npm - @rebasepro/server-core - Versions diffs - 0.0.1-canary.000dc36 - Mend

@rebasepro/server-core 0.0.1-canary.000dc36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (305) hide show

package/LICENSE +6 -0
package/README.md +40 -0
package/build-errors.txt +52 -0
package/coverage/clover.xml +3739 -0
package/coverage/coverage-final.json +31 -0
package/coverage/lcov-report/base.css +224 -0
package/coverage/lcov-report/block-navigation.js +87 -0
package/coverage/lcov-report/favicon.png +0 -0
package/coverage/lcov-report/index.html +266 -0
package/coverage/lcov-report/prettify.css +1 -0
package/coverage/lcov-report/prettify.js +2 -0
package/coverage/lcov-report/sort-arrow-sprite.png +0 -0
package/coverage/lcov-report/sorter.js +210 -0
package/coverage/lcov-report/src/api/ast-schema-editor.ts.html +952 -0
package/coverage/lcov-report/src/api/errors.ts.html +472 -0
package/coverage/lcov-report/src/api/graphql/graphql-schema-generator.ts.html +1069 -0
package/coverage/lcov-report/src/api/graphql/index.html +116 -0
package/coverage/lcov-report/src/api/index.html +176 -0
package/coverage/lcov-report/src/api/openapi-generator.ts.html +565 -0
package/coverage/lcov-report/src/api/rest/api-generator.ts.html +994 -0
package/coverage/lcov-report/src/api/rest/index.html +131 -0
package/coverage/lcov-report/src/api/rest/query-parser.ts.html +550 -0
package/coverage/lcov-report/src/api/schema-editor-routes.ts.html +202 -0
package/coverage/lcov-report/src/api/server.ts.html +823 -0
package/coverage/lcov-report/src/auth/admin-routes.ts.html +973 -0
package/coverage/lcov-report/src/auth/index.html +176 -0
package/coverage/lcov-report/src/auth/jwt.ts.html +574 -0
package/coverage/lcov-report/src/auth/middleware.ts.html +745 -0
package/coverage/lcov-report/src/auth/password.ts.html +310 -0
package/coverage/lcov-report/src/auth/services.ts.html +2074 -0
package/coverage/lcov-report/src/collections/index.html +116 -0
package/coverage/lcov-report/src/collections/loader.ts.html +232 -0
package/coverage/lcov-report/src/db/auth-schema.ts.html +523 -0
package/coverage/lcov-report/src/db/data-transformer.ts.html +1753 -0
package/coverage/lcov-report/src/db/entityService.ts.html +700 -0
package/coverage/lcov-report/src/db/index.html +146 -0
package/coverage/lcov-report/src/db/services/EntityFetchService.ts.html +4048 -0
package/coverage/lcov-report/src/db/services/EntityPersistService.ts.html +883 -0
package/coverage/lcov-report/src/db/services/RelationService.ts.html +3121 -0
package/coverage/lcov-report/src/db/services/entity-helpers.ts.html +442 -0
package/coverage/lcov-report/src/db/services/index.html +176 -0
package/coverage/lcov-report/src/db/services/index.ts.html +124 -0
package/coverage/lcov-report/src/generate-drizzle-schema-logic.ts.html +1960 -0
package/coverage/lcov-report/src/index.html +116 -0
package/coverage/lcov-report/src/services/driver-registry.ts.html +631 -0
package/coverage/lcov-report/src/services/index.html +131 -0
package/coverage/lcov-report/src/services/postgresDataDriver.ts.html +3025 -0
package/coverage/lcov-report/src/storage/LocalStorageController.ts.html +1189 -0
package/coverage/lcov-report/src/storage/S3StorageController.ts.html +970 -0
package/coverage/lcov-report/src/storage/index.html +161 -0
package/coverage/lcov-report/src/storage/storage-registry.ts.html +646 -0
package/coverage/lcov-report/src/storage/types.ts.html +451 -0
package/coverage/lcov-report/src/utils/drizzle-conditions.ts.html +3082 -0
package/coverage/lcov-report/src/utils/index.html +116 -0
package/coverage/lcov.info +7179 -0
package/dist/common/src/collections/CollectionRegistry.d.ts +56 -0
package/dist/common/src/collections/index.d.ts +1 -0
package/dist/common/src/data/buildRebaseData.d.ts +14 -0
package/dist/common/src/index.d.ts +3 -0
package/dist/common/src/util/builders.d.ts +57 -0
package/dist/common/src/util/callbacks.d.ts +6 -0
package/dist/common/src/util/collections.d.ts +11 -0
package/dist/common/src/util/common.d.ts +2 -0
package/dist/common/src/util/conditions.d.ts +26 -0
package/dist/common/src/util/entities.d.ts +58 -0
package/dist/common/src/util/enums.d.ts +3 -0
package/dist/common/src/util/index.d.ts +16 -0
package/dist/common/src/util/navigation_from_path.d.ts +34 -0
package/dist/common/src/util/navigation_utils.d.ts +20 -0
package/dist/common/src/util/parent_references_from_path.d.ts +6 -0
package/dist/common/src/util/paths.d.ts +14 -0
package/dist/common/src/util/permissions.d.ts +5 -0
package/dist/common/src/util/references.d.ts +2 -0
package/dist/common/src/util/relations.d.ts +22 -0
package/dist/common/src/util/resolutions.d.ts +72 -0
package/dist/common/src/util/storage.d.ts +24 -0
package/dist/index-DXVBFp5V.js +37 -0
package/dist/index-DXVBFp5V.js.map +1 -0
package/dist/index.es.js +49249 -0
package/dist/index.es.js.map +1 -0
package/dist/index.umd.js +49283 -0
package/dist/index.umd.js.map +1 -0
package/dist/server-core/src/api/ast-schema-editor.d.ts +21 -0
package/dist/server-core/src/api/collections_for_test/callbacks_test_collection.d.ts +2 -0
package/dist/server-core/src/api/errors.d.ts +35 -0
package/dist/server-core/src/api/graphql/graphql-schema-generator.d.ts +35 -0
package/dist/server-core/src/api/graphql/index.d.ts +1 -0
package/dist/server-core/src/api/index.d.ts +9 -0
package/dist/server-core/src/api/openapi-generator.d.ts +16 -0
package/dist/server-core/src/api/rest/api-generator.d.ts +76 -0
package/dist/server-core/src/api/rest/index.d.ts +1 -0
package/dist/server-core/src/api/rest/query-parser.d.ts +9 -0
package/dist/server-core/src/api/schema-editor-routes.d.ts +3 -0
package/dist/server-core/src/api/server.d.ts +40 -0
package/dist/server-core/src/api/types.d.ts +90 -0
package/dist/server-core/src/auth/admin-routes.d.ts +21 -0
package/dist/server-core/src/auth/apple-oauth.d.ts +30 -0
package/dist/server-core/src/auth/bitbucket-oauth.d.ts +11 -0
package/dist/server-core/src/auth/discord-oauth.d.ts +14 -0
package/dist/server-core/src/auth/facebook-oauth.d.ts +14 -0
package/dist/server-core/src/auth/github-oauth.d.ts +15 -0
package/dist/server-core/src/auth/gitlab-oauth.d.ts +13 -0
package/dist/server-core/src/auth/google-oauth.d.ts +14 -0
package/dist/server-core/src/auth/index.d.ts +23 -0
package/dist/server-core/src/auth/interfaces.d.ts +309 -0
package/dist/server-core/src/auth/jwt.d.ts +43 -0
package/dist/server-core/src/auth/linkedin-oauth.d.ts +18 -0
package/dist/server-core/src/auth/microsoft-oauth.d.ts +16 -0
package/dist/server-core/src/auth/middleware.d.ts +81 -0
package/dist/server-core/src/auth/password.d.ts +22 -0
package/dist/server-core/src/auth/rate-limiter.d.ts +31 -0
package/dist/server-core/src/auth/routes.d.ts +27 -0
package/dist/server-core/src/auth/slack-oauth.d.ts +12 -0
package/dist/server-core/src/auth/spotify-oauth.d.ts +12 -0
package/dist/server-core/src/auth/twitter-oauth.d.ts +18 -0
package/dist/server-core/src/bootstrappers/index.d.ts +0 -0
package/dist/server-core/src/collections/BackendCollectionRegistry.d.ts +13 -0
package/dist/server-core/src/collections/loader.d.ts +5 -0
package/dist/server-core/src/cron/cron-loader.d.ts +17 -0
package/dist/server-core/src/cron/cron-routes.d.ts +14 -0
package/dist/server-core/src/cron/cron-scheduler.d.ts +106 -0
package/dist/server-core/src/cron/cron-store.d.ts +32 -0
package/dist/server-core/src/cron/index.d.ts +6 -0
package/dist/server-core/src/db/interfaces.d.ts +18 -0
package/dist/server-core/src/email/index.d.ts +6 -0
package/dist/server-core/src/email/smtp-email-service.d.ts +25 -0
package/dist/server-core/src/email/templates.d.ts +42 -0
package/dist/server-core/src/email/types.d.ts +107 -0
package/dist/server-core/src/functions/function-loader.d.ts +17 -0
package/dist/server-core/src/functions/function-routes.d.ts +10 -0
package/dist/server-core/src/functions/index.d.ts +3 -0
package/dist/server-core/src/history/history-routes.d.ts +23 -0
package/dist/server-core/src/history/index.d.ts +1 -0
package/dist/server-core/src/index.d.ts +29 -0
package/dist/server-core/src/init.d.ts +168 -0
package/dist/server-core/src/serve-spa.d.ts +30 -0
package/dist/server-core/src/services/driver-registry.d.ts +78 -0
package/dist/server-core/src/singleton.d.ts +35 -0
package/dist/server-core/src/storage/LocalStorageController.d.ts +46 -0
package/dist/server-core/src/storage/S3StorageController.d.ts +36 -0
package/dist/server-core/src/storage/index.d.ts +25 -0
package/dist/server-core/src/storage/routes.d.ts +38 -0
package/dist/server-core/src/storage/storage-registry.d.ts +78 -0
package/dist/server-core/src/storage/types.d.ts +103 -0
package/dist/server-core/src/types/index.d.ts +11 -0
package/dist/server-core/src/utils/dev-port.d.ts +35 -0
package/dist/server-core/src/utils/logger.d.ts +31 -0
package/dist/server-core/src/utils/logging.d.ts +9 -0
package/dist/server-core/src/utils/request-logger.d.ts +19 -0
package/dist/server-core/src/utils/sql.d.ts +27 -0
package/dist/types/src/controllers/analytics_controller.d.ts +7 -0
package/dist/types/src/controllers/auth.d.ts +119 -0
package/dist/types/src/controllers/client.d.ts +170 -0
package/dist/types/src/controllers/collection_registry.d.ts +46 -0
package/dist/types/src/controllers/customization_controller.d.ts +60 -0
package/dist/types/src/controllers/data.d.ts +168 -0
package/dist/types/src/controllers/data_driver.d.ts +195 -0
package/dist/types/src/controllers/database_admin.d.ts +11 -0
package/dist/types/src/controllers/dialogs_controller.d.ts +36 -0
package/dist/types/src/controllers/effective_role.d.ts +4 -0
package/dist/types/src/controllers/email.d.ts +34 -0
package/dist/types/src/controllers/index.d.ts +18 -0
package/dist/types/src/controllers/local_config_persistence.d.ts +20 -0
package/dist/types/src/controllers/navigation.d.ts +213 -0
package/dist/types/src/controllers/registry.d.ts +54 -0
package/dist/types/src/controllers/side_dialogs_controller.d.ts +67 -0
package/dist/types/src/controllers/side_entity_controller.d.ts +90 -0
package/dist/types/src/controllers/snackbar.d.ts +24 -0
package/dist/types/src/controllers/storage.d.ts +171 -0
package/dist/types/src/index.d.ts +4 -0
package/dist/types/src/rebase_context.d.ts +105 -0
package/dist/types/src/types/backend.d.ts +536 -0
package/dist/types/src/types/backend_hooks.d.ts +187 -0
package/dist/types/src/types/builders.d.ts +15 -0
package/dist/types/src/types/chips.d.ts +5 -0
package/dist/types/src/types/collections.d.ts +857 -0
package/dist/types/src/types/cron.d.ts +102 -0
package/dist/types/src/types/data_source.d.ts +64 -0
package/dist/types/src/types/entities.d.ts +145 -0
package/dist/types/src/types/entity_actions.d.ts +98 -0
package/dist/types/src/types/entity_callbacks.d.ts +173 -0
package/dist/types/src/types/entity_link_builder.d.ts +7 -0
package/dist/types/src/types/entity_overrides.d.ts +10 -0
package/dist/types/src/types/entity_views.d.ts +59 -0
package/dist/types/src/types/export_import.d.ts +21 -0
package/dist/types/src/types/formex.d.ts +40 -0
package/dist/types/src/types/index.d.ts +25 -0
package/dist/types/src/types/locales.d.ts +4 -0
package/dist/types/src/types/modify_collections.d.ts +5 -0
package/dist/types/src/types/plugins.d.ts +282 -0
package/dist/types/src/types/properties.d.ts +1148 -0
package/dist/types/src/types/property_config.d.ts +70 -0
package/dist/types/src/types/relations.d.ts +336 -0
package/dist/types/src/types/slots.d.ts +262 -0
package/dist/types/src/types/translations.d.ts +874 -0
package/dist/types/src/types/user_management_delegate.d.ts +121 -0
package/dist/types/src/types/websockets.d.ts +78 -0
package/dist/types/src/users/index.d.ts +2 -0
package/dist/types/src/users/roles.d.ts +22 -0
package/dist/types/src/users/user.d.ts +46 -0
package/history_diff.log +385 -0
package/jest.config.cjs +16 -0
package/package.json +86 -0
package/scratch.ts +9 -0
package/src/api/ast-schema-editor.ts +289 -0
package/src/api/collections_for_test/callbacks_test_collection.ts +60 -0
package/src/api/errors.ts +179 -0
package/src/api/graphql/graphql-schema-generator.ts +336 -0
package/src/api/graphql/index.ts +2 -0
package/src/api/index.ts +11 -0
package/src/api/openapi-generator.ts +715 -0
package/src/api/rest/api-generator-count.test.ts +113 -0
package/src/api/rest/api-generator.ts +573 -0
package/src/api/rest/index.ts +2 -0
package/src/api/rest/query-parser.ts +155 -0
package/src/api/schema-editor-routes.ts +41 -0
package/src/api/server.ts +249 -0
package/src/api/types.ts +90 -0
package/src/auth/admin-routes.ts +605 -0
package/src/auth/apple-oauth.ts +120 -0
package/src/auth/bitbucket-oauth.ts +82 -0
package/src/auth/discord-oauth.ts +83 -0
package/src/auth/facebook-oauth.ts +72 -0
package/src/auth/github-oauth.ts +110 -0
package/src/auth/gitlab-oauth.ts +70 -0
package/src/auth/google-oauth.ts +48 -0
package/src/auth/index.ts +34 -0
package/src/auth/interfaces.ts +363 -0
package/src/auth/jwt.ts +181 -0
package/src/auth/linkedin-oauth.ts +81 -0
package/src/auth/microsoft-oauth.ts +88 -0
package/src/auth/middleware.ts +384 -0
package/src/auth/password.ts +77 -0
package/src/auth/rate-limiter.ts +133 -0
package/src/auth/routes.ts +788 -0
package/src/auth/slack-oauth.ts +71 -0
package/src/auth/spotify-oauth.ts +67 -0
package/src/auth/twitter-oauth.ts +120 -0
package/src/bootstrappers/index.ts +1 -0
package/src/collections/BackendCollectionRegistry.ts +20 -0
package/src/collections/loader.ts +49 -0
package/src/cron/cron-loader.ts +89 -0
package/src/cron/cron-routes.test.ts +265 -0
package/src/cron/cron-routes.ts +85 -0
package/src/cron/cron-scheduler.test.ts +547 -0
package/src/cron/cron-scheduler.ts +576 -0
package/src/cron/cron-store.ts +163 -0
package/src/cron/index.ts +6 -0
package/src/db/interfaces.ts +60 -0
package/src/email/index.ts +18 -0
package/src/email/smtp-email-service.ts +91 -0
package/src/email/templates.ts +388 -0
package/src/email/types.ts +105 -0
package/src/functions/function-loader.ts +119 -0
package/src/functions/function-routes.ts +31 -0
package/src/functions/index.ts +3 -0
package/src/history/history-routes.ts +129 -0
package/src/history/index.ts +2 -0
package/src/index.ts +66 -0
package/src/init.ts +737 -0
package/src/serve-spa.ts +81 -0
package/src/services/driver-registry.ts +182 -0
package/src/singleton.test.ts +28 -0
package/src/singleton.ts +70 -0
package/src/storage/LocalStorageController.ts +365 -0
package/src/storage/S3StorageController.ts +298 -0
package/src/storage/index.ts +43 -0
package/src/storage/routes.ts +264 -0
package/src/storage/storage-registry.ts +187 -0
package/src/storage/types.ts +134 -0
package/src/types/index.ts +27 -0
package/src/utils/dev-port.ts +176 -0
package/src/utils/logger.ts +143 -0
package/src/utils/logging.ts +38 -0
package/src/utils/request-logger.ts +66 -0
package/src/utils/sql.ts +38 -0
package/test/admin-routes.test.ts +640 -0
package/test/api-generator.test.ts +501 -0
package/test/ast-schema-editor.test.ts +63 -0
package/test/auth-middleware-hono.test.ts +556 -0
package/test/auth-routes.test.ts +1047 -0
package/test/backend-hooks-admin.test.ts +394 -0
package/test/backend-hooks-data.test.ts +408 -0
package/test/driver-registry.test.ts +282 -0
package/test/error-propagation.test.ts +226 -0
package/test/errors-hono.test.ts +133 -0
package/test/errors.test.ts +155 -0
package/test/jwt-security.test.ts +182 -0
package/test/jwt.test.ts +324 -0
package/test/middleware.test.ts +300 -0
package/test/password.test.ts +165 -0
package/test/query-parser.test.ts +263 -0
package/test/rate-limiter.test.ts +102 -0
package/test/safe-compare.test.ts +66 -0
package/test/singleton.test.ts +59 -0
package/test/storage-local.test.ts +271 -0
package/test/storage-registry.test.ts +282 -0
package/test/storage-routes.test.ts +222 -0
package/test/storage-s3.test.ts +304 -0
package/test-ast.ts +28 -0
package/test.ts +6 -0
package/test_output.txt +1133 -0
package/tsconfig.json +49 -0
package/tsconfig.prod.json +20 -0
package/vite.config.ts +80 -0

package/src/auth/admin-routes.ts ADDED Viewed

@@ -0,0 +1,605 @@
+import { Hono } from "hono";
+import { ApiError, errorHandler } from "../api/errors";
+import type { AuthRepository } from "./interfaces";
+import { requireAuth, requireAdmin, createRequireAuth } from "./middleware";
+import { hashPassword, validatePasswordStrength } from "./password";
+import { AuthModuleConfig } from "./routes";
+import type { BackendHooks, AdminUser, AdminRole, BackendHookContext } from "@rebasepro/types";
+interface AdminRouteOptions extends AuthModuleConfig {
+    serviceKey?: string;
+    /**
+     * Callback to persistently mark bootstrap as completed.
+     * Invoked after the first admin user is promoted via POST /admin/bootstrap.
+     */
+    setBootstrapCompleted?: () => Promise<void>;
+    /**
+     * Backend-level hooks for intercepting admin data.
+     */
+    hooks?: BackendHooks;
+}
+import { HonoEnv } from "../api/types";
+import { randomBytes, createHash } from "crypto";
+import { getUserInvitationTemplate, getPasswordResetTemplate } from "../email/templates";
+/**
+ * Generate a cryptographically secure random password that meets strength requirements.
+ */
+function generateSecurePassword(): string {
+    const upper = "ABCDEFGHJKLMNPQRSTUVWXYZ";
+    const lower = "abcdefghjkmnpqrstuvwxyz";
+    const digits = "23456789";
+    const all = upper + lower + digits;
+    // Guarantee at least one of each required class
+    const pick = (chars: string) => chars[Math.floor(Math.random() * chars.length)];
+    const parts = [pick(upper), pick(lower), pick(digits)];
+    // Fill remaining with random chars (16 total)
+    for (let i = parts.length; i < 16; i++) {
+        parts.push(pick(all));
+    }
+    // Shuffle
+    for (let i = parts.length - 1; i > 0; i--) {
+        const j = Math.floor(Math.random() * (i + 1));
+        [parts[i], parts[j]] = [parts[j], parts[i]];
+    }
+    return parts.join("");
+}
+/**
+ * Generate a secure random token
+ */
+function generateSecureToken(): string {
+    return randomBytes(40).toString("hex");
+}
+/**
+ * Hash a token for database storage
+ */
+function hashToken(token: string): string {
+    return createHash("sha256").update(token).digest("hex");
+}
+/**
+ * Create admin routes for user and role management
+ */
+export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
+    const router = new Hono<HonoEnv>();
+    const authRepo = config.authRepo;
+    const { emailService, emailConfig, hooks } = config;
+    /** Build a BackendHookContext from Hono's context object */
+    function buildHookContext(c: { get: (key: string) => unknown }, method: BackendHookContext["method"]): BackendHookContext {
+        const user = c.get("user") as { userId: string; roles?: string[] } | undefined;
+        return {
+            requestUser: user ? { userId: user.userId, roles: user.roles ?? [] } : undefined,
+            method
+        };
+    }
+    /** Apply users.afterRead hook to an AdminUser, returning null to filter out */
+    async function applyUserAfterRead(user: AdminUser, ctx: BackendHookContext): Promise<AdminUser | null> {
+        if (!hooks?.users?.afterRead) return user;
+        return hooks.users.afterRead(user, ctx);
+    }
+    /** Apply users.afterRead hook to an array and filter nulls */
+    async function applyUserAfterReadBatch(users: AdminUser[], ctx: BackendHookContext): Promise<AdminUser[]> {
+        if (!hooks?.users?.afterRead) return users;
+        const results = await Promise.all(users.map(u => applyUserAfterRead(u, ctx)));
+        return results.filter((u): u is AdminUser => u !== null);
+    }
+    /** Apply roles.afterRead hook to an array and filter nulls */
+    async function applyRoleAfterReadBatch(roles: AdminRole[], ctx: BackendHookContext): Promise<AdminRole[]> {
+        if (!hooks?.roles?.afterRead) return roles;
+        const results = await Promise.all(roles.map(r => hooks!.roles!.afterRead!(r, ctx)));
+        return results.filter((r): r is AdminRole => r !== null);
+    }
+    /** Convert a DB user record + role IDs into the AdminUser API shape */
+    function toAdminUser(u: { id: string; email: string; displayName?: string | null; photoUrl?: string | null; createdAt?: Date | string; updatedAt?: Date | string }, roles: string[]): AdminUser {
+        return {
+            uid: u.id,
+            email: u.email,
+            displayName: u.displayName ?? null,
+            photoURL: u.photoUrl ?? null,
+            provider: "custom",
+            roles,
+            createdAt: u.createdAt instanceof Date ? u.createdAt.toISOString() : (u.createdAt ?? new Date().toISOString()),
+            updatedAt: u.updatedAt instanceof Date ? u.updatedAt.toISOString() : (u.updatedAt ?? new Date().toISOString())
+        };
+    }
+    // Attach Rebase error handler to ensure exceptions are correctly formatted
+    // instead of caught by Hono's default error handler from the sub-router.
+    router.onError(errorHandler);
+    // Apply auth middleware to all routes (service-key-aware when configured)
+    router.use("/*", createRequireAuth({ serviceKey: config.serviceKey }));
+    /**
+     * POST /admin/bootstrap
+     *
+     * One-time endpoint to promote the calling user to admin.
+     * Guarded by three layers:
+     *   1. Authentication (handled by middleware above)
+     *   2. Persistent `bootstrap_completed` flag (when `setBootstrapCompleted` is provided)
+     *   3. Database check — no existing admin users
+     *
+     * Once invoked successfully the persistent flag is set, permanently disabling
+     * this endpoint even if all admin users are later deleted.
+     */
+    router.post("/bootstrap", async (c) => {
+        const user = c.get("user");
+        if (!user || typeof user !== "object") {
+            throw ApiError.unauthorized("Not authenticated");
+        }
+        // ── Guard 1: persistent flag ──────────────────────────────────
+        if (config.isBootstrapCompleted) {
+            const alreadyDone = await config.isBootstrapCompleted();
+            if (alreadyDone) {
+                throw ApiError.forbidden("Bootstrap has already been completed.", "BOOTSTRAP_COMPLETED");
+            }
+        }
+        // ── Guard 2: no existing admin users ─────────────────────────
+        const users = await authRepo.listUsers();
+        let hasAdmin = false;
+        for (const u of users) {
+            const roles = await authRepo.getUserRoleIds(u.id);
+            if (roles.includes("admin")) {
+                hasAdmin = true;
+                break;
+            }
+        }
+        if (hasAdmin) {
+            throw ApiError.forbidden("Admin users already exist. Bootstrap not allowed.", "BOOTSTRAP_COMPLETED");
+        }
+        // ── Promote caller ───────────────────────────────────────────
+        const userId = "userId" in user ? user.userId : undefined;
+        if (!userId) {
+            throw ApiError.unauthorized("User ID not found in auth context");
+        }
+        await authRepo.setUserRoles(userId, ["admin"]);
+        // ── Set persistent flag ──────────────────────────────────────
+        if (config.setBootstrapCompleted) {
+            await config.setBootstrapCompleted();
+        }
+        return c.json({
+            success: true,
+            message: "You are now an admin",
+            user: {
+                uid: userId,
+                roles: ["admin"]
+            }
+        });
+    });
+    router.get("/users", requireAdmin, async (c) => {
+        const limitParam = c.req.query("limit");
+        const offsetParam = c.req.query("offset");
+        const search = c.req.query("search");
+        const orderBy = c.req.query("orderBy");
+        const orderDir = c.req.query("orderDir") as "asc" | "desc" | undefined;
+        const hookCtx = buildHookContext(c, "GET");
+        // If pagination params are provided, use the paginated path
+        if (limitParam !== undefined || search) {
+            const limit = limitParam ? parseInt(limitParam, 10) : 25;
+            const offset = offsetParam ? parseInt(offsetParam, 10) : 0;
+            const result = await authRepo.listUsersPaginated({
+                limit,
+                offset,
+                search: search || undefined,
+                orderBy: orderBy || undefined,
+                orderDir: orderDir || undefined,
+                roleId: c.req.query("role") || undefined
+            });
+            let usersWithRoles: AdminUser[] = await Promise.all(
+                result.users.map(async (u) => {
+                    const roles = await authRepo.getUserRoleIds(u.id);
+                    return toAdminUser(u, roles);
+                })
+            );
+            usersWithRoles = await applyUserAfterReadBatch(usersWithRoles, hookCtx);
+            return c.json({
+                users: usersWithRoles,
+                total: result.total,
+                limit: result.limit,
+                offset: result.offset
+            });
+        }
+        // Legacy: return all users (no pagination)
+        const users = await authRepo.listUsers();
+        let usersWithRoles: AdminUser[] = await Promise.all(
+            users.map(async (u) => {
+                const roles = await authRepo.getUserRoleIds(u.id);
+                return toAdminUser(u, roles);
+            })
+        );
+        usersWithRoles = await applyUserAfterReadBatch(usersWithRoles, hookCtx);
+        return c.json({ users: usersWithRoles });
+    });
+    router.get("/users/:userId", requireAdmin, async (c) => {
+        const userId = c.req.param("userId");
+        const result = await authRepo.getUserWithRoles(userId);
+        if (!result) {
+            throw ApiError.notFound("User not found");
+        }
+        const hookCtx = buildHookContext(c, "GET");
+        let adminUser: AdminUser | null = toAdminUser(result.user, result.roles.map(r => r.id));
+        adminUser = await applyUserAfterRead(adminUser, hookCtx);
+        if (!adminUser) {
+            throw ApiError.notFound("User not found");
+        }
+        return c.json({ user: adminUser });
+    });
+    router.post("/users", requireAdmin, async (c) => {
+        const body = await c.req.json();
+        let { email, displayName, password, roles } = body;
+        if (!email) {
+            throw ApiError.badRequest("Email is required", "INVALID_INPUT");
+        }
+        // Apply beforeSave hook
+        const hookCtx = buildHookContext(c, "POST");
+        if (hooks?.users?.beforeSave) {
+            const hooked = await hooks.users.beforeSave({ email, displayName, roles }, hookCtx);
+            email = hooked.email ?? email;
+            displayName = hooked.displayName ?? displayName;
+            roles = hooked.roles ?? roles;
+        }
+        const existing = await authRepo.getUserByEmail(email);
+        if (existing) {
+            throw ApiError.conflict("Email already exists", "EMAIL_EXISTS");
+        }
+        // Use provided password or auto-generate one
+        const clearPassword = password || generateSecurePassword();
+        const validation = validatePasswordStrength(clearPassword);
+        if (!validation.valid) {
+            throw ApiError.badRequest(validation.errors.join(". "), "WEAK_PASSWORD");
+        }
+        const passwordHash = await hashPassword(clearPassword);
+        const user = await authRepo.createUser({
+            email: email.toLowerCase(),
+            displayName: displayName || null,
+            passwordHash
+        });
+        if (roles && Array.isArray(roles) && roles.length > 0) {
+            await authRepo.setUserRoles(user.id, roles);
+        } else if (config.defaultRole) {
+            await authRepo.assignDefaultRole(user.id, config.defaultRole);
+        }
+        const userRoles = await authRepo.getUserRoleIds(user.id);
+        // Determine if we can send an invitation email
+        const isEmailConfigured = !!(emailService && emailService.isConfigured());
+        let invitationSent = false;
+        let temporaryPassword: string | undefined;
+        if (isEmailConfigured && !password) {
+            // Send invitation email via password-reset token flow
+            try {
+                const token = generateSecureToken();
+                const tokenHash = hashToken(token);
+                const expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
+                await authRepo.createPasswordResetToken(user.id, tokenHash, expiresAt);
+                const baseUrl = emailConfig?.resetPasswordUrl || "";
+                const setPasswordUrl = `${baseUrl}/reset-password?token=${token}`;
+                const appName = emailConfig?.appName || "Rebase";
+                const templateFn = emailConfig?.templates?.userInvitation;
+                const emailContent = templateFn
+                    ? templateFn(setPasswordUrl, { email: user.email,
+displayName: user.displayName })
+                    : getUserInvitationTemplate(setPasswordUrl, { email: user.email,
+displayName: user.displayName }, appName);
+                await emailService!.send({
+                    to: user.email,
+                    subject: emailContent.subject,
+                    html: emailContent.html,
+                    text: emailContent.text
+                });
+                invitationSent = true;
+            } catch (emailError: unknown) {
+                console.error("Failed to send invitation email:", emailError instanceof Error ? emailError.message : emailError);
+                // Fall back to returning the temporary password
+                temporaryPassword = clearPassword;
+            }
+        } else if (!password) {
+            // No email service — return the auto-generated password one-time
+            temporaryPassword = clearPassword;
+        }
+        // If admin provided a password explicitly, don't return it or send email
+        const createdAdminUser: AdminUser = toAdminUser(user, userRoles);
+        // Fire afterSave hook (fire-and-forget for side-effects)
+        if (hooks?.users?.afterSave) {
+            Promise.resolve(hooks.users.afterSave(createdAdminUser, hookCtx)).catch(err => {
+                console.error("[BackendHooks] users.afterSave error:", err instanceof Error ? err.message : err);
+            });
+        }
+        return c.json({
+            user: createdAdminUser,
+            invitationSent,
+            ...(temporaryPassword ? { temporaryPassword } : {})
+        }, 201);
+    });
+    router.post("/users/:userId/reset-password", requireAdmin, async (c) => {
+        const userId = c.req.param("userId");
+        const existing = await authRepo.getUserById(userId);
+        if (!existing) {
+            throw ApiError.notFound("User not found");
+        }
+        const isEmailConfigured = !!(emailService && emailService.isConfigured());
+        let invitationSent = false;
+        let temporaryPassword: string | undefined;
+        if (isEmailConfigured) {
+            try {
+                const token = generateSecureToken();
+                const tokenHash = hashToken(token);
+                const expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
+                await authRepo.createPasswordResetToken(existing.id, tokenHash, expiresAt);
+                const baseUrl = emailConfig?.resetPasswordUrl || "";
+                const setPasswordUrl = `${baseUrl}/reset-password?token=${token}`;
+                const appName = emailConfig?.appName || "Rebase";
+                const templateFn = emailConfig?.templates?.passwordReset;
+                const emailContent = templateFn
+                    ? templateFn(setPasswordUrl, { email: existing.email,
+displayName: existing.displayName })
+                    : getPasswordResetTemplate(setPasswordUrl, { email: existing.email,
+displayName: existing.displayName }, appName);
+                await emailService!.send({
+                    to: existing.email,
+                    subject: emailContent.subject,
+                    html: emailContent.html,
+                    text: emailContent.text
+                });
+                invitationSent = true;
+            } catch (emailError: unknown) {
+                console.error("Failed to send reset email:", emailError instanceof Error ? emailError.message : emailError);
+                // Fall back to returning the temporary password
+                const clearPassword = generateSecurePassword();
+                const passwordHash = await hashPassword(clearPassword);
+                await authRepo.updatePassword(existing.id, passwordHash);
+                temporaryPassword = clearPassword;
+            }
+        } else {
+            // No email service — generate password, set it, and return one-time
+            const clearPassword = generateSecurePassword();
+            const passwordHash = await hashPassword(clearPassword);
+            await authRepo.updatePassword(existing.id, passwordHash);
+            temporaryPassword = clearPassword;
+        }
+        const userRoles = await authRepo.getUserRoleIds(existing.id);
+        return c.json({
+            user: {
+                uid: existing.id,
+                email: existing.email,
+                displayName: existing.displayName,
+                roles: userRoles
+            },
+            invitationSent,
+            ...(temporaryPassword ? { temporaryPassword } : {})
+        }, 200);
+    });
+    router.put("/users/:userId", requireAdmin, async (c) => {
+        const userId = c.req.param("userId");
+        const body = await c.req.json();
+        let { email, displayName, password, roles } = body;
+        const existing = await authRepo.getUserById(userId);
+        if (!existing) {
+            throw ApiError.notFound("User not found");
+        }
+        // Apply beforeSave hook
+        const hookCtx = buildHookContext(c, "PUT");
+        if (hooks?.users?.beforeSave) {
+            const hooked = await hooks.users.beforeSave({ email, displayName, roles }, hookCtx);
+            email = hooked.email ?? email;
+            displayName = hooked.displayName ?? displayName;
+            roles = hooked.roles ?? roles;
+        }
+        const updates: Record<string, unknown> = {};
+        if (email !== undefined) updates.email = email.toLowerCase();
+        if (displayName !== undefined) updates.displayName = displayName;
+        if (password) {
+            const validation = validatePasswordStrength(password);
+            if (!validation.valid) {
+                throw ApiError.badRequest(validation.errors.join(". "), "WEAK_PASSWORD");
+            }
+            updates.passwordHash = await hashPassword(password);
+        }
+        if (Object.keys(updates).length > 0) {
+            await authRepo.updateUser(userId, updates);
+        }
+        if (roles !== undefined && Array.isArray(roles)) {
+            await authRepo.setUserRoles(userId, roles);
+        }
+        const result = await authRepo.getUserWithRoles(userId);
+        const updatedAdminUser: AdminUser = toAdminUser(result!.user, result!.roles.map(r => r.id));
+        // Fire afterSave hook (fire-and-forget)
+        if (hooks?.users?.afterSave) {
+            Promise.resolve(hooks.users.afterSave(updatedAdminUser, hookCtx)).catch(err => {
+                console.error("[BackendHooks] users.afterSave error:", err instanceof Error ? err.message : err);
+            });
+        }
+        return c.json({ user: updatedAdminUser });
+    });
+    router.delete("/users/:userId", requireAdmin, async (c) => {
+        const userId = c.req.param("userId");
+        const user = c.get("user");
+        const currentUserId = user && typeof user === "object" && "userId" in user ? user.userId : undefined;
+        if (currentUserId === userId) {
+            throw ApiError.badRequest("Cannot delete your own account", "SELF_DELETE");
+        }
+        const existing = await authRepo.getUserById(userId);
+        if (!existing) {
+            throw ApiError.notFound("User not found");
+        }
+        // Apply beforeDelete hook (throw to abort)
+        const hookCtx = buildHookContext(c, "DELETE");
+        if (hooks?.users?.beforeDelete) {
+            await hooks.users.beforeDelete(userId, hookCtx);
+        }
+        await authRepo.deleteUser(userId);
+        // Fire afterDelete hook (fire-and-forget)
+        if (hooks?.users?.afterDelete) {
+            Promise.resolve(hooks.users.afterDelete(userId, hookCtx)).catch(err => {
+                console.error("[BackendHooks] users.afterDelete error:", err instanceof Error ? err.message : err);
+            });
+        }
+        return c.json({ success: true });
+    });
+    router.get("/roles", requireAdmin, async (c) => {
+        const roles = await authRepo.listRoles();
+        const hookCtx = buildHookContext(c, "GET");
+        let adminRoles: AdminRole[] = roles.map(r => ({
+            id: r.id,
+            name: r.name,
+            isAdmin: r.isAdmin,
+            defaultPermissions: r.defaultPermissions,
+            config: r.config
+        }));
+        adminRoles = await applyRoleAfterReadBatch(adminRoles, hookCtx);
+        return c.json({ roles: adminRoles });
+    });
+    router.get("/roles/:roleId", requireAdmin, async (c) => {
+        const roleId = c.req.param("roleId");
+        const role = await authRepo.getRoleById(roleId);
+        if (!role) {
+            throw ApiError.notFound("Role not found");
+        }
+        return c.json({ role });
+    });
+    router.post("/roles", requireAdmin, async (c) => {
+        const body = await c.req.json();
+        const { id, name, isAdmin, defaultPermissions, config } = body;
+        if (!id || !name) {
+            throw ApiError.badRequest("Role ID and name are required", "INVALID_INPUT");
+        }
+        const existing = await authRepo.getRoleById(id);
+        if (existing) {
+            throw ApiError.conflict("Role already exists", "ROLE_EXISTS");
+        }
+        const role = await authRepo.createRole({
+            id,
+            name,
+            isAdmin: isAdmin ?? false,
+            defaultPermissions: defaultPermissions ?? null,
+            config: config ?? null
+        });
+        return c.json({ role }, 201);
+    });
+    router.put("/roles/:roleId", requireAdmin, async (c) => {
+        const roleId = c.req.param("roleId");
+        const body = await c.req.json();
+        const { name, isAdmin, defaultPermissions, config } = body;
+        const existing = await authRepo.getRoleById(roleId);
+        if (!existing) {
+            throw ApiError.notFound("Role not found");
+        }
+        const role = await authRepo.updateRole(roleId, {
+            name,
+            isAdmin,
+            defaultPermissions,
+            config
+        });
+        return c.json({ role });
+    });
+    router.delete("/roles/:roleId", requireAdmin, async (c) => {
+        const roleId = c.req.param("roleId");
+        if (["admin", "editor", "viewer"].includes(roleId)) {
+            throw ApiError.badRequest("Cannot delete built-in roles", "BUILTIN_ROLE");
+        }
+        const existing = await authRepo.getRoleById(roleId);
+        if (!existing) {
+            throw ApiError.notFound("Role not found");
+        }
+        await authRepo.deleteRole(roleId);
+        return c.json({ success: true });
+    });
+    return router;
+}