create-hq 10.9.1 → 10.11.0

package/commands/{team-sync.md → sync-team.md}

@@ -2,17 +2,17 @@
 
 Pull latest team content and push local changes for all joined teams. Bidirectional git sync using `gh` CLI for authentication — no manual git operations needed.
 
-**Usage:** `/sync` or `/sync --team <slug>` or `/sync --dry-run`
+**Usage:** `/sync` or `/sync <company>` or `/sync --dry-run`
 
 **Requires:** `gh` CLI authenticated (`gh auth status`)
 
 ## Arguments
 
 Parse the user's input for:
-- `--team <slug>` — Sync only a specific team by slug (e.g., `--team indigo`)
+- `<company>` — Sync (or promote) a specific company by slug (e.g., `/sync indigo`). Also accepts `--team <slug>` for backwards compatibility.
 - `--dry-run` — Show what would be synced without making changes
 
-If no flags, sync all discovered teams.
+If no company specified, sync all discovered teams.
 
 ## Process
 
@@ -62,16 +62,24 @@ If no files found:
 ```
 No teams found. Join a team first:
   npx create-hq
+
+To promote an existing company folder to a team repo:
+  /sync <company-slug>
 ```
 Stop here.
 
-If `--team <slug>` was specified, filter to only `companies/{slug}/team.json`. If that file doesn't exist:
+If a company slug was specified (e.g., `/sync acme` or `/sync --team acme`):
+
+First check if `companies/{slug}/` exists as a directory. If not:
 ```
-Team "{slug}" not found. Available teams:
-  {list discovered team slugs}
+Company folder "companies/{slug}/" not found.
 ```
 Stop here.
 
+Then check if `companies/{slug}/team.json` exists:
+- **If yes:** filter to only this team and continue to step 3 (normal sync).
+- **If no:** this company isn't a team yet. Proceed to the **Promote Flow** (section 6 below).
+
 ### 3. Sync each team
 
 For each team (or the single `--team` target):
@@ -416,6 +424,159 @@ Dry run complete — no changes were made.
     Would push: {N} local changes
 ```
 
+## 6. Promote Flow (inline)
+
+When `/sync <slug>` targets a company folder that has no `team.json`, run this flow instead of the normal sync. This creates a GitHub team repo from the existing local folder.
+
+```
+companies/{slug}/ isn't shared as a team yet.
+Promote it to a team repo so it can be synced and shared? (Y/n)
+```
+
+If the user says no, stop here. If yes, continue.
+
+### 6a. Authenticate
+
+Verify `gh` is authenticated (already done in step 1). Get the authenticated user:
+```bash
+gh api user --jq '.login' 2>/dev/null
+```
+
+### 6b. Select GitHub organization
+
+List orgs the user is admin of:
+```bash
+gh api user/orgs --jq '.[].login' 2>/dev/null
+```
+
+If no orgs found:
+```
+You need a GitHub organization to host the team repo.
+Create one at: https://github.com/organizations/new
+Then re-run /sync.
+```
+Stop the promote flow (sync results still reported normally).
+
+If one org, auto-select. If multiple, present numbered list.
+
+### 6c. Pre-push secrets scan
+
+Before creating the repo, scan the folder for accidental secrets:
+
+```bash
+# Scan settings/ directory (highest risk)
+grep -rnE '(api[_-]?key|password|secret|token)\s*[:=]\s*\S{10,}|-----BEGIN .* PRIVATE KEY-----|gh[pousr]_[A-Za-z0-9_]{36,}|op://|AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{20,}' companies/{slug}/ --include='*.json' --include='*.yaml' --include='*.yml' --include='*.env' --include='*.md' --include='*.ts' --include='*.js' --include='*.sh' 2>/dev/null || true
+```
+
+**If matches found:**
+```
+Pre-push security scan found potential secrets in companies/{slug}/:
+
+  {file}:{line}: {match preview}
+
+These would be pushed to a shared GitHub repo (visible to all org members).
+
+Options:
+  1. Remove the sensitive data first (recommended)
+  2. Continue anyway (I've verified these are safe to share)
+```
+
+If option 1: abort promote flow, report which files to clean.
+If option 2: continue.
+
+**If no matches:** continue silently.
+
+### 6d. Create team repo
+
+```bash
+gh api orgs/{org}/repos -X POST -f name="hq-{slug}" -f private=true -f description="HQ Teams workspace for {slug}" --jq '.html_url' 2>&1
+```
+
+If the repo already exists (422 error), ask to reuse or abort.
+
+### 6e. Initialize and push
+
+```bash
+cd companies/{slug}
+
+# Init git if not already
+[ -d .git ] || git init -b main
+
+# Check for existing remote
+if git remote get-url origin 2>/dev/null; then
+  echo "This folder already has a git remote. Aborting to avoid conflict."
+  # Stop promote flow
+fi
+
+# Configure and push
+git remote add origin "https://github.com/{org}/hq-{slug}.git"
+git add -A
+git commit -m "Initial team content from HQ promote"
+git push -u origin main
+```
+
+### 6f. Write team.json
+
+Create `companies/{slug}/team.json` with metadata:
+```json
+{
+  "team_id": "{generated UUID}",
+  "team_name": "{slug}",
+  "team_slug": "{slug}",
+  "org_login": "{org}",
+  "org_id": {org_id},
+  "created_by": "{gh_username}",
+  "created_at": "{ISO8601}",
+  "hq_version": "promoted",
+  "repo_url": "https://github.com/{org}/hq-{slug}",
+  "clone_url": "https://github.com/{org}/hq-{slug}.git"
+}
+```
+
+Generate UUID:
+```bash
+uuidgen 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())"
+```
+
+Get org_id:
+```bash
+gh api orgs/{org} --jq '.id'
+```
+
+Commit and push team.json:
+```bash
+git -C companies/{slug} add team.json
+git -C companies/{slug} commit -m "chore: add team.json metadata"
+git -C companies/{slug} push origin main
+```
+
+### 6g. Post-promote wiring
+
+Update `companies/manifest.yaml` to include the team repo reference:
+- If company entry exists, add `hq-{slug}` to its `repos` array
+- If no entry exists, create a minimal entry with the repo
+
+Run search reindex:
+```bash
+qmd update 2>/dev/null || true
+```
+
+### 6h. Report promote results
+
+```
+Promoted companies/{slug}/ → https://github.com/{org}/hq-{slug}
+
+  Files pushed: {N}
+  team.json: companies/{slug}/team.json
+  Manifest: updated
+
+Next steps:
+  /sync — sync this team going forward
+  /invite — invite team members
+```
+
+After promoting, the newly created team is immediately eligible for normal sync in step 3.
+
 ## Security Notes
 
 - Git authentication is handled by `gh auth setup-git`, which configures a credential helper that delegates to `gh`. No tokens are stored on disk or passed via environment variables.

package/dist/__tests__/auth.test.js

@@ -1,201 +1,191 @@
-import { describe, it, expect, vi, beforeEach, afterEach, afterAll } from "vitest";
-import * as path from "path";
-import * as os from "os";
-import * as fs from "fs";
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 /**
- * Unit tests for auth.ts:
- *   - githubApi error handling (403 on /user/installations)
- *   - ~/.hq/app-token.json persistence (load / save / clear)
- *   - Token validation via /user/installations probe
+ * Unit tests for auth.ts — Cognito version.
+ *
+ * Covers:
+ *   - DEFAULT_COGNITO config (Google-only, port 8765, shared pool with installer + CLI)
+ *   - readIdentity — decodes ID-token JWT payloads safely
+ *   - signOut — clears the cached session
+ *   - ensureCognitoToken — cache / refresh / interactive-login branches
+ *
+ * The hq-cloud module is mocked so tests never touch the filesystem or network.
  */
-// ─── Mocks ─────────────────────────────────────────────────────────────────
-const mockFetch = vi.fn();
-vi.stubGlobal("fetch", mockFetch);
-// Mock child_process so module-level execSync calls in auth.ts don't run
-vi.mock("child_process", () => ({
-    exec: vi.fn(),
-    execSync: vi.fn(),
+const mockLoadCachedTokens = vi.fn();
+const mockClearCachedTokens = vi.fn();
+const mockIsExpiring = vi.fn();
+const mockRefreshTokens = vi.fn();
+const mockBrowserLogin = vi.fn();
+vi.mock("@indigoai-us/hq-cloud", () => ({
+    loadCachedTokens: mockLoadCachedTokens,
+    clearCachedTokens: mockClearCachedTokens,
+    isExpiring: mockIsExpiring,
+    refreshTokens: mockRefreshTokens,
+    browserLogin: mockBrowserLogin,
 }));
-// Import after mocks are in place
-const { githubApi, loadGitHubAuth, saveGitHubAuth, clearGitHubAuth, isGitHubAuthValid, isAppScopedToken, HQ_APP_TOKEN_PATH, } = await import("../auth.js");
+const { DEFAULT_COGNITO, ensureCognitoToken, readIdentity, signOut, } = await import("../auth.js");
 // ─── Fixtures ──────────────────────────────────────────────────────────────
-const fakeAuth = {
-    access_token: "ghu_fake_app_token",
-    login: "testuser",
-    id: 12345,
-    name: "Test User",
-    email: "test@example.com",
-    issued_at: new Date().toISOString(),
-};
-// Use a temp directory so tests don't touch the real ~/.hq/
-const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "create-hq-auth-test-"));
-const tmpTokenPath = path.join(tmpDir, "app-token.json");
-// ─── githubApi ─────────────────────────────────────────────────────────────
-describe("githubApi", () => {
-    beforeEach(() => mockFetch.mockReset());
-    it("throws a user-friendly message on 403 for /user/installations", async () => {
-        mockFetch.mockResolvedValueOnce({
-            ok: false,
-            status: 403,
-            text: async () => JSON.stringify({
-                message: "You must authenticate with an access token authorized to a GitHub App in order to list installations",
-                documentation_url: "https://docs.github.com/rest/apps/installations#list-app-installations-accessible-to-the-user-access-token",
-                status: "403",
-            }),
-        });
-        await expect(githubApi("/user/installations?per_page=100", fakeAuth)).rejects.toThrow(/signed in with a regular GitHub token/i);
-    });
-    it("includes the re-run hint in the 403 installations error", async () => {
-        mockFetch.mockResolvedValueOnce({
-            ok: false,
-            status: 403,
-            text: async () => JSON.stringify({
-                message: "You must authenticate with an access token authorized to a GitHub App",
-            }),
-        });
-        await expect(githubApi("/user/installations?per_page=100", fakeAuth)).rejects.toThrow(/npx create-hq/);
-    });
-    it("preserves the raw error for non-installation 403s", async () => {
-        mockFetch.mockResolvedValueOnce({
-            ok: false,
-            status: 403,
-            text: async () => JSON.stringify({ message: "Resource not accessible by integration" }),
-        });
-        await expect(githubApi("/orgs/acme/repos", fakeAuth)).rejects.toThrow(/GitHub API 403 \/orgs\/acme\/repos/);
+/** Encode a JSON payload as a base64url JWT middle segment. */
+function encodeJwtPayload(payload) {
+    const json = JSON.stringify(payload);
+    const b64 = Buffer.from(json, "utf-8").toString("base64");
+    return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function makeTokens(idPayload) {
+    return {
+        accessToken: "access-" + Math.random().toString(36).slice(2),
+        idToken: `header.${encodeJwtPayload(idPayload)}.signature`,
+        refreshToken: "refresh-" + Math.random().toString(36).slice(2),
+        expiresAt: Date.now() + 60 * 60 * 1000,
+        tokenType: "Bearer",
+    };
+}
+// ─── DEFAULT_COGNITO ───────────────────────────────────────────────────────
+describe("DEFAULT_COGNITO", () => {
+    it("matches hq-installer and hq-cli pool (hq-vault-dev, us-east-1)", () => {
+        expect(DEFAULT_COGNITO.region).toBe("us-east-1");
+        expect(DEFAULT_COGNITO.userPoolDomain).toBe("hq-vault-dev");
+        expect(DEFAULT_COGNITO.clientId).toBe("4mmujmjq3srakdueg656b9m0mp");
+    });
+    it("forces Google as the identity provider", () => {
+        expect(DEFAULT_COGNITO.identityProvider).toBe("Google");
+    });
+    it("prompts Google to re-select the account", () => {
+        expect(DEFAULT_COGNITO.prompt).toBe("select_account");
+    });
+    it("uses port 8765 to match hq-cli", () => {
+        expect(DEFAULT_COGNITO.port).toBe(8765);
     });
-    it("throws the raw error for non-403 failures", async () => {
-        mockFetch.mockResolvedValueOnce({
-            ok: false,
-            status: 404,
-            text: async () => JSON.stringify({ message: "Not Found" }),
+});
+// ─── readIdentity ──────────────────────────────────────────────────────────
+describe("readIdentity", () => {
+    it("decodes sub, email, name from the ID token", () => {
+        const tokens = makeTokens({
+            sub: "abc-123",
+            email: "stefan@example.com",
+            name: "Stefan Johnson",
         });
-        await expect(githubApi("/user/installations?per_page=100", fakeAuth)).rejects.toThrow(/GitHub API 404/);
-    });
-    it("returns parsed JSON on success", async () => {
-        mockFetch.mockResolvedValueOnce({
-            ok: true,
-            status: 200,
-            json: async () => ({ installations: [] }),
+        const id = readIdentity(tokens);
+        expect(id).not.toBeNull();
+        expect(id.sub).toBe("abc-123");
+        expect(id.email).toBe("stefan@example.com");
+        expect(id.name).toBe("Stefan Johnson");
+    });
+    it("exposes the full decoded claims bag", () => {
+        const tokens = makeTokens({
+            sub: "abc",
+            email: "x@y.com",
+            "custom:org": "indigo",
         });
-        const result = await githubApi("/user/installations?per_page=100", fakeAuth);
-        expect(result).toEqual({ installations: [] });
+        const id = readIdentity(tokens);
+        expect(id.claims["custom:org"]).toBe("indigo");
+    });
+    it("returns undefined for missing email/name fields", () => {
+        const tokens = makeTokens({ sub: "abc" });
+        const id = readIdentity(tokens);
+        expect(id.sub).toBe("abc");
+        expect(id.email).toBeUndefined();
+        expect(id.name).toBeUndefined();
+    });
+    it("returns null when the ID token is malformed", () => {
+        const tokens = {
+            accessToken: "x",
+            idToken: "not-a-jwt",
+            refreshToken: "r",
+            expiresAt: Date.now() + 60000,
+            tokenType: "Bearer",
+        };
+        expect(readIdentity(tokens)).toBeNull();
+    });
+    it("returns null when the payload segment is invalid JSON", () => {
+        const tokens = {
+            accessToken: "x",
+            idToken: "header.!!!notbase64valid!!!.sig",
+            refreshToken: "r",
+            expiresAt: Date.now() + 60000,
+            tokenType: "Bearer",
+        };
+        expect(readIdentity(tokens)).toBeNull();
     });
 });
-// ─── ~/.hq/app-token.json persistence ──────────────────────────────────────
-describe("App token persistence", () => {
-    afterEach(() => {
-        // Clean up temp token file between tests
-        try {
-            fs.unlinkSync(tmpTokenPath);
-        }
-        catch { }
-    });
-    afterEach(() => {
-        // Clean up the real path if any test accidentally wrote there
-        // (shouldn't happen — we test with tmpTokenPath)
-    });
-    it("HQ_APP_TOKEN_PATH points to ~/.hq/app-token.json", () => {
-        const expected = path.join(os.homedir(), ".hq", "app-token.json");
-        expect(HQ_APP_TOKEN_PATH).toBe(expected);
-    });
-    it("saveGitHubAuth writes token file to disk", () => {
-        saveGitHubAuth(fakeAuth, tmpTokenPath);
-        // File was written
-        expect(fs.existsSync(tmpTokenPath)).toBe(true);
-        const stored = JSON.parse(fs.readFileSync(tmpTokenPath, "utf-8"));
-        expect(stored.login).toBe("testuser");
-        expect(stored.access_token).toBe("ghu_fake_app_token");
-    });
-    it("saveGitHubAuth creates ~/.hq/ directory if missing", () => {
-        const nested = path.join(tmpDir, "sub", "app-token.json");
-        saveGitHubAuth(fakeAuth, nested);
-        expect(fs.existsSync(nested)).toBe(true);
-    });
-    it("saveGitHubAuth sets restrictive file permissions (0600)", () => {
-        saveGitHubAuth(fakeAuth, tmpTokenPath);
-        const stat = fs.statSync(tmpTokenPath);
-        // Owner read+write only (0600 = 0o600 = 384 decimal)
-        expect(stat.mode & 0o777).toBe(0o600);
-    });
-    it("loadGitHubAuth reads from token file when present", () => {
-        // Write a valid token file
-        fs.writeFileSync(tmpTokenPath, JSON.stringify(fakeAuth), "utf-8");
-        const loaded = loadGitHubAuth(tmpTokenPath);
-        expect(loaded).not.toBeNull();
-        expect(loaded.login).toBe("testuser");
-        expect(loaded.access_token).toBe("ghu_fake_app_token");
-    });
-    it("loadGitHubAuth returns null when token file does not exist", () => {
-        const loaded = loadGitHubAuth(tmpTokenPath);
-        expect(loaded).toBeNull();
-    });
-    it("loadGitHubAuth returns null for corrupted JSON", () => {
-        fs.writeFileSync(tmpTokenPath, "NOT VALID JSON{{{", "utf-8");
-        const loaded = loadGitHubAuth(tmpTokenPath);
-        expect(loaded).toBeNull();
-    });
-    it("loadGitHubAuth returns null when token file is missing access_token", () => {
-        fs.writeFileSync(tmpTokenPath, JSON.stringify({ login: "x", id: 1 }), "utf-8");
-        const loaded = loadGitHubAuth(tmpTokenPath);
-        expect(loaded).toBeNull();
-    });
-    it("clearGitHubAuth removes the token file", () => {
-        fs.writeFileSync(tmpTokenPath, JSON.stringify(fakeAuth), "utf-8");
-        expect(fs.existsSync(tmpTokenPath)).toBe(true);
-        clearGitHubAuth(tmpTokenPath);
-        expect(fs.existsSync(tmpTokenPath)).toBe(false);
-    });
-    it("clearGitHubAuth is a no-op when file does not exist", () => {
-        // Should not throw
-        clearGitHubAuth(tmpTokenPath);
+// ─── signOut ───────────────────────────────────────────────────────────────
+describe("signOut", () => {
+    it("delegates to hq-cloud.clearCachedTokens", () => {
+        mockClearCachedTokens.mockReset();
+        signOut();
+        expect(mockClearCachedTokens).toHaveBeenCalledOnce();
     });
 });
-// ─── isGitHubAuthValid ─────────────────────────────────────────────────────
-describe("isGitHubAuthValid", () => {
-    beforeEach(() => mockFetch.mockReset());
-    it("returns true when /user responds 200", async () => {
-        mockFetch.mockResolvedValueOnce({ ok: true });
-        expect(await isGitHubAuthValid(fakeAuth)).toBe(true);
-    });
-    it("returns false when /user responds non-ok", async () => {
-        mockFetch.mockResolvedValueOnce({ ok: false, status: 401 });
-        expect(await isGitHubAuthValid(fakeAuth)).toBe(false);
-    });
-    it("returns false on network error", async () => {
-        mockFetch.mockRejectedValueOnce(new Error("ECONNREFUSED"));
-        expect(await isGitHubAuthValid(fakeAuth)).toBe(false);
+// ─── ensureCognitoToken ────────────────────────────────────────────────────
+describe("ensureCognitoToken", () => {
+    beforeEach(() => {
+        mockLoadCachedTokens.mockReset();
+        mockIsExpiring.mockReset();
+        mockRefreshTokens.mockReset();
+        mockBrowserLogin.mockReset();
     });
-});
-// ─── isAppScopedToken ──────────────────────────────────────────────────────
-describe("isAppScopedToken", () => {
-    beforeEach(() => mockFetch.mockReset());
-    it('returns "yes" when /user/installations responds 200', async () => {
-        mockFetch.mockResolvedValueOnce({ ok: true, status: 200 });
-        expect(await isAppScopedToken(fakeAuth)).toBe("yes");
-    });
-    it('returns "no" on 403 (definitive — wrong token type)', async () => {
-        mockFetch.mockResolvedValueOnce({ ok: false, status: 403 });
-        expect(await isAppScopedToken(fakeAuth)).toBe("no");
-    });
-    it('returns "unknown" on 5xx (transient server error)', async () => {
-        mockFetch.mockResolvedValueOnce({ ok: false, status: 500 });
-        expect(await isAppScopedToken(fakeAuth)).toBe("unknown");
-    });
-    it('returns "unknown" on network error', async () => {
-        mockFetch.mockRejectedValueOnce(new Error("ECONNREFUSED"));
-        expect(await isAppScopedToken(fakeAuth)).toBe("unknown");
-    });
-    it('returns "no" when access_token is empty', async () => {
-        expect(await isAppScopedToken({ ...fakeAuth, access_token: "" })).toBe("no");
-        // fetch should not have been called
-        expect(mockFetch).not.toHaveBeenCalled();
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+    it("returns cached tokens when they are not expiring", async () => {
+        const cached = makeTokens({ sub: "abc" });
+        mockLoadCachedTokens.mockReturnValue(cached);
+        mockIsExpiring.mockReturnValue(false);
+        const result = await ensureCognitoToken();
+        expect(result).toBe(cached);
+        expect(mockRefreshTokens).not.toHaveBeenCalled();
+        expect(mockBrowserLogin).not.toHaveBeenCalled();
+    });
+    it("refreshes expiring tokens using the cached refresh token", async () => {
+        const cached = makeTokens({ sub: "abc" });
+        const refreshed = makeTokens({ sub: "abc" });
+        mockLoadCachedTokens.mockReturnValue(cached);
+        mockIsExpiring.mockReturnValue(true);
+        mockRefreshTokens.mockResolvedValue(refreshed);
+        const result = await ensureCognitoToken();
+        expect(result).toBe(refreshed);
+        expect(mockRefreshTokens).toHaveBeenCalledWith(DEFAULT_COGNITO, cached.refreshToken);
+        expect(mockBrowserLogin).not.toHaveBeenCalled();
+    });
+    it("falls back to browser login when refresh fails", async () => {
+        const cached = makeTokens({ sub: "abc" });
+        const fresh = makeTokens({ sub: "abc" });
+        mockLoadCachedTokens.mockReturnValue(cached);
+        mockIsExpiring.mockReturnValue(true);
+        mockRefreshTokens.mockRejectedValue(new Error("invalid_grant"));
+        mockBrowserLogin.mockResolvedValue(fresh);
+        const result = await ensureCognitoToken();
+        expect(result).toBe(fresh);
+        expect(mockBrowserLogin).toHaveBeenCalledWith(DEFAULT_COGNITO);
+    });
+    it("launches browser login when no cached tokens exist", async () => {
+        const fresh = makeTokens({ sub: "abc" });
+        mockLoadCachedTokens.mockReturnValue(null);
+        mockBrowserLogin.mockResolvedValue(fresh);
+        const result = await ensureCognitoToken();
+        expect(result).toBe(fresh);
+        expect(mockRefreshTokens).not.toHaveBeenCalled();
+        expect(mockBrowserLogin).toHaveBeenCalledWith(DEFAULT_COGNITO);
+    });
+    it("returns null in non-interactive mode when no cached token", async () => {
+        mockLoadCachedTokens.mockReturnValue(null);
+        const result = await ensureCognitoToken({ interactive: false });
+        expect(result).toBeNull();
+        expect(mockBrowserLogin).not.toHaveBeenCalled();
+    });
+    it("returns null in non-interactive mode when refresh fails", async () => {
+        const cached = makeTokens({ sub: "abc" });
+        mockLoadCachedTokens.mockReturnValue(cached);
+        mockIsExpiring.mockReturnValue(true);
+        mockRefreshTokens.mockRejectedValue(new Error("invalid_grant"));
+        const result = await ensureCognitoToken({ interactive: false });
+        expect(result).toBeNull();
+        expect(mockBrowserLogin).not.toHaveBeenCalled();
+    });
+    it("returns null when browser login throws", async () => {
+        mockLoadCachedTokens.mockReturnValue(null);
+        mockBrowserLogin.mockRejectedValue(new Error("user closed tab"));
+        const result = await ensureCognitoToken();
+        expect(result).toBeNull();
     });
 });
-// ─── Cleanup ───────────────────────────────────────────────────────────────
-afterAll(() => {
-    try {
-        fs.rmSync(tmpDir, { recursive: true, force: true });
-    }
-    catch { }
-});
 //# sourceMappingURL=auth.test.js.map