Open source testing tutorial: real signup, real OTP, no mocks

The ten best-ranked results for this phrase on Google are listicles. They name Selenium, Cypress, Playwright, Appium, JMeter, then stop. Not one of them walks a reader through a real signup flow end-to-end: create a throwaway inbox, submit the form, pull the OTP out of the email body, paste it into a split-input verification UI, and assert the user lands on the dashboard. That is the first wall a new tester hits, and it is exactly where the listicles hand waive. This tutorial ships the missing step. The Assrt codebase, which is open source, implements all of it in two files: a DisposableEmail class in assrt-mcp/src/core/email.ts and the OTP-aware paste logic wired into the agent at assrt-mcp/src/core/agent.ts line 235.

A seeded account skips the part the product actually has bugs in: the verification email itself. The email might never send, the link might be wrong, the OTP might have the wrong TTL, the signed token in the link might not verify, the multi-digit OTP field might only accept paste and not typed input. None of those failures surface if you log in as a pre-created user. A disposable inbox lets you run the real submission path against a real SMTP hop. In this tutorial the inbox is allocated from temp-mail.io via their internal v3 API (POST https://api.internal.temp-mail.io/api/v3/email/new with a 10-character name length), returning {email, token}. That happens inside DisposableEmail.create() at email.ts lines 43 through 56.

By trying seven regex patterns in priority order and returning the first match. The patterns live at email.ts lines 101 through 109, and the order matters because a body that contains `your verification code is 842155, reference ID 1234` would otherwise match the reference ID first. The list, in order: /(?:code|Code|CODE)[:\s]+(\d{4,8})/, /(?:verification|Verification)[:\s]+(\d{4,8})/, /(?:OTP|otp)[:\s]+(\d{4,8})/, /(?:pin|PIN|Pin)[:\s]+(\d{4,8})/, /\b(\d{6})\b/, /\b(\d{4})\b/, /\b(\d{8})\b/. The first four bind to a label, the last three are bare-digit fallbacks. If every pattern misses, the function returns an empty code plus the email body so you can see what actually arrived instead of a null that erases context.

One ClipboardEvent. The exact expression the system prompt tells the agent to dispatch is pinned at agent.ts line 235: const inp = document.querySelector('input[maxlength="1"]'); const c = inp.parentElement; const dt = new DataTransfer(); dt.setData('text/plain', 'CODE_HERE'); c.dispatchEvent(new ClipboardEvent('paste', {clipboardData: dt, bubbles: true, cancelable: true})). This matters because most OTP UIs register a paste handler on the input group container that splits the pasted value across every box. If you keystroke one digit at a time, React Hook Form or similar controllers intercept the key events and discard all but the focused field. The paste event is the only path the UI library expects, and every agent that does not know this will spend 30 minutes on a phantom focus bug.

60 seconds default timeout with a 3 second poll interval, set at email.ts lines 67 through 77 inside waitForEmail. Each poll calls GET /email/{address}/messages on the temp-mail.io API and returns the last message if the inbox is non-empty. The agent loop calls the higher-level waitForVerificationCode, which first waits for any email and then runs the seven-pattern regex scan. If you need shorter polling for a transactional email that arrives in under 2 seconds, pass intervalMs. If you need longer because your provider has a slow queue, bump timeoutMs. Neither changes behavior, just cadence.

The tool result for wait_for_verification_code is a string of the shape `Verification code received: 482155\nFrom: noreply@example.com\nSubject: Your verification code`. That string is appended to the conversation as a tool_result, so the next model turn sees it as prior context. The model then picks the next tool call, usually evaluate with the clipboard expression above, or type_text into the visible OTP input, and fills the code. There is no hardcoded control flow that links email receipt to form fill. The agent reasons about it each turn with the full transcript.

No. Assrt is open source (MIT, see assrt-mcp/LICENSE). The disposable inbox is a free public API. The browser runs via @playwright/mcp, also open source. The only paid dependency is the LLM, and it is bring-your-own: either an Anthropic API key or a Claude Code OAuth token in macOS Keychain (see assrt-mcp/src/core/keychain.ts). Every file the run produces is on your local disk at /tmp/assrt/. The scenario.md plan is yours to commit to your repo. Uninstalling assrt deletes one npm package; it does not lock up your tests in a proprietary dashboard you pay $7.5K/month to read.

You absolutely can. Every tool Assrt provides to the agent is a thin wrapper over Playwright MCP primitives. The reason this tutorial is not a Playwright-only tutorial is that writing the signup-plus-OTP flow in raw Playwright code is 60 to 120 lines of TypeScript per case, every line has a locator that rots when the UI changes, and the test code has to be updated by a human with knowledge of the current markup. The #Case format is 6 lines of English that describe intent, and the agent rediscovers the selectors at run time from an accessibility tree. When the Email field moves from aria-label to placeholder, Playwright code fails; the #Case keeps passing because the accessibility tree snapshot still finds an email-shaped input.

Yes. Omit the --headed flag. Playwright MCP launches Chromium headless and the recording still works. Add a workflow step that runs `npx @assrt-ai/assrt run --url $PREVIEW_URL --plan-file tests/signup.md --json` and uploads /tmp/assrt/<runId>/ as an artifact on failure. GitHub Actions, Vercel preview deploys, and Fly.io release pipelines all work. The only operational note: temp-mail.io is rate limited per source IP, so a CI runner that burns through 200 signup tests per hour may see throttling. For that scale, swap DisposableEmail for your own inbox service by replacing the fetch URL in email.ts.

The run directory under /tmp/assrt/<runId>/ keeps everything. events.json has every tool call with timestamps; you can see the exact second wait_for_verification_code returned, and whether the code field was null or populated. screenshots/ has a numbered PNG for each visual tool call: 04_step5_type_text.png will show the OTP field, and 05_step6_assert.png will show whatever the page looked like when the assertion ran. The WebM recording at video/recording.webm plays back the whole run at 1x (default) or 5x (press 5 in the player); a wrong paste is usually obvious at 5x. And because the DisposableEmail logs the email body into the tool result, you can see exactly what text the regex failed to match against.

Six lines. `#Case 1: New user can sign up and verify email` header, then numbered steps: `1. Call create_temp_email to get a throwaway address 2. Navigate to /signup 3. Type that email into the Email field 4. Click the Continue button 5. Call wait_for_verification_code and use evaluate with a ClipboardEvent paste to fill the code 6. Assert the text 'Welcome' appears on the page`. The agent reads each step as English, picks one of 18 named tools per step, and logs the result. The full tool list is in agent.ts between lines 18 and 186; the three email tools you need for this flow are create_temp_email, wait_for_verification_code, and check_email_inbox.

For most web applications, yes. The same format covers login, onboarding, profile updates, settings changes, subscription upgrades, and destructive flows like account deletion. For third-party integrations (Telegram bot, Slack webhook, GitHub PR check), the agent has http_request as tool 17, so a #Case can chain `submit form`, `poll the third-party API`, `assert the message arrived`. wait_for_stable (tool 18) handles async content that updates after the initial load: LLM chat responses, search suggestions, lazy-loaded dashboards. The one flow this shape does not handle well is pixel-perfect visual regression; for that you still want a dedicated screenshot-diff tool.