@nextsparkjs/theme-default 0.1.0-beta.100 → 0.1.0-beta.101

package/config/app.config.ts

@@ -34,6 +34,27 @@ export const APP_CONFIG_OVERRIDES = {
     },
   },
 
+  // =============================================================================
+  // AUTHENTICATION CONFIGURATION
+  // =============================================================================
+  /**
+   * Registration modes:
+   * - 'open': Anyone can register (email+password and Google OAuth) - DEFAULT
+   * - 'domain-restricted': Only Google OAuth for specific email domains
+   * - 'invitation-only': Registration only via invitation link
+   */
+  auth: {
+    registration: {
+      mode: 'domain-restricted' as const,
+      allowedDomains: ['nextspark.dev'],
+    },
+    providers: {
+      google: {
+        enabled: true,
+      },
+    },
+  },
+
   // =============================================================================
   // INTERNATIONALIZATION OVERRIDES
   // =============================================================================

package/migrations/090_demo_users_teams.sql

@@ -168,7 +168,7 @@ INSERT INTO "teams" (
     'carlos-mendoza-team',
     'Default workspace',
     'usr-carlos-001',
-    '{}'::jsonb,
+    '{"isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -178,7 +178,7 @@ INSERT INTO "teams" (
     'james-wilson-team',
     'Default workspace',
     'usr-james-002',
-    '{}'::jsonb,
+    '{"isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -188,7 +188,7 @@ INSERT INTO "teams" (
     'diego-ramirez-team',
     'Default workspace',
     'usr-diego-003',
-    '{}'::jsonb,
+    '{"isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -198,7 +198,7 @@ INSERT INTO "teams" (
     'michael-brown-team',
     'Default workspace',
     'usr-michael-004',
-    '{}'::jsonb,
+    '{"isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -208,7 +208,7 @@ INSERT INTO "teams" (
     'ana-garcia-team',
     'Default workspace',
     'usr-ana-005',
-    '{}'::jsonb,
+    '{"isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -218,7 +218,7 @@ INSERT INTO "teams" (
     'emily-johnson-team',
     'Default workspace',
     'usr-emily-006',
-    '{}'::jsonb,
+    '{"isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -228,7 +228,7 @@ INSERT INTO "teams" (
     'sofia-lopez-team',
     'Default workspace',
     'usr-sofia-007',
-    '{}'::jsonb,
+    '{"isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -238,7 +238,7 @@ INSERT INTO "teams" (
     'sarah-davis-team',
     'Default workspace',
     'usr-sarah-008',
-    '{}'::jsonb,
+    '{"isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -252,7 +252,7 @@ INSERT INTO "teams" (
     'everpoint-labs',
     'Technology Company - Software development and innovation',
     'usr-carlos-001',
-    '{"segment": "startup", "industry": "technology"}'::jsonb,
+    '{"segment": "startup", "industry": "technology", "isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -262,7 +262,7 @@ INSERT INTO "teams" (
     'ironvale-global',
     'Consulting Firm - Business strategy and management consulting',
     'usr-ana-005',
-    '{"segment": "enterprise", "industry": "consulting"}'::jsonb,
+    '{"segment": "enterprise", "industry": "consulting", "isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   ),
@@ -272,7 +272,7 @@ INSERT INTO "teams" (
     'riverstone-ventures',
     'Investment Fund - Early-stage startup investments',
     'usr-sofia-007',
-    '{"segment": "startup", "industry": "finance"}'::jsonb,
+    '{"segment": "startup", "industry": "finance", "isSeedData": true}'::jsonb,
     NOW(),
     NOW()
   )

package/migrations/091_greek_teams_billing.sql

@@ -154,22 +154,22 @@ INSERT INTO "teams" (
   "createdAt",
   "updatedAt"
 ) VALUES
-  ('team-alpha-001', 'Alpha Tech', 'alpha-tech', 'Software startup - Building innovative solutions', 'usr-alpha-01', '{"segment": "startup", "industry": "software", "employeeCount": 15}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
-  ('team-beta-002', 'Beta Solutions', 'beta-solutions', 'Digital agency - Creative marketing and design', 'usr-beta-01', '{"segment": "smb", "industry": "marketing", "employeeCount": 25}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
-  ('team-gamma-003', 'Gamma Industries', 'gamma-industries', 'Manufacturing - Industrial equipment and supplies', 'usr-gamma-01', '{"segment": "enterprise", "industry": "manufacturing", "employeeCount": 150}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
-  ('team-delta-004', 'Delta Dynamics', 'delta-dynamics', 'Engineering - Precision engineering services', 'usr-delta-01', '{"segment": "smb", "industry": "engineering", "employeeCount": 40}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
-  ('team-epsilon-005', 'Epsilon Media', 'epsilon-media', 'Media company - Content creation and distribution', 'usr-epsilon-01', '{"segment": "smb", "industry": "media", "employeeCount": 35}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
-  ('team-zeta-006', 'Zeta Finance', 'zeta-finance', 'Fintech - Financial technology solutions', 'usr-zeta-01', '{"segment": "startup", "industry": "fintech", "employeeCount": 20}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
-  ('team-eta-007', 'Eta Healthcare', 'eta-healthcare', 'Healthcare - Medical technology and services', 'usr-eta-01', '{"segment": "enterprise", "industry": "healthcare", "employeeCount": 200}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
-  ('team-theta-008', 'Theta Enterprises', 'theta-enterprises', 'Large corporation - Enterprise solutions', 'usr-theta-01', '{"segment": "enterprise", "industry": "consulting", "employeeCount": 500}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
-  ('team-iota-009', 'Iota Consulting', 'iota-consulting', 'Consulting - Business strategy and operations', 'usr-iota-01', '{"segment": "smb", "industry": "consulting", "employeeCount": 30, "churned": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
-  ('team-kappa-010', 'Kappa Labs', 'kappa-labs', 'Research lab - R&D and innovation', 'usr-kappa-01', '{"segment": "startup", "industry": "research", "employeeCount": 12, "churned": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-alpha-001', 'Alpha Tech', 'alpha-tech', 'Software startup - Building innovative solutions', 'usr-alpha-01', '{"segment": "startup", "industry": "software", "employeeCount": 15, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-beta-002', 'Beta Solutions', 'beta-solutions', 'Digital agency - Creative marketing and design', 'usr-beta-01', '{"segment": "smb", "industry": "marketing", "employeeCount": 25, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-gamma-003', 'Gamma Industries', 'gamma-industries', 'Manufacturing - Industrial equipment and supplies', 'usr-gamma-01', '{"segment": "enterprise", "industry": "manufacturing", "employeeCount": 150, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-delta-004', 'Delta Dynamics', 'delta-dynamics', 'Engineering - Precision engineering services', 'usr-delta-01', '{"segment": "smb", "industry": "engineering", "employeeCount": 40, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-epsilon-005', 'Epsilon Media', 'epsilon-media', 'Media company - Content creation and distribution', 'usr-epsilon-01', '{"segment": "smb", "industry": "media", "employeeCount": 35, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-zeta-006', 'Zeta Finance', 'zeta-finance', 'Fintech - Financial technology solutions', 'usr-zeta-01', '{"segment": "startup", "industry": "fintech", "employeeCount": 20, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-eta-007', 'Eta Healthcare', 'eta-healthcare', 'Healthcare - Medical technology and services', 'usr-eta-01', '{"segment": "enterprise", "industry": "healthcare", "employeeCount": 200, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-theta-008', 'Theta Enterprises', 'theta-enterprises', 'Large corporation - Enterprise solutions', 'usr-theta-01', '{"segment": "enterprise", "industry": "consulting", "employeeCount": 500, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-iota-009', 'Iota Consulting', 'iota-consulting', 'Consulting - Business strategy and operations', 'usr-iota-01', '{"segment": "smb", "industry": "consulting", "employeeCount": 30, "churned": true, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
+  ('team-kappa-010', 'Kappa Labs', 'kappa-labs', 'Research lab - R&D and innovation', 'usr-kappa-01', '{"segment": "startup", "industry": "research", "employeeCount": 12, "churned": true, "isSeedData": true}'::jsonb, NOW() - INTERVAL '180 days', NOW()),
   -- Annual Subscription Teams (Teams 11-15)
-  ('team-lambda-011', 'Lambda Corp', 'lambda-corp', 'Enterprise - Global technology corporation', 'usr-lambda-01', '{"segment": "enterprise", "industry": "technology", "employeeCount": 500, "billingCycle": "annual"}'::jsonb, NOW() - INTERVAL '365 days', NOW()),
-  ('team-mu-012', 'Mu Industries', 'mu-industries', 'Manufacturing - Heavy industry and automation', 'usr-mu-01', '{"segment": "enterprise", "industry": "manufacturing", "employeeCount": 450, "billingCycle": "annual"}'::jsonb, NOW() - INTERVAL '365 days', NOW()),
-  ('team-nu-013', 'Nu Dynamics', 'nu-dynamics', 'Technology - Advanced systems and AI', 'usr-nu-01', '{"segment": "enterprise", "industry": "technology", "employeeCount": 300, "billingCycle": "annual"}'::jsonb, NOW() - INTERVAL '365 days', NOW()),
-  ('team-xi-014', 'Xi Solutions', 'xi-solutions', 'Consulting - Strategic advisory services', 'usr-xi-01', '{"segment": "smb", "industry": "consulting", "employeeCount": 50, "billingCycle": "annual"}'::jsonb, NOW() - INTERVAL '365 days', NOW()),
-  ('team-omicron-015', 'Omicron Labs', 'omicron-labs', 'Research - Scientific research and development', 'usr-omicron-01', '{"segment": "startup", "industry": "research", "employeeCount": 25, "billingCycle": "annual"}'::jsonb, NOW() - INTERVAL '365 days', NOW())
+  ('team-lambda-011', 'Lambda Corp', 'lambda-corp', 'Enterprise - Global technology corporation', 'usr-lambda-01', '{"segment": "enterprise", "industry": "technology", "employeeCount": 500, "billingCycle": "annual", "isSeedData": true}'::jsonb, NOW() - INTERVAL '365 days', NOW()),
+  ('team-mu-012', 'Mu Industries', 'mu-industries', 'Manufacturing - Heavy industry and automation', 'usr-mu-01', '{"segment": "enterprise", "industry": "manufacturing", "employeeCount": 450, "billingCycle": "annual", "isSeedData": true}'::jsonb, NOW() - INTERVAL '365 days', NOW()),
+  ('team-nu-013', 'Nu Dynamics', 'nu-dynamics', 'Technology - Advanced systems and AI', 'usr-nu-01', '{"segment": "enterprise", "industry": "technology", "employeeCount": 300, "billingCycle": "annual", "isSeedData": true}'::jsonb, NOW() - INTERVAL '365 days', NOW()),
+  ('team-xi-014', 'Xi Solutions', 'xi-solutions', 'Consulting - Strategic advisory services', 'usr-xi-01', '{"segment": "smb", "industry": "consulting", "employeeCount": 50, "billingCycle": "annual", "isSeedData": true}'::jsonb, NOW() - INTERVAL '365 days', NOW()),
+  ('team-omicron-015', 'Omicron Labs', 'omicron-labs', 'Research - Scientific research and development', 'usr-omicron-01', '{"segment": "startup", "industry": "research", "employeeCount": 25, "billingCycle": "annual", "isSeedData": true}'::jsonb, NOW() - INTERVAL '365 days', NOW())
 ON CONFLICT (id) DO NOTHING;
 
 -- NEW TEAM MEMBERSHIPS (50 total - 5 per team)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nextsparkjs/theme-default",
-  "version": "0.1.0-beta.100",
+  "version": "0.1.0-beta.101",
   "private": false,
   "type": "module",
   "main": "./config/theme.config.ts",

package/tests/cypress/e2e/uat/_core/auth/registration-control-invitation.cy.ts

@@ -0,0 +1,176 @@
+/// <reference types="cypress" />
+
+import * as allure from 'allure-cypress'
+
+import { DEFAULT_THEME_USERS } from '../../../../src/session-helpers'
+
+/**
+ * Registration Control Tests - Invitation-Only Mode
+ *
+ * Verifies registration mode enforcement when mode is 'invitation-only'.
+ * Tests: signup redirect, login page visibility, API blocking, existing user login.
+ *
+ * These tests detect the current registration mode and skip if not 'invitation-only'.
+ * Detection: invitation-only mode redirects /signup AND shows email login on /login
+ * (unlike domain-restricted which hides email login).
+ */
+describe('Registration Control - Invitation-Only Mode', {
+  tags: ['@uat', '@feat-auth', '@security', '@regression']
+}, () => {
+  const TEST_PASSWORD = Cypress.env('TEST_PASSWORD') || 'Test1234'
+
+  before(() => {
+    // Detect invitation-only mode:
+    // 1. /signup redirects (shared with domain-restricted)
+    // 2. /login shows email form (NOT shared with domain-restricted, which hides it)
+    cy.request({
+      url: '/signup',
+      followRedirect: false,
+      failOnStatusCode: false,
+    }).then((signupResponse) => {
+      if (signupResponse.status < 300 || signupResponse.status >= 400) {
+        // /signup is accessible — this is 'open' mode, skip
+        Cypress.runner.stop()
+        return
+      }
+
+      // /signup redirects — could be domain-restricted or invitation-only
+      // Check login page for email form to distinguish
+      cy.visit('/login')
+      cy.get('body').then(($body) => {
+        // In domain-restricted mode, email login is hidden (no showEmail toggle, no form)
+        // In invitation-only mode, email login IS shown
+        const hasEmailForm = $body.find('[data-cy="auth.login.form"]').length > 0
+        const hasShowEmail = $body.find('[data-cy="auth.login.showEmail"]').length > 0
+
+        if (!hasEmailForm && !hasShowEmail) {
+          // No email login at all — this is domain-restricted, not invitation-only
+          Cypress.runner.stop()
+        }
+      })
+    })
+  })
+
+  beforeEach(() => {
+    allure.epic('UAT')
+    allure.feature('Registration Control')
+    cy.clearCookies()
+    cy.clearLocalStorage()
+  })
+
+  describe('REG_INV_001: Signup page redirects in invitation-only mode', () => {
+    it('should redirect /signup to /login', () => {
+      allure.story('Signup Redirect')
+      allure.severity('critical')
+
+      cy.log('1. Visit /signup')
+      cy.visit('/signup', { failOnStatusCode: false })
+
+      cy.log('2. Should redirect to /login')
+      cy.url().should('include', '/login')
+    })
+  })
+
+  describe('REG_INV_002: Login page shows email login but no signup link', () => {
+    it('should show email login and hide signup link', () => {
+      allure.story('Login Page Visibility')
+      allure.severity('critical')
+
+      cy.log('1. Visit /login')
+      cy.visit('/login')
+
+      cy.log('2. Email login should be available')
+      cy.get('body').then(($body) => {
+        if ($body.find('[data-cy="auth.login.showEmail"]').length) {
+          cy.get('[data-cy="auth.login.showEmail"]').click()
+        }
+      })
+      cy.get('[data-cy="auth.login.form"]').should('exist')
+
+      cy.log('3. Signup link should NOT exist')
+      cy.get('[data-cy="auth.login.signupLink"]').should('not.exist')
+    })
+  })
+
+  describe('REG_INV_003: API blocks email signup in invitation-only mode', () => {
+    it('should return 403 for email signup attempt', () => {
+      allure.story('API Signup Blocking')
+      allure.severity('critical')
+
+      cy.log('1. POST /api/auth/sign-up/email with new user data')
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-up/email',
+        body: {
+          name: 'Test Uninvited User',
+          email: 'uninvited@some-domain.com',
+          password: 'TestPassword123',
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        // Should be blocked — 403 or 500 (from SIGNUP_RESTRICTED error)
+        expect(response.status).to.be.oneOf([403, 500])
+      })
+    })
+  })
+
+  describe('REG_INV_004: API blocks alternative signup endpoints', () => {
+    it('should block signup via alternative endpoints', () => {
+      allure.story('API Signup Blocking')
+      allure.severity('normal')
+
+      const signupPayload = {
+        name: 'Test Uninvited User',
+        email: 'uninvited@some-domain.com',
+        password: 'TestPassword123',
+      }
+
+      const endpoints = [
+        '/api/auth/sign-up/email',
+        '/api/auth/sign-up/credentials',
+      ]
+
+      endpoints.forEach((endpoint) => {
+        cy.log(`Testing: POST ${endpoint}`)
+        cy.request({
+          method: 'POST',
+          url: endpoint,
+          body: signupPayload,
+          failOnStatusCode: false,
+        }).then((response) => {
+          cy.log(`${endpoint} → ${response.status}`)
+          // Should be blocked (403/500 for blocked signup, 404 for non-existent)
+          expect(response.status).to.be.oneOf([403, 404, 422, 500])
+        })
+      })
+    })
+  })
+
+  describe('REG_INV_005: Existing user can still login with email+password', () => {
+    it('should allow existing user to sign in via API', () => {
+      allure.story('Existing User Login')
+      allure.severity('critical')
+
+      const existingUser = DEFAULT_THEME_USERS.OWNER
+
+      cy.log(`1. POST /api/auth/sign-in/email with existing user: ${existingUser}`)
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-in/email',
+        body: {
+          email: existingUser,
+          password: TEST_PASSWORD,
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        expect(response.status).to.eq(200)
+      })
+    })
+  })
+
+  after(() => {
+    cy.log('Registration control (invitation-only mode) tests completed')
+  })
+})

package/tests/cypress/e2e/uat/_core/auth/registration-control-open.cy.ts

@@ -0,0 +1,131 @@
+/// <reference types="cypress" />
+
+import * as allure from 'allure-cypress'
+
+/**
+ * Registration Control Tests - Open Mode
+ *
+ * Verifies registration mode enforcement when mode is 'open'.
+ * Tests: signup accessibility, login page elements, API signup allowed.
+ *
+ * These tests detect the current registration mode and skip if not 'open'.
+ */
+describe('Registration Control - Open Mode', {
+  tags: ['@uat', '@feat-auth', '@security', '@regression']
+}, () => {
+  const TEST_PASSWORD = Cypress.env('TEST_PASSWORD') || 'Test1234'
+
+  before(() => {
+    // Detect registration mode by checking if /signup is accessible (not redirected)
+    cy.request({
+      url: '/signup',
+      followRedirect: false,
+      failOnStatusCode: false,
+    }).then((response) => {
+      // In open mode, /signup returns 200 (not a redirect)
+      // In domain-restricted or invitation-only (with existing team), it redirects (307/308)
+      if (response.status >= 300 && response.status < 400) {
+        // Not open mode — skip all tests in this suite
+        Cypress.runner.stop()
+      }
+      // Additionally verify that the login page shows a signup link (confirms open mode)
+    })
+  })
+
+  beforeEach(() => {
+    allure.epic('UAT')
+    allure.feature('Registration Control')
+    cy.clearCookies()
+    cy.clearLocalStorage()
+  })
+
+  describe('REG_OPEN_001: Signup page is accessible in open mode', () => {
+    it('should show the signup form without redirecting', () => {
+      allure.story('Signup Accessibility')
+      allure.severity('critical')
+
+      cy.log('1. Visit /signup')
+      cy.visit('/signup')
+
+      cy.log('2. Should stay on /signup (no redirect)')
+      cy.url().should('include', '/signup')
+
+      cy.log('3. Signup form should be visible')
+      cy.get('form').should('exist')
+    })
+  })
+
+  describe('REG_OPEN_002: Login page shows email login and signup link', () => {
+    it('should show email login form and signup link', () => {
+      allure.story('Login Page Visibility')
+      allure.severity('critical')
+
+      cy.log('1. Visit /login')
+      cy.visit('/login')
+
+      cy.log('2. Email login should be available')
+      // Either the form is visible directly, or a "show email" toggle exists
+      cy.get('body').then(($body) => {
+        if ($body.find('[data-cy="auth.login.showEmail"]').length) {
+          cy.get('[data-cy="auth.login.showEmail"]').click()
+        }
+      })
+      cy.get('[data-cy="auth.login.form"]').should('exist')
+
+      cy.log('3. Signup link should be visible')
+      cy.get('[data-cy="auth.login.signupLink"]').should('be.visible')
+    })
+  })
+
+  describe('REG_OPEN_003: API allows email signup in open mode', () => {
+    it('should allow new user registration via email', () => {
+      allure.story('API Signup Allowed')
+      allure.severity('critical')
+
+      const uniqueEmail = `test-open-${Date.now()}@test-cypress.dev`
+
+      cy.log(`1. POST /api/auth/sign-up/email with new user: ${uniqueEmail}`)
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-up/email',
+        body: {
+          name: 'Test Open Mode User',
+          email: uniqueEmail,
+          password: TEST_PASSWORD,
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        // Open mode should allow signup (200) or require email verification (200 with token)
+        // Should NOT be 403 (blocked)
+        expect(response.status).to.not.eq(403)
+        expect(response.status).to.be.oneOf([200, 201])
+      })
+    })
+  })
+
+  describe('REG_OPEN_004: Existing user can login with email+password', () => {
+    it('should allow existing user to sign in via API', () => {
+      allure.story('Existing User Login')
+      allure.severity('critical')
+
+      cy.log('1. POST /api/auth/sign-in/email with existing user')
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-in/email',
+        body: {
+          email: Cypress.env('OWNER_EMAIL') || 'carlos.mendoza@nextspark.dev',
+          password: TEST_PASSWORD,
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        expect(response.status).to.eq(200)
+      })
+    })
+  })
+
+  after(() => {
+    cy.log('Registration control (open mode) tests completed')
+  })
+})

package/tests/cypress/e2e/uat/_core/auth/registration-control.cy.ts

@@ -0,0 +1,140 @@
+/// <reference types="cypress" />
+
+import * as allure from 'allure-cypress'
+
+import { DEFAULT_THEME_USERS } from '../../../../src/session-helpers'
+
+/**
+ * Registration Control Tests
+ *
+ * Verifies registration mode enforcement in domain-restricted mode (default theme).
+ * Tests: signup redirect, login page visibility, API blocking, existing user login.
+ */
+describe('Registration Control - Domain Restricted Mode', {
+  tags: ['@uat', '@feat-auth', '@security', '@regression']
+}, () => {
+  const TEST_PASSWORD = Cypress.env('TEST_PASSWORD') || 'Test1234'
+
+  beforeEach(() => {
+    allure.epic('UAT')
+    allure.feature('Registration Control')
+    cy.clearCookies()
+    cy.clearLocalStorage()
+  })
+
+  describe('REG_001: Signup page redirects in domain-restricted mode', () => {
+    it('should redirect /signup to /login', () => {
+      allure.story('Signup Redirect')
+      allure.severity('critical')
+
+      cy.log('1. Visit /signup')
+      cy.visit('/signup', { failOnStatusCode: false })
+
+      cy.log('2. Should redirect to /login')
+      cy.url().should('include', '/login')
+    })
+  })
+
+  describe('REG_002: Login page hides email login in domain-restricted mode', () => {
+    it('should show Google button but hide email login options', () => {
+      allure.story('Login Page Visibility')
+      allure.severity('critical')
+
+      cy.log('1. Visit /login')
+      cy.visit('/login')
+
+      cy.log('2. Google sign-in button should be visible')
+      cy.get('[data-cy="auth.login.googleSignin"]').should('be.visible')
+
+      cy.log('3. "Show email" link should NOT exist')
+      cy.get('[data-cy="auth.login.showEmail"]').should('not.exist')
+
+      cy.log('4. Email form should NOT exist')
+      cy.get('[data-cy="auth.login.form"]').should('not.exist')
+
+      cy.log('5. Signup link should NOT exist')
+      cy.get('[data-cy="auth.login.signupLink"]').should('not.exist')
+    })
+  })
+
+  describe('REG_003: API blocks email signup in domain-restricted mode', () => {
+    it('should return 403 for email signup attempt', () => {
+      allure.story('API Signup Blocking')
+      allure.severity('critical')
+
+      cy.log('1. POST /api/auth/sign-up/email with new user data')
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-up/email',
+        body: {
+          name: 'Test New User',
+          email: 'newuser@unauthorized-domain.com',
+          password: 'TestPassword123',
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        expect(response.status).to.eq(403)
+      })
+    })
+  })
+
+  describe('REG_004: API blocks alternative signup endpoints', () => {
+    it('should block signup via alternative endpoints', () => {
+      allure.story('API Signup Blocking')
+      allure.severity('normal')
+
+      const signupPayload = {
+        name: 'Test New User',
+        email: 'newuser@unauthorized-domain.com',
+        password: 'TestPassword123',
+      }
+
+      const endpoints = [
+        '/api/auth/sign-up/email',
+        '/api/auth/sign-up/credentials',
+      ]
+
+      endpoints.forEach((endpoint) => {
+        cy.log(`Testing: POST ${endpoint}`)
+        cy.request({
+          method: 'POST',
+          url: endpoint,
+          body: signupPayload,
+          failOnStatusCode: false,
+        }).then((response) => {
+          cy.log(`${endpoint} → ${response.status}`)
+          // Should be blocked (403 or 404 for non-existent endpoints)
+          expect(response.status).to.be.oneOf([403, 404, 422])
+        })
+      })
+    })
+  })
+
+  describe('REG_005: Existing user can still login with email+password', () => {
+    it('should allow existing user to sign in via API', () => {
+      allure.story('Existing User Login')
+      allure.severity('critical')
+
+      const existingUser = DEFAULT_THEME_USERS.OWNER
+
+      cy.log(`1. POST /api/auth/sign-in/email with existing user: ${existingUser}`)
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-in/email',
+        body: {
+          email: existingUser,
+          password: TEST_PASSWORD,
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        expect(response.status).to.eq(200)
+      })
+    })
+  })
+
+  after(() => {
+    cy.log('Registration control tests completed')
+  })
+})