fix: update tests to use new dev URL and signing secret

[splindsay-92]

CI tests were failing since we switched to using website-signed config. This fixes the issues by using the new dev CLI and server signing secret (no longer uses CI bypass).

• Updated the Github workflows to replace CI Bypass with the terminal server signing token.
• Set logs to avoid color formatting output when running in CI to make them more readable.
• Replaced CI bypass with terminal server signing secret in code.
• Replaced the production HTTP and WS endpoints with dev for testing.
• Removed some unused code segments.

---

Note

Medium Risk
Touches CI auth/token injection and test rate-limit gating, so misconfiguration can cause broad CI/E2E failures; functional product logic impact is limited to default WebSocket URL selection in the example app.

Overview
CI and E2E test execution now uses TERMINAL_SERVER_SIGNING_SECRET (and injected CI auth token) instead of the legacy CI_BYPASS_SECRET, with GitHub workflows updated accordingly (including NO_COLOR=1 for cleaner logs).

Default WebSocket/HTTP endpoints used by the Web CLI app, unit tests, and Playwright E2E suites are switched from web-cli.ably.com to the dev hosted terminal web-cli-terminal.ably-dev.com, and shared helpers are refactored to centralize terminal URL selection and “remote server” detection for timeouts/delays/rate-limit behavior. Legacy browser CI auth utilities (packages/react-web-cli/src/lib/ci-auth.ts) are removed and signing-secret lookup fallbacks are tightened.

^{Written by Cursor Bugbot for commit 3f798c3. This will update automatically on new commits. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cli-web-cli	Ready	Preview, Comment	Feb 16, 2026 0:44am

[coderabbitai]

Walkthrough

Updates GitHub Actions workflows to use TERMINAL_SERVER_SIGNING_SECRET and add NO_COLOR environment variables while removing CI_BYPASS_SECRET. Updates test files and helpers to reference the new web-cli-terminal.ably-dev.com domain and switch environment variable checks from CI_BYPASS_SECRET to TERMINAL_SERVER_SIGNING_SECRET.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/e2e-tests.yml, .github/workflows/e2e-web-cli-parallel.yml, .github/workflows/test.yml	Add TERMINAL_SERVER_SIGNING_SECRET and NO_COLOR environment variables across workflow jobs; remove CI_BYPASS_SECRET from environment configuration.
React Unit Tests packages/react-web-cli/src/AblyCliTerminal.test.tsx	Update test domain references and session storage keys from web-cli.ably.com to web-cli-terminal.ably-dev.com.
E2E Test Setup and Helpers test/e2e/web-cli/global-setup.ts, test/e2e/web-cli/helpers/base-test.ts, test/e2e/web-cli/helpers/ci-auth.ts, test/e2e/web-cli/helpers/setup-ci-auth.ts, test/e2e/web-cli/helpers/signing-helper.ts, test/e2e/web-cli/shared-setup.ts, test/e2e/web-cli/test-rate-limiter.ts	Replace CI_BYPASS_SECRET with TERMINAL_SERVER_SIGNING_SECRET in environment checks; update domain strings from web-cli.ably.com to web-cli-terminal.ably-dev.com; remove exported functions logCIAuthStatus and getCIAuthToken.
E2E Test Files test/e2e/web-cli/domain-scoped-auth.test.ts, test/e2e/web-cli/prompt-integrity.test.ts, test/e2e/web-cli/reconnection-diagnostic.test.ts, test/e2e/web-cli/reconnection-utils.ts, test/e2e/web-cli/reconnection.test.ts, test/e2e/web-cli/session-resume.test.ts, test/e2e/web-cli/wait-helpers.ts, test/e2e/web-cli/web-cli.test.ts	Update default TERMINAL_SERVER_URL and domain references from web-cli.ably.com to web-cli-terminal.ably-dev.com in WebSocket URLs and domain-based logic checks.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A hop, a skip, the domains shift clear,
From public web to terminal's frontier,
Signing secrets dance in CI's refrain,
No colors needed, just plain domain change,
Our tests now peek at the dev exchange! 🎉

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: updating tests to use a new dev URL (web-cli-terminal.ably-dev.com) and replacing CI_BYPASS_SECRET with TERMINAL_SERVER_SIGNING_SECRET.
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/use-new-server-signing-and-dev-test-env

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/e2e/web-cli/helpers/signing-helper.ts (1)

103-118: ⚠️ Potential issue | 🟡 Minor

logSigningStatus still references CI_BYPASS_SECRET, contradicting getTestSecret behavior.

getTestSecret() and isSigningAvailable() no longer consider CI_BYPASS_SECRET, but logSigningStatus() still checks it (line 106) and can report "CI_BYPASS_SECRET" as the active secret (lines 115-116). When only CI_BYPASS_SECRET is set, getTestSecret() returns the fallback dev secret, yet the log would misleadingly claim CI_BYPASS_SECRET is in use. This will confuse anyone debugging signing issues.

Proposed fix: remove stale CI_BYPASS_SECRET reference

 export function logSigningStatus(): void {
   const hasTerminalSecret = !!process.env.TERMINAL_SERVER_SIGNING_SECRET;
   const hasSigningSecret = !!process.env.SIGNING_SECRET;
-  const hasCISecret = !!process.env.CI_BYPASS_SECRET;
 
   console.log("[Signing Helper] Configuration:", {
     TERMINAL_SERVER_SIGNING_SECRET: hasTerminalSecret ? "SET" : "NOT SET",
     SIGNING_SECRET: hasSigningSecret ? "SET" : "NOT SET",
     usingSecret: hasTerminalSecret
       ? "TERMINAL_SERVER_SIGNING_SECRET"
       : hasSigningSecret
         ? "SIGNING_SECRET"
-        : hasCISecret
-          ? "CI_BYPASS_SECRET"
-          : "fallback",
+        : "fallback (dev-test-secret)",
   });
 }

🤖 Fix all issues with AI agents

In @.github/workflows/e2e-web-cli-parallel.yml:
- Around line 218-226: The rate-limit job is currently setting the environment
variable TERMINAL_SERVER_SIGNING_SECRET which causes test-rate-limiter.ts to
disable rate limiting (connectionsPerBatch: 1000, pauseDuration: 0), so remove
TERMINAL_SERVER_SIGNING_SECRET from the job's env block (the env that includes
NO_COLOR, E2E_ABLY_API_KEY, TEST_GROUP: rate-limit, etc.) so the rate-limit test
runs with real limits; also verify no other env or secrets in this job inject
TERMINAL_SERVER_SIGNING_SECRET.

In `@test/e2e/web-cli/domain-scoped-auth.test.ts`:
- Around line 252-254: The fallback assigned to actualDomain includes the scheme
("wss://") so the localStorage key check (k.includes(actualDomain)) never
matches; change the fallback to the bare host or always extract the host portion
so actualDomain holds "web-cli-terminal.ably-dev.com". Update the assignment of
actualDomain (where process.env.TERMINAL_SERVER_URL is checked) to parse the URL
and use .host for both code paths (or replace the literal
"wss://web-cli-terminal.ably-dev.com" with "web-cli-terminal.ably-dev.com") so
currentDomainKeys and the subsequent assertion operate on matching domain
strings.

🧹 Nitpick comments (4)

test/e2e/web-cli/test-rate-limiter.ts (1)

22-36: Stale log message: still references "CI bypass" after switching to signing secret.

Line 29 logs Rate limiting DISABLED - CI bypass enabled but the condition now checks TERMINAL_SERVER_SIGNING_SECRET. The message should reflect the new semantics to avoid confusion when debugging CI logs.

Suggested fix

-        `[RateLimit Config] Rate limiting DISABLED - CI bypass enabled`,
+        `[RateLimit Config] Rate limiting DISABLED - server signing secret available`,

test/e2e/web-cli/helpers/ci-auth.ts (1)

43-49: JSDoc refers to "bypass secret" but the implementation now checks TERMINAL_SERVER_SIGNING_SECRET.

Minor doc inconsistency — the comment says "bypass secret is available" but the function now checks TERMINAL_SERVER_SIGNING_SECRET. Consider updating the JSDoc to reflect the new env var name.

📝 Suggested doc update

 /**
  * Check if CI bypass mode should be used
- * `@returns` true if CI mode is enabled and bypass secret is available
+ * `@returns` true if TERMINAL_SERVER_SIGNING_SECRET is available
  */

test/e2e/web-cli/helpers/base-test.ts (1)

163-168: isProduction now checks for a dev domain — consider renaming for clarity.

The variable isProduction is checking for web-cli-terminal.ably-dev.com, which is a development environment. The name is misleading; this is really detecting "remote server" vs "local server." A rename like isRemoteServer would better convey intent.

📝 Suggested rename

-    const isProduction =
+    const isRemoteServer =
       !process.env.TERMINAL_SERVER_URL ||
       process.env.TERMINAL_SERVER_URL.includes("web-cli-terminal.ably-dev.com");
-    if (isProduction) {
+    if (isRemoteServer) {
       await page.waitForTimeout(1000);
     }

test/e2e/web-cli/wait-helpers.ts (1)

16-20: Same isProduction naming concern as in base-test.ts.

This isProduction variable now detects web-cli-terminal.ably-dev.com (a dev domain). Consider renaming to isRemoteServer for consistency with the suggested change in base-test.ts.

[maratal]

LGTM, but I'm newbie here, so the second pair of eyes would probably make more sense. wdyt @AndyTWF

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}