feat(opsserver): add admin user create/delete management and default hosted idp.global auth support

ts/opsserver/handlers/admin.handler.ts

@@ -159,6 +159,93 @@ export class AdminHandler {
       throw new plugins.typedrequest.TypedResponseError((error as Error).message || 'failed to create initial admin');
     }
   }
+
+  public async createUser(optionsArg: {
+    email: string;
+    name?: string;
+    role: interfaces.requests.TUserManagementRole;
+    password: string;
+    enableIdpGlobalAuth?: boolean;
+  }): Promise<interfaces.requests.IReq_CreateUser['response']> {
+    const store = this.getAccountStore();
+    if (!store) {
+      return { success: false, message: 'database is not ready' };
+    }
+    if (!(await store.hasActiveAdminAccount())) {
+      return { success: false, message: 'initial admin bootstrap is required before creating users' };
+    }
+
+    const role = optionsArg.role;
+    if (role !== 'admin' && role !== 'user') {
+      return { success: false, message: 'role must be admin or user' };
+    }
+
+    const password = String(optionsArg.password || '');
+    if (!password) {
+      return { success: false, message: 'password is required' };
+    }
+
+    const authSources: Array<'local' | 'idp.global'> = ['local'];
+    if (optionsArg.enableIdpGlobalAuth) {
+      authSources.push('idp.global');
+    }
+
+    try {
+      const email = String(optionsArg.email || '').trim();
+      const account = await store.createAccount({
+        email,
+        name: String(optionsArg.name || '').trim() || email,
+        role,
+        authSources,
+        password,
+      });
+      return { success: true, user: this.accountToUser(account) };
+    } catch (error) {
+      return { success: false, message: (error as Error).message || 'failed to create user' };
+    }
+  }
+
+  public async deleteUser(optionsArg: {
+    id: string;
+    requestingUserId: string;
+  }): Promise<interfaces.requests.IReq_DeleteUser['response']> {
+    const store = this.getAccountStore();
+    if (!store) {
+      return { success: false, message: 'database is not ready' };
+    }
+    if (!(await store.hasActiveAdminAccount())) {
+      return { success: false, message: 'initial admin bootstrap is required before deleting users' };
+    }
+
+    const id = String(optionsArg.id || '').trim();
+    if (!id) {
+      return { success: false, message: 'user id is required' };
+    }
+    if (id === optionsArg.requestingUserId) {
+      return { success: false, message: 'cannot delete the current user' };
+    }
+
+    const account = await store.getAccountById(id);
+    if (!account) {
+      return { success: false, message: 'user not found' };
+    }
+
+    if (account.role === 'admin' && account.status === 'active') {
+      const activeAdmins = (await store.listAccounts()).filter(
+        (accountArg) => accountArg.role === 'admin' && accountArg.status === 'active',
+      );
+      if (activeAdmins.length <= 1) {
+        return { success: false, message: 'cannot delete the last active admin' };
+      }
+    }
+
+    const doc = await plugins.idpSdkServer.IdpSdkAccountDoc.findById(id);
+    if (!doc) {
+      return { success: false, message: 'user not found' };
+    }
+    await doc.delete();
+    return { success: true };
+  }
   
   private registerHandlers(): void {
     this.typedrouter.addTypedHandler(
@@ -420,23 +507,17 @@ export class AdminHandler {
     }
 
     const baseUrl = this.opsServerRef.dcRouterRef.options.adminAuth?.idpGlobalUrl || process.env.DCROUTER_IDP_GLOBAL_URL;
-    if (!baseUrl) {
-      return undefined;
-    }
-
     if (!this.idpClient) {
-      this.idpClient = new plugins.idpSdkServer.IdpGlobalServerClient({ baseUrl });
+      this.idpClient = baseUrl
+        ? new plugins.idpSdkServer.IdpGlobalServerClient({ baseUrl })
+        : new plugins.idpSdkServer.IdpGlobalServerClient({} as plugins.idpSdkServer.IIdpGlobalServerClientOptions);
       this.ownsIdpClient = true;
     }
     return this.idpClient;
   }
 
   private isIdpGlobalConfigured(): boolean {
-    return !!(
-      this.opsServerRef.dcRouterRef.options.adminAuth?.idpClient ||
-      this.opsServerRef.dcRouterRef.options.adminAuth?.idpGlobalUrl ||
-      process.env.DCROUTER_IDP_GLOBAL_URL
-    );
+    return true;
   }
 
   private accountToUser(accountArg: plugins.idpSdkServer.IIdpSdkAccount): TAdminUser {

ts/opsserver/handlers/users.handler.ts

@@ -3,7 +3,7 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 
 /**
- * Read-only handler for OpsServer user accounts. Registers on adminRouter,
+ * Handler for OpsServer user accounts. Registers on adminRouter,
  * so admin middleware enforces auth + role check before the handler runs.
  * User data is owned by AdminHandler; this handler just exposes a safe
  * projection of it via TypedRequest.
@@ -16,7 +16,7 @@ export class UsersHandler {
   private registerHandlers(): void {
     const router = this.opsServerRef.adminRouter;
 
-    // List users (admin-only, read-only)
+    // List users (admin-only)
     router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListUsers>(
         'listUsers',
@@ -26,5 +26,28 @@ export class UsersHandler {
         },
       ),
     );
+
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateUser>(
+        'createUser',
+        async (dataArg) => this.opsServerRef.adminHandler.createUser({
+          email: dataArg.email,
+          name: dataArg.name,
+          role: dataArg.role,
+          password: dataArg.password,
+          enableIdpGlobalAuth: dataArg.enableIdpGlobalAuth,
+        }),
+      ),
+    );
+
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteUser>(
+        'deleteUser',
+        async (dataArg) => this.opsServerRef.adminHandler.deleteUser({
+          id: dataArg.id,
+          requestingUserId: dataArg.identity.userId,
+        }),
+      ),
+    );
   }
 }