ci: run instanode-web e2e-prod payment/UI suite on every API build

.github/workflows/ci.yml

@@ -320,3 +320,62 @@ jobs:
           if [ "$http_code" != "204" ]; then
             echo "::warning::cross-repo dispatch returned $http_code (expected 204). Not failing the api PR yet."
           fi
+
+  # Cross-repo payment/UI integration gate. The api owns the cohort test-mode
+  # checkout routing + the Razorpay webhook tier-elevation — an api change that
+  # breaks them would not trigger instanode-web CI on its own, so the
+  # browser-level money-funnel regression could ship despite green api units.
+  #
+  # On every push to master (an API "build"/deploy) this fires a
+  # repository_dispatch that instanode-web's e2e-prod.yml listens for
+  # (`e2e-prod-from-deploy`): it installs Chromium and drives the full
+  # live-ui-payment flow (free cohort → UI Upgrade → Razorpay TEST checkout →
+  # card → assert Pro) against the just-deployed prod, plus the rest of the live
+  # suite. push-to-master only (NOT per-PR): the full leg mints a real TEST-mode
+  # subscription, so we run it on the deploy, not on every PR push.
+  #
+  # Auth: REPO_ACCESS_TOKEN must have `repo` scope on instanode-web (same secret
+  # as the auth-contract dispatch above). Missing → soft-skip so api CI stays
+  # green during rollout.
+  dispatch-e2e-prod:
+    name: Trigger instanode-web e2e-prod payment/UI suite (post-deploy)
+    runs-on: ubuntu-latest
+    needs: build-and-test
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    steps:
+      - name: Fire e2e-prod-from-deploy repository_dispatch on instanode-web
+        env:
+          DISPATCH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
+          SHA: ${{ github.sha }}
+          TRIGGER: ${{ github.event_name }}
+        run: |
+          set -euo pipefail
+          if [ -z "${DISPATCH_TOKEN:-}" ]; then
+            echo "::warning::REPO_ACCESS_TOKEN not set; skipping cross-repo e2e-prod dispatch. " \
+              "Provision the secret (with \`repo\` scope on instanode-web) to run the payment/UI suite on every API build."
+            exit 0
+          fi
+          # SHA is a 40-char hex from github.sha — repo-controlled. Validate shape.
+          case "$SHA" in
+            [0-9a-f]*) ;;
+            *) echo "::error::unexpected SHA shape: $SHA"; exit 1 ;;
+          esac
+          case "$TRIGGER" in
+            push) ;;
+            *) echo "::error::unexpected TRIGGER: $TRIGGER"; exit 1 ;;
+          esac
+          payload=$(printf '{"event_type":"e2e-prod-from-deploy","client_payload":{"api_sha":"%s","trigger":"%s","api_url":"https://api.instanode.dev","web_origin":"https://instanode.dev"}}' \
+            "$SHA" "$TRIGGER")
+          echo "Dispatching to InstaNode-dev/instanode-web: $payload"
+          http_code=$(curl -sS -o /tmp/dispatch_e2e.out -w '%{http_code}' \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${DISPATCH_TOKEN}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/InstaNode-dev/instanode-web/dispatches \
+            -d "$payload")
+          echo "dispatch response: HTTP $http_code"
+          cat /tmp/dispatch_e2e.out || true
+          if [ "$http_code" != "204" ]; then
+            echo "::warning::e2e-prod dispatch returned $http_code (expected 204). Not failing the api build yet."
+          fi