canopycms-auth-dev 0.0.0

package/src/dev-plugin.test.ts

@@ -0,0 +1,470 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import {
+  DevAuthPlugin,
+  createDevAuthPlugin,
+  DEFAULT_USERS,
+  DEFAULT_GROUPS,
+  DEV_ADMIN_USER_ID,
+} from './dev-plugin'
+import type { DevUser, DevGroup } from './dev-plugin'
+import type { AuthenticationResult } from 'canopycms/auth'
+
+// Type guard to assert successful authentication
+function assertSuccess(result: AuthenticationResult): asserts result is AuthenticationResult & {
+  success: true
+  user: NonNullable<AuthenticationResult['user']>
+} {
+  expect(result.success).toBe(true)
+  if (!result.success || !result.user) {
+    throw new Error('Authentication failed')
+  }
+}
+
+describe('DevAuthPlugin', () => {
+  describe('authenticate', () => {
+    it('returns default user when no headers provided', async () => {
+      const plugin = new DevAuthPlugin({})
+      const result = await plugin.authenticate(new Headers())
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_user1_2nK8mP4xL9') // user1
+      expect(result.user.name).toBe('User One')
+      expect(result.user.email).toBe('user1@localhost.dev')
+      expect(result.user.externalGroups).toEqual(['team-a', 'team-b'])
+    })
+
+    it('authenticates via X-Test-User header', async () => {
+      const plugin = new DevAuthPlugin({})
+      const headers = new Headers({ 'X-Test-User': 'admin' })
+      const result = await plugin.authenticate(headers)
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_admin_3xY6zW1qR5') // admin1
+      expect(result.user.name).toBe('Admin One')
+    })
+
+    it('authenticates via x-dev-user-id header', async () => {
+      const plugin = new DevAuthPlugin({})
+      const headers = new Headers({ 'x-dev-user-id': 'dev_user2_7qR3tY6wN2' })
+      const result = await plugin.authenticate(headers)
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_user2_7qR3tY6wN2') // user2
+      expect(result.user.name).toBe('User Two')
+    })
+
+    it('authenticates via canopy-dev-user cookie', async () => {
+      const plugin = new DevAuthPlugin({})
+      const headers = new Headers({
+        cookie: 'canopy-dev-user=dev_user3_5vS1pM8kJ4; other=value',
+      })
+      const result = await plugin.authenticate(headers)
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_user3_5vS1pM8kJ4') // user3
+      expect(result.user.name).toBe('User Three')
+    })
+
+    it('prioritizes X-Test-User over cookie', async () => {
+      const plugin = new DevAuthPlugin({})
+      const headers = new Headers({
+        'X-Test-User': 'admin',
+        cookie: 'canopy-dev-user=dev_user1_2nK8mP4xL9',
+      })
+      const result = await plugin.authenticate(headers)
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_admin_3xY6zW1qR5') // admin1 from header
+    })
+
+    it('maps test user keys to dev user IDs', async () => {
+      const plugin = new DevAuthPlugin({})
+
+      const testCases = [
+        { key: 'admin', expectedId: 'dev_admin_3xY6zW1qR5' },
+        { key: 'editor', expectedId: 'dev_user1_2nK8mP4xL9' },
+        { key: 'viewer', expectedId: 'dev_user2_7qR3tY6wN2' },
+        { key: 'reviewer', expectedId: 'dev_reviewer_9aB4cD2eF7' },
+      ]
+
+      for (const { key, expectedId } of testCases) {
+        const headers = new Headers({ 'X-Test-User': key })
+        const result = await plugin.authenticate(headers)
+
+        assertSuccess(result)
+        expect(result.user.userId).toBe(expectedId)
+      }
+    })
+
+    it('returns failure for unknown user ID', async () => {
+      const plugin = new DevAuthPlugin({})
+      const headers = new Headers({ 'x-dev-user-id': 'unknown_user' })
+      const result = await plugin.authenticate(headers)
+
+      expect(result.success).toBe(false)
+      if (!result.success) {
+        expect(result.error).toContain('Dev user not found')
+      }
+    })
+
+    it('uses custom default user when specified', async () => {
+      const plugin = new DevAuthPlugin({
+        defaultUserId: 'dev_admin_3xY6zW1qR5', // admin1
+      })
+      const result = await plugin.authenticate(new Headers())
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_admin_3xY6zW1qR5')
+    })
+  })
+
+  describe('searchUsers', () => {
+    it('returns all users when query is empty', async () => {
+      const plugin = new DevAuthPlugin({})
+      const results = await plugin.searchUsers('')
+
+      expect(results).toHaveLength(5)
+      expect(results[0].id).toBe('dev_user1_2nK8mP4xL9')
+      expect(results[0].name).toBe('User One')
+      expect(results[0].email).toBe('user1@localhost.dev')
+    })
+
+    it('filters users by name', async () => {
+      const plugin = new DevAuthPlugin({})
+      const results = await plugin.searchUsers('admin')
+
+      expect(results).toHaveLength(1)
+      expect(results[0].name).toBe('Admin One')
+    })
+
+    it('filters users by email', async () => {
+      const plugin = new DevAuthPlugin({})
+      const results = await plugin.searchUsers('reviewer1@')
+
+      expect(results).toHaveLength(1)
+      expect(results[0].id).toBe('dev_reviewer_9aB4cD2eF7')
+    })
+
+    it('is case insensitive', async () => {
+      const plugin = new DevAuthPlugin({})
+      const results = await plugin.searchUsers('USER')
+
+      expect(results.length).toBeGreaterThan(0)
+      expect(results.some((u) => u.name.toLowerCase().includes('user'))).toBe(true)
+    })
+
+    it('respects limit parameter', async () => {
+      const plugin = new DevAuthPlugin({})
+      const results = await plugin.searchUsers('', 2)
+
+      expect(results).toHaveLength(2)
+    })
+
+    it('works with custom users', async () => {
+      const customUsers: DevUser[] = [
+        {
+          userId: 'custom_1',
+          name: 'Custom User',
+          email: 'custom@test.com',
+          externalGroups: [],
+        },
+      ]
+      const plugin = new DevAuthPlugin({ users: customUsers })
+      const results = await plugin.searchUsers('custom')
+
+      expect(results).toHaveLength(1)
+      expect(results[0].id).toBe('custom_1')
+    })
+  })
+
+  describe('getUserMetadata', () => {
+    it('returns user metadata for valid user', async () => {
+      const plugin = new DevAuthPlugin({})
+      const metadata = await plugin.getUserMetadata('dev_user1_2nK8mP4xL9')
+
+      expect(metadata).toEqual({
+        id: 'dev_user1_2nK8mP4xL9',
+        name: 'User One',
+        email: 'user1@localhost.dev',
+        avatarUrl: undefined,
+      })
+    })
+
+    it('returns null for unknown user', async () => {
+      const plugin = new DevAuthPlugin({})
+      const metadata = await plugin.getUserMetadata('unknown')
+
+      expect(metadata).toBeNull()
+    })
+
+    it('includes avatarUrl when present', async () => {
+      const customUsers: DevUser[] = [
+        {
+          userId: 'user_1',
+          name: 'User',
+          email: 'user@test.com',
+          avatarUrl: 'https://example.com/avatar.jpg',
+          externalGroups: [],
+        },
+      ]
+      const plugin = new DevAuthPlugin({ users: customUsers })
+      const metadata = await plugin.getUserMetadata('user_1')
+
+      expect(metadata?.avatarUrl).toBe('https://example.com/avatar.jpg')
+    })
+  })
+
+  describe('getGroupMetadata', () => {
+    it('returns group metadata for valid group', async () => {
+      const plugin = new DevAuthPlugin({})
+      const metadata = await plugin.getGroupMetadata('team-a')
+
+      expect(metadata).toEqual({
+        id: 'team-a',
+        name: 'Team A',
+        description: 'Team A',
+      })
+    })
+
+    it('returns null for unknown group', async () => {
+      const plugin = new DevAuthPlugin({})
+      const metadata = await plugin.getGroupMetadata('unknown')
+
+      expect(metadata).toBeNull()
+    })
+
+    it('works with custom groups', async () => {
+      const customGroups: DevGroup[] = [
+        { id: 'team-x', name: 'Team X', description: 'Custom team' },
+      ]
+      const plugin = new DevAuthPlugin({ groups: customGroups })
+      const metadata = await plugin.getGroupMetadata('team-x')
+
+      expect(metadata).toEqual({
+        id: 'team-x',
+        name: 'Team X',
+        description: 'Custom team',
+      })
+    })
+  })
+
+  describe('listGroups', () => {
+    it('returns all groups by default', async () => {
+      const plugin = new DevAuthPlugin({})
+      const groups = await plugin.listGroups()
+
+      expect(groups).toHaveLength(3)
+      expect(groups.map((g) => g.id)).toEqual(['team-a', 'team-b', 'team-c'])
+    })
+
+    it('respects limit parameter', async () => {
+      const plugin = new DevAuthPlugin({})
+      const groups = await plugin.listGroups(2)
+
+      expect(groups).toHaveLength(2)
+    })
+  })
+
+  describe('searchExternalGroups', () => {
+    it('returns all groups when query is empty', async () => {
+      const plugin = new DevAuthPlugin({})
+      const results = await plugin.searchExternalGroups('')
+
+      expect(results).toHaveLength(3)
+    })
+
+    it('filters groups by name', async () => {
+      const plugin = new DevAuthPlugin({})
+      const results = await plugin.searchExternalGroups('team a')
+
+      expect(results).toHaveLength(1)
+      expect(results[0].id).toBe('team-a')
+      expect(results[0].name).toBe('Team A')
+    })
+
+    it('is case insensitive', async () => {
+      const plugin = new DevAuthPlugin({})
+      const results = await plugin.searchExternalGroups('TEAM')
+
+      expect(results.length).toBeGreaterThan(0)
+    })
+  })
+
+  describe('custom configuration', () => {
+    it('accepts custom users and groups', () => {
+      const customUsers: DevUser[] = [
+        {
+          userId: 'custom_1',
+          name: 'Custom',
+          email: 'custom@test.com',
+          externalGroups: ['custom-group'],
+        },
+      ]
+      const customGroups: DevGroup[] = [{ id: 'custom-group', name: 'Custom Group' }]
+
+      const plugin = new DevAuthPlugin({
+        users: customUsers,
+        groups: customGroups,
+        defaultUserId: 'custom_1',
+      })
+
+      expect(plugin).toBeInstanceOf(DevAuthPlugin)
+    })
+  })
+
+  describe('createDevAuthPlugin factory', () => {
+    beforeEach(() => {
+      vi.spyOn(console, 'info').mockImplementation(() => {})
+    })
+    afterEach(() => {
+      vi.restoreAllMocks()
+    })
+
+    it('creates plugin with default config', () => {
+      const plugin = createDevAuthPlugin()
+      expect(plugin).toBeInstanceOf(DevAuthPlugin)
+    })
+
+    it('creates plugin with custom config', () => {
+      const plugin = createDevAuthPlugin({
+        defaultUserId: 'dev_admin_3xY6zW1qR5',
+      })
+      expect(plugin).toBeInstanceOf(DevAuthPlugin)
+    })
+
+    it('works without any arguments', () => {
+      const plugin = createDevAuthPlugin()
+      expect(plugin).toBeInstanceOf(DevAuthPlugin)
+    })
+  })
+
+  describe('DEFAULT_USERS', () => {
+    it('exports default users', () => {
+      expect(DEFAULT_USERS).toHaveLength(5)
+      expect(DEFAULT_USERS[0].userId).toBe('dev_user1_2nK8mP4xL9')
+      expect(DEFAULT_USERS[4].userId).toBe('dev_admin_3xY6zW1qR5')
+    })
+
+    it('has correct user structure', () => {
+      DEFAULT_USERS.forEach((user) => {
+        expect(user).toHaveProperty('userId')
+        expect(user).toHaveProperty('name')
+        expect(user).toHaveProperty('email')
+        expect(user).toHaveProperty('externalGroups')
+        expect(Array.isArray(user.externalGroups)).toBe(true)
+      })
+    })
+  })
+
+  describe('DEFAULT_GROUPS', () => {
+    it('exports default groups', () => {
+      expect(DEFAULT_GROUPS).toHaveLength(3)
+      expect(DEFAULT_GROUPS.map((g) => g.id)).toEqual(['team-a', 'team-b', 'team-c'])
+    })
+
+    it('has correct group structure', () => {
+      DEFAULT_GROUPS.forEach((group) => {
+        expect(group).toHaveProperty('id')
+        expect(group).toHaveProperty('name')
+        expect(group).toHaveProperty('description')
+      })
+    })
+  })
+
+  describe('cookie parsing', () => {
+    it('extracts cookie from single cookie string', async () => {
+      const plugin = new DevAuthPlugin({})
+      const headers = new Headers({
+        cookie: 'canopy-dev-user=dev_admin_3xY6zW1qR5',
+      })
+      const result = await plugin.authenticate(headers)
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_admin_3xY6zW1qR5')
+    })
+
+    it('extracts cookie from multiple cookies', async () => {
+      const plugin = new DevAuthPlugin({})
+      const headers = new Headers({
+        cookie: 'session=abc123; canopy-dev-user=dev_user2_7qR3tY6wN2; other=value',
+      })
+      const result = await plugin.authenticate(headers)
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_user2_7qR3tY6wN2')
+    })
+
+    it('extracts cookie without semicolon separator', async () => {
+      const plugin = new DevAuthPlugin({})
+      const headers = new Headers({
+        cookie: 'canopy-dev-user=dev_reviewer_9aB4cD2eF7',
+      })
+      const result = await plugin.authenticate(headers)
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_reviewer_9aB4cD2eF7')
+    })
+
+    it('returns default user when cookie not found', async () => {
+      const plugin = new DevAuthPlugin({})
+      const headers = new Headers({
+        cookie: 'session=abc123; other=value',
+      })
+      const result = await plugin.authenticate(headers)
+
+      assertSuccess(result)
+      expect(result.user.userId).toBe('dev_user1_2nK8mP4xL9') // default
+    })
+  })
+
+  describe('auto-bootstrap admin', () => {
+    let originalEnv: string | undefined
+
+    beforeEach(() => {
+      originalEnv = process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
+      vi.spyOn(console, 'info').mockImplementation(() => {})
+    })
+
+    afterEach(() => {
+      vi.restoreAllMocks()
+      if (originalEnv === undefined) {
+        delete process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
+      } else {
+        process.env.CANOPY_BOOTSTRAP_ADMIN_IDS = originalEnv
+      }
+    })
+
+    it('auto-sets CANOPY_BOOTSTRAP_ADMIN_IDS when not already set', () => {
+      delete process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
+      createDevAuthPlugin()
+      expect(process.env.CANOPY_BOOTSTRAP_ADMIN_IDS).toBe(DEV_ADMIN_USER_ID)
+    })
+
+    it('does not override existing CANOPY_BOOTSTRAP_ADMIN_IDS', () => {
+      process.env.CANOPY_BOOTSTRAP_ADMIN_IDS = 'custom_user_id'
+      createDevAuthPlugin()
+      expect(process.env.CANOPY_BOOTSTRAP_ADMIN_IDS).toBe('custom_user_id')
+    })
+
+    it('can be disabled via autoBootstrapAdmin: false', () => {
+      delete process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
+      createDevAuthPlugin({ autoBootstrapAdmin: false })
+      expect(process.env.CANOPY_BOOTSTRAP_ADMIN_IDS).toBeUndefined()
+    })
+
+    it('skips auto-bootstrap when custom users do not include admin user', () => {
+      delete process.env.CANOPY_BOOTSTRAP_ADMIN_IDS
+      createDevAuthPlugin({
+        users: [
+          {
+            userId: 'custom_1',
+            name: 'Custom',
+            email: 'custom@test.com',
+            externalGroups: [],
+          },
+        ],
+      })
+      expect(process.env.CANOPY_BOOTSTRAP_ADMIN_IDS).toBeUndefined()
+    })
+  })
+})

package/src/dev-plugin.ts

@@ -0,0 +1,241 @@
+import type { AuthPlugin } from 'canopycms/auth'
+import type { UserSearchResult, GroupMetadata, AuthenticationResult } from 'canopycms/auth'
+import { extractHeaders } from 'canopycms/auth'
+import type { CanopyUserId, CanopyGroupId } from 'canopycms'
+import { getDevUserCookieFromHeaders } from './cookie-utils'
+
+/**
+ * WARNING: This plugin is for development and testing only!
+ * Do not use in production environments.
+ */
+
+export interface DevUser {
+  userId: CanopyUserId
+  name: string
+  email: string
+  avatarUrl?: string
+  externalGroups: CanopyGroupId[]
+}
+
+export interface DevGroup {
+  id: CanopyGroupId
+  name: string
+  description?: string
+}
+
+export const DEV_ADMIN_USER_ID: CanopyUserId = 'dev_admin_3xY6zW1qR5'
+
+export interface DevAuthConfig {
+  /**
+   * Custom mock users. If not provided, uses default users.
+   */
+  users?: DevUser[]
+
+  /**
+   * Custom mock groups. If not provided, uses default groups.
+   */
+  groups?: DevGroup[]
+
+  /**
+   * Default user ID when no user is selected.
+   * @default 'dev_user1_2nK8mP4xL9' (user1)
+   */
+  defaultUserId?: CanopyUserId
+
+  /**
+   * Whether to auto-set CANOPY_BOOTSTRAP_ADMIN_IDS for the admin dev user
+   * when the env var is not already set. Defaults to true.
+   */
+  autoBootstrapAdmin?: boolean
+}
+
+export const DEFAULT_USERS: DevUser[] = [
+  {
+    userId: 'dev_user1_2nK8mP4xL9',
+    name: 'User One',
+    email: 'user1@localhost.dev',
+    externalGroups: ['team-a', 'team-b'],
+  },
+  {
+    userId: 'dev_user2_7qR3tY6wN2',
+    name: 'User Two',
+    email: 'user2@localhost.dev',
+    externalGroups: ['team-b'],
+  },
+  {
+    userId: 'dev_user3_5vS1pM8kJ4',
+    name: 'User Three',
+    email: 'user3@localhost.dev',
+    externalGroups: ['team-c'],
+  },
+  {
+    userId: 'dev_reviewer_9aB4cD2eF7',
+    name: 'Reviewer One',
+    email: 'reviewer1@localhost.dev',
+    externalGroups: ['team-a'],
+    // Note: 'Reviewers' membership comes from internal groups file, not auth plugin
+  },
+  {
+    userId: DEV_ADMIN_USER_ID,
+    name: 'Admin One',
+    email: 'admin1@localhost.dev',
+    externalGroups: ['team-a', 'team-b', 'team-c'],
+    // Note: Does NOT include 'Admins' - that's applied by bootstrap admin config or auto-bootstrap
+  },
+]
+
+export const DEFAULT_GROUPS: DevGroup[] = [
+  { id: 'team-a', name: 'Team A', description: 'Team A' },
+  { id: 'team-b', name: 'Team B', description: 'Team B' },
+  { id: 'team-c', name: 'Team C', description: 'Team C' },
+]
+
+/**
+ * Dev authentication plugin implementation for CanopyCMS.
+ * Supports both cookie-based (UI) and header-based (tests) authentication.
+ */
+export class DevAuthPlugin implements AuthPlugin {
+  private users: DevUser[]
+  private groups: DevGroup[]
+  private defaultUserId: CanopyUserId
+
+  constructor(config: DevAuthConfig = {}) {
+    this.users = config.users ?? DEFAULT_USERS
+    this.groups = config.groups ?? DEFAULT_GROUPS
+    this.defaultUserId = config.defaultUserId ?? 'dev_user1_2nK8mP4xL9'
+  }
+
+  async authenticate(context: unknown): Promise<AuthenticationResult> {
+    // 1. Extract headers using extractHeaders() helper
+    const headers = extractHeaders(context)
+    if (!headers) {
+      return { success: false, error: 'Invalid context' }
+    }
+
+    // 2. Check X-Test-User header (for test-app compatibility) FIRST
+    let userId = headers.get('X-Test-User')
+
+    // 3. If no test header, check x-dev-user-id header OR canopy-dev-user cookie
+    if (!userId) {
+      userId = headers.get('x-dev-user-id') ?? getDevUserCookieFromHeaders(headers)
+    }
+
+    // 4. Fall back to default user
+    if (!userId) {
+      userId = this.defaultUserId
+    }
+
+    // 5. Map test user keys to dev user IDs for test compatibility
+    const userIdMapped = this.mapTestUserKey(userId)
+
+    // 6. Find user in config
+    const user = this.users.find((u) => u.userId === userIdMapped)
+    if (!user) {
+      return { success: false, error: `Dev user not found: ${userId}` }
+    }
+
+    // 7. Return AuthenticationResult with externalGroups
+    return {
+      success: true,
+      user: {
+        userId: user.userId,
+        email: user.email,
+        name: user.name,
+        avatarUrl: user.avatarUrl,
+        externalGroups: user.externalGroups,
+      },
+    }
+  }
+
+  /**
+   * Map test-app user keys to dev user IDs for backward compatibility
+   */
+  private mapTestUserKey(key: string): CanopyUserId {
+    const testUserMap: Record<string, CanopyUserId> = {
+      admin: DEV_ADMIN_USER_ID, // admin1
+      editor: 'dev_user1_2nK8mP4xL9', // user1
+      viewer: 'dev_user2_7qR3tY6wN2', // user2
+      reviewer: 'dev_reviewer_9aB4cD2eF7', // reviewer1
+    }
+    return testUserMap[key] ?? key
+  }
+
+  async searchUsers(query: string, limit?: number): Promise<UserSearchResult[]> {
+    const lowerQuery = query.toLowerCase()
+    const filtered = this.users.filter(
+      (u) =>
+        u.name.toLowerCase().includes(lowerQuery) || u.email.toLowerCase().includes(lowerQuery),
+    )
+
+    const results = filtered.slice(0, limit)
+    return results.map((u) => ({
+      id: u.userId,
+      name: u.name,
+      email: u.email,
+      avatarUrl: u.avatarUrl,
+    }))
+  }
+
+  async getUserMetadata(userId: CanopyUserId): Promise<UserSearchResult | null> {
+    const user = this.users.find((u) => u.userId === userId)
+    if (!user) return null
+
+    return {
+      id: user.userId,
+      name: user.name,
+      email: user.email,
+      avatarUrl: user.avatarUrl,
+    }
+  }
+
+  async getGroupMetadata(groupId: CanopyGroupId): Promise<GroupMetadata | null> {
+    const group = this.groups.find((g) => g.id === groupId)
+    if (!group) return null
+
+    return {
+      id: group.id,
+      name: group.name,
+      description: group.description,
+    }
+  }
+
+  async listGroups(limit?: number): Promise<GroupMetadata[]> {
+    const groups = limit ? this.groups.slice(0, limit) : this.groups
+    return groups.map((g) => ({
+      id: g.id,
+      name: g.name,
+      description: g.description,
+    }))
+  }
+
+  async searchExternalGroups(query: string): Promise<Array<{ id: CanopyGroupId; name: string }>> {
+    const lowerQuery = query.toLowerCase()
+    return this.groups
+      .filter((g) => g.name.toLowerCase().includes(lowerQuery))
+      .map((g) => ({
+        id: g.id,
+        name: g.name,
+      }))
+  }
+}
+
+/**
+ * Factory function for creating dev auth plugin.
+ * By default, auto-sets CANOPY_BOOTSTRAP_ADMIN_IDS to the admin dev user
+ * if the env var is not already set. Disable with { autoBootstrapAdmin: false }.
+ */
+export function createDevAuthPlugin(config?: DevAuthConfig): AuthPlugin {
+  const shouldAutoBootstrap = config?.autoBootstrapAdmin ?? true
+  if (shouldAutoBootstrap && !process.env.CANOPY_BOOTSTRAP_ADMIN_IDS) {
+    const users = config?.users ?? DEFAULT_USERS
+    const adminUser = users.find((u) => u.userId === DEV_ADMIN_USER_ID)
+    if (adminUser) {
+      process.env.CANOPY_BOOTSTRAP_ADMIN_IDS = adminUser.userId
+      console.info(
+        `CanopyCMS dev-auth: Auto-configured ${adminUser.name} (${adminUser.userId}) as bootstrap admin. ` +
+          `Set CANOPY_BOOTSTRAP_ADMIN_IDS env var or pass autoBootstrapAdmin: false to override.`,
+      )
+    }
+  }
+  return new DevAuthPlugin(config ?? {})
+}