Default per-user main.py; invite-only by default

Co-authored-by: Cursor <cursoragent@cursor.com>

tests/test_auth.py

@@ -31,6 +31,32 @@ def test_auth_status_public(tmp_path, monkeypatch):
         assert r.json() == {"auth_enabled": False, "register_open": True, "invite_required": False}
 
 
+def test_auth_invite_only_defaults_on(monkeypatch, tmp_path):
+    """When AUTH_INVITE_ONLY is unset, require invites (deployment-safe default)."""
+    import editor_app.config as config
+    import editor_app.db.session as db_sess
+    import editor_app.main as main
+
+    monkeypatch.setenv("WORKSPACE_ROOT", str(tmp_path))
+    monkeypatch.setenv("AUTH_DATABASE_PATH", str(tmp_path / "auth.db"))
+    monkeypatch.setenv("AUTH_REGISTER_OPEN", "true")
+    monkeypatch.setenv("AUTH_ENABLED", "true")
+    monkeypatch.delenv("AUTH_INVITE_ONLY", raising=False)
+    monkeypatch.delenv("EDITOR_API_KEY", raising=False)
+    monkeypatch.delenv("BOOTSTRAP_ADMIN_USERNAME", raising=False)
+    monkeypatch.delenv("BOOTSTRAP_ADMIN_PASSWORD", raising=False)
+    config.WORKSPACE_ROOT = tmp_path
+    db_sess.reset_engine()
+    importlib.reload(main)
+
+    with TestClient(main.app) as client:
+        st = client.get("/api/auth/status")
+        assert st.status_code == 200
+        assert st.json()["invite_required"] is True
+        denied = client.post("/api/auth/register", json={"username": "noc", "password": "password99"})
+        assert denied.status_code == 403
+
+
 def test_register_login_and_api_access(tmp_path, monkeypatch):
     with TestClient(
         _reload_app(tmp_path, monkeypatch, AUTH_ENABLED="true", AUTH_REGISTER_OPEN="true")
@@ -58,6 +84,25 @@ def test_register_login_and_api_access(tmp_path, monkeypatch):
         assert client.get("/api/files").status_code == 401
 
 
+def test_new_user_workspace_has_default_main_py(tmp_path, monkeypatch):
+    with TestClient(
+        _reload_app(tmp_path, monkeypatch, AUTH_ENABLED="true", AUTH_REGISTER_OPEN="true")
+    ) as client:
+        reg = client.post("/api/auth/register", json={"username": "alice", "password": "password99"})
+        assert reg.status_code == 200
+        assert reg.json()["username"] == "alice"
+        uid = reg.json()["id"]
+        on_disk = tmp_path / "users" / f"alice-{uid}" / "code" / "main.py"
+        assert on_disk.is_file()
+        assert on_disk.read_text(encoding="utf-8") == 'print("Hello, World!")\n'
+
+        assert client.post("/api/auth/login", json={"username": "alice", "password": "password99"}).status_code == 200
+        fetched = client.get("/api/file/code/main.py")
+        assert fetched.status_code == 200
+        assert fetched.json()["filename"] == "main.py"
+        assert 'Hello, World!' in fetched.json()["content"]
+
+
 def test_second_user_not_superuser(tmp_path, monkeypatch):
     with TestClient(
         _reload_app(tmp_path, monkeypatch, AUTH_ENABLED="true", AUTH_REGISTER_OPEN="true")