Marks the user with the given email as an admin. Used by the
cypress harness to bootstrap an admin without a public promote
endpoint and is also useful for ops.
Switch from MAIL_MAILER=log to smtp pointing at mailpit on
:1025. From-address mirrors LaravelEmailFactory's confirmation
email format. phpunit.xml keeps MAIL_MAILER=array so unit and
feature tests do not touch mailpit.
Replaces the laravel-default scaffold seeder with one file per
domain (AdminUser, User, Post, Comment) plus a config/seed.php
to source admin credentials from env. DatabaseSeeder is now a
pure orchestrator that calls the sub-seeders in dependency
order.
Adds POST /admin/posts/feature, POST /admin/posts/unfeature
(both auth-required, admin-checked inside controller via the
use case's ForbiddenException), and public GET /posts/featured.
Post serialization now includes featureSlot.
Wires PostController (recent, show, create, delete, listByUser)
and CommentController (listForPost, create, delete) to the
existing use cases. Posts and comments expose author display
names alongside user IDs. CommentRepository binding added to
RepositoryServiceProvider.
Adds AuthenticatesUsers feature trait that runs the full
signup -> confirm -> login flow and exposes the resulting auth
cookie. Bumps phpunit defaultTimeLimit to 30 seconds so the
multi-bcrypt-per-test feature flow finishes inside the limit.
Wires AuthController (signup, confirmEmail, login, me, logout)
to the existing auth use cases. Routes mounted under /api with
AuthMiddleware on logout/me. RepositoryServiceProvider gains
EmailConfirmationToken and Post bindings; AppServiceProvider
binds the Emailer/EmailFactory and constructs SignupUser with
the configured from-address.
Signup now collects only email + displayName, creates an
unconfirmed user with empty password hash, mints an
EmailConfirmationToken, and dispatches a confirmation email.
Password is set during ConfirmUserEmail.
Adds displayname to existing assertions and new tests covering:
null/short/invalid-charset displayname, duplicate displayname,
findability by displayname. AuthenticateUser tests pick up the
seedUser displayname argument.
Add display_name (unique) and email_confirmed_at columns plus
matching getters, DTO fields, repo methods (findByDisplayName,
update), and migration. Existing auth tests updated to construct
User with the new params.
7 cases: zero postId or requesterId -> BadRequest; unknown post
is idempotent no-op; author can delete own post; admin can
delete anyone's post; non-author non-admin -> ForbiddenException;
forbidden attempts leave post intact.
4 cases: zero/negative id -> BadRequest; unknown id -> null
(controller maps to 404); existing id returns the Post.
GetPost takes int id directly (no Request object - the value is
trivial and controllers pull it from a route param).
5 cases: zero/negative userId -> BadRequest; user with no posts
-> []; returns only requested user's posts (filters out other
authors); ordered newest-first by createdAt. fails red.
