npm - canopycms-auth-dev - Versions diffs - 0.0.0 → 0.0.1 - Mend

canopycms-auth-dev 0.0.0 → 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/package.json +3 -4
package/src/UserSwitcherButton.tsx +0 -46
package/src/UserSwitcherModal.tsx +0 -63
package/src/cache-writer.ts +0 -61
package/src/client.ts +0 -34
package/src/cookie-utils.ts +0 -44
package/src/dev-plugin.test.ts +0 -470
package/src/dev-plugin.ts +0 -241
package/src/index.ts +0 -11
package/src/jwt-verifier.ts +0 -46

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "canopycms-auth-dev",
-  "version": "0.0.0",
+  "version": "0.0.1",
   "description": "Development authentication provider for CanopyCMS",
   "license": "MIT",
   "repository": {
@@ -18,8 +18,7 @@
     "./cache-writer": "./src/cache-writer.ts"
   },
   "files": [
-    "dist",
-    "src"
+    "dist"
   ],
   "publishConfig": {
     "exports": {
@@ -46,7 +45,7 @@
     "node": ">=18"
   },
   "peerDependencies": {
-    "canopycms": "*",
+    "canopycms": "^0.0.1",
     "react": "^18.0.0 || ^19.0.0",
     "@mantine/core": "^7.0.0",
     "@mantine/hooks": "^7.0.0",

package/src/UserSwitcherButton.tsx DELETED Viewed

@@ -1,46 +0,0 @@
-'use client'
-import { useState, useEffect } from 'react'
-import { ActionIcon, Avatar } from '@mantine/core'
-import { UserSwitcherModal } from './UserSwitcherModal'
-import { DEFAULT_USERS } from './dev-plugin'
-import { getDevUserCookie, DEFAULT_USER_ID } from './cookie-utils'
-/**
- * User switcher button component that shows current user avatar and opens modal
- */
-export function UserSwitcherButton() {
-  const [opened, setOpened] = useState(false)
-  const [mounted, setMounted] = useState(false)
-  // Only read cookie after mount to avoid hydration mismatch
-  useEffect(() => {
-    setMounted(true)
-  }, [])
-  // Read current user from cookie (only on client)
-  const currentUserId = mounted ? (getDevUserCookie() ?? DEFAULT_USER_ID) : DEFAULT_USER_ID
-  const currentUser = DEFAULT_USERS.find((u) => u.userId === currentUserId)
-  return (
-    <>
-      <ActionIcon
-        variant="subtle"
-        size="lg"
-        radius="md"
-        onClick={() => setOpened(true)}
-        aria-label="Switch user"
-      >
-        <Avatar size="sm" color="blue">
-          {currentUser?.name[0] ?? 'U'}
-        </Avatar>
-      </ActionIcon>
-      <UserSwitcherModal
-        opened={opened}
-        onClose={() => setOpened(false)}
-        currentUserId={currentUserId}
-      />
-    </>
-  )
-}

package/src/UserSwitcherModal.tsx DELETED Viewed

@@ -1,63 +0,0 @@
-'use client'
-import { Modal, Stack, Paper, Group, Avatar, Text, Badge } from '@mantine/core'
-import { MdCheck } from 'react-icons/md'
-import { DEFAULT_USERS } from './dev-plugin'
-import { setDevUserCookie } from './cookie-utils'
-interface Props {
-  opened: boolean
-  onClose: () => void
-  currentUserId: string
-}
-/**
- * User switcher modal component that displays all available dev users
- */
-export function UserSwitcherModal({ opened, onClose, currentUserId }: Props) {
-  const switchUser = (userId: string) => {
-    // Set cookie for 7 days
-    setDevUserCookie(userId)
-    // Reload to apply new user
-    window.location.reload()
-  }
-  return (
-    <Modal opened={opened} onClose={onClose} title="Switch Development User">
-      <Stack gap="sm">
-        {DEFAULT_USERS.map((user) => (
-          <Paper
-            key={user.userId}
-            p="md"
-            withBorder
-            style={{ cursor: 'pointer' }}
-            onClick={() => switchUser(user.userId)}
-          >
-            <Group justify="space-between" mb="xs">
-              <Group>
-                <Avatar color="blue">{user.name[0]}</Avatar>
-                <div>
-                  <Text fw={500}>{user.name}</Text>
-                  <Text size="sm" c="dimmed">
-                    {user.email}
-                  </Text>
-                </div>
-              </Group>
-              {user.userId === currentUserId && <MdCheck size={20} />}
-            </Group>
-            {user.externalGroups.length > 0 && (
-              <Group gap="xs">
-                {user.externalGroups.map((g) => (
-                  <Badge key={g} variant="outline" size="sm">
-                    {g}
-                  </Badge>
-                ))}
-              </Group>
-            )}
-          </Paper>
-        ))}
-      </Stack>
-    </Modal>
-  )
-}

package/src/cache-writer.ts DELETED Viewed

@@ -1,61 +0,0 @@
-import { writeAuthCacheSnapshot } from 'canopycms/auth/cache'
-import { DEFAULT_USERS, DEFAULT_GROUPS } from './dev-plugin'
-import type { DevUser, DevGroup } from './dev-plugin'
-export interface RefreshDevCacheOptions {
-  /** Directory to write cache files to (e.g., .canopy-prod-sim/.cache) */
-  cachePath: string
-  /** Custom users (defaults to DEFAULT_USERS) */
-  users?: DevUser[]
-  /** Custom groups (defaults to DEFAULT_GROUPS) */
-  groups?: DevGroup[]
-}
-/**
- * Write dev users/groups to cache files for FileBasedAuthCache.
- *
- * This is the dev-auth equivalent of refreshClerkCache() — it populates
- * the same JSON files that CachingAuthPlugin reads. Since dev users are
- * hardcoded, no API calls are needed.
- *
- * Used by the worker's `run-once` command in prod-sim mode with dev auth.
- */
-export async function refreshDevCache(
-  options: RefreshDevCacheOptions,
-): Promise<{ userCount: number; groupCount: number }> {
-  const { cachePath } = options
-  const users = options.users ?? DEFAULT_USERS
-  const groups = options.groups ?? DEFAULT_GROUPS
-  const usersData = {
-    users: users.map((u) => ({
-      id: u.userId,
-      name: u.name,
-      email: u.email,
-      avatarUrl: u.avatarUrl,
-    })),
-  }
-  const groupsData = {
-    groups: groups.map((g) => ({
-      id: g.id,
-      name: g.name,
-      description: g.description,
-    })),
-  }
-  const membershipsData = {
-    memberships: Object.fromEntries(
-      users.filter((u) => u.externalGroups.length > 0).map((u) => [u.userId, u.externalGroups]),
-    ),
-  }
-  // Write cache files atomically via snapshot directory + symlink swap
-  await writeAuthCacheSnapshot(cachePath, {
-    'users.json': usersData,
-    'orgs.json': groupsData,
-    'memberships.json': membershipsData,
-  })
-  return { userCount: users.length, groupCount: groups.length }
-}

package/src/client.ts DELETED Viewed

@@ -1,34 +0,0 @@
-'use client'
-import type { CanopyClientConfig } from 'canopycms/client'
-import { UserSwitcherButton } from './UserSwitcherButton'
-import { clearDevUserCookie } from './cookie-utils'
-/**
- * Hook that provides dev auth handlers and components for CanopyCMS editor.
- * Model after: packages/canopycms-auth-clerk/src/client.ts
- *
- * @example
- * ```tsx
- * import { useDevAuthConfig } from 'canopycms-auth-dev/client'
- * import config from '../../canopycms.config'
- *
- * export default function EditPage() {
- *   const devAuth = useDevAuthConfig()
- *   const editorConfig = config.client(devAuth)
- *   return <CanopyEditorPage config={editorConfig} />
- * }
- * ```
- */
-export function useDevAuthConfig(): Pick<CanopyClientConfig, 'editor'> {
-  return {
-    editor: {
-      AccountComponent: UserSwitcherButton,
-      onLogoutClick: () => {
-        // Reset to default user
-        clearDevUserCookie()
-        window.location.reload()
-      },
-    },
-  }
-}

package/src/cookie-utils.ts DELETED Viewed

@@ -1,44 +0,0 @@
-import type { HeadersLike } from 'canopycms/auth'
-export const DEV_USER_COOKIE_NAME = 'canopy-dev-user'
-export const DEV_USER_COOKIE_MAX_AGE = 60 * 60 * 24 * 7 // 7 days
-export const DEFAULT_USER_ID = 'dev_user1_2nK8mP4xL9'
-/**
- * Server-side: Extract cookie value from HTTP headers
- */
-export function getDevUserCookieFromHeaders(headers: HeadersLike): string | null {
-  const cookie = headers.get('Cookie')
-  if (!cookie) return null
-  const match = cookie.match(new RegExp(`${DEV_USER_COOKIE_NAME}=([^;]+)`))
-  return match?.[1] ?? null
-}
-/**
- * Client-side: Read cookie from document.cookie
- */
-export function getDevUserCookie(): string | null {
-  if (typeof document === 'undefined') return null
-  const match = document.cookie.match(new RegExp(`${DEV_USER_COOKIE_NAME}=([^;]+)`))
-  return match?.[1] ?? null
-}
-/**
- * Client-side: Set dev user cookie
- */
-export function setDevUserCookie(userId: string): void {
-  if (typeof document === 'undefined') return
-  document.cookie = `${DEV_USER_COOKIE_NAME}=${userId}; path=/; max-age=${DEV_USER_COOKIE_MAX_AGE}; SameSite=Lax`
-}
-/**
- * Client-side: Clear dev user cookie (logout)
- */
-export function clearDevUserCookie(): void {
-  if (typeof document === 'undefined') return
-  document.cookie = `${DEV_USER_COOKIE_NAME}=; path=/; max-age=0`
-}

package/src/dev-plugin.test.ts DELETED Viewed

@@ -1,470 +0,0 @@
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
-import {
-  DevAuthPlugin,
-  createDevAuthPlugin,
-  DEFAULT_USERS,
-  DEFAULT_GROUPS,
-  DEV_ADMIN_USER_ID,
-} from './dev-plugin'
-import type { DevUser, DevGroup } from './dev-plugin'
-import type { AuthenticationResult } from 'canopycms/auth'
-// Type guard to assert successful authentication
-function assertSuccess(result: AuthenticationResult): asserts result is AuthenticationResult & {
-  success: true
-  user: NonNullable<AuthenticationResult['user']>
-} {
-  expect(result.success).toBe(true)
-  if (!result.success || !result.user) {
-    throw new Error('Authentication failed')
-  }
-}
-describe('DevAuthPlugin', () => {
-  describe('authenticate', () => {
-    it('returns default user when no headers provided', async () => {
-      const plugin = new DevAuthPlugin({})
-      const result = await plugin.authenticate(new Headers())
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_user1_2nK8mP4xL9') // user1
-      expect(result.user.name).toBe('User One')
-      expect(result.user.email).toBe('user1@localhost.dev')
-      expect(result.user.externalGroups).toEqual(['team-a', 'team-b'])
-    })
-    it('authenticates via X-Test-User header', async () => {
-      const plugin = new DevAuthPlugin({})
-      const headers = new Headers({ 'X-Test-User': 'admin' })
-      const result = await plugin.authenticate(headers)
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_admin_3xY6zW1qR5') // admin1
-      expect(result.user.name).toBe('Admin One')
-    })
-    it('authenticates via x-dev-user-id header', async () => {
-      const plugin = new DevAuthPlugin({})
-      const headers = new Headers({ 'x-dev-user-id': 'dev_user2_7qR3tY6wN2' })
-      const result = await plugin.authenticate(headers)
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_user2_7qR3tY6wN2') // user2
-      expect(result.user.name).toBe('User Two')
-    })
-    it('authenticates via canopy-dev-user cookie', async () => {
-      const plugin = new DevAuthPlugin({})
-      const headers = new Headers({
-        cookie: 'canopy-dev-user=dev_user3_5vS1pM8kJ4; other=value',
-      })
-      const result = await plugin.authenticate(headers)
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_user3_5vS1pM8kJ4') // user3
-      expect(result.user.name).toBe('User Three')
-    })
-    it('prioritizes X-Test-User over cookie', async () => {
-      const plugin = new DevAuthPlugin({})
-      const headers = new Headers({
-        'X-Test-User': 'admin',
-        cookie: 'canopy-dev-user=dev_user1_2nK8mP4xL9',
-      })
-      const result = await plugin.authenticate(headers)
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_admin_3xY6zW1qR5') // admin1 from header
-    })
-    it('maps test user keys to dev user IDs', async () => {
-      const plugin = new DevAuthPlugin({})
-      const testCases = [
-        { key: 'admin', expectedId: 'dev_admin_3xY6zW1qR5' },
-        { key: 'editor', expectedId: 'dev_user1_2nK8mP4xL9' },
-        { key: 'viewer', expectedId: 'dev_user2_7qR3tY6wN2' },
-        { key: 'reviewer', expectedId: 'dev_reviewer_9aB4cD2eF7' },
-      ]
-      for (const { key, expectedId } of testCases) {
-        const headers = new Headers({ 'X-Test-User': key })
-        const result = await plugin.authenticate(headers)
-        assertSuccess(result)
-        expect(result.user.userId).toBe(expectedId)
-      }
-    })
-    it('returns failure for unknown user ID', async () => {
-      const plugin = new DevAuthPlugin({})
-      const headers = new Headers({ 'x-dev-user-id': 'unknown_user' })
-      const result = await plugin.authenticate(headers)
-      expect(result.success).toBe(false)
-      if (!result.success) {
-        expect(result.error).toContain('Dev user not found')
-      }
-    })
-    it('uses custom default user when specified', async () => {
-      const plugin = new DevAuthPlugin({
-        defaultUserId: 'dev_admin_3xY6zW1qR5', // admin1
-      })
-      const result = await plugin.authenticate(new Headers())
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_admin_3xY6zW1qR5')
-    })
-  })
-  describe('searchUsers', () => {
-    it('returns all users when query is empty', async () => {
-      const plugin = new DevAuthPlugin({})
-      const results = await plugin.searchUsers('')
-      expect(results).toHaveLength(5)
-      expect(results[0].id).toBe('dev_user1_2nK8mP4xL9')
-      expect(results[0].name).toBe('User One')
-      expect(results[0].email).toBe('user1@localhost.dev')
-    })
-    it('filters users by name', async () => {
-      const plugin = new DevAuthPlugin({})
-      const results = await plugin.searchUsers('admin')
-      expect(results).toHaveLength(1)
-      expect(results[0].name).toBe('Admin One')
-    })
-    it('filters users by email', async () => {
-      const plugin = new DevAuthPlugin({})
-      const results = await plugin.searchUsers('reviewer1@')
-      expect(results).toHaveLength(1)
-      expect(results[0].id).toBe('dev_reviewer_9aB4cD2eF7')
-    })
-    it('is case insensitive', async () => {
-      const plugin = new DevAuthPlugin({})
-      const results = await plugin.searchUsers('USER')
-      expect(results.length).toBeGreaterThan(0)
-      expect(results.some((u) => u.name.toLowerCase().includes('user'))).toBe(true)
-    })
-    it('respects limit parameter', async () => {
-      const plugin = new DevAuthPlugin({})
-      const results = await plugin.searchUsers('', 2)
-      expect(results).toHaveLength(2)
-    })
-    it('works with custom users', async () => {
-      const customUsers: DevUser[] = [
-        {
-          userId: 'custom_1',
-          name: 'Custom User',
-          email: 'custom@test.com',
-          externalGroups: [],
-        },
-      ]
-      const plugin = new DevAuthPlugin({ users: customUsers })
-      const results = await plugin.searchUsers('custom')
-      expect(results).toHaveLength(1)
-      expect(results[0].id).toBe('custom_1')
-    })
-  })
-  describe('getUserMetadata', () => {
-    it('returns user metadata for valid user', async () => {
-      const plugin = new DevAuthPlugin({})
-      const metadata = await plugin.getUserMetadata('dev_user1_2nK8mP4xL9')
-      expect(metadata).toEqual({
-        id: 'dev_user1_2nK8mP4xL9',
-        name: 'User One',
-        email: 'user1@localhost.dev',
-        avatarUrl: undefined,
-      })
-    })
-    it('returns null for unknown user', async () => {
-      const plugin = new DevAuthPlugin({})
-      const metadata = await plugin.getUserMetadata('unknown')
-      expect(metadata).toBeNull()
-    })
-    it('includes avatarUrl when present', async () => {
-      const customUsers: DevUser[] = [
-        {
-          userId: 'user_1',
-          name: 'User',
-          email: 'user@test.com',
-          avatarUrl: 'https://example.com/avatar.jpg',
-          externalGroups: [],
-        },
-      ]
-      const plugin = new DevAuthPlugin({ users: customUsers })
-      const metadata = await plugin.getUserMetadata('user_1')
-      expect(metadata?.avatarUrl).toBe('https://example.com/avatar.jpg')
-    })
-  })
-  describe('getGroupMetadata', () => {
-    it('returns group metadata for valid group', async () => {
-      const plugin = new DevAuthPlugin({})
-      const metadata = await plugin.getGroupMetadata('team-a')
-      expect(metadata).toEqual({
-        id: 'team-a',
-        name: 'Team A',
-        description: 'Team A',
-      })
-    })
-    it('returns null for unknown group', async () => {
-      const plugin = new DevAuthPlugin({})
-      const metadata = await plugin.getGroupMetadata('unknown')
-      expect(metadata).toBeNull()
-    })
-    it('works with custom groups', async () => {
-      const customGroups: DevGroup[] = [
-        { id: 'team-x', name: 'Team X', description: 'Custom team' },
-      ]
-      const plugin = new DevAuthPlugin({ groups: customGroups })
-      const metadata = await plugin.getGroupMetadata('team-x')
-      expect(metadata).toEqual({
-        id: 'team-x',
-        name: 'Team X',
-        description: 'Custom team',
-      })
-    })
-  })
-  describe('listGroups', () => {
-    it('returns all groups by default', async () => {
-      const plugin = new DevAuthPlugin({})
-      const groups = await plugin.listGroups()
-      expect(groups).toHaveLength(3)
-      expect(groups.map((g) => g.id)).toEqual(['team-a', 'team-b', 'team-c'])
-    })
-    it('respects limit parameter', async () => {
-      const plugin = new DevAuthPlugin({})
-      const groups = await plugin.listGroups(2)
-      expect(groups).toHaveLength(2)
-    })
-  })
-  describe('searchExternalGroups', () => {
-    it('returns all groups when query is empty', async () => {
-      const plugin = new DevAuthPlugin({})
-      const results = await plugin.searchExternalGroups('')
-      expect(results).toHaveLength(3)
-    })
-    it('filters groups by name', async () => {
-      const plugin = new DevAuthPlugin({})
-      const results = await plugin.searchExternalGroups('team a')
-      expect(results).toHaveLength(1)
-      expect(results[0].id).toBe('team-a')
-      expect(results[0].name).toBe('Team A')
-    })
-    it('is case insensitive', async () => {
-      const plugin = new DevAuthPlugin({})
-      const results = await plugin.searchExternalGroups('TEAM')
-      expect(results.length).toBeGreaterThan(0)
-    })
-  })
-  describe('custom configuration', () => {
-    it('accepts custom users and groups', () => {
-      const customUsers: DevUser[] = [
-        {
-          userId: 'custom_1',
-          name: 'Custom',
-          email: 'custom@test.com',
-          externalGroups: ['custom-group'],
-        },
-      ]
-      const customGroups: DevGroup[] = [{ id: 'custom-group', name: 'Custom Group' }]
-      const plugin = new DevAuthPlugin({
-        users: customUsers,
-        groups: customGroups,
-        defaultUserId: 'custom_1',
-      })
-      expect(plugin).toBeInstanceOf(DevAuthPlugin)
-    })
-  })
-  describe('createDevAuthPlugin factory', () => {
-    beforeEach(() => {
-      vi.spyOn(console, 'info').mockImplementation(() => {})
-    })
-    afterEach(() => {
-      vi.restoreAllMocks()
-    })
-    it('creates plugin with default config', () => {
-      const plugin = createDevAuthPlugin()
-      expect(plugin).toBeInstanceOf(DevAuthPlugin)
-    })
-    it('creates plugin with custom config', () => {
-      const plugin = createDevAuthPlugin({
-        defaultUserId: 'dev_admin_3xY6zW1qR5',
-      })
-      expect(plugin).toBeInstanceOf(DevAuthPlugin)
-    })
-    it('works without any arguments', () => {
-      const plugin = createDevAuthPlugin()
-      expect(plugin).toBeInstanceOf(DevAuthPlugin)
-    })
-  })
-  describe('DEFAULT_USERS', () => {
-    it('exports default users', () => {
-      expect(DEFAULT_USERS).toHaveLength(5)
-      expect(DEFAULT_USERS[0].userId).toBe('dev_user1_2nK8mP4xL9')
-      expect(DEFAULT_USERS[4].userId).toBe('dev_admin_3xY6zW1qR5')
-    })
-    it('has correct user structure', () => {
-      DEFAULT_USERS.forEach((user) => {
-        expect(user).toHaveProperty('userId')
-        expect(user).toHaveProperty('name')
-        expect(user).toHaveProperty('email')
-        expect(user).toHaveProperty('externalGroups')
-        expect(Array.isArray(user.externalGroups)).toBe(true)
-      })
-    })
-  })
-  describe('DEFAULT_GROUPS', () => {
-    it('exports default groups', () => {
-      expect(DEFAULT_GROUPS).toHaveLength(3)
-      expect(DEFAULT_GROUPS.map((g) => g.id)).toEqual(['team-a', 'team-b', 'team-c'])
-    })
-    it('has correct group structure', () => {
-      DEFAULT_GROUPS.forEach((group) => {
-        expect(group).toHaveProperty('id')
-        expect(group).toHaveProperty('name')
-        expect(group).toHaveProperty('description')
-      })
-    })
-  })
-  describe('cookie parsing', () => {
-    it('extracts cookie from single cookie string', async () => {
-      const plugin = new DevAuthPlugin({})
-      const headers = new Headers({
-        cookie: 'canopy-dev-user=dev_admin_3xY6zW1qR5',
-      })
-      const result = await plugin.authenticate(headers)
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_admin_3xY6zW1qR5')
-    })
-    it('extracts cookie from multiple cookies', async () => {
-      const plugin = new DevAuthPlugin({})
-      const headers = new Headers({
-        cookie: 'session=abc123; canopy-dev-user=dev_user2_7qR3tY6wN2; other=value',
-      })
-      const result = await plugin.authenticate(headers)
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_user2_7qR3tY6wN2')
-    })
-    it('extracts cookie without semicolon separator', async () => {
-      const plugin = new DevAuthPlugin({})
-      const headers = new Headers({
-        cookie: 'canopy-dev-user=dev_reviewer_9aB4cD2eF7',
-      })
-      const result = await plugin.authenticate(headers)
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_reviewer_9aB4cD2eF7')
-    })
-    it('returns default user when cookie not found', async () => {
-      const plugin = new DevAuthPlugin({})
-      const headers = new Headers({
-        cookie: 'session=abc123; other=value',
-      })
-      const result = await plugin.authenticate(headers)
-      assertSuccess(result)
-      expect(result.user.userId).toBe('dev_user1_2nK8mP4xL9') // default
-    })
-  })
-  describe('auto-bootstrap admin', () => {
-    let originalEnv: string | undefined
-    beforeEach(() => {
-      originalEnv = process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
-      vi.spyOn(console, 'info').mockImplementation(() => {})
-    })
-    afterEach(() => {
-      vi.restoreAllMocks()
-      if (originalEnv === undefined) {
-        delete process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
-      } else {
-        process.env.CANOPY_BOOTSTRAP_ADMIN_IDS = originalEnv
-      }
-    })
-    it('auto-sets CANOPY_BOOTSTRAP_ADMIN_IDS when not already set', () => {
-      delete process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
-      createDevAuthPlugin()
-      expect(process.env.CANOPY_BOOTSTRAP_ADMIN_IDS).toBe(DEV_ADMIN_USER_ID)
-    })
-    it('does not override existing CANOPY_BOOTSTRAP_ADMIN_IDS', () => {
-      process.env.CANOPY_BOOTSTRAP_ADMIN_IDS = 'custom_user_id'
-      createDevAuthPlugin()
-      expect(process.env.CANOPY_BOOTSTRAP_ADMIN_IDS).toBe('custom_user_id')
-    })
-    it('can be disabled via autoBootstrapAdmin: false', () => {
-      delete process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
-      createDevAuthPlugin({ autoBootstrapAdmin: false })
-      expect(process.env.CANOPY_BOOTSTRAP_ADMIN_IDS).toBeUndefined()
-    })
-    it('skips auto-bootstrap when custom users do not include admin user', () => {
-      delete process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
-      createDevAuthPlugin({
-        users: [
-          {
-            userId: 'custom_1',
-            name: 'Custom',
-            email: 'custom@test.com',
-            externalGroups: [],
-          },
-        ],
-      })
-      expect(process.env.CANOPY_BOOTSTRAP_ADMIN_IDS).toBeUndefined()
-    })
-  })
-})

package/src/dev-plugin.ts DELETED Viewed

@@ -1,241 +0,0 @@
-import type { AuthPlugin } from 'canopycms/auth'
-import type { UserSearchResult, GroupMetadata, AuthenticationResult } from 'canopycms/auth'
-import { extractHeaders } from 'canopycms/auth'
-import type { CanopyUserId, CanopyGroupId } from 'canopycms'
-import { getDevUserCookieFromHeaders } from './cookie-utils'
-/**
- * WARNING: This plugin is for development and testing only!
- * Do not use in production environments.
- */
-export interface DevUser {
-  userId: CanopyUserId
-  name: string
-  email: string
-  avatarUrl?: string
-  externalGroups: CanopyGroupId[]
-}
-export interface DevGroup {
-  id: CanopyGroupId
-  name: string
-  description?: string
-}
-export const DEV_ADMIN_USER_ID: CanopyUserId = 'dev_admin_3xY6zW1qR5'
-export interface DevAuthConfig {
-  /**
-   * Custom mock users. If not provided, uses default users.
-   */
-  users?: DevUser[]
-  /**
-   * Custom mock groups. If not provided, uses default groups.
-   */
-  groups?: DevGroup[]
-  /**
-   * Default user ID when no user is selected.
-   * @default 'dev_user1_2nK8mP4xL9' (user1)
-   */
-  defaultUserId?: CanopyUserId
-  /**
-   * Whether to auto-set CANOPY_BOOTSTRAP_ADMIN_IDS for the admin dev user
-   * when the env var is not already set. Defaults to true.
-   */
-  autoBootstrapAdmin?: boolean
-}
-export const DEFAULT_USERS: DevUser[] = [
-  {
-    userId: 'dev_user1_2nK8mP4xL9',
-    name: 'User One',
-    email: 'user1@localhost.dev',
-    externalGroups: ['team-a', 'team-b'],
-  },
-  {
-    userId: 'dev_user2_7qR3tY6wN2',
-    name: 'User Two',
-    email: 'user2@localhost.dev',
-    externalGroups: ['team-b'],
-  },
-  {
-    userId: 'dev_user3_5vS1pM8kJ4',
-    name: 'User Three',
-    email: 'user3@localhost.dev',
-    externalGroups: ['team-c'],
-  },
-  {
-    userId: 'dev_reviewer_9aB4cD2eF7',
-    name: 'Reviewer One',
-    email: 'reviewer1@localhost.dev',
-    externalGroups: ['team-a'],
-    // Note: 'Reviewers' membership comes from internal groups file, not auth plugin
-  },
-  {
-    userId: DEV_ADMIN_USER_ID,
-    name: 'Admin One',
-    email: 'admin1@localhost.dev',
-    externalGroups: ['team-a', 'team-b', 'team-c'],
-    // Note: Does NOT include 'Admins' - that's applied by bootstrap admin config or auto-bootstrap
-  },
-]
-export const DEFAULT_GROUPS: DevGroup[] = [
-  { id: 'team-a', name: 'Team A', description: 'Team A' },
-  { id: 'team-b', name: 'Team B', description: 'Team B' },
-  { id: 'team-c', name: 'Team C', description: 'Team C' },
-]
-/**
- * Dev authentication plugin implementation for CanopyCMS.
- * Supports both cookie-based (UI) and header-based (tests) authentication.
- */
-export class DevAuthPlugin implements AuthPlugin {
-  private users: DevUser[]
-  private groups: DevGroup[]
-  private defaultUserId: CanopyUserId
-  constructor(config: DevAuthConfig = {}) {
-    this.users = config.users ?? DEFAULT_USERS
-    this.groups = config.groups ?? DEFAULT_GROUPS
-    this.defaultUserId = config.defaultUserId ?? 'dev_user1_2nK8mP4xL9'
-  }
-  async authenticate(context: unknown): Promise<AuthenticationResult> {
-    // 1. Extract headers using extractHeaders() helper
-    const headers = extractHeaders(context)
-    if (!headers) {
-      return { success: false, error: 'Invalid context' }
-    }
-    // 2. Check X-Test-User header (for test-app compatibility) FIRST
-    let userId = headers.get('X-Test-User')
-    // 3. If no test header, check x-dev-user-id header OR canopy-dev-user cookie
-    if (!userId) {
-      userId = headers.get('x-dev-user-id') ?? getDevUserCookieFromHeaders(headers)
-    }
-    // 4. Fall back to default user
-    if (!userId) {
-      userId = this.defaultUserId
-    }
-    // 5. Map test user keys to dev user IDs for test compatibility
-    const userIdMapped = this.mapTestUserKey(userId)
-    // 6. Find user in config
-    const user = this.users.find((u) => u.userId === userIdMapped)
-    if (!user) {
-      return { success: false, error: `Dev user not found: ${userId}` }
-    }
-    // 7. Return AuthenticationResult with externalGroups
-    return {
-      success: true,
-      user: {
-        userId: user.userId,
-        email: user.email,
-        name: user.name,
-        avatarUrl: user.avatarUrl,
-        externalGroups: user.externalGroups,
-      },
-    }
-  }
-  /**
-   * Map test-app user keys to dev user IDs for backward compatibility
-   */
-  private mapTestUserKey(key: string): CanopyUserId {
-    const testUserMap: Record<string, CanopyUserId> = {
-      admin: DEV_ADMIN_USER_ID, // admin1
-      editor: 'dev_user1_2nK8mP4xL9', // user1
-      viewer: 'dev_user2_7qR3tY6wN2', // user2
-      reviewer: 'dev_reviewer_9aB4cD2eF7', // reviewer1
-    }
-    return testUserMap[key] ?? key
-  }
-  async searchUsers(query: string, limit?: number): Promise<UserSearchResult[]> {
-    const lowerQuery = query.toLowerCase()
-    const filtered = this.users.filter(
-      (u) =>
-        u.name.toLowerCase().includes(lowerQuery) || u.email.toLowerCase().includes(lowerQuery),
-    )
-    const results = filtered.slice(0, limit)
-    return results.map((u) => ({
-      id: u.userId,
-      name: u.name,
-      email: u.email,
-      avatarUrl: u.avatarUrl,
-    }))
-  }
-  async getUserMetadata(userId: CanopyUserId): Promise<UserSearchResult | null> {
-    const user = this.users.find((u) => u.userId === userId)
-    if (!user) return null
-    return {
-      id: user.userId,
-      name: user.name,
-      email: user.email,
-      avatarUrl: user.avatarUrl,
-    }
-  }
-  async getGroupMetadata(groupId: CanopyGroupId): Promise<GroupMetadata | null> {
-    const group = this.groups.find((g) => g.id === groupId)
-    if (!group) return null
-    return {
-      id: group.id,
-      name: group.name,
-      description: group.description,
-    }
-  }
-  async listGroups(limit?: number): Promise<GroupMetadata[]> {
-    const groups = limit ? this.groups.slice(0, limit) : this.groups
-    return groups.map((g) => ({
-      id: g.id,
-      name: g.name,
-      description: g.description,
-    }))
-  }
-  async searchExternalGroups(query: string): Promise<Array<{ id: CanopyGroupId; name: string }>> {
-    const lowerQuery = query.toLowerCase()
-    return this.groups
-      .filter((g) => g.name.toLowerCase().includes(lowerQuery))
-      .map((g) => ({
-        id: g.id,
-        name: g.name,
-      }))
-  }
-}
-/**
- * Factory function for creating dev auth plugin.
- * By default, auto-sets CANOPY_BOOTSTRAP_ADMIN_IDS to the admin dev user
- * if the env var is not already set. Disable with { autoBootstrapAdmin: false }.
- */
-export function createDevAuthPlugin(config?: DevAuthConfig): AuthPlugin {
-  const shouldAutoBootstrap = config?.autoBootstrapAdmin ?? true
-  if (shouldAutoBootstrap && !process.env.CANOPY_BOOTSTRAP_ADMIN_IDS) {
-    const users = config?.users ?? DEFAULT_USERS
-    const adminUser = users.find((u) => u.userId === DEV_ADMIN_USER_ID)
-    if (adminUser) {
-      process.env.CANOPY_BOOTSTRAP_ADMIN_IDS = adminUser.userId
-      console.info(
-        `CanopyCMS dev-auth: Auto-configured ${adminUser.name} (${adminUser.userId}) as bootstrap admin. ` +
-          `Set CANOPY_BOOTSTRAP_ADMIN_IDS env var or pass autoBootstrapAdmin: false to override.`,
-      )
-    }
-  }
-  return new DevAuthPlugin(config ?? {})
-}

package/src/index.ts DELETED Viewed

@@ -1,11 +0,0 @@
-export {
-  createDevAuthPlugin,
-  DevAuthPlugin,
-  DEFAULT_USERS,
-  DEFAULT_GROUPS,
-  DEV_ADMIN_USER_ID,
-} from './dev-plugin'
-export type { DevAuthConfig, DevUser, DevGroup } from './dev-plugin'
-export { createDevTokenVerifier } from './jwt-verifier'
-export { refreshDevCache } from './cache-writer'
-export type { RefreshDevCacheOptions } from './cache-writer'

package/src/jwt-verifier.ts DELETED Viewed

@@ -1,46 +0,0 @@
-import { extractHeaders } from 'canopycms/auth'
-import type { TokenVerifier } from 'canopycms/auth'
-import { getDevUserCookieFromHeaders, DEFAULT_USER_ID } from './cookie-utils'
-import { DEV_ADMIN_USER_ID } from './dev-plugin'
-/**
- * Test user key → dev user ID mapping.
- * Matches the mapping in DevAuthPlugin.mapTestUserKey().
- */
-const TEST_USER_MAP: Record<string, string> = {
-  admin: DEV_ADMIN_USER_ID,
-  editor: 'dev_user1_2nK8mP4xL9',
-  viewer: 'dev_user2_7qR3tY6wN2',
-  reviewer: 'dev_reviewer_9aB4cD2eF7',
-}
-/**
- * Creates a token verifier for dev auth.
- * Extracts userId from X-Test-User header, x-dev-user-id header,
- * or canopy-dev-user cookie — same logic as DevAuthPlugin.authenticate().
- *
- * Used with CachingAuthPlugin in prod-sim mode to simulate the prod
- * code path (token verification + cached metadata lookup) using dev users.
- */
-export function createDevTokenVerifier(options?: { defaultUserId?: string }): TokenVerifier {
-  const defaultUserId = options?.defaultUserId ?? DEFAULT_USER_ID
-  return async (context: unknown) => {
-    const headers = extractHeaders(context)
-    if (!headers) return null
-    // Same extraction logic as DevAuthPlugin.authenticate()
-    let userId = headers.get('X-Test-User')
-    if (!userId) {
-      userId = headers.get('x-dev-user-id') ?? getDevUserCookieFromHeaders(headers)
-    }
-    if (!userId) {
-      userId = defaultUserId
-    }
-    // Map test user keys to dev user IDs
-    const mapped = TEST_USER_MAP[userId] ?? userId
-    return { userId: mapped }
-  }
-}