@wopr-network/platform-core 0.1.0

package/dist/auth/middleware.test.js

@@ -0,0 +1,213 @@
+import { createHash } from "node:crypto";
+import { Hono } from "hono";
+import { describe, expect, it, vi } from "vitest";
+import { dualAuth, sessionAuth } from "./middleware.js";
+function sha256(token) {
+    return createHash("sha256").update(token).digest("hex");
+}
+function mockApiKeyRepo(entries) {
+    const hashMap = new Map();
+    for (const [token, user] of entries) {
+        hashMap.set(sha256(token), user);
+    }
+    return {
+        async findByHash(keyHash) {
+            return hashMap.get(keyHash) ?? null;
+        },
+    };
+}
+function mockAuth(sessionResult = null) {
+    return {
+        api: {
+            getSession: vi.fn().mockResolvedValue(sessionResult),
+        },
+    };
+}
+describe("sessionAuth middleware", () => {
+    it("sets user and authMethod for valid session", async () => {
+        const auth = mockAuth({ user: { id: "user-1", role: "admin" } });
+        const app = new Hono();
+        app.use("/*", sessionAuth(auth));
+        app.get("/test", (c) => {
+            const user = c.get("user");
+            const method = c.get("authMethod");
+            return c.json({ userId: user.id, roles: user.roles, method });
+        });
+        const res = await app.request("/test");
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.userId).toBe("user-1");
+        expect(body.roles).toEqual(["admin", "user"]);
+        expect(body.method).toBe("session");
+    });
+    it("sets user roles as ['user'] for non-admin", async () => {
+        const auth = mockAuth({ user: { id: "user-2" } });
+        const app = new Hono();
+        app.use("/*", sessionAuth(auth));
+        app.get("/test", (c) => {
+            const user = c.get("user");
+            return c.json({ roles: user.roles });
+        });
+        const res = await app.request("/test");
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.roles).toEqual(["user"]);
+    });
+    it("returns 401 when no session found", async () => {
+        const auth = mockAuth(null);
+        const app = new Hono();
+        app.use("/*", sessionAuth(auth));
+        app.get("/test", (c) => c.json({ ok: true }));
+        const res = await app.request("/test");
+        expect(res.status).toBe(401);
+        const body = await res.json();
+        expect(body.error).toBe("Authentication required");
+    });
+    it("returns 401 when session has no user", async () => {
+        const auth = {
+            api: {
+                getSession: vi.fn().mockResolvedValue({ user: null }),
+            },
+        };
+        const app = new Hono();
+        app.use("/*", sessionAuth(auth));
+        app.get("/test", (c) => c.json({ ok: true }));
+        const res = await app.request("/test");
+        expect(res.status).toBe(401);
+    });
+    it("returns 503 when getSession throws a DB error", async () => {
+        const auth = {
+            api: {
+                getSession: vi.fn().mockRejectedValue(new Error("DB error")),
+            },
+        };
+        const app = new Hono();
+        app.use("/*", sessionAuth(auth));
+        app.get("/test", (c) => c.json({ ok: true }));
+        const res = await app.request("/test");
+        expect(res.status).toBe(503);
+        const body = await res.json();
+        expect(body.error).toBe("Service unavailable");
+    });
+});
+describe("dualAuth middleware", () => {
+    const apiKeyRepo = mockApiKeyRepo(new Map([
+        ["api-key-admin", { id: "admin-1", roles: ["admin"] }],
+        ["api-key-reader", { id: "reader-1", roles: ["user"] }],
+    ]));
+    it("authenticates with session cookie first", async () => {
+        const auth = mockAuth({ user: { id: "session-user", role: "admin" } });
+        const app = new Hono();
+        app.use("/*", dualAuth(auth, apiKeyRepo));
+        app.get("/test", (c) => {
+            const user = c.get("user");
+            const method = c.get("authMethod");
+            return c.json({ userId: user.id, method });
+        });
+        const res = await app.request("/test");
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.userId).toBe("session-user");
+        expect(body.method).toBe("session");
+    });
+    it("falls back to bearer token when session fails", async () => {
+        const auth = mockAuth(null);
+        const app = new Hono();
+        app.use("/*", dualAuth(auth, apiKeyRepo));
+        app.get("/test", (c) => {
+            const user = c.get("user");
+            const method = c.get("authMethod");
+            return c.json({ userId: user.id, method });
+        });
+        const res = await app.request("/test", {
+            headers: { Authorization: "Bearer api-key-admin" },
+        });
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.userId).toBe("admin-1");
+        expect(body.method).toBe("api_key");
+    });
+    it("returns 401 when neither session nor token is valid", async () => {
+        const auth = mockAuth(null);
+        const app = new Hono();
+        app.use("/*", dualAuth(auth, apiKeyRepo));
+        app.get("/test", (c) => c.json({ ok: true }));
+        const res = await app.request("/test");
+        expect(res.status).toBe(401);
+        const body = await res.json();
+        expect(body.error).toBe("Authentication required");
+    });
+    it("returns 401 when bearer token is unknown", async () => {
+        const auth = mockAuth(null);
+        const app = new Hono();
+        app.use("/*", dualAuth(auth, apiKeyRepo));
+        app.get("/test", (c) => c.json({ ok: true }));
+        const res = await app.request("/test", {
+            headers: { Authorization: "Bearer bad-token" },
+        });
+        expect(res.status).toBe(401);
+    });
+    it("returns 401 when Authorization header is not Bearer scheme", async () => {
+        const auth = mockAuth(null);
+        const app = new Hono();
+        app.use("/*", dualAuth(auth, apiKeyRepo));
+        app.get("/test", (c) => c.json({ ok: true }));
+        const res = await app.request("/test", {
+            headers: { Authorization: "Basic dXNlcjpwYXNz" },
+        });
+        expect(res.status).toBe(401);
+    });
+    it("works without apiKeyRepo (session-only mode)", async () => {
+        const auth = mockAuth(null);
+        const app = new Hono();
+        app.use("/*", dualAuth(auth));
+        app.get("/test", (c) => c.json({ ok: true }));
+        const res = await app.request("/test");
+        expect(res.status).toBe(401);
+    });
+    it("returns 503 when session DB lookup throws", async () => {
+        const auth = {
+            api: {
+                getSession: vi.fn().mockRejectedValue(new Error("Session DB error")),
+            },
+        };
+        const app = new Hono();
+        app.use("/*", dualAuth(auth, apiKeyRepo));
+        app.get("/test", (c) => c.json({ ok: true }));
+        const res = await app.request("/test", {
+            headers: { Authorization: "Bearer api-key-admin" },
+        });
+        expect(res.status).toBe(503);
+        const body = await res.json();
+        expect(body.error).toBe("Service unavailable");
+    });
+    it("returns 503 when API key DB lookup throws", async () => {
+        const auth = mockAuth(null);
+        const failingRepo = {
+            findByHash: vi.fn().mockRejectedValue(new Error("DB connection lost")),
+        };
+        const app = new Hono();
+        app.use("/*", dualAuth(auth, failingRepo));
+        app.get("/test", (c) => c.json({ ok: true }));
+        const res = await app.request("/test", {
+            headers: { Authorization: "Bearer some-token" },
+        });
+        expect(res.status).toBe(503);
+        const body = await res.json();
+        expect(body.error).toBe("Service unavailable");
+    });
+    it("copies API user roles to prevent mutation", async () => {
+        const auth = mockAuth(null);
+        const app = new Hono();
+        app.use("/*", dualAuth(auth, apiKeyRepo));
+        app.get("/test", (c) => {
+            const user = c.get("user");
+            return c.json({ roles: user.roles });
+        });
+        const res = await app.request("/test", {
+            headers: { Authorization: "Bearer api-key-reader" },
+        });
+        const body = await res.json();
+        expect(body.roles).toEqual(["user"]);
+    });
+});

package/dist/auth/scoped-tokens.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/auth/scoped-tokens.test.js

@@ -0,0 +1,306 @@
+import { Hono } from "hono";
+import { describe, expect, it } from "vitest";
+import { buildTokenMap, parseTokenScope, scopedBearerAuth, scopeSatisfies } from "./index.js";
+// ---------------------------------------------------------------------------
+// parseTokenScope
+// ---------------------------------------------------------------------------
+describe("parseTokenScope", () => {
+    it("parses read scope from wopr_read_<random>", () => {
+        expect(parseTokenScope("wopr_read_abc123")).toBe("read");
+    });
+    it("parses write scope from wopr_write_<random>", () => {
+        expect(parseTokenScope("wopr_write_xyz789")).toBe("write");
+    });
+    it("parses admin scope from wopr_admin_<random>", () => {
+        expect(parseTokenScope("wopr_admin_secret42")).toBe("admin");
+    });
+    it("handles tokens with underscores in the random part", () => {
+        expect(parseTokenScope("wopr_read_abc_def_ghi")).toBe("read");
+    });
+    it("returns null for tokens without wopr_ prefix", () => {
+        expect(parseTokenScope("some-plain-token")).toBeNull();
+        expect(parseTokenScope("fleet-token-123")).toBeNull();
+    });
+    it("returns null for empty string", () => {
+        expect(parseTokenScope("")).toBeNull();
+    });
+    it("returns null for wopr_ with no scope", () => {
+        expect(parseTokenScope("wopr_")).toBeNull();
+    });
+    it("returns null for wopr_ with invalid scope", () => {
+        expect(parseTokenScope("wopr_superadmin_abc")).toBeNull();
+        expect(parseTokenScope("wopr_delete_abc")).toBeNull();
+        expect(parseTokenScope("wopr_root_abc")).toBeNull();
+    });
+    it("returns null for wopr_ with scope but no random part", () => {
+        expect(parseTokenScope("wopr_read_")).toBeNull();
+        expect(parseTokenScope("wopr_read")).toBeNull();
+    });
+    it("returns null for partial prefix", () => {
+        expect(parseTokenScope("wop_read_abc")).toBeNull();
+        expect(parseTokenScope("WOPR_read_abc")).toBeNull();
+    });
+});
+// ---------------------------------------------------------------------------
+// scopeSatisfies
+// ---------------------------------------------------------------------------
+describe("scopeSatisfies", () => {
+    it("read satisfies read", () => {
+        expect(scopeSatisfies("read", "read")).toBe(true);
+    });
+    it("write satisfies read", () => {
+        expect(scopeSatisfies("write", "read")).toBe(true);
+    });
+    it("write satisfies write", () => {
+        expect(scopeSatisfies("write", "write")).toBe(true);
+    });
+    it("admin satisfies read", () => {
+        expect(scopeSatisfies("admin", "read")).toBe(true);
+    });
+    it("admin satisfies write", () => {
+        expect(scopeSatisfies("admin", "write")).toBe(true);
+    });
+    it("admin satisfies admin", () => {
+        expect(scopeSatisfies("admin", "admin")).toBe(true);
+    });
+    it("read does NOT satisfy write", () => {
+        expect(scopeSatisfies("read", "write")).toBe(false);
+    });
+    it("read does NOT satisfy admin", () => {
+        expect(scopeSatisfies("read", "admin")).toBe(false);
+    });
+    it("write does NOT satisfy admin", () => {
+        expect(scopeSatisfies("write", "admin")).toBe(false);
+    });
+});
+// ---------------------------------------------------------------------------
+// buildTokenMap
+// ---------------------------------------------------------------------------
+describe("buildTokenMap", () => {
+    it("maps FLEET_API_TOKEN as admin (backwards compat)", () => {
+        const map = buildTokenMap({ FLEET_API_TOKEN: "legacy-token" });
+        expect(map.get("legacy-token")).toBe("admin");
+    });
+    it("maps scoped env vars to correct scopes", () => {
+        const map = buildTokenMap({
+            FLEET_API_TOKEN_READ: "wopr_read_r1",
+            FLEET_API_TOKEN_WRITE: "wopr_write_w1",
+            FLEET_API_TOKEN_ADMIN: "wopr_admin_a1",
+        });
+        expect(map.get("wopr_read_r1")).toBe("read");
+        expect(map.get("wopr_write_w1")).toBe("write");
+        expect(map.get("wopr_admin_a1")).toBe("admin");
+    });
+    it("scoped vars take priority over legacy token", () => {
+        const token = "shared-token";
+        const map = buildTokenMap({
+            FLEET_API_TOKEN: token,
+            FLEET_API_TOKEN_READ: token,
+        });
+        // The scoped var should have set it to read first
+        expect(map.get(token)).toBe("read");
+    });
+    it("returns empty map when no env vars set", () => {
+        const map = buildTokenMap({});
+        expect(map.size).toBe(0);
+    });
+    it("ignores empty string env vars", () => {
+        const map = buildTokenMap({
+            FLEET_API_TOKEN: "",
+            FLEET_API_TOKEN_READ: "",
+            FLEET_API_TOKEN_WRITE: "",
+            FLEET_API_TOKEN_ADMIN: "",
+        });
+        expect(map.size).toBe(0);
+    });
+    it("ignores whitespace-only env vars", () => {
+        const map = buildTokenMap({
+            FLEET_API_TOKEN: "   ",
+            FLEET_API_TOKEN_READ: " ",
+        });
+        expect(map.size).toBe(0);
+    });
+    it("infers scope from wopr_ format for legacy token", () => {
+        const map = buildTokenMap({ FLEET_API_TOKEN: "wopr_read_abc123" });
+        expect(map.get("wopr_read_abc123")).toBe("read");
+    });
+    it("supports all scoped vars alongside legacy", () => {
+        const map = buildTokenMap({
+            FLEET_API_TOKEN: "legacy-admin",
+            FLEET_API_TOKEN_READ: "read-token",
+            FLEET_API_TOKEN_WRITE: "write-token",
+            FLEET_API_TOKEN_ADMIN: "admin-token",
+        });
+        expect(map.size).toBe(4);
+        expect(map.get("legacy-admin")).toBe("admin");
+        expect(map.get("read-token")).toBe("read");
+        expect(map.get("write-token")).toBe("write");
+        expect(map.get("admin-token")).toBe("admin");
+    });
+});
+// ---------------------------------------------------------------------------
+// scopedBearerAuth middleware
+// ---------------------------------------------------------------------------
+describe("scopedBearerAuth middleware", () => {
+    const tokenMap = new Map([
+        ["wopr_read_r1", "read"],
+        ["wopr_write_w1", "write"],
+        ["wopr_admin_a1", "admin"],
+        ["legacy-admin", "admin"],
+    ]);
+    function createApp(requiredScope) {
+        const app = new Hono();
+        app.use("/*", scopedBearerAuth(tokenMap, requiredScope));
+        app.get("/test", (c) => c.json({ ok: true }));
+        app.post("/test", (c) => c.json({ ok: true }));
+        return app;
+    }
+    describe("authentication", () => {
+        it("rejects request with no Authorization header", async () => {
+            const app = createApp("read");
+            const res = await app.request("/test");
+            expect(res.status).toBe(401);
+            const body = await res.json();
+            expect(body.error).toBe("Authentication required");
+        });
+        it("rejects request with empty Authorization header", async () => {
+            const app = createApp("read");
+            const res = await app.request("/test", {
+                headers: { Authorization: "" },
+            });
+            expect(res.status).toBe(401);
+        });
+        it("rejects request with non-Bearer scheme", async () => {
+            const app = createApp("read");
+            const res = await app.request("/test", {
+                headers: { Authorization: "Basic abc123" },
+            });
+            expect(res.status).toBe(401);
+        });
+        it("rejects request with unknown token", async () => {
+            const app = createApp("read");
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer unknown-token" },
+            });
+            expect(res.status).toBe(401);
+            const body = await res.json();
+            expect(body.error).toBe("Invalid or expired token");
+        });
+    });
+    describe("read scope routes", () => {
+        const app = createApp("read");
+        it("allows read token on read routes", async () => {
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer wopr_read_r1" },
+            });
+            expect(res.status).toBe(200);
+        });
+        it("allows write token on read routes", async () => {
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer wopr_write_w1" },
+            });
+            expect(res.status).toBe(200);
+        });
+        it("allows admin token on read routes", async () => {
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer wopr_admin_a1" },
+            });
+            expect(res.status).toBe(200);
+        });
+        it("allows legacy admin token on read routes", async () => {
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer legacy-admin" },
+            });
+            expect(res.status).toBe(200);
+        });
+    });
+    describe("write scope routes", () => {
+        const app = createApp("write");
+        it("rejects read token on write routes with 403", async () => {
+            const res = await app.request("/test", {
+                method: "POST",
+                headers: { Authorization: "Bearer wopr_read_r1" },
+            });
+            expect(res.status).toBe(403);
+            const body = await res.json();
+            expect(body.error).toBe("Insufficient scope");
+            expect(body.required).toBe("write");
+            expect(body.provided).toBe("read");
+        });
+        it("allows write token on write routes", async () => {
+            const res = await app.request("/test", {
+                method: "POST",
+                headers: { Authorization: "Bearer wopr_write_w1" },
+            });
+            expect(res.status).toBe(200);
+        });
+        it("allows admin token on write routes", async () => {
+            const res = await app.request("/test", {
+                method: "POST",
+                headers: { Authorization: "Bearer wopr_admin_a1" },
+            });
+            expect(res.status).toBe(200);
+        });
+    });
+    describe("admin scope routes", () => {
+        const app = createApp("admin");
+        it("rejects read token on admin routes with 403", async () => {
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer wopr_read_r1" },
+            });
+            expect(res.status).toBe(403);
+            const body = await res.json();
+            expect(body.error).toBe("Insufficient scope");
+            expect(body.required).toBe("admin");
+            expect(body.provided).toBe("read");
+        });
+        it("rejects write token on admin routes with 403", async () => {
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer wopr_write_w1" },
+            });
+            expect(res.status).toBe(403);
+            const body = await res.json();
+            expect(body.error).toBe("Insufficient scope");
+            expect(body.required).toBe("admin");
+            expect(body.provided).toBe("write");
+        });
+        it("allows admin token on admin routes", async () => {
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer wopr_admin_a1" },
+            });
+            expect(res.status).toBe(200);
+        });
+        it("allows legacy admin token on admin routes", async () => {
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer legacy-admin" },
+            });
+            expect(res.status).toBe(200);
+        });
+    });
+    describe("backwards compatibility", () => {
+        it("existing FLEET_API_TOKEN works as admin on all scopes", async () => {
+            const legacyMap = buildTokenMap({ FLEET_API_TOKEN: "my-old-token" });
+            for (const scope of ["read", "write", "admin"]) {
+                const app = new Hono();
+                app.use("/*", scopedBearerAuth(legacyMap, scope));
+                app.get("/test", (c) => c.json({ ok: true }));
+                const res = await app.request("/test", {
+                    headers: { Authorization: "Bearer my-old-token" },
+                });
+                expect(res.status).toBe(200);
+            }
+        });
+    });
+    describe("empty token map", () => {
+        it("rejects all tokens when map is empty", async () => {
+            const emptyMap = new Map();
+            const app = new Hono();
+            app.use("/*", scopedBearerAuth(emptyMap, "read"));
+            app.get("/test", (c) => c.json({ ok: true }));
+            const res = await app.request("/test", {
+                headers: { Authorization: "Bearer any-token" },
+            });
+            expect(res.status).toBe(401);
+        });
+    });
+});

package/dist/auth/tenant-access.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/auth/tenant-access.test.js

@@ -0,0 +1,62 @@
+import { describe, expect, it, vi } from "vitest";
+import { validateTenantAccess } from "./index.js";
+function mockOrgMemberRepo(overrides = {}) {
+    return {
+        listMembers: vi.fn().mockResolvedValue([]),
+        addMember: vi.fn().mockResolvedValue(undefined),
+        updateMemberRole: vi.fn().mockResolvedValue(undefined),
+        removeMember: vi.fn().mockResolvedValue(undefined),
+        findMember: vi.fn().mockResolvedValue(null),
+        countAdminsAndOwners: vi.fn().mockResolvedValue(0),
+        listInvites: vi.fn().mockResolvedValue([]),
+        createInvite: vi.fn().mockResolvedValue(undefined),
+        findInviteById: vi.fn().mockResolvedValue(null),
+        findInviteByToken: vi.fn().mockResolvedValue(null),
+        deleteInvite: vi.fn().mockResolvedValue(undefined),
+        deleteAllMembers: vi.fn().mockResolvedValue(undefined),
+        deleteAllInvites: vi.fn().mockResolvedValue(undefined),
+        ...overrides,
+    };
+}
+describe("validateTenantAccess", () => {
+    it("allows access when requestedTenantId matches userId (personal tenant)", async () => {
+        const repo = mockOrgMemberRepo();
+        const result = await validateTenantAccess("user-1", "user-1", repo);
+        expect(result).toBe(true);
+        expect(repo.findMember).not.toHaveBeenCalled();
+    });
+    it("allows access when user is a member of the requested org", async () => {
+        const repo = mockOrgMemberRepo({
+            findMember: vi.fn().mockResolvedValue({
+                id: "m1",
+                orgId: "org-1",
+                userId: "user-1",
+                role: "member",
+                joinedAt: 0,
+            }),
+        });
+        const result = await validateTenantAccess("user-1", "org-1", repo);
+        expect(result).toBe(true);
+        expect(repo.findMember).toHaveBeenCalledWith("org-1", "user-1");
+    });
+    it("denies access when user is NOT a member of the requested org", async () => {
+        const repo = mockOrgMemberRepo({
+            findMember: vi.fn().mockResolvedValue(null),
+        });
+        const result = await validateTenantAccess("user-1", "org-evil", repo);
+        expect(result).toBe(false);
+        expect(repo.findMember).toHaveBeenCalledWith("org-evil", "user-1");
+    });
+    it("allows access when requestedTenantId is undefined (falls back to personal)", async () => {
+        const repo = mockOrgMemberRepo();
+        const result = await validateTenantAccess("user-1", undefined, repo);
+        expect(result).toBe(true);
+        expect(repo.findMember).not.toHaveBeenCalled();
+    });
+    it("allows access when requestedTenantId is empty string (falls back to personal)", async () => {
+        const repo = mockOrgMemberRepo();
+        const result = await validateTenantAccess("user-1", "", repo);
+        expect(result).toBe(true);
+        expect(repo.findMember).not.toHaveBeenCalled();
+    });
+});

package/dist/auth/user-creator.d.ts

@@ -0,0 +1,9 @@
+import type { RoleStore } from "../admin/role-store.js";
+export interface IUserCreator {
+    createUser(userId: string): Promise<void>;
+}
+/**
+ * Create a user creator that auto-promotes the first signup to platform_admin
+ * when no admins exist. After promotion, all subsequent signups are no-ops.
+ */
+export declare function createUserCreator(roleStore: RoleStore): Promise<IUserCreator>;

package/dist/auth/user-creator.js

@@ -0,0 +1,47 @@
+import { logger } from "../config/logger.js";
+class UserCreator {
+    async createUser(_userId) {
+        // No-op for normal signups
+    }
+}
+class AdminUserCreator {
+    roleStore;
+    holder;
+    constructor(roleStore, holder) {
+        this.roleStore = roleStore;
+        this.holder = holder;
+    }
+    async createUser(userId) {
+        // Swap to no-op BEFORE await to prevent concurrent double-promoting.
+        // Save the current creator so we can restore it on failure.
+        const previous = this.holder.creator;
+        this.holder.creator = new UserCreator();
+        try {
+            await this.roleStore.setRole(userId, "*", "platform_admin", "bootstrap");
+            logger.info(`Bootstrap: first user ${userId} auto-promoted to platform_admin`);
+        }
+        catch (err) {
+            // Restore holder so the next signup can retry bootstrap
+            this.holder.creator = previous;
+            throw err;
+        }
+    }
+}
+class UserCreatorHolder {
+    creator;
+    constructor(creator) {
+        this.creator = creator;
+    }
+}
+/**
+ * Create a user creator that auto-promotes the first signup to platform_admin
+ * when no admins exist. After promotion, all subsequent signups are no-ops.
+ */
+export async function createUserCreator(roleStore) {
+    const holder = new UserCreatorHolder(new UserCreator());
+    const count = await roleStore.countPlatformAdmins();
+    if (count === 0) {
+        holder.creator = new AdminUserCreator(roleStore, holder);
+    }
+    return { createUser: (id) => holder.creator.createUser(id) };
+}

package/dist/auth/user-creator.test.d.ts

@@ -0,0 +1 @@
+export {};