CU-24: Signup calendar consent & onboarding entry (Google + Microsoft combined consent, email/password, connect-resilience)

Priority: P1 Accounts/sessions: This suite exercises the signup entry points, so it needs more than a pre-logged-in Calendo session:

• Test A & D (combined-consent proof; connect-resilience regression): can run with the existing P1 Google session (ravikantguptaofficial@gmail.com) signed into the browser.
• Test B & C (fresh Google signup happy/decline paths): require a Google account that is signed into the browser but does NOT yet have a Calendo account (e.g. a dedicated throwaway like mhrmrh2p@gmail.com, or a P-account whose Calendo account was just deleted via CU-02). Plus-aliases do NOT work here — Google OAuth uses the real account email.
• Test E (email/password contrast): a fresh plus-alias email account, same as CU-02/CU-18.

Parallel-safe: Test A (read-only consent inspection) and Test E are parallel-safe. Tests B/C/D mutate a real account's calendar connection — run them serially and clean up after. Exclusive (rewrites global host availability?): No. Estimated time: ~20 minutes. L3 reality checks: Yes — (B) confirm in the Google Account's "Third-party apps with account access" (or a real calendar event/conflict) that Calendo actually received calendar access during signup; (D) confirm the booking page reflects the connected calendar.

Why this suite exists

A user reported (June 2026) that after "Sign in with Google" they were NOT shown a calendar-permission step the way Calendly shows it — and separately, after connecting a calendar they got stuck looping on "Connect your calendar." Two fixes shipped:

1. Combined consent at signup — Sign up with Google AND Sign up with Microsoft now request calendar access in the SAME provider consent screen (Calendly-style), and if granted, connect the calendar immediately and drop the user onto onboarding Step 2 (Schedule) instead of Step 1. (Google shows calendar as an optional checkbox; Microsoft consent is all-or-nothing.)
2. Connect-resilience — onboarding now trusts the ?calendar=connected signal and never serves a stale /api/calendars, so a user who connected is never bounced back to Step 1.

The automated CU suite previously MISSED both because it uses pre-logged-in accounts and never drove a cold-cache fresh-signup→connect flow. This suite closes that gap. The underlying logic is also unit-tested in tests/unit/worker/google-signup-calendar.test.js, tests/unit/worker/microsoft-signup-calendar.test.js, and tests/unit/client/cu-run6-regressions.test.js; this suite verifies the real-browser reality the unit tests can't (the actual provider consent screen and the onboarding entry point).

Preconditions

• Production https://calendo.dev reachable.
• For Test A/D: the browser is signed into Google as P1 (ravikantguptaofficial@gmail.com). No cold Google login mid-run (per 00-setup-preconditions.md).
• For Test B/C: a Google account signed into the browser with no existing Calendo account. If none is available, run Test A only and record B/C as BLOCKED (no fresh Google account) — do NOT perform a cold Google login and do NOT delete P1's account.
• For Test E: Gmail signed in as ravikantguptaofficial@gmail.com to read the verification email (plus-alias delivery).
• RUNID: pick a fresh UTC token, e.g. 20260604-1600. Reuse it for every value below.

Test A — Combined consent proof (always runnable)

Goal: Prove that "Sign up with Google" requests calendar access in the same Google consent (the behavior the user expected from Calendly).

1. Action: Open https://calendo.dev/auth/register.html in a context where no Calendo session auto-redirects (fresh tab). Expect: A "Create account" form plus a "Sign up with Google" button. [L1]
2. Action: Hover/inspect the "Sign up with Google" link. Expect: it points at /api/auth/oauth/google?intent=signup (the intent=signup is what triggers the combined consent). [L1]
3. Action: Click "Sign up with Google." Pick the Google account when prompted. Expect: the Google "Sign in with Google" consent screen appears and explicitly lists Google Calendar access — an item reading approximately "See, edit, share, and permanently delete all the calendars you can access using Google Calendar" (rendered as a checkbox under "Select what Calendo can access"). This is the combined consent. Capture screenshot: cu24-01-combined-consent.png [L1]
   • If Google skips the consent screen because this account already granted Calendo calendar access previously, that's expected for a returning grant; record it and confirm the proxy instead: during the redirect, the URL on accounts.google.com contains scope=...calendar.events...calendar.readonly (the combined scope is being requested). [L2]
4. Action: Click Cancel (do not complete, to keep this test read-only) unless you are continuing into Test B. Expect: returned to Calendo register/login. [L1]

PASS: the Google consent for "Sign up with Google" includes Google Calendar access. FAIL: the consent only asks for name/email/profile with no calendar item AND the redirect scope lacks the calendar scopes.

Test B — Fresh Google signup, calendar GRANTED → skip to Schedule (needs fresh Google account)

Goal: A brand-new Google signup that grants calendar lands on Step 2 with the calendar already connected — no separate "Connect your calendar" click.

1. Action: With a fresh Google account (no Calendo account) signed into the browser, open https://calendo.dev/auth/register.html and click "Sign up with Google." Select the account.
2. Action: On the consent screen, leave the Google Calendar checkbox CHECKED (grant it) and click Continue/Allow. Expect: you are redirected to https://calendo.dev/dashboard/?...calendar=connected and the URL param is cleaned shortly after. Capture screenshot: cu24-02-after-grant.png [L1]
3. Action: Observe the onboarding wizard state. Expect: the stepper shows "2. Schedule" as the ACTIVE step (Step 1 "Calendar" shown as done/skipped), NOT the "Connect your calendar" screen. A "Calendar connected!" toast may appear. [L1]
4. Action: Open Settings → Integrations (or finish onboarding and check). Expect: Google Calendar shows Connected for this account. [L2]
5. Action (L3): In a new tab open the Google Account permissions page (myaccount.google.com → Security → "Third-party apps with account access") OR create a real busy event and confirm it blocks a booking slot. Expect: Calendo is listed with Google Calendar access / the busy event blocks the slot — proving the calendar was really connected during signup. Capture screenshot: cu24-03-google-access.png [L3]

PASS: fresh Google signup with calendar granted → lands on Step 2 (Schedule) with Google Calendar connected, verified externally. FAIL: lands on Step 1 "Connect your calendar," or Settings shows no connection despite granting.

Cleanup (Test B)

If you used a disposable account, leave it or delete it via Settings → Delete account. If you used a P-account, note it now has a fresh Calendo account + calendar connection.

Test C — Fresh Google signup, calendar DECLINED → Connect Calendar step (needs fresh Google account)

Goal: Declining the calendar checkbox still completes sign-in and falls back to the in-app connect step.

1. Action: Repeat Test B step 1 with a fresh Google account, but on the consent screen UNCHECK the Google Calendar box, then Continue. Expect: sign-in completes; you land on https://calendo.dev/dashboard/?welcome=1 (NO calendar=connected). [L1]
2. Action: Observe onboarding. Expect: Step 1 "Connect your calendar" is shown (with Connect Google / Connect Outlook buttons), because no calendar was granted. Capture screenshot: cu24-04-declined-step1.png [L1]

PASS: declining calendar at signup → onboarding Step 1 "Connect your calendar." FAIL: errors out, or wrongly claims a calendar is connected.

Test D — Connect-resilience regression: don't get stuck after connecting (runnable with P1)

Goal: After connecting a calendar from the onboarding/connect screen, the user advances and is NOT looped back to "Connect your calendar" (the reported bug).

1. Action: As a user who is on the "Connect your calendar" step (a fresh account on Step 1, or open /dashboard/ for an account whose onboarding isn't complete), click "Connect Google Calendar" and complete the Google consent (calendar). Expect: redirect to /dashboard/?calendar=connected. [L1]
2. Action: Observe the screen immediately after the redirect (do NOT manually refresh). Expect: you advance to Step 2 "Schedule" (or the dashboard if onboarding was already complete) with a "Calendar connected!" toast — you are NOT shown "Connect your calendar" again. Capture screenshot: cu24-05-no-loop.png [L1]
3. Action: Hard-refresh the page once. Expect: still NOT stuck on Step 1; the connection persists and you remain past it. [L2]

PASS: connecting a calendar always moves the user forward; no loop back to Step 1 even on a stale/cached calendars read. FAIL: the "Connect your calendar" screen reappears after a successful connect.

Test E — Email/password signup still shows the Connect Calendar step (contrast)

Goal: Confirm the non-Google path is unchanged: email/password signups are asked to connect a calendar in-app (there is no OAuth consent to piggyback on).

1. Action: Register a fresh account with email ravikantguptaofficial+su-<RUNID>@gmail.com + password at https://calendo.dev/auth/register.html, verify via the Gmail email (see CU-02/CU-18 for the verification mechanics). [L1/L3]
2. Action: After verifying, reach the dashboard onboarding. Expect: the "Connect your calendar" step is shown (Step 1) — the email/password user must connect (or skip) a calendar in-app. Capture screenshot: cu24-06-emailpw-step1.png [L1]

PASS: email/password signup shows the in-app Connect Calendar step. FAIL: it errors, skips calendar setup silently, or claims a calendar is connected.

Cleanup (Test E)

Delete the +su-<RUNID> throwaway account via Settings → Delete account.

Test F — Microsoft signup combined consent → Outlook connected → skip to Schedule (Outlook parity)

Goal: "Sign up with Microsoft" requests Outlook calendar access in the same Microsoft consent, and granting it connects Outlook + skips to Step 2 — the Outlook equivalent of Tests A/B. Account: a Microsoft account signed into the browser with no existing Calendo account. If only ravikant0909@outlook.com is available and it already has a Calendo account, run the read-only proof (step 1–2) and record the full signup path as BLOCKED (no fresh Microsoft account) — do NOT delete an account that other suites depend on, and do NOT perform a cold Microsoft login.

1. Action: Open https://calendo.dev/auth/register.html (fresh tab) and inspect the "Sign up with Microsoft" button. Expect: it points at /api/auth/oauth/microsoft?intent=signup. [L1]
2. Action: Click "Sign up with Microsoft." Expect: the Microsoft consent screen lists Calendars (read/write) permission alongside sign-in — i.e. the redirect to login.microsoftonline.com requests scope=...Calendars.ReadWrite...offline_access.... (Microsoft consent is all-or-nothing — there is no per-scope checkbox; declining cancels sign-in entirely, so there is no "declined calendar but signed in" path like Google's Test C.) Capture screenshot: cu24-07-ms-consent.png [L1]
3. Action (fresh MS account only): Approve the consent. Expect: redirect to https://calendo.dev/dashboard/?...calendar=connected, onboarding shows Step 2 "Schedule" (not "Connect your calendar"), and Settings → Integrations shows Outlook Calendar = Connected. Capture screenshot: cu24-08-ms-after-grant.png [L1/L2]
4. Action (L3, fresh MS account only): Create a "Busy" event in outlook.com (Pacific time) overlapping a slot and confirm the booking page blocks it (or confirm Calendo appears under the Microsoft account's app permissions). Expect: the real Outlook calendar is connected and conflict-checked. [L3]

PASS: Microsoft signup requests calendar in the same consent, and granting connects Outlook + lands on Step 2. FAIL: the Microsoft consent omits calendar, or a granted signup still shows "Connect your calendar."

Cleanup (Test F)

If you used a disposable Microsoft account, leave or delete its Calendo account. Delete any test event from outlook.com.

Notes for the runner

• Never perform a cold Google/Microsoft password login mid-run. If a calendar OAuth would require entering a Google password, stop and record BLOCKED.
• The combined-consent SCOPES are deterministic and also asserted in unit tests; the highest-value real-browser checks here are Test A (the consent screen lists calendar) and Test D (no loop after connect) — prioritize those if time is short.

Full reference: auth lifecycle is CU-02; the onboarding wizard internals are CU-18.