feat: Playwright against deployed music-room (shell + optional unionid chain)

No Rust/Compose; GitHub Actions with MOICEN_E2E_UNIONID secret; dotenv .env.e2e; proxy install script.

Made-with: Cursor

tests/home-shell.spec.ts

@@ -0,0 +1,28 @@
+import { test, expect } from '@playwright/test';
+
+// 对已部署 H5：匿名、伪造 unionid、page_path 净化（与 huike-front main.ts 一致）
+test.describe('music-room shell', () => {
+  test('根路径挂载 Vue 根节点', async ({ page }) => {
+    await page.goto('/');
+    await expect(page.locator('#app')).toBeVisible();
+  });
+
+  test('带伪造 unionid/status 的入口不应导致白屏', async ({ page }) => {
+    await page.goto('/?unionid=fake-wx-unionid-e2e&status=2', {
+      waitUntil: 'domcontentloaded',
+      timeout: 30_000,
+    });
+    await expect(page.locator('#app')).toBeVisible({ timeout: 30_000 });
+  });
+
+  test('page_path 内嵌他人 unionid 时应被剥离（最终 URL 不含该串）', async ({ page }) => {
+    const poison = 'attacker-unionid-e2e-marker';
+    const pagePath = encodeURIComponent(`/?unionid=${poison}&status=2`);
+    await page.goto(`/?page_path=${pagePath}`, {
+      waitUntil: 'domcontentloaded',
+      timeout: 30_000,
+    });
+    await page.waitForURL((u) => !u.toString().includes(poison), { timeout: 30_000 });
+    await expect(page.locator('#app')).toBeVisible();
+  });
+});