Use this section as the current normative supplement when older sections are silent on late-stage browser regressions.
- Cursor pagination must separate the request cursor from the response `next_cursor`. If a page updates request state directly from the response on initial load, add a regression test proving it does not auto-fetch follow-up pages.
- Frontend service adapters must decode backend envelopes by exact field names and must match the shared HTTP client contract exactly. Any admin API shape change requires a service-level regression test and at least one consuming page regression.
- Admin-surface E2E assertions must prefer route, heading, role, or labeled-control locators. Broad text matching is not sufficient when the same text can appear in menus, cards, tables, and toasts.
- When `cd frontend/admin && npm.cmd run e2e:full:win` fails in the late suite, triage in this order: backend contract mismatch, page-state or pagination bug, selector assumption bug, then CDP or browser-runtime instability.
- Browser-suite retry code must refresh mutable preconditions such as `admin_bootstrap_required` from live backend capabilities before re-running scenarios against the same backend state.
- When the supported browser gate changes from red to green or from green to red, update `docs/status/REAL_PROJECT_STATUS.md`, `docs/team/QUALITY_STANDARD.md`, `docs/team/TECHNICAL_GUIDE.md`, and `docs/team/PROJECT_EXPERIENCE_SUMMARY.md` in the same batch.
## 2026-04-23 Password Reset And CDP Stability Supplement
- Capability endpoints must reflect real mounted-route availability. If password reset, email code, SMS code, or similar auth routes are conditionally mounted, the matching capability flags must be derived from the same condition or explicitly synchronized at assembly time.
- A new auth or session browser scenario only counts as accepted when the targeted scenario is green and the full supported browser gate `cd frontend/admin && npm.cmd run e2e:full:win` is green on the same branch state.
- Playwright CDP recovery must attempt connection-level recovery when the persistent page disappears late in the suite. Declaring failure before trying to reconnect is not an acceptable steady-state gate design.
## 2026-04-23 Permissions CRUD And Full Matrix Governance Supplement
Use this section as the current supplement when older sections do not cover permissions CRUD closure or runner-observation mismatches.
- If a frontend adapter normalizes backend enums or status values, the regression set must cover three layers on the same change: raw backend payload acceptance, normalized frontend read shape, and outbound write serialization.
- Shared auth clients must attach the current non-expired access token immediately. An unrelated refresh already in flight is not a valid reason to downgrade a request to missing auth.
- When a supported browser scenario depends on real network proof and CDP request or response observers miss the call, use evidence derived from the real page fetch path before classifying the failure as product behavior. Runner instrumentation must not silently redefine a healthy product as broken.
- Modal, drawer, or overlay transitions that still intercept input after close has started must be treated as first-class E2E timing constraints. Wait for interaction blocking to stop, not only for a broad visibility assertion.
- Backend handlers that accept admin CRUD writes must remain compatible with the payload forms actually sent by the current browser client during rollout, including numeric enum values such as permission `type=0` and mixed numeric or string status updates when those paths are supported.
- Supported build commands are part of the release gate. If Vite or another build tool requires an explicit project root or equivalent configuration for the documented command to pass, fix the project config rather than relying on an ad hoc wrapper or local shell state.
- If a form includes UI-only fields such as `confirm_password`, outbound service code must strip or remap those fields before hitting the API. UI form names are not a valid substitute for the backend write contract.
- Service regression tests for write paths must assert the exact payload sent into the shared HTTP client, not only the values collected from the component or form layer.
- Browser-runner fetch or response waiters must be action-scoped. A waiter that can outlive a failed action and later crash with a page-closed error is not acceptable verification infrastructure.
- The supported Windows browser gate may share one real backend and one real test database while still isolating browser processes per scenario. Reusing a single long-lived browser is not a quality requirement when the browser runtime itself is the unstable component.
- If browser-runtime instability is external to the product and reproducible across Chromium variants, recover at the scenario boundary with a fresh browser before classifying the supported gate as inherently flaky.
- The supported wrapper and the Playwright runner must derive selected scenario names from one shared source of truth. Duplicated scenario lists are a governance bug because they can make filtered evidence disagree with the documented main gate.
- A path parameter is never sufficient authorization for an owner-scoped resource. For endpoints such as `/devices/:id`, `/users/:id/password`, and similar resource-by-id APIs, the handler must pass actor identity into the service layer and the service layer must re-check ownership or admin privilege before reading or mutating the resource.
- IDOR regression coverage for owner-scoped resources must include at least one non-owner read attempt, one non-owner mutation attempt, one non-owner destructive attempt, and one privileged state-change attempt such as trust, status, or reset semantics. Include one admin positive path when admin access is part of the contract.
