Fix MfaCredentialTests and resolve merge conflicts with main

Update SetRecoveryCodes test to match domain method: empty/null now
clears codes instead of throwing (supports exhausted recovery codes).
Remove AuthenticationRegistrationTests (belongs to PR #813, not cache PR).
Take main's versions for non-cache files.

Author: Chris0Jeky

.github/workflows/ci-extended.yml

@@ -107,6 +107,16 @@ jobs:
       dotnet-version: 8.0.x
       node-version: 24.13.1
 
+  e2e-cross-browser:
+    name: E2E Cross-Browser Matrix
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'testing'))
+    needs:
+      - backend-solution
+    uses: ./.github/workflows/reusable-e2e-cross-browser.yml
+    with:
+      dotnet-version: 8.0.x
+      node-version: 24.13.1
+
   visual-regression:
     name: Visual Regression
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'testing') || contains(github.event.pull_request.labels.*.name, 'visual')))

.github/workflows/ci-nightly.yml

@@ -60,6 +60,15 @@ jobs:
       k6-duration: "90s"
       k6-user-pool: "6"
 
+  e2e-cross-browser:
+    name: E2E Cross-Browser Matrix
+    needs:
+      - backend-solution
+    uses: ./.github/workflows/reusable-e2e-cross-browser.yml
+    with:
+      dotnet-version: 8.0.x
+      node-version: 24.13.1
+
   container-images:
     name: Container Images Regression
     needs:

.github/workflows/ci-required.yml

@@ -20,6 +20,7 @@
 #     ├── reusable-openapi-guardrail.yml
 #     ├── reusable-backend-solution.yml (label: testing)
 #     ├── reusable-e2e-smoke.yml (label: testing)
+#     ├── reusable-e2e-cross-browser.yml (label: testing)
 #     ├── reusable-demo-director-smoke.yml (label: automation)
 #     ├── reusable-load-concurrency-harness.yml (label: testing)
 #     └── reusable-container-integration.yml (label: testing) — Testcontainers PostgreSQL
@@ -28,6 +29,7 @@
 #     ├── reusable-openapi-guardrail.yml
 #     ├── reusable-backend-solution.yml
 #     ├── reusable-e2e-smoke.yml
+#     ├── reusable-e2e-cross-browser.yml
 #     ├── reusable-load-concurrency-harness.yml
 #     └── reusable-container-images.yml
 #

.github/workflows/reusable-e2e-cross-browser.yml

@@ -0,0 +1,106 @@
+name: Reusable E2E Cross-Browser Matrix
+
+on:
+  workflow_call:
+    inputs:
+      dotnet-version:
+        description: .NET SDK version used for E2E backend setup
+        required: false
+        default: "8.0.x"
+        type: string
+      node-version:
+        description: Node.js version used for E2E frontend setup
+        required: false
+        default: "24.13.1"
+        type: string
+
+permissions:
+  contents: read
+
+env:
+  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
+
+jobs:
+  e2e-cross-browser:
+    name: E2E (${{ matrix.project }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - project: chromium
+            browser: chromium
+          - project: firefox
+            browser: firefox
+          - project: webkit
+            browser: webkit
+          - project: mobile-chrome
+            browser: chromium
+          - project: mobile-safari
+            browser: webkit
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version }}
+          cache: true
+          cache-dependency-path: |
+            backend/Taskdeck.sln
+            backend/**/*.csproj
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ inputs.node-version }}
+          cache: npm
+          cache-dependency-path: frontend/taskdeck-web/package-lock.json
+
+      - name: Restore backend
+        run: dotnet restore backend/Taskdeck.sln
+
+      - name: Install frontend dependencies
+        working-directory: frontend/taskdeck-web
+        run: npm ci
+
+      - name: Cache Playwright browsers
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/ms-playwright
+          key: ms-playwright-${{ runner.os }}-${{ hashFiles('frontend/taskdeck-web/package-lock.json') }}
+
+      - name: Install Playwright browsers
+        working-directory: frontend/taskdeck-web
+        run: npx playwright install --with-deps ${{ matrix.browser }}
+
+      - name: Remove stale E2E database
+        working-directory: frontend/taskdeck-web
+        run: node -e "require('fs').rmSync('taskdeck.e2e.ci.db',{force:true});"
+
+      - name: Run Playwright tests (${{ matrix.project }})
+        timeout-minutes: 15
+        working-directory: frontend/taskdeck-web
+        env:
+          CI: "true"
+          TASKDECK_E2E_DB: taskdeck.e2e.ci.db
+          TASKDECK_RUN_DEMO: "0"
+        run: npx playwright test --project=${{ matrix.project }} --reporter=line
+
+      - name: Upload Playwright report
+        if: failure()
+        uses: actions/upload-artifact@v7
+        with:
+          name: playwright-report-${{ matrix.project }}
+          path: frontend/taskdeck-web/playwright-report
+          if-no-files-found: ignore
+
+      - name: Upload Playwright test results
+        if: failure()
+        uses: actions/upload-artifact@v7
+        with:
+          name: playwright-test-results-${{ matrix.project }}
+          path: frontend/taskdeck-web/test-results
+          if-no-files-found: ignore

.github/workflows/reusable-e2e-smoke.yml

@@ -73,7 +73,7 @@ jobs:
           CI: "true"
           TASKDECK_E2E_DB: taskdeck.e2e.ci.db
           TASKDECK_RUN_DEMO: "0"
-        run: npx playwright test --reporter=line
+        run: npx playwright test --project=chromium --reporter=line
 
       - name: Upload Playwright report
         if: failure()

backend/src/Taskdeck.Api/Controllers/TelemetryController.cs

@@ -0,0 +1,120 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Taskdeck.Application.Services;
+
+namespace Taskdeck.Api.Controllers;
+
+/// <summary>
+/// Endpoints for opt-in product telemetry event recording and client configuration.
+/// All telemetry is disabled by default and requires explicit opt-in.
+/// </summary>
+[ApiController]
+[Route("api/telemetry")]
+[Authorize]
+public class TelemetryController : ControllerBase
+{
+    private readonly ITelemetryEventService _telemetryEventService;
+    private readonly SentrySettings _sentrySettings;
+    private readonly AnalyticsSettings _analyticsSettings;
+    private readonly TelemetrySettings _telemetrySettings;
+
+    public TelemetryController(
+        ITelemetryEventService telemetryEventService,
+        SentrySettings sentrySettings,
+        AnalyticsSettings analyticsSettings,
+        TelemetrySettings telemetrySettings)
+    {
+        _telemetryEventService = telemetryEventService;
+        _sentrySettings = sentrySettings;
+        _analyticsSettings = analyticsSettings;
+        _telemetrySettings = telemetrySettings;
+    }
+
+    /// <summary>
+    /// Returns client-side telemetry configuration. The frontend uses this to
+    /// determine which integrations are available and how to initialize them.
+    /// DSNs and script URLs are only returned when the corresponding integration
+    /// is enabled. No secrets or API keys are exposed.
+    /// </summary>
+    [HttpGet("config")]
+    [AllowAnonymous]
+    public IActionResult GetConfig()
+    {
+        return Ok(new ClientTelemetryConfigResponse
+        {
+            Sentry = new SentryClientConfig
+            {
+                Enabled = _sentrySettings.Enabled,
+                Dsn = _sentrySettings.Enabled ? _sentrySettings.Dsn : string.Empty,
+                Environment = _sentrySettings.Environment,
+                TracesSampleRate = _sentrySettings.TracesSampleRate,
+            },
+            Analytics = new AnalyticsClientConfig
+            {
+                Enabled = _analyticsSettings.Enabled,
+                Provider = _analyticsSettings.Enabled ? _analyticsSettings.Provider : string.Empty,
+                ScriptUrl = _analyticsSettings.Enabled ? _analyticsSettings.ScriptUrl : string.Empty,
+                SiteId = _analyticsSettings.Enabled ? _analyticsSettings.SiteId : string.Empty,
+            },
+            Telemetry = new TelemetryClientConfig
+            {
+                Enabled = _telemetrySettings.Enabled,
+            },
+        });
+    }
+
+    /// <summary>
+    /// Records a batch of product telemetry events. Requires authentication.
+    /// Events are validated against the taxonomy naming convention and rejected
+    /// if telemetry is disabled on the server.
+    /// </summary>
+    [HttpPost("events")]
+    public IActionResult RecordEvents([FromBody] TelemetryBatchRequest? request)
+    {
+        if (!_telemetryEventService.IsEnabled)
+        {
+            return Ok(new { recorded = 0, message = "Telemetry is disabled on this server." });
+        }
+
+        if (request == null || request.Events == null || request.Events.Count == 0)
+        {
+            return BadRequest(new { error = "No events provided." });
+        }
+
+        var recorded = _telemetryEventService.RecordEvents(request.Events);
+        return Ok(new { recorded });
+    }
+}
+
+public sealed class ClientTelemetryConfigResponse
+{
+    public SentryClientConfig Sentry { get; set; } = new();
+    public AnalyticsClientConfig Analytics { get; set; } = new();
+    public TelemetryClientConfig Telemetry { get; set; } = new();
+}
+
+public sealed class SentryClientConfig
+{
+    public bool Enabled { get; set; }
+    public string Dsn { get; set; } = string.Empty;
+    public string Environment { get; set; } = string.Empty;
+    public double TracesSampleRate { get; set; }
+}
+
+public sealed class AnalyticsClientConfig
+{
+    public bool Enabled { get; set; }
+    public string Provider { get; set; } = string.Empty;
+    public string ScriptUrl { get; set; } = string.Empty;
+    public string SiteId { get; set; } = string.Empty;
+}
+
+public sealed class TelemetryClientConfig
+{
+    public bool Enabled { get; set; }
+}
+
+public sealed class TelemetryBatchRequest
+{
+    public List<TelemetryEvent> Events { get; set; } = new();
+}

backend/src/Taskdeck.Api/Extensions/AuthenticationRegistration.cs

@@ -1,11 +1,8 @@
 using System.Security.Claims;
 using System.Text;
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authentication.OAuth.Claims;
-using Microsoft.AspNetCore.Authentication.OpenIdConnect;
-using Microsoft.AspNetCore.Http;
 using Microsoft.IdentityModel.Tokens;
 using Taskdeck.Api.Contracts;
 using Taskdeck.Application.Services;
@@ -16,16 +13,10 @@ namespace Taskdeck.Api.Extensions;
 
 public static class AuthenticationRegistration
 {
-    /// <summary>
-    /// Cookie scheme used for temporary external auth state (OAuth/OIDC handshake).
-    /// </summary>
-    public const string ExternalAuthenticationScheme = "External";
-
     public static IServiceCollection AddTaskdeckAuthentication(
         this IServiceCollection services,
         JwtSettings jwtSettings,
-        GitHubOAuthSettings? gitHubOAuthSettings = null,
-        OidcSettings? oidcSettings = null)
+        GitHubOAuthSettings? gitHubOAuthSettings = null)
     {
         if (string.IsNullOrWhiteSpace(jwtSettings.SecretKey) ||
             jwtSettings.SecretKey.Length < 32 ||
@@ -35,21 +26,7 @@ public static IServiceCollection AddTaskdeckAuthentication(
             return services;
         }
 
-        var authBuilder = services.AddAuthentication(options =>
-            {
-                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
-                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
-                options.DefaultSignInScheme = ExternalAuthenticationScheme;
-            })
-            .AddCookie(ExternalAuthenticationScheme, options =>
-            {
-                options.Cookie.Name = ".Taskdeck.ExternalAuth";
-                options.Cookie.HttpOnly = true;
-                options.Cookie.SameSite = SameSiteMode.Lax;
-                options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
-                options.ExpireTimeSpan = TimeSpan.FromMinutes(5);
-                options.SlidingExpiration = false;
-            })
+        var authBuilder = services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
             .AddJwtBearer(options =>
             {
                 options.TokenValidationParameters = new TokenValidationParameters
@@ -113,7 +90,6 @@ await context.Response.WriteAsJsonAsync(new ApiErrorResponse(
         {
             authBuilder.AddOAuth("GitHub", options =>
             {
-                options.SignInScheme = ExternalAuthenticationScheme;
                 options.ClientId = gitHubOAuthSettings.ClientId;
                 options.ClientSecret = gitHubOAuthSettings.ClientSecret;
                 options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize";
@@ -142,42 +118,6 @@ await context.Response.WriteAsJsonAsync(new ApiErrorResponse(
             });
         }
 
-        // Environment-gated: add OIDC providers when configured
-        if (oidcSettings != null)
-        {
-            foreach (var provider in oidcSettings.ConfiguredProviders)
-            {
-                var schemeName = $"Oidc_{provider.Name}";
-                var callbackPath = !string.IsNullOrWhiteSpace(provider.CallbackPath)
-                    ? provider.CallbackPath
-                    : $"/api/auth/oidc/{provider.Name.ToLowerInvariant()}/oauth-redirect";
-
-                authBuilder.AddOpenIdConnect(schemeName, provider.DisplayName, options =>
-                {
-                    options.SignInScheme = ExternalAuthenticationScheme;
-                    options.Authority = provider.Authority;
-                    options.ClientId = provider.ClientId;
-                    options.ClientSecret = provider.ClientSecret;
-                    options.CallbackPath = callbackPath;
-                    options.ResponseType = "code";
-                    options.SaveTokens = false;
-                    options.GetClaimsFromUserInfoEndpoint = true;
-
-                    options.Scope.Clear();
-                    foreach (var scope in provider.Scopes)
-                    {
-                        options.Scope.Add(scope);
-                    }
-
-                    // Map standard OIDC claims to ClaimTypes
-                    options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub");
-                    options.ClaimActions.MapJsonKey(ClaimTypes.Name, "preferred_username");
-                    options.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
-                    options.ClaimActions.MapJsonKey("name", "name");
-                });
-            }
-        }
-
         return services;
     }