Replaces racy one-shot checks with auto-retrying assertions, asserts the
referrer-block test against the deterministic 403 response (not iframe
content), uses an OS-allocated port for the static test app with
connection-tracked teardown, caches the JWT access token across tests,
sends CSRF on the guest-token call (page.request always carries the
storageState cookie, so JWT-only doesn't actually skip CSRF), and waits
for a real viz element inside chart containers rather than a class that
doesn't exist. Verified with --repeat-each=5 (25/25 passing).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds five tests covering the embedded dashboard flow against the
world_health example: render, hideTitle UI config, chart rendering,
allowed_domains referrer check, and guest-token data access. Includes:
- A chromium-embedded Playwright project, excluded from the main
project via testIgnore so it can be opted into separately.
- An EmbeddedPage page object and API helpers for embedding/guest
tokens plus dashboard lookup by slug.
- A static test app (embedded-app/index.html) loaded from a minimal
Node static server. Playwright bridges the guest-token fetch from
Node into the browser via page.exposeFunction.
- EMBEDDED timeout/config constants.
Workflow integration and test-environment configuration land in a
follow-up commit.
