✅ e2e: test card activation flow

[cruzdanilo]

---

Summary by CodeRabbit

• Accessibility

  • Added accessibility labels to the card sensitivity toggle for improved screen reader support.

• Chores

  • Enhanced end-to-end testing infrastructure with optimized test flows for card activation, asset operations, and identity verification processes.

[changeset-bot]

🦋 Changeset detected

Latest commit: 9766625

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

This PR refactors Maestro E2E test flows by extracting common conditional patterns into reusable subflows with ARIA support, adds accessibility labels to the card sensitivity toggle, expands panda mocks for comprehensive E2E testing, and updates deployment certificates with a new sandbox domain.

Changes

Cohort / File(s)	Summary
Changesets .changeset/brave-flies-clap.md, .changeset/common-drinks-grow.md, .changeset/hot-buckets-peel.md, .changeset/kind-yaks-jump.md	Four changeset entries tracking patch version bumps for @exactly/mobile and @exactly/server with test flow and accessibility improvements.
Maestro Flow Consolidation .maestro/flows/local.yaml, .maestro/subflows/borrowAsset.yaml, .maestro/subflows/sendAsset.yaml, .maestro/subflows/storeCoverage.yaml, .maestro/subflows/verifyIdentity.yaml	Replaces inline conditional runFlow blocks with external subflow references (tapAria.yaml), reducing code duplication and improving maintainability. Adds new card activation flow sequence.
New ARIA Subflows .maestro/subflows/tapAria.yaml, .maestro/subflows/tapWhileAria.yaml, .maestro/subflows/activateCard.yaml	Introduces reusable subflows for ARIA-based UI interaction patterns with platform-specific logic (web vs non-web) and environment variable-driven behavior for accessibility testing.
Accessibility & Component Updates src/components/card/Card.tsx	Adds aria-label to the card sensitivity toggle indicating "Show sensitive" or "Hide sensitive" state.
E2E Test Infrastructure server/test/e2e.ts, server/vitest.config.mts	Replaces minimal panda mock with comprehensive implementation including autoCredit, createCard, createUser, getCard, getPIN, getSecrets, getUser, isPanda, setPIN, signIssuerOp, updateCard, updateUser; adds PANDA_E2E_PRIVATE_KEY environment variable and crypto import for mock cryptography.
Certificate & Configuration common/pandaCertificate.ts	Adds public key entry for "sandbox.exactly.app" domain and introduces additional default key variant for certificate validation fallback.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• ✅ e2e misc improvements #702: Modifies Maestro flows and introduces ARIA-based accessibility patterns for E2E tests.
• ♻️ misc app improvements #633: Makes overlapping code-level changes across multiple files including Maestro subflows, Card component, and certificate configuration.
• ✅ e2e: add borrow asset flow #710: Updates E2E Maestro flows and test infrastructure with ARIA labels and enhanced panda mocking for loan/amount operations.

Suggested reviewers

• dieguezguille
• nfmelendez

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main focus of the PR: adding comprehensive e2e testing infrastructure and test flows for card activation, including new Maestro subflows, panda mocks, and aria-label enhancements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch e2e

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @cruzdanilo, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a comprehensive end-to-end test for the card activation process, ensuring critical user flows are thoroughly validated. It significantly upgrades the mocking infrastructure for the Panda API, allowing for more robust and realistic simulation of card operations within the test environment. Furthermore, it refactors existing Maestro test flows by extracting common interaction patterns into reusable subflows, which enhances test maintainability and reduces redundancy. An accessibility improvement has also been made to the card component.

Highlights

• New Card Activation E2E Test: A new end-to-end test flow has been added to validate the card activation process, including freezing/unfreezing, PIN viewing, spending limits, and sensitive data display toggling.
• Enhanced Panda API Mocks: The Panda API mocks for e2e tests have been significantly expanded to provide more realistic simulations of user and card management, including secure secret retrieval using Node.js's crypto module.
• Maestro Flow Refactoring: Common Maestro test patterns, such as tapping elements by ARIA label or repeatedly tapping while an element is visible, have been extracted into reusable subflows, improving test maintainability and reducing redundancy.
• Accessibility Improvement: An aria-label has been added to the card sensitive data toggle in the UI, enhancing accessibility for users relying on assistive technologies.

Changelog

• .changeset/brave-flies-clap.md
  • Added a new changeset for @exactly/mobile related to the card activation flow test.
• .changeset/common-drinks-grow.md
  • Added a new changeset for @exactly/server indicating enhancements to Panda mocks for e2e tests.
• .changeset/hot-buckets-peel.md
  • Added a new changeset for @exactly/mobile for adding an ARIA label to the card sensitive toggle.
• .changeset/kind-yaks-jump.md
  • Added a new changeset for @exactly/mobile for extracting Maestro ARIA subflows.
• .maestro/flows/local.yaml
  • Replaced platform-specific runFlow blocks for 'Pending proposals' with the new tapWhileAria.yaml subflow.
  • Updated the borrowAsset flow to use 1 installment instead of 4.
  • Integrated the new activateCard.yaml subflow and related assertions to the local test flow.
• .maestro/subflows/activateCard.yaml
  • Added a new Maestro subflow to test various card functionalities, including activation, freezing/unfreezing, PIN viewing, spending limits, and sensitive data display toggling, with platform-specific logic.
• .maestro/subflows/borrowAsset.yaml
  • Refactored the 'Amount' tap logic to utilize the new tapAria.yaml subflow, removing platform-specific conditional runFlow blocks.
• .maestro/subflows/sendAsset.yaml
  • Refactored the 'Close' tap logic to utilize the new tapAria.yaml subflow, removing platform-specific conditional runFlow blocks.
• .maestro/subflows/storeCoverage.yaml
  • Refactored the 'Settings' tap logic to utilize the new tapAria.yaml subflow, removing platform-specific conditional runFlow blocks.
• .maestro/subflows/tapAria.yaml
  • Added a new Maestro subflow designed to tap on elements identified by their ARIA label, abstracting platform-specific (web vs. non-web) tapping commands.
• .maestro/subflows/tapWhileAria.yaml
  • Added a new Maestro subflow that repeatedly taps on a specified element while another element (identified by its ARIA label) is visible, handling platform differences.
• .maestro/subflows/verifyIdentity.yaml
  • Refactored the 'Back' tap logic to utilize the new tapAria.yaml subflow, removing platform-specific conditional runFlow blocks.
• common/pandaCertificate.ts
  • Added a new public key for the sandbox.exactly.app domain.
  • Updated the default public key configuration.
• server/test/e2e.ts
  • Imported the crypto module from Node.js.
  • Extensively refactored and expanded the vi.mock("../utils/panda") implementation to include comprehensive mock functions for createCard, createUser, getCard, getSecrets, getUser, updateCard, and updateUser.
  • The getSecrets mock now uses node:crypto to simulate decryption and encryption of sensitive card data, enhancing the realism of e2e tests.
• server/vitest.config.mts
  • Added the PANDA_E2E_PRIVATE_KEY environment variable to the Vitest configuration, providing the necessary private key for the enhanced Panda API mocks.
• src/components/card/Card.tsx
  • Added a dynamic aria-label attribute to the Pressable component that toggles sensitive card information, improving accessibility by indicating whether the action will 'Show sensitive' or 'Hide sensitive' data.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional flags.

[gemini-code-assist]

Code Review

This pull request introduces an end-to-end test for the card activation flow, which is a great addition. The changes include creating new Maestro subflows for better reusability, enhancing the server-side mocks for Panda, and adding necessary accessibility labels. The refactoring of Maestro flows is well-done and improves maintainability. I've provided a couple of suggestions to make the Panda mocks more robust by better simulating real-world API error handling, which will increase the reliability of your tests, aligning with guidelines for handling missing card records as client-side issues.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.84%. Comparing base (8b9feb6) to head (9766625).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #716      +/-   ##
==========================================
+ Coverage   65.67%   66.84%   +1.16%     
==========================================
  Files         190      201      +11     
  Lines        6005     6343     +338     
  Branches     1734     1861     +127     
==========================================
+ Hits         3944     4240     +296     
- Misses       1881     1923      +42     
  Partials      180      180              

Flag	Coverage Δ
e2e	66.84% <100.00%> (+19.57%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 5

🤖 Fix all issues with AI agents

In @.maestro/subflows/tapAria.yaml:
- Around line 3-9: Replace the leading "HACK" comment with a lowercase TODO
marker and a short lowercase explanation (e.g., "TODO: handle aria selector
differences between web and native"), and tighten inline brace spacing in the
two runFlow when mappings by removing spaces immediately after "{" and before
"}" so that the when maps read when: {true: "${maestro.platform != 'web'}"} and
when: {platform: web}; keep existing keys/functions (runFlow, when, commands,
tapOn, aria) intact while making only the comment and brace-spacing changes.

In @.maestro/subflows/tapWhileAria.yaml:
- Around line 10-15: The web flow's selector mismatch: inside runFlow -> repeat
the visible check uses { id: "${aria}" } but tapOn falls back to the raw string
"${tap ?? aria}", causing failures when aria is an id; change the tapOn fallback
to use an id selector object (e.g., tapOn: { id: "${aria}" }) when tap is not
provided, or add/accept a web-specific variable like tapId and use tapOn: { id:
"${tapId ?? aria}" } so the selector shape matches visible; update references in
the runFlow/repeat block (visible, tapOn, aria, tap) accordingly.
- Around line 7-9: The two Maestro repeat blocks using "repeat" with "while: {
visible: \"${aria}\" }" (and commands: [{ tapOn: \"${tap ?? aria}\" }]) need a
max-attempts cap to avoid infinite loops; update both repeat entries to include
a times parameter (e.g., times: 10) alongside the existing while condition so
the loop stops after the given attempts if "${aria}" never becomes invisible.

In `@server/test/e2e.ts`:
- Line 88: The mock for panda.getCard currently resolves undefined for missing
IDs; change the vi.fn().mockImplementation for getCard to instead reject (throw)
when the requested cardId is not found in the cards Map so it mirrors real
panda.getCard behavior (HTTP 404). Specifically, inside the mockImplementation
for getCard check cards.get(cardId) and if falsy return a rejected Promise (or
throw an Error with a clear message/status) otherwise return the resolved card;
keep the mock function name getCard and the cards Map reference so the change is
easy to locate.

In `@server/vitest.config.mts`:
- Around line 28-43: Remove the hardcoded PANDA_E2E_PRIVATE_KEY literal in
vitest.config.mts and instead read it from the environment at runtime (e.g.
process.env.PANDA_E2E_PRIVATE_KEY or import.meta.env depending on runtime),
updating the place that currently uses the multiline string to reference that
env variable; add a clear runtime check in the same module (throw or log and
exit) if PANDA_E2E_PRIVATE_KEY is missing so CI/test runs fail fast, and remove
the private key content from the repo/history (ensure you stop committing
secrets and rotate the exposed key).