test(e2e): expand e2e coverage to account-settings, consent and auto-account-creation

docs/design/testing-gaps.md

@@ -120,6 +120,13 @@ pds-core callback, full OAuth flow).
 - Consider exporting `buildSocialProviders` for direct unit testing.
 - The OTP email wiring is best verified by integration or e2e tests
   that trigger a real OTP flow.
+- `extractOtp` in `e2e/support/mailpit.ts` uses heuristic regex patterns
+  rather than `OTP_LENGTH` / `OTP_CHARSET` env vars. This is slightly flaky
+  by nature — the robust alternative would be keeping those env vars in sync
+  between the deployed service and `e2e/.env`, but that requires manual
+  coordination on every config change and is error-prone across environments
+  (e.g. Railway vs local). The heuristic is preferred since the email
+  templates are in-repo and their structure is stable.
 
 ### 4. `auth-service/src/context.ts` and `index.ts` (0%)
 

e2e/.env.example

@@ -20,6 +20,12 @@ E2E_MAILPIT_URL=https://mailpit.example.com
 E2E_MAILPIT_USER=admin
 E2E_MAILPIT_PASS=
 
+# ── Internal API ──────────────────────────────────────────────────────────────
+# Required for internal-api.feature scenarios. Leave empty to skip them.
+# Must match EPDS_INTERNAL_SECRET on the pds-core service.
+# Copy from the root .env file — it mirrors the Railway environment.
+E2E_EPDS_INTERNAL_SECRET=
+
 # ── Optional ──────────────────────────────────────────────────────────────────
 
 # Set to 'true' to run headless (no visible browser window). Default: false.

e2e/README.md

@@ -91,11 +91,18 @@ the verification code without a real mail server.
 
 ### How the suite uses Mailpit
 
-- **Before each scenario** — the `Before` hook calls
-  `DELETE /api/v1/messages` to wipe the inbox, ensuring a clean slate.
-- **Email steps** — poll `GET /api/v1/search?query=to:<email>` every 500 ms
-  until the OTP email arrives (up to 15 seconds), then fetch the plain-text
-  view at `/view/<id>.txt` and extract the code with a regex.
+- **Scenario hygiene** — the global setup clears any leftover inbox state at
+  suite start, and per-scenario cleanup deletes messages for the scenario's
+  test recipient to avoid cross-scenario bleed.
+- **OTP retrieval** — before triggering OTP send for a recipient, tests clear
+  `to:<email>` via Mailpit search delete. After submit, they poll
+  `GET /api/v1/search?query=to:<email>` every 500 ms until an OTP email
+  arrives.
+- **Why clear before send** — this prevents stale OTP reuse when multiple OTP
+  emails are sent to the same recipient in one scenario (for example composed
+  setup + login, secondary-session login, retries, and resend flows).
+- **Code extraction** — once an email is found, tests fetch
+  `/view/<id>.txt` and extract the OTP with a regex.
 - **Auth** — requests use HTTP Basic auth (`E2E_MAILPIT_USER` /
   `E2E_MAILPIT_PASS`) encoded as an `Authorization: Basic ...` header.
 

e2e/cucumber.mjs

@@ -1,7 +1,12 @@
 export default {
-  paths: ['features/passwordless-authentication.feature'],
+  paths: [
+    'features/passwordless-authentication.feature',
+    'features/automatic-account-creation.feature',
+    'features/consent-screen.feature',
+    'features/account-settings.feature',
+  ],
   import: ['e2e/step-definitions/**/*.ts', 'e2e/support/**/*.ts'],
   format: ['pretty', 'html:reports/e2e.html'],
-  tags: 'not @manual',
+  tags: 'not @manual and not @docker-only and not @pending',
   strict: true,
 }