Fix dashboard static assets and add client e2e scripts

docs/GatewayTesting.md

@@ -74,6 +74,53 @@ The test output includes session id, worker process id, command status,
 HRESULT/status diagnostics, event sequence and handles, close status, and worker
 stdout/stderr lines emitted during the run.
 
+## Client E2E Scripts
+
+`scripts/discover-testmachine-tags.ps1` queries the ZB Galaxy Repository for the
+deployed runtime references used by the live client e2e scripts. It reads
+`TestMachine_001` through `TestMachine_020` and the expected attributes:
+
+- `ProtectedValue`
+- `TestChangingInt`
+- `TestBoolArray`
+- `TestIntArray`
+- `TestDateTimeArray`
+- `TestStringArray`
+
+The discovery output includes the exact `fullTagReference`, data type, array
+dimension, and security classification. The array attributes are expected to be
+dimension 50. `ProtectedValue` has security classification 2 and requires
+secured write semantics; the current client CLI e2e runner subscribes to it but
+does not attempt a normal `Write`.
+
+Run discovery directly when validating the Galaxy Repository inputs:
+
+```powershell
+powershell -ExecutionPolicy Bypass -File scripts/discover-testmachine-tags.ps1 -Json
+```
+
+`scripts/run-client-e2e-tests.ps1` drives the .NET, Go, Rust, Python, and Java
+client CLIs through a live gateway session. For each client it opens one
+session, registers, adds and advises every discovered test tag, reads a bounded
+event stream, then closes the session in a `finally` path. The script writes a
+JSON report under `artifacts/e2e/`.
+
+Build the gateway and worker, start the gateway, and provide a valid API key
+before running the client e2e script:
+
+```powershell
+$env:MXGATEWAY_API_KEY = "<api-key>"
+powershell -ExecutionPolicy Bypass -File scripts/run-client-e2e-tests.ps1
+```
+
+Useful runner options:
+
+```powershell
+powershell -ExecutionPolicy Bypass -File scripts/run-client-e2e-tests.ps1 -Clients dotnet,python -MachineStart 1 -MachineEnd 2
+powershell -ExecutionPolicy Bypass -File scripts/run-client-e2e-tests.ps1 -SkipStream
+powershell -ExecutionPolicy Bypass -File scripts/run-client-e2e-tests.ps1 -Endpoint localhost:5000 -ApiKeyEnv MXGATEWAY_API_KEY
+```
+
 ## Focused Commands
 
 Run the cross-language smoke matrix tests after changing the documented client

docs/design-decisions.md

@@ -296,7 +296,8 @@ Do not use MudBlazor or other Blazor UI component libraries for v1.
 
 Dashboard access should require API-key-backed dashboard authentication with
 `admin` scope when enabled. For local development, anonymous localhost access
-may exist only behind an explicit configuration option that defaults to false.
+is enabled by default through `Dashboard:AllowAnonymousLocalhost`; the bypass is
+limited to loopback requests.
 
 ## Later Revisit Items
 

docs/gateway-dashboard-design.md

@@ -275,8 +275,9 @@ The implementation path is:
 5. Dashboard pages require that cookie.
 6. Logout clears the cookie.
 
-For local development, allow an explicit `Dashboard:AllowAnonymousLocalhost`
-option. It must default to false.
+For local development, `Dashboard:AllowAnonymousLocalhost` defaults to `true`.
+The bypass applies only to loopback requests; remote dashboard requests still
+use the API-key-backed cookie flow.
 
 `DashboardAuthenticator` keeps API-key validation outside UI components. It
 formats the submitted key as a bearer authorization header for
@@ -296,7 +297,7 @@ Suggested configuration:
       "Enabled": true,
       "PathBase": "/dashboard",
       "RequireAdminScope": true,
-      "AllowAnonymousLocalhost": false,
+      "AllowAnonymousLocalhost": true,
       "SnapshotIntervalMilliseconds": 1000,
       "RecentFaultLimit": 100,
       "RecentSessionLimit": 200,

docs/gateway-process-design.md

@@ -682,7 +682,7 @@ SameSite, and scoped with the `__Host-MxGatewayDashboard` name. Logout clears
 that cookie. Login and logout posts use anti-forgery validation, and dashboard
 API keys are not accepted in query strings. `Dashboard:AllowAnonymousLocalhost`
 allows only loopback requests to bypass the dashboard cookie requirement and
-defaults to `false`.
+defaults to `true`.
 
 Recommended scopes:
 
@@ -861,7 +861,7 @@ Suggested configuration shape:
       "Enabled": true,
       "PathBase": "/dashboard",
       "RequireAdminScope": true,
-      "AllowAnonymousLocalhost": false,
+      "AllowAnonymousLocalhost": true,
       "SnapshotIntervalMilliseconds": 1000,
       "RecentFaultLimit": 100,
       "RecentSessionLimit": 200,