class*="audit-table" i]',
+      )
+      .first();
+    await expect(eventsSurface).toBeVisible({ timeout: 10_000 });
+  });
+
+  test("admin can reach team management and create-team affordance is present", async ({
+    page,
+  }) => {
+    test.setTimeout(60_000);
+
+    await page.locator('[data-testid="config-button"]').first().click();
+    await page.waitForTimeout(500);
+
+    const teamsNav = page.getByText(/^teams$/i).first();
+    if (!(await teamsNav.isVisible({ timeout: 5_000 }).catch(() => false))) {
+      test.skip(true, "Teams section not reachable on this build");
+      return;
+    }
+    await teamsNav.click();
+    await page.waitForTimeout(500);
+
+    await expect(
+      page
+        .getByRole("button", { name: /create team|new team|add team/i })
+        .first(),
+    ).toBeVisible({ timeout: 10_000 });
+  });
+});
@@ -0,0 +1,46 @@
+import { test, expect } from "@playwright/test";
+import { ensureCookieConsent } from "@app/tests/helpers/login";
+
+/**
+ * OAuth login round-trip via Keycloak.
+ *
+ * Requires the docker-compose-keycloak-oauth stack to be running:
+ *   - Keycloak on http://localhost:9080 with realm `stirling-oauth`
+ *   - Stirling-PDF on http://localhost:8080 with PREMIUM_KEY set
+ *
+ * Test user: oauthuser@example.com / oauthpassword (per
+ * testing/compose/keycloak-realm-oauth.json).
+ */
+test.describe("Enterprise OAuth login (Keycloak)", () => {
+  test("clicking the Keycloak provider redirects, authenticates, and lands on home", async ({
+    page,
+  }) => {
+    test.setTimeout(90_000);
+
+    await ensureCookieConsent(page);
+    await page.goto("/login", { waitUntil: "domcontentloaded" });
+
+    // The login page shows OAuth buttons rendered from app-config.oauth2
+    const keycloakBtn = page
+      .locator('a[href*="oauth2/authorization/keycloak"]')
+      .or(page.getByRole("button", { name: /keycloak|continue with/i }))
+      .first();
+    await expect(keycloakBtn).toBeVisible({ timeout: 10_000 });
+    await keycloakBtn.click();
+
+    // We are now on the Keycloak login page (different origin)
+    await page.waitForURL(/\/realms\/stirling-oauth\/protocol\/openid-connect/);
+
+    await page.locator("#username").fill("oauthuser@example.com");
+    await page.locator("#password").fill("oauthpassword");
+    await page.locator('input[type="submit"], button[type="submit"]').click();
+
+    // Back on Stirling-PDF, authenticated
+    await page.waitForURL((url) => !url.pathname.includes("/login"), {
+      timeout: 30_000,
+    });
+    await expect(
+      page.getByRole("link", { name: /^Tools$/i }).first(),
+    ).toBeVisible({ timeout: 15_000 });
+  });
+});
@@ -0,0 +1,43 @@
+import { test, expect } from "@playwright/test";
+import { ensureCookieConsent } from "@app/tests/helpers/login";
+
+/**
+ * SAML login round-trip via Keycloak.
+ *
+ * Requires the docker-compose-keycloak-saml stack:
+ *   - Keycloak on http://localhost:9080 with realm `stirling-saml`
+ *   - Stirling-PDF on http://localhost:8080 with PREMIUM_KEY set and
+ *     security.saml2.enabled=true
+ */
+test.describe("Enterprise SAML login (Keycloak)", () => {
+  test("SAML provider button completes the IdP redirect and signs the user in", async ({
+    page,
+  }) => {
+    test.setTimeout(90_000);
+
+    await ensureCookieConsent(page);
+    await page.goto("/login", { waitUntil: "domcontentloaded" });
+
+    const samlBtn = page
+      .locator('a[href*="saml"], a[href*="saml2"]')
+      .or(page.getByRole("button", { name: /saml|authentik|keycloak/i }))
+      .first();
+    await expect(samlBtn).toBeVisible({ timeout: 10_000 });
+    await samlBtn.click();
+
+    await page.waitForURL(/\/realms\/stirling-saml\/protocol\/saml/, {
+      timeout: 30_000,
+    });
+
+    await page.locator("#username").fill("samluser@example.com");
+    await page.locator("#password").fill("samlpassword");
+    await page.locator('input[type="submit"], button[type="submit"]').click();
+
+    await page.waitForURL((url) => !url.pathname.includes("/login"), {
+      timeout: 30_000,
+    });
+    await expect(
+      page.getByRole("link", { name: /^Tools$/i }).first(),
+    ).toBeVisible({ timeout: 15_000 });
+  });
+});