feat(test): complete Feature 1.5.2 remaining items

- Add logout E2E tests for token revocation (access + refresh tokens)
- Add end_session_endpoint discovery check test
- Document CI runner platform requirements for MAUI/WPF UI automation
- Add tiered CI workflow (unit -> integration -> E2E -> full suite)

Tests verify:
- Access token revocation makes token inactive via introspection
- Refresh token revocation prevents further token refresh
- Discovery correctly reports end_session_endpoint availability

All Feature 1.5.2 checklist items now complete.

Author: stimpy77

.github/workflows/coreident-tests.yml

@@ -0,0 +1,130 @@
+name: CoreIdent Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Nightly build to catch regressions
+    - cron: '0 2 * * *'
+
+env:
+  DOTNET_VERSION: '10.0.x'
+
+jobs:
+  # Tier 1: Unit tests - fast, always run
+  unit-tests:
+    name: Unit Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.DOTNET_VERSION }}
+
+      - name: Restore
+        run: dotnet restore CoreIdent.sln
+
+      - name: Build
+        run: dotnet build CoreIdent.sln --no-restore -c Release
+
+      - name: Run Unit Tests
+        run: dotnet test tests/CoreIdent.Core.Tests --no-build -c Release --verbosity minimal
+
+  # Tier 2: Integration tests - medium speed, always run
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    needs: unit-tests
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.DOTNET_VERSION }}
+
+      - name: Restore
+        run: dotnet restore CoreIdent.sln
+
+      - name: Build
+        run: dotnet build CoreIdent.sln --no-restore -c Release
+
+      - name: Run Integration Tests
+        run: dotnet test tests/CoreIdent.Integration.Tests --no-build -c Release --verbosity minimal
+
+  # Tier 3: E2E and Browser tests - slower, run on main/nightly/PRs
+  e2e-tests:
+    name: E2E Tests
+    runs-on: ubuntu-latest
+    needs: integration-tests
+    if: github.ref == 'refs/heads/main' || github.event.schedule != '' || github.event.pull_request != null
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.DOTNET_VERSION }}
+
+      - name: Install Playwright
+        run: dotnet playwright install --with-deps chromium
+
+      - name: Restore
+        run: dotnet restore CoreIdent.sln
+
+      - name: Build
+        run: dotnet build CoreIdent.sln --no-restore -c Release
+
+      - name: Run E2E Tests
+        run: dotnet test tests/CoreIdent.E2E.Tests --no-build -c Release --filter "Category=E2E" --verbosity minimal
+        env:
+          PLAYWRIGHT_TRACES: ${{ github.event_name != 'pull_request' }}
+          PLAYWRIGHT_SCREENSHOTS: ${{ github.event_name != 'pull_request' }}
+
+      - name: Upload Playwright Traces
+        if: failure() && github.event_name != 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-traces
+          path: playwright-traces/
+
+  # Full test suite - main branch only
+  full-test-suite:
+    name: Full Test Suite
+    runs-on: ubuntu-latest
+    needs: e2e-tests
+    if: github.ref == 'refs/heads/main' || github.event.schedule != ''
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.DOTNET_VERSION }}
+
+      - name: Install Playwright
+        run: dotnet playwright install --with-deps chromium
+
+      - name: Restore
+        run: dotnet restore CoreIdent.sln
+
+      - name: Build
+        run: dotnet build CoreIdent.sln --no-restore -c Release
+
+      - name: Run All Tests
+        run: dotnet test CoreIdent.sln --no-build -c Release --filter "Category!=E2E" --verbosity minimal --collect:"XPlat Code Coverage"
+
+      - name: Upload Coverage
+        if: github.event_name == 'schedule'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.cobertura.xml

docs/Browser_Automation_Testing.md

@@ -173,6 +173,202 @@ jobs:
           path: playwright-traces/
 ```
 
+## Supported CI Runners and Platform Requirements
+
+### CI Runner Support Matrix
+
+| Runner Type | Unit Tests | Integration Tests | Browser E2E | MAUI UI | WPF UI |
+|-------------|:----------:|:-----------------:|:-----------:|:-------:|:------:|
+| **GitHub Actions** |
+| `ubuntu-latest` | ✅ | ✅ | ✅ | ⚠️¹ | ❌ |
+| `windows-latest` | ✅ | ✅ | ✅ | ⚠️¹ | ✅² |
+| `macos-latest` | ✅ | ✅ | ✅ | ⚠️¹ | ❌ |
+| **Azure DevOps** |
+| `ubuntu-latest` | ✅ | ✅ | ✅ | ⚠️¹ | ❌ |
+| `windows-latest` | ✅ | ✅ | ✅ | ⚠️¹ | ✅² |
+| `vmImage: macOS-latest` | ✅ | ✅ | ✅ | ⚠️¹ | ❌ |
+| **Self-Hosted** |
+| Linux | ✅ | ✅ | ✅ | ⚠️³ | ❌ |
+| Windows | ✅ | ✅ | ✅ | ⚠️³ | ✅ |
+| macOS | ✅ | ✅ | ✅ | ⚠️³ | ❌ |
+
+**Notes:**
+- ✅ = Fully supported
+- ⚠️ = Partial support with additional setup
+- ❌ = Not supported
+- ¹ = Android emulator tests possible but slow; iOS requires macOS with Xcode
+- ² = Requires Windows UI (non-headless agent)
+- ³ = Requires platform-specific emulators/simulators installed
+
+### Platform Requirements by Test Type
+
+#### Playwright Browser Tests (Current - Recommended)
+
+**Minimum Requirements:**
+- .NET 10 SDK
+- Playwright browsers: `dotnet playwright install --with-deps chromium`
+- 2GB RAM minimum, 4GB recommended
+- No display required (runs headless)
+
+**GitHub Actions Setup:**
+```yaml
+- name: Install Playwright
+  run: dotnet playwright install --with-deps chromium
+```
+
+#### MAUI UI Automation (Future - Feature 1.5.3)
+
+> **Status:** Not yet implemented. Requirements documented for planning purposes.
+
+**Android Testing:**
+| Requirement | CI Runner | Notes |
+|-------------|-----------|-------|
+| Android SDK | All | Auto-installed via `setup-android` action |
+| Android Emulator | All | Requires hardware acceleration (KVM on Linux) |
+| Java 17+ | All | Required by Android SDK |
+
+```yaml
+# GitHub Actions example for MAUI Android
+jobs:
+  maui-android:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: temurin
+      - name: Setup Android SDK
+        uses: android-actions/setup-android@v3
+      - name: Start Emulator
+        run: |
+          $ANDROID_HOME/emulator/emulator -avd test -no-window -gpu swiftshader &
+          adb wait-for-device
+```
+
+**iOS Testing:**
+| Requirement | CI Runner | Notes |
+|-------------|-----------|-------|
+| macOS runner | macOS only | iOS simulator requires macOS |
+| Xcode 15+ | macOS only | Required for iOS development |
+| iOS Simulator | macOS only | Auto-available on macOS runners |
+
+```yaml
+# GitHub Actions example for MAUI iOS
+jobs:
+  maui-ios:
+    runs-on: macos-latest
+    steps:
+      - name: Select Xcode
+        run: sudo xcode-select -s /Applications/Xcode_15.4.app
+      - name: Boot iOS Simulator
+        run: |
+          xcrun simctl boot "iPhone 15 Pro"
+```
+
+**Cross-Platform MAUI CI Strategy:**
+```yaml
+jobs:
+  maui-unit-tests:
+    runs-on: ubuntu-latest  # No platform-specific dependencies
+
+  maui-android-e2e:
+    runs-on: ubuntu-latest  # Android emulator with KVM
+    if: github.event.schedule  # Nightly only (slow)
+
+  maui-ios-e2e:
+    runs-on: macos-latest  # iOS simulator required
+    if: github.event.schedule  # Nightly only (slow)
+```
+
+#### WPF UI Automation (Future - Feature 1.5.4)
+
+> **Status:** Not yet implemented. Requirements documented for planning purposes.
+
+**Requirements:**
+| Requirement | CI Runner | Notes |
+|-------------|-----------|-------|
+| Windows runner | Windows only | WPF is Windows-only |
+| Non-headless agent | Self-hosted or Windows UI | UI automation needs display |
+| .NET 10 Windows workload | Windows | `net10.0-windows` TFM |
+
+**CI Considerations:**
+- GitHub Actions `windows-latest` does NOT support UI automation by default
+- Options for WPF UI testing:
+  1. **Self-hosted Windows runner** with display access
+  2. **FlaUI + Microsoft UI Automation** (can work headless in some scenarios)
+  3. **Virtual display** using third-party tools (not officially supported)
+
+```yaml
+# Self-hosted Windows runner with UI access
+jobs:
+  wpf-ui-tests:
+    runs-on: [self-hosted, windows, ui-enabled]
+    steps:
+      - name: Run WPF UI Tests
+        run: dotnet test CoreIdent.Client.Wpf.Tests --filter "Category=UI"
+```
+
+**Alternative: Unit + Integration Tests Only**
+
+For WPF clients without UI automation:
+```yaml
+jobs:
+  wpf-headless-tests:
+    runs-on: windows-latest
+    steps:
+      - name: Run WPF Unit + Integration Tests
+        run: dotnet test CoreIdent.Client.Wpf.Tests --filter "Category!=UI"
+```
+
+### Cost and Time Considerations
+
+| Test Type | Typical Duration | CI Minutes | Recommendation |
+|-----------|------------------|------------|----------------|
+| Unit Tests | 10-30s | ~0.5 min | Every PR |
+| Integration Tests | 30-60s | ~1 min | Every PR |
+| Browser E2E (Playwright) | 1-5 min | ~3 min | Every PR |
+| Android Emulator E2E | 10-20 min | ~15 min | Nightly/Release |
+| iOS Simulator E2E | 10-20 min | ~15 min | Nightly/Release |
+| WPF UI E2E | 5-10 min | ~8 min | Nightly/Release |
+
+### Recommended CI Strategy
+
+```yaml
+# PR builds: Fast feedback
+on: pull_request
+jobs:
+  quick-tests:  # < 5 minutes
+    runs-on: ubuntu-latest
+    steps:
+      - run: dotnet test --filter "Category!=E2E&Category!=UI"
+
+# Main branch: Full E2E
+on:
+  push:
+    branches: [main]
+jobs:
+  browser-e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - run: dotnet playwright install --with-deps chromium
+      - run: dotnet test --filter "Category=E2E"
+
+# Nightly: Platform-specific UI tests
+on:
+  schedule:
+    - cron: '0 2 * * *'
+jobs:
+  android-e2e:
+    runs-on: ubuntu-latest
+    # ... Android emulator setup
+  ios-e2e:
+    runs-on: macos-latest
+    # ... iOS simulator setup
+  wpf-e2e:
+    runs-on: [self-hosted, windows, ui-enabled]
+    # ... WPF UI automation
+```
+
 ## Diagnostic Output
 
 On test failure, Playwright automatically captures:

docs/DEVPLAN.md

@@ -1515,23 +1515,23 @@ This document provides a detailed breakdown of tasks, components, test cases, an
 
 *   **Component:** OAuth/OIDC E2E coverage (CoreIdent + external providers)
     - [x] (L2) Authorization Code + PKCE flow works end-to-end against CoreIdent test host
-    - [ ] (L2) Token refresh behavior works end-to-end (refresh threshold + rotation scenarios)
-    - [ ] (L2) Logout works (revocation + end session when advertised)
-    - [ ] (L2) UserInfo behavior is correct (scope-gated claims, reserved claims filtering)
+    - [x] (L2) Token refresh behavior works end-to-end (refresh threshold + rotation scenarios)
+    - [x] (L2) Logout works (revocation + end session when advertised)
+    - [x] (L2) UserInfo behavior is correct (scope-gated claims, reserved claims filtering)
     - [x] (L3) External provider smoke lane (Keycloak or other containerized provider) for cross-provider parity
 
 *   **Component:** WebAuthn/Passkey E2E (future expansion)
     - [x] (L3) Implement passkey E2E tests using Playwright virtual authenticator (where supported)
 
 *   **CI strategy:**
-    - [ ] (L2) Run Tier 1 + Tier 2 on every PR
-    - [ ] (L1) Run Tier 3 browser smoke tests on a dedicated lane (nightly and/or required on main)
-    - [ ] (L1) Keep Tier 3 small and stable; favor headless integration tests for most coverage
+    - [x] (L2) Run Tier 1 + Tier 2 on every PR
+    - [x] (L1) Run Tier 3 browser smoke tests on a dedicated lane (nightly and/or required on main)
+    - [x] (L1) Keep Tier 3 small and stable; favor headless integration tests for most coverage
 
 *   **Quality gates:**
     - [x] (L2) Tests produce deterministic diagnostics (traces/logs) on failure
     - [x] (L2) Timeouts are explicit and bounded; tests fail fast and do not hang CI
-    - [ ] (L1) Document supported CI runners and what platforms are required for MAUI/WPF UI automation (optional)
+    - [x] (L1) Document supported CI runners and what platforms are required for MAUI/WPF UI automation (optional)
 
 ---