docs: update staging auth instructions to use smoke test token

Replace references to demo-credentials.md for staging login with the
smoke test token flow via SAM_PLAYWRIGHT_PRIMARY_USER env var and
POST /api/auth/token-login. Production auth still uses GitHub OAuth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: raphaeltm

.claude/rules/02-quality-gates.md

@@ -203,7 +203,7 @@ String containment tests on structured output create false confidence. The test
 **Full details in `.claude/rules/13-staging-verification.md`.** Summary of the hard requirements:
 
 1. **Staging deployment MUST be green.** The `Deploy Staging` workflow is manual — you must trigger it via `gh workflow run deploy-staging.yml --ref <branch>`. Check for existing active runs first and wait at least 5 minutes if one is in progress. A failed staging deployment is the same severity as a failed test — it blocks merge.
-2. **Live app MUST be verified via Playwright.** After staging deploys, log into `app.sammy.party` (staging — NOT `app.simple-agent-manager.org`, which is production) using test credentials at `/workspaces/.tmp/secure/demo-credentials.md`, and actively test the application.
+2. **Live app MUST be verified via Playwright.** After staging deploys, authenticate to `app.sammy.party` (staging — NOT `app.simple-agent-manager.org`, which is production) using the smoke test token in `SAM_PLAYWRIGHT_PRIMARY_USER` env var via `POST https://api.sammy.party/api/auth/token-login` with body `{ "token": "<value>" }`, then navigate and actively test the application. See `.claude/rules/13-staging-verification.md` for the full login procedure.
 3. **Existing workflows MUST be confirmed working.** Navigate the dashboard, projects, settings. Verify no regressions — pages load, data displays, navigation works, no new console errors.
 4. **New feature/fix MUST be verified on staging.** The specific changes in the PR must work correctly on the live staging environment.
 5. **Evidence MUST be reported.** Include screenshots, API responses, or Playwright observations in the PR.
@@ -213,7 +213,7 @@ String containment tests on structured output create false confidence. The test
 - A "small refactor" still deploys and verifies — prove no behavior changed
 - A "fix for broken staging" is the STRONGEST reason to verify — confirm the fix works
 - "Tests pass" is not sufficient — tests passed for bugs that only manifested in the real environment
-- If you cannot authenticate, ask the human — do NOT skip verification
+- If you cannot authenticate (e.g., `SAM_PLAYWRIGHT_PRIMARY_USER` env var not set), ask the human — do NOT skip verification
 
 ## Post-Push CI Procedure (Required)
 
@@ -227,6 +227,6 @@ After ANY merge to main, the production deployment triggers automatically. You M
 
 1. Wait for the Deploy Production workflow to complete successfully in GitHub Actions.
 2. Use Playwright to navigate to `app.simple-agent-manager.org` (production) and test the deployed feature end-to-end.
-3. Use the test credentials stored at `/workspaces/.tmp/secure/demo-credentials.md` to authenticate. If the file is missing, ask the human for credentials.
+3. Authenticate using GitHub OAuth credentials at `/workspaces/.tmp/secure/demo-credentials.md` (production uses GitHub OAuth, not smoke test tokens). If the file is missing, ask the human for credentials.
 4. If the feature cannot be tested via Playwright, document why and what was verified manually.
 5. Report results to the user — do not assume deployment success just because CI passed.

.claude/rules/13-staging-verification.md

@@ -62,9 +62,19 @@ If the deployment fails:
 
 After staging deployment succeeds, use Playwright to test the live app:
 
-1. Navigate to `https://app.sammy.party` (staging)
-2. Authenticate using test credentials at `/workspaces/.tmp/secure/demo-credentials.md`
-   - If the file is missing, ask the human for credentials — do NOT skip this step
+1. Authenticate using the smoke test token via the token-login API:
+   ```typescript
+   // In Playwright, use page.request to POST to the token-login endpoint.
+   // This sets the session cookie on the browser context automatically.
+   const loginResp = await page.request.post('https://api.sammy.party/api/auth/token-login', {
+     data: { token: process.env.SAM_PLAYWRIGHT_PRIMARY_USER },
+     headers: { 'Content-Type': 'application/json' },
+   });
+   // Verify login succeeded (status 200, response has success: true)
+   ```
+   - The `SAM_PLAYWRIGHT_PRIMARY_USER` env var contains the smoke test token
+   - If the env var is not set, ask the human — do NOT skip this step
+2. Navigate to `https://app.sammy.party` (staging) — the session cookie from step 1 authenticates you
 3. Verify your changes work as intended (see verification checklists below)
 4. Verify existing core workflows still work (see regression checklist below)
 
@@ -128,7 +138,7 @@ If you find a bug unrelated to your PR, file it as a backlog task (`tasks/backlo
 - **App doesn't load** → fix the issue, do not merge
 - **Your feature doesn't work on staging** → fix the issue, do not merge
 - **Existing workflow is broken** → investigate whether your PR caused it; if yes, fix it; if pre-existing, file a backlog task but still do not merge with NEW regressions
-- **Cannot authenticate** → ask the human for credentials, do not skip verification
+- **Cannot authenticate** → check that `SAM_PLAYWRIGHT_PRIMARY_USER` env var is set; if not, ask the human — do not skip verification
 
 ## Feature-Specific Verification Is Mandatory (Not Just Page Loads)
 

CLAUDE.md

@@ -156,7 +156,8 @@ Claude Code supports dual authentication: **API keys** (pay-per-use from Anthrop
 
 ## Testing
 
-- **Test credentials** for the live app are at `/workspaces/.tmp/secure/demo-credentials.md` (outside repo)
+- **Staging authentication**: Use the smoke test token in `SAM_PLAYWRIGHT_PRIMARY_USER` env var. POST it to `https://api.sammy.party/api/auth/token-login` with body `{ "token": "<value>" }` to get a session cookie, then navigate to `https://app.sammy.party`. See `.claude/rules/13-staging-verification.md` for full procedure.
+- **Production authentication**: Use GitHub OAuth credentials at `/workspaces/.tmp/secure/demo-credentials.md` (outside repo)
 - **Live test cleanup required**: delete test workspaces/nodes after verification
 - **Staging verification required for every code PR** — see `.claude/rules/13-staging-verification.md`
 - See `.claude/rules/02-quality-gates.md` for full testing requirements