
Add E2E test for org-member domain POST authorization#142

Merged
jalexw merged 3 commits into
mainfrom
claude/serene-faraday-7z0a3j
Jun 18, 2026

Conversation

@jalexw

@jalexw jalexw commented Jun 18, 2026

Contributor

Summary

Adds comprehensive E2E test coverage for the authorization check in POST /api/apps/:app_id/domains that prevents organization members (non-owner/admin) from adding domains to private applications.

Changes

  • New test file: tests/e2e-auth-tests/cypress/e2e/apps/OrgMemberCannotAddAppDomain.cy.ts

    • Tests the specific regression case where an org member with role === "member" attempts to add a domain to a private app owned by their organization
    • Verifies that the endpoint correctly returns 403 with an appropriate error message
    • Ensures no resource_id is leaked in the rejected response
    • Complements existing authorization tests by covering the "authenticated member-only" branch (as opposed to non-member or unauthenticated cases)
  • Version bump: tests/e2e-auth-tests/package.json (0.4.8 → 0.4.9)

Implementation Details

The test follows a realistic workflow:

  1. Creates a regular user account (the member)
  2. Logs in as superuser to create an organization and private app
  3. Issues an invitation to the member and has them accept it (establishing role === "member")
  4. Attempts to POST a domain as the member and verifies the 403 rejection

This guards against the specific regression where the authorization check in POST_create_app_domain.ts could be accidentally widened to include the member role, allowing any org member to rewrite domain bindings.

https://claude.ai/code/session_01442m5sYx1WZgfdcmfyRkr2
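The authorization branch this test pins down, as an added illustration that is not the project's POST_create_app_domain.ts code: a pure decision function that takes the permitted role set as a parameter, so the regression the PR describes (widening the set to include "member") can be exercised directly alongside the 403 and the no-resource_id check. The type and field names, the 401 for unauthenticated callers and the treatment of non-members are assumptions; only the member-gets-403 behaviour comes from the PR.

```typescript
// Added illustration (not the project's code): a minimal model of the
// POST /api/apps/:app_id/domains authorization decision for a private app.
type Role = "owner" | "admin" | "member";

interface Caller {
  userId: string;
  orgRole?: Role; // role in the org that owns the app; undefined = not a member (assumed)
}

interface AppRecord {
  resourceId: string; // hypothetical internal id that must never appear in a rejection
  orgId: string;
}

interface Decision {
  status: 201 | 401 | 403;
  body: Record<string, unknown>;
}

// Only owners and admins may bind a domain. A plain "member" is authenticated
// and belongs to the org, yet must still be rejected; that is the branch the test covers.
const DOMAIN_WRITE_ROLES: ReadonlySet<Role> = new Set<Role>(["owner", "admin"]);

function authorizeAddDomain(
  caller: Caller | null,
  app: AppRecord,
  domain: string,
  allowed: ReadonlySet<Role> = DOMAIN_WRITE_ROLES,
): Decision {
  if (caller === null) {
    return { status: 401, body: { error: "authentication required" } }; // assumed code
  }
  if (caller.orgRole === undefined || !allowed.has(caller.orgRole)) {
    // Rejection carries a message only: no resource_id or other app details leak.
    return { status: 403, body: { error: "insufficient role to add a domain to this app" } };
  }
  return { status: 201, body: { resource_id: app.resourceId, domain } };
}

// Mirrors the E2E test's "no resource_id leaked" assertion on any non-success response.
function leaksResourceId(d: Decision): boolean {
  return d.status !== 201 && "resource_id" in d.body;
}

// Constructed sample: a member of the owning org tries to bind a domain.
const sampleApp: AppRecord = { resourceId: "app-res-1", orgId: "org-1" };
const sampleMember: Caller = { userId: "u-member", orgRole: "member" };
const sampleDecision = authorizeAddDomain(sampleMember, sampleApp, "member.example.test");
console.log(sampleDecision.status, leaksResourceId(sampleDecision)); // 403 false
```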

…rg-member (non-owner/admin) caller

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01442m5sYx1WZgfdcmfyRkr2
@jalexw jalexw self-assigned this Jun 18, 2026
claude added 2 commits June 18, 2026 14:09
…sed v4 generator

Cypress browser context lacks crypto.randomUUID() because the auth server is
not served from a secure context. Mirrors the workaround already documented
in example_resource_server/ExternalJwksLoad.cy.ts.

Bumps the package to 0.4.10 to avoid colliding with main's 0.4.9 from #141.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01442m5sYx1WZgfdcmfyRkr2
@jalexw jalexw merged commit e41aa58 into main Jun 18, 2026
43 checks passed
@jalexw jalexw deleted the claude/serene-faraday-7z0a3j branch June 18, 2026 15:15

2 participants