import { expect, test } from "@playwright/test";

// One canary per shell surface — confirms the route mounts and renders
// SOMETHING the user can see (heading or 403 gate) without OIDC.
// All run signed-out, so role-gated routes land on the NotAuthorized 403.

test.describe("customer-area surfaces @needs-stack", () => {
  const surfaces = [
    { path: "/products",                expected: "403" },
    { path: "/projects",                expected: "403" },
    { path: "/catalog",                 expected: "403" },
    { path: "/settings",                expected: "403" },
    { path: "/settings/users",          expected: "403" },
    { path: "/settings/api-keys",       expected: "403" },
    { path: "/settings/integrations",   expected: "403" },
    { path: "/billing",                 expected: "403" },
    { path: "/audit",                   expected: "403" },
    { path: "/support",                 expected: "403" },
  ];
  for (const { path, expected } of surfaces) {
    test(`acme${path} renders signed-out`, async ({ page }) => {
      await page.goto(path);
      await expect(page.getByRole("heading", { name: new RegExp(expected, "i") })).toBeVisible();
    });
  }
});