fix(test): P2-03 rate limit — share auth token across cross-system smoke tests

6 tests each called saasLogin() → 6 login requests in <60s → hit 5/min/IP
rate limit on the 6th test. Now login once per worker, reuse token for all
6 tests. Reduces login API calls from 6 to 1.

desktop/tests/e2e/specs/smoke_cross.spec.ts

@@ -21,7 +21,12 @@ const SaaS_BASE = 'http://localhost:8080/api/v1';
 const ADMIN_USER = 'admin';
 const ADMIN_PASS = 'admin123';
 
-async function saasLogin(page: Page): Promise<string> {
+// Shared token — login once per worker to avoid rate limiting (5 req/min/IP).
+// Workers are isolated processes, so this is safe for parallel execution.
+let _sharedToken: string | null = null;
+
+async function getSharedToken(page: Page): Promise<string> {
+  if (_sharedToken) return _sharedToken;
   const res = await page.request.post(`${SaaS_BASE}/auth/login`, {
     data: { username: ADMIN_USER, password: ADMIN_PASS },
   });
@@ -31,7 +36,13 @@ async function saasLogin(page: Page): Promise<string> {
   }
   expect(res.ok()).toBeTruthy();
   const json = await res.json();
-  return json.token;
+  _sharedToken = json.token;
+  return _sharedToken;
+}
+
+// Keep saasLogin as alias for individual test clarity
+async function saasLogin(page: Page): Promise<string> {
+  return getSharedToken(page);
 }
 
 async function waitForDesktopReady(page: Page) {