jlinsights · jlinsights · Jun 5, 2026 · Jun 5, 2026 · coderabbitai · Jun 5, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -110,6 +110,14 @@ jobs:
         run: npm ci
 
       - name: Build application
+        env:
+          DATABASE_URL: postgresql://ci:ci@localhost:5432/asca_ci
+          NEXT_PUBLIC_SUPABASE_URL: https://example.supabase.co
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ci-anon-key
+          SUPABASE_SERVICE_ROLE_KEY: ci-service-role-key
+          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: pk_test_ZHVtbXkuY2xlcmsuYWNjb3VudHMuZGV2JA
+          CLERK_SECRET_KEY: sk_test_ci
+          NEXT_PUBLIC_APP_URL: http://localhost:3000
         run: npm run build
 
       - name: Upload build artifacts

diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -37,10 +37,22 @@ jobs:
       - name: Setup environment variables
         run: |
           # Next.js with NODE_ENV=test loads .env.test (NOT .env.local).
-          # See: https://nextjs.org/docs/app/building-your-application/configuring/environment-variables
-          cp .env.example .env.test
-          cp .env.example .env.local  # safety net for any non-Next consumer
-          # Add any additional environment variables needed for testing
+          # Use structurally valid CI placeholders so Clerk validates during dev-server startup.
+          cat > .env.test <<'EOF'
+          DATABASE_URL="postgresql://ci:ci@localhost:5432/asca_ci"
+          NEXT_PUBLIC_SUPABASE_URL="https://example.supabase.co"
+          NEXT_PUBLIC_SUPABASE_ANON_KEY="ci-anon-key"
+          SUPABASE_SERVICE_ROLE_KEY="ci-service-role-key"
+          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="pk_test_ZHVtbXkuY2xlcmsuYWNjb3VudHMuZGV2JA"
+          CLERK_SECRET_KEY="sk_test_ci"
+          NEXT_PUBLIC_CLERK_SIGN_IN_URL="/sign-in"
+          NEXT_PUBLIC_CLERK_SIGN_UP_URL="/sign-up"
+          NEXT_PUBLIC_CLERK_AFTER_SIGN_IN_URL="/"
+          NEXT_PUBLIC_CLERK_AFTER_SIGN_UP_URL="/"
+          NEXT_PUBLIC_APP_URL="http://localhost:3000"
+          NEXT_PUBLIC_E2E_DISABLE_CLERK="true"
+          EOF
+          cp .env.test .env.local  # safety net for any non-Next consumer
 
       - name: Run Playwright tests
         run: npm run test:e2e:ci

diff --git a/.gitignore b/.gitignore
@@ -43,6 +43,9 @@ next-env.d.ts
 coverage/
 .nyc_output/
 .eslintcache
+playwright-report/
+test-results/
+.playwright-browsers/
 .vercel
 ops/venv/
 

diff --git a/.prettierignore b/.prettierignore
@@ -85,6 +85,8 @@ pnpm-lock.yaml
 # Test outputs
 coverage/
 junit.xml
+playwright-report/
+test-results/
 
 # Marketing/agent context (markdown tables would break under prettier)
 .agents/ 
diff --git a/app/api/members/__tests__/route.test.ts b/app/api/members/__tests__/route.test.ts
@@ -27,12 +27,18 @@ jest.mock('@/lib/security/rate-limit', () => ({
   },
 }))
 
+jest.mock('@clerk/nextjs/server', () => ({
+  auth: jest.fn().mockResolvedValue({ userId: 'test-user-id' }),
+}))
+
 import { describe, test, expect, beforeEach } from '@jest/globals'
 import { NextRequest } from 'next/server'
+import { auth } from '@clerk/nextjs/server'
 import { withPerformanceLog } from '@/lib/db'
 import { GET, POST } from '../route'
 
 const mockWithPerformanceLog = withPerformanceLog as jest.MockedFunction<typeof withPerformanceLog>
+const mockAuth = auth as unknown as jest.MockedFunction<() => Promise<{ userId: string | null }>>
 
 describe('GET /api/members', () => {
   beforeEach(() => {
@@ -159,7 +165,7 @@ describe('GET /api/members', () => {
     await GET(request)
 
     // Assert
-    expect(mockWithPerformanceLog).toHaveBeenCalledWith('members.list', expect.any(Function))
+    expect(mockWithPerformanceLog).toHaveBeenCalledWith('members.listPublic', expect.any(Function))
   })
 })
 
@@ -173,6 +179,24 @@ describe('POST /api/members', () => {
 
   beforeEach(() => {
     jest.clearAllMocks()
+    mockAuth.mockResolvedValue({ userId: 'test-user-id' })
+  })
+
+  test('should return 401 when authentication is missing', async () => {
+    mockAuth.mockResolvedValueOnce({ userId: null })
+
+    const request = new NextRequest('http://localhost:3000/api/members', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(validBody),
+    })
+
+    const response = await POST(request)
+    const data = await response.json()
+
+    expect(response.status).toBe(401)
+    expect(data.success).toBe(false)
+    expect(data.error.code).toBe('UNAUTHORIZED')
   })
 
   test('should create member and return 201 with valid data', async () => {