test(e2e): role-shadowing specs in apps + scripts suites

Lifts loginAsUserToken + pageWithUserToken out of members.spec.ts into
fixtures/role-page.ts (third file that needs them). Adds shadowing
coverage: viewer member sees no New-app / Add-domain / Settings / Save
/ +Add-route, editor sees Save but no Delete header, and CodeMirror
renders contenteditable=false for viewers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

dashboard/tests/e2e/scripts/scripts.spec.ts

@@ -2,6 +2,41 @@ import { expect, type Page } from '@playwright/test';
 import { test } from '../fixtures/ids';
 import { CleanupRegistry } from '../fixtures/cleanup';
 import { adminApi } from '../fixtures/api';
+import { loginAsUserToken, pageWithUserToken } from '../fixtures/role-page';
+
+const MEMBER_PW = 'e2e-member-pw';
+
+async function seedAppScriptAndMember(opts: {
+	slug: string;
+	username: string;
+	role: 'viewer' | 'editor';
+}): Promise<{ scriptId: string; userId: string }> {
+	const api = await adminApi();
+	try {
+		const appRes = await api.post('/api/v1/admin/apps', {
+			data: { slug: opts.slug, name: opts.slug }
+		});
+		expect(appRes.ok()).toBe(true);
+		const appId = ((await appRes.json()) as { id: string }).id;
+		const scriptRes = await api.post('/api/v1/admin/scripts', {
+			data: { app_id: appId, name: `${opts.slug}-sc`, source: HELLO_RHAI }
+		});
+		expect(scriptRes.ok()).toBe(true);
+		const scriptId = ((await scriptRes.json()) as { id: string }).id;
+		const userRes = await api.post('/api/v1/admin/admins', {
+			data: { username: opts.username, password: MEMBER_PW, instance_role: 'member' }
+		});
+		expect(userRes.ok()).toBe(true);
+		const userId = ((await userRes.json()) as { id: string }).id;
+		const memberRes = await api.post(`/api/v1/admin/apps/${opts.slug}/members`, {
+			data: { user_id: userId, role: opts.role }
+		});
+		expect(memberRes.ok()).toBe(true);
+		return { scriptId, userId };
+	} finally {
+		await api.dispose();
+	}
+}
 
 // Phase B3 — Scripts CRUD + Editor. The script editor lives at
 // /admin/scripts/{id}. Setup uses the API to create the app (and
@@ -175,6 +210,105 @@ test.describe('B3 settings', () => {
 	});
 });
 
+test.describe('B3 scripts role shadowing', () => {
+	test('viewer: no Delete header, no Save/Format on Edit, no Add route on Routing', async ({
+		browser,
+		uniqueSlug,
+		uniqueUsername
+	}) => {
+		const slug = uniqueSlug('vscr');
+		const username = uniqueUsername('viewer');
+		const { scriptId, userId } = await seedAppScriptAndMember({
+			slug,
+			username,
+			role: 'viewer'
+		});
+		cleanup.app(slug);
+		cleanup.adminUser(userId);
+
+		const token = await loginAsUserToken(username, MEMBER_PW);
+		const page = await pageWithUserToken(browser, token);
+		try {
+			await page.goto(`/admin/scripts/${scriptId}`);
+			// Header Delete is hidden for non-admins.
+			await expect(page.getByRole('button', { name: /^Delete$/ })).toHaveCount(0);
+			// Save/Format on the Edit tab are hidden for viewers.
+			await expect(page.getByRole('button', { name: /^Save$/ })).toHaveCount(0);
+			await expect(
+				page.locator('.editor-header').getByRole('button', { name: 'Format' })
+			).toHaveCount(0);
+			// Test invoke is still visible (everyone with read access).
+			await expect(page.getByRole('button', { name: /^Send$/ })).toBeVisible();
+			// Routing tab loads, no +Add route.
+			await page.getByRole('button', { name: /Routing/ }).click();
+			await expect(page.getByRole('button', { name: /\+ Add route/ })).toHaveCount(0);
+			// Settings tab is absent for non-admins.
+			await expect(page.getByRole('button', { name: /^Settings$/ })).toHaveCount(0);
+		} finally {
+			await page.context().close();
+		}
+	});
+
+	test('viewer: CodeMirror is read-only', async ({
+		browser,
+		uniqueSlug,
+		uniqueUsername
+	}) => {
+		const slug = uniqueSlug('vro');
+		const username = uniqueUsername('viewer');
+		const { scriptId, userId } = await seedAppScriptAndMember({
+			slug,
+			username,
+			role: 'viewer'
+		});
+		cleanup.app(slug);
+		cleanup.adminUser(userId);
+
+		const token = await loginAsUserToken(username, MEMBER_PW);
+		const page = await pageWithUserToken(browser, token);
+		try {
+			await page.goto(`/admin/scripts/${scriptId}`);
+			const cm = page.locator('.cm-content').first();
+			await expect(cm).toBeVisible();
+			// CodeMirror sets contenteditable=false when EditorView.editable.of(false)
+			// is in effect; that's the canonical signal for read-only mode.
+			await expect(cm).toHaveAttribute('contenteditable', 'false');
+		} finally {
+			await page.context().close();
+		}
+	});
+
+	test('editor: Save visible, Delete header hidden', async ({
+		browser,
+		uniqueSlug,
+		uniqueUsername
+	}) => {
+		const slug = uniqueSlug('escr');
+		const username = uniqueUsername('editor');
+		const { scriptId, userId } = await seedAppScriptAndMember({
+			slug,
+			username,
+			role: 'editor'
+		});
+		cleanup.app(slug);
+		cleanup.adminUser(userId);
+
+		const token = await loginAsUserToken(username, MEMBER_PW);
+		const page = await pageWithUserToken(browser, token);
+		try {
+			await page.goto(`/admin/scripts/${scriptId}`);
+			// Editor sees Save (disabled until the buffer changes — that's fine).
+			await expect(page.getByRole('button', { name: /^Save$/ })).toBeVisible();
+			// Delete stays admin-only.
+			await expect(page.getByRole('button', { name: /^Delete$/ })).toHaveCount(0);
+			// Settings stays admin-only.
+			await expect(page.getByRole('button', { name: /^Settings$/ })).toHaveCount(0);
+		} finally {
+			await page.context().close();
+		}
+	});
+});
+
 test.describe('B3 adversarial', () => {
 	test('infinite loop script hits the sandbox timeout', async ({ page, uniqueSlug }) => {
 		const slug = uniqueSlug('loop');