feat(admin): bearer auth with admin-only gate + login screen

apps/admin/src/auth/AuthContext.test.tsx

@@ -0,0 +1,92 @@
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { AuthProvider, useAuth } from './AuthContext';
+import { fetchMe } from '../api/me';
+import { signIn as apiSignIn } from '../lib/api';
+import { clearToken, getToken, setToken } from '../lib/auth-storage';
+
+// Mock the network layer so no real requests are made.
+vi.mock('../lib/api', () => ({
+  signIn: vi.fn(),
+}));
+vi.mock('../api/me', () => ({
+  fetchMe: vi.fn(),
+}));
+
+const mockedSignIn = vi.mocked(apiSignIn);
+const mockedFetchMe = vi.mocked(fetchMe);
+
+// A tiny harness that exposes the auth context's state + signIn.
+function Harness() {
+  const { isAuthed, signIn } = useAuth();
+  return (
+    <div>
+      <span data-testid="authed">{String(isAuthed)}</span>
+      <button
+        type="button"
+        onClick={() => {
+          signIn('user@solelog.local', 'pw').catch((err) => {
+            const el = document.getElementById('err');
+            if (el) el.textContent = err instanceof Error ? err.message : String(err);
+          });
+        }}
+      >
+        go
+      </button>
+      <span id="err" />
+    </div>
+  );
+}
+
+function renderHarness() {
+  return render(
+    <AuthProvider>
+      <Harness />
+    </AuthProvider>
+  );
+}
+
+describe('AuthContext admin gate', () => {
+  beforeEach(() => {
+    mockedSignIn.mockReset();
+    mockedFetchMe.mockReset();
+    // signIn stores a token (mirror the real lib/api behaviour).
+    mockedSignIn.mockImplementation(async () => {
+      setToken('tok');
+    });
+  });
+
+  afterEach(() => {
+    clearToken();
+    vi.clearAllMocks();
+  });
+
+  it('signs in an admin: isAuthed becomes true, token kept', async () => {
+    mockedFetchMe.mockResolvedValue({
+      user: { id: 'a1', email: 'admin@solelog.local', name: 'Admin', role: 'admin' },
+    });
+    const user = userEvent.setup();
+    renderHarness();
+    expect(screen.getByTestId('authed')).toHaveTextContent('false');
+
+    await user.click(screen.getByRole('button', { name: 'go' }));
+
+    await waitFor(() => expect(screen.getByTestId('authed')).toHaveTextContent('true'));
+    expect(getToken()).toBe('tok');
+  });
+
+  it('rejects a worker: throws not-admin, clears the token, stays unauthed', async () => {
+    mockedFetchMe.mockResolvedValue({
+      user: { id: 'w1', email: 'worker@solelog.local', name: 'Werker', role: 'worker' },
+    });
+    const user = userEvent.setup();
+    renderHarness();
+
+    await user.click(screen.getByRole('button', { name: 'go' }));
+
+    await waitFor(() => expect(document.getElementById('err')).toHaveTextContent('not-admin'));
+    expect(getToken()).toBeNull();
+    expect(screen.getByTestId('authed')).toHaveTextContent('false');
+  });
+});