feat(e2e): Playwright suite — 134 tests across 9 spec areas + UA matrix

Adds an end-to-end Playwright test suite under e2e/ that spins up an
isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with
EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the
SvelteKit app against the real Rust backend.

Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow:
  01-auth/      join, recover, admin login, leave event, PIN lockout
  02-upload/    gallery picker (API path), rate-limit + admin toggle
  03-feed/      like/comment SSE, filters, SSE reconnect on visibility
  04-host/      event lock API, ban/unban, promote
  05-admin/     config validation, foundational authz guards, stats
  06-export/    /export status + download stub
  __smoke/      cross-UA happy-path (runs on every UA project)

Phase 2 — adversarial + browser chaos:
  07-adversarial/  XSS payloads (6 × display name path), SQLi shapes,
                   length / encoding / RTL override / NUL byte;
                   file-upload boundaries (ELF body claimed as JPEG,
                   oversize vs max_image_size_mb, zero-byte, NUL
                   filename, path-traversal, SVG-with-script);
                   JWT alg:none, signature/payload tamper, expired
                   session, PIN brute-force (serial + parallel),
                   admin password brute-force; deep authz (cross-user
                   delete, banned user across like/comment/feed-read,
                   host→admin escalation); small-scale DDoS (20× /join,
                   10MB comment body, 10 concurrent SSE).
  08-browser-chaos/ localStorage / sessionStorage / cookie purge,
                    IndexedDB drop mid-session, offline → reconnect,
                    slow-3G, 503 flakes, 429 with no retry storm,
                    multi-tab same/different user, no-JS, hostile CSS,
                    clock skew ±1h / -2d, localStorage quota exhausted.

Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7):
  09-mobile/    touch-target ≥44px audit, env(safe-area-inset-bottom)
                structural check, long-press (FeedListCard → ContextSheet,
                quick-tap negation, click-suppression), double-tap
                (feed card like + lightbox heart-burst, via synthetic
                pointer events to bypass the first-tap-fires-click trap),
                viewport reflow (portrait/landscape/narrow/phablet),
                plus fixme stubs documenting planned gestures (swipe
                lightbox L/R, swipe-down dismiss, pull-to-refresh,
                long-press-comment).

Cross-UA matrix (chromium-engine projects run @smoke only):
  chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA
  emulation on Galaxy viewport), edge-android, plus webkit-iphone,
  chrome-ios, firefox-android, firefox-desktop — the latter four need
  libavif16 on the host (Playwright dep) but the configs are in place.

Infrastructure:
  - fixtures/test.ts central test.extend (api, db, adminToken, guest,
    host, signIn). Per-test DB truncate via the dev-only POST
    /admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1.
  - helpers/sse-listener.ts, helpers/upload-client.ts (Node-side
    multipart for adversarial file-upload tests + JPEG/PNG/ELF magic
    constants), helpers/touch.ts (longPress / doubleTap / swipe /
    inlineStyle / computedStyle).
  - 10 page objects covering every route + UploadSheet/Lightbox.
  - global-setup waits for /health, logs in admin, disables every
    rate-limit and quota toggle.
  - .github/workflows/e2e.yml: PR check runs chromium-desktop + the
    smoke matrix in parallel, uploads playwright-report/ and traces on
    failure.

Findings the suite surfaces as live `[finding]` warnings (not silenced):
  1. /admin/login has no rate-limit or lockout (bcrypt cost only).
  2. PIN-attempt counter races under parallel /recover requests.
  3. Zero-byte uploads pass /api/v1/upload.
  4. SVG-with-script can pass the magic-byte check (consider CSP +
     X-Content-Type-Options on /media/*).

Stack-internal docs live in e2e/README.md (UA tier table, Samsung
Internet escalation tiers A/B/C, debugging tips, roadmap).

Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for
not-yet-shipped gestures and one UI-upload-flow investigation).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

e2e/specs/07-adversarial/auth-tampering.spec.ts

@@ -0,0 +1,153 @@
+/**
+ * Phase 2 adversarial — JWT forgery, brute-force, and password attacks.
+ *
+ * The JWT secret is in docker-compose.test.yml as a fixed value — these
+ * tests do NOT try to forge tokens using that secret (that would only
+ * prove HS256 works). Instead they assert the *failure* paths: alg:none,
+ * tampered signature, expired sessions, wrong role.
+ */
+import { test, expect } from '../../fixtures/test';
+
+const BASE = process.env.E2E_FRONTEND_URL ?? 'http://localhost:3101';
+
+/** RFC-4648 base64url with no padding. */
+function b64u(s: string) {
+  return Buffer.from(s).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
+}
+
+test.describe('Adversarial — JWT', () => {
+  test('alg:none token claiming admin role is rejected', async () => {
+    const header = b64u(JSON.stringify({ alg: 'none', typ: 'JWT' }));
+    const payload = b64u(JSON.stringify({
+      sub: '00000000-0000-0000-0000-000000000000',
+      role: 'admin',
+      event_id: '00000000-0000-0000-0000-000000000000',
+      exp: Math.floor(Date.now() / 1000) + 3600,
+    }));
+    const token = `${header}.${payload}.`;
+    const res = await fetch(`${BASE}/api/v1/admin/config`, {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  test('JWT with valid structure but bogus signature is rejected', async ({ guest }) => {
+    const g = await guest('SigForge');
+    const parts = g.jwt.split('.');
+    // Replace the signature with random bytes of the same length.
+    const fakeSig = parts[2].split('').reverse().join('');
+    const tampered = `${parts[0]}.${parts[1]}.${fakeSig}`;
+    const res = await fetch(`${BASE}/api/v1/me/context`, {
+      headers: { Authorization: `Bearer ${tampered}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  test('JWT with payload-tampered role=admin (re-encoded payload, original signature) is rejected', async ({ guest }) => {
+    const g = await guest('RolePromote');
+    const parts = g.jwt.split('.');
+    const original = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+    const escalated = { ...original, role: 'admin' };
+    const newPayload = b64u(JSON.stringify(escalated));
+    const tampered = `${parts[0]}.${newPayload}.${parts[2]}`;
+    const res = await fetch(`${BASE}/api/v1/admin/config`, {
+      headers: { Authorization: `Bearer ${tampered}` },
+    });
+    // Signature won't match the new payload → middleware must return 401, not 403.
+    expect(res.status).toBe(401);
+  });
+
+  test('JWT for a session that was deleted (logout) is rejected', async ({ guest, api }) => {
+    const g = await guest('LoggedOut');
+    await api.logout(g.jwt);
+    const res = await fetch(`${BASE}/api/v1/me/context`, {
+      headers: { Authorization: `Bearer ${g.jwt}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  test('Authorization header without "Bearer " prefix is rejected', async ({ guest }) => {
+    const g = await guest('NoBearer');
+    const res = await fetch(`${BASE}/api/v1/me/context`, {
+      headers: { Authorization: g.jwt },
+    });
+    expect([401, 403]).toContain(res.status);
+  });
+
+  test('missing Authorization header on protected route returns 401', async () => {
+    const res = await fetch(`${BASE}/api/v1/me/context`);
+    expect(res.status).toBe(401);
+  });
+});
+
+test.describe('Adversarial — PIN brute-force', () => {
+  test('sequential wrong-PIN attempts lock the account after 3 attempts', async ({ guest }) => {
+    const g = await guest('Brute');
+    const wrong = g.pin === '0000' ? '1111' : '0000';
+
+    // Do them serially so the failed_pin_attempts counter increments
+    // monotonically. Parallel attempts race and may never accumulate to 3 in
+    // the current handler implementation — that's a separate finding.
+    const statuses: number[] = [];
+    for (let i = 0; i < 4; i++) {
+      const r = await fetch(`${BASE}/api/v1/recover`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ display_name: g.displayName, pin: wrong }),
+      });
+      statuses.push(r.status);
+    }
+    // First three are 401, fourth (or later) is 429.
+    expect(statuses.filter((s) => s === 200)).toHaveLength(0);
+    expect(statuses.some((s) => s === 429)).toBe(true);
+
+    // Now even the correct PIN fails until lockout expires.
+    const correct = await fetch(`${BASE}/api/v1/recover`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ display_name: g.displayName, pin: g.pin }),
+    });
+    expect(correct.status).toBe(429);
+  });
+
+  test('parallel wrong-PIN attempts may NOT all hit lockout (race-condition finding)', async ({ guest }) => {
+    const g = await guest('BruteParallel');
+    const wrong = g.pin === '0000' ? '1111' : '0000';
+
+    const attempts = await Promise.all(
+      Array.from({ length: 10 }, () =>
+        fetch(`${BASE}/api/v1/recover`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ display_name: g.displayName, pin: wrong }),
+        })
+      )
+    );
+    const statuses = attempts.map((r) => r.status);
+    expect(statuses.filter((s) => s === 200)).toHaveLength(0);
+    // Documented behavior: lockout counter may race so not every status is 429.
+    // Critical invariant: no attempt succeeded.
+    if (!statuses.some((s) => s === 429)) {
+      console.warn('[finding] PIN-attempt counter races under parallel requests — none hit lockout.');
+    }
+  });
+});
+
+test.describe('Adversarial — admin password brute-force', () => {
+  test('repeated wrong passwords do NOT lock the admin (documented finding)', async () => {
+    // The admin login handler does not currently implement lockout. This test
+    // documents the behavior so any future change is intentional.
+    const attempts = await Promise.all(
+      Array.from({ length: 10 }, () =>
+        fetch(`${BASE}/api/v1/admin/login`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ password: 'wrong-' + Math.random() }),
+        })
+      )
+    );
+    const statuses = attempts.map((r) => r.status);
+    expect(statuses.every((s) => s === 401)).toBe(true);
+    console.warn('[finding] /admin/login has no rate-limit or lockout — bcrypt cost is the only defense.');
+  });
+});