feat(api): UDT-003 registro de usuarios — backend completo (Phases 1-6)

- Domain: Usuario.ForCreation factory, UsernameAlreadyExistsException, IUsuarioRepository extendido
- Application: CreateUsuarioCommand/Validator/Handler, UsuarioCreatedDto, AuthOptions password policy
- Infrastructure: UsuarioRepository.ExistsByUsernameAsync + AddAsync (INSERT OUTPUT INSERTED.Id), RoleClaimType="rol" en TokenValidationParameters
- Api: UsuariosController POST api/v1/users [Authorize(Roles="admin")], ExceptionFilter mapea UsernameAlreadyExistsException + SqlException 2627 → 409
- Tests (unit): 43 tests — 33 validator + 10 handler (107 total, green)
- Tests (integration): 7 tests CreateUsuarioEndpoint — 401/403/400/201/409/race/e2e (green)
- Fix: TestWebAppFactory.ConfigureTestServices reemplaza SqlConnectionFactory singleton con CS de test correcto

src/api/SIGCM2.Api/Controllers/UsuariosController.cs

@@ -0,0 +1,62 @@
+using FluentValidation;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using SIGCM2.Application.Abstractions;
+using SIGCM2.Application.Usuarios.Create;
+
+namespace SIGCM2.Api.Controllers;
+
+[ApiController]
+[Route("api/v1/users")]
+[Authorize(Roles = "admin")]
+public sealed class UsuariosController : ControllerBase
+{
+    private readonly IDispatcher _dispatcher;
+    private readonly IValidator<CreateUsuarioCommand> _validator;
+
+    public UsuariosController(IDispatcher dispatcher, IValidator<CreateUsuarioCommand> validator)
+    {
+        _dispatcher = dispatcher;
+        _validator = validator;
+    }
+
+    /// <summary>Creates a new user. Requires admin role.</summary>
+    [HttpPost]
+    [ProducesResponseType(typeof(UsuarioCreatedDto), StatusCodes.Status201Created)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    [ProducesResponseType(StatusCodes.Status409Conflict)]
+    public async Task<IActionResult> CreateUsuario([FromBody] CreateUsuarioRequest request)
+    {
+        var command = new CreateUsuarioCommand(
+            Username: request.Username ?? string.Empty,
+            Password: request.Password ?? string.Empty,
+            Nombre: request.Nombre ?? string.Empty,
+            Apellido: request.Apellido ?? string.Empty,
+            Email: request.Email,
+            Rol: request.Rol ?? string.Empty);
+
+        var validation = await _validator.ValidateAsync(command);
+        if (!validation.IsValid)
+        {
+            var errors = validation.Errors
+                .GroupBy(e => e.PropertyName)
+                .ToDictionary(g => g.Key, g => g.Select(e => e.ErrorMessage).ToArray());
+            return BadRequest(new { errors });
+        }
+
+        var result = await _dispatcher.Send<CreateUsuarioCommand, UsuarioCreatedDto>(command);
+
+        return CreatedAtAction(nameof(CreateUsuario), new { id = result.Id }, result);
+    }
+}
+
+/// <summary>Create user request body — nullable to catch missing field scenarios.</summary>
+public sealed record CreateUsuarioRequest(
+    string? Username,
+    string? Password,
+    string? Nombre,
+    string? Apellido,
+    string? Email,
+    string? Rol);

src/api/SIGCM2.Api/Filters/ExceptionFilter.cs

@@ -1,6 +1,7 @@
 using FluentValidation;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Data.SqlClient;
 using SIGCM2.Domain.Exceptions;
 
 namespace SIGCM2.Api.Filters;
@@ -18,6 +19,31 @@ public sealed class ExceptionFilter : IExceptionFilter
     {
         switch (context.Exception)
         {
+            case UsernameAlreadyExistsException usernameEx:
+                context.Result = new ObjectResult(new
+                {
+                    error = "username_taken",
+                    message = usernameEx.Message
+                })
+                {
+                    StatusCode = StatusCodes.Status409Conflict
+                };
+                context.ExceptionHandled = true;
+                break;
+
+            case SqlException sqlEx when sqlEx.Number == 2627:
+                // Safety net: UQ constraint violation from a race condition
+                context.Result = new ObjectResult(new
+                {
+                    error = "username_taken",
+                    message = "El nombre de usuario ya está en uso."
+                })
+                {
+                    StatusCode = StatusCodes.Status409Conflict
+                };
+                context.ExceptionHandled = true;
+                break;
+
             case InvalidCredentialsException:
                 context.Result = new ObjectResult(new { error = "Credenciales inválidas" })
                 {

src/api/SIGCM2.Application/Abstractions/Persistence/IUsuarioRepository.cs

@@ -6,4 +6,6 @@ public interface IUsuarioRepository
 {
     Task<Usuario?> GetByUsernameAsync(string username);
     Task<Usuario?> GetByIdAsync(int id, CancellationToken ct = default);
+    Task<bool> ExistsByUsernameAsync(string username, CancellationToken ct = default);
+    Task<int> AddAsync(Usuario usuario, CancellationToken ct = default);
 }

src/api/SIGCM2.Application/Auth/AuthOptions.cs

@@ -9,4 +9,9 @@ public sealed class AuthOptions
 {
     public int AccessTokenMinutes { get; set; } = 60;
     public int RefreshTokenDays { get; set; } = 7;
+
+    // Password policy — configurable, secure defaults
+    public int PasswordMinLength { get; set; } = 8;
+    public bool PasswordRequireLetter { get; set; } = true;
+    public bool PasswordRequireDigit { get; set; } = true;
 }

src/api/SIGCM2.Application/DependencyInjection.cs

@@ -4,6 +4,7 @@ using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Auth.Login;
 using SIGCM2.Application.Auth.Logout;
 using SIGCM2.Application.Auth.Refresh;
+using SIGCM2.Application.Usuarios.Create;
 
 namespace SIGCM2.Application;
 
@@ -15,6 +16,7 @@ public static class DependencyInjection
         services.AddScoped<ICommandHandler<LoginCommand, LoginResponseDto>, LoginCommandHandler>();
         services.AddScoped<ICommandHandler<RefreshCommand, RefreshResponseDto>, RefreshCommandHandler>();
         services.AddScoped<ICommandHandler<LogoutCommand, LogoutResponseDto>, LogoutCommandHandler>();
+        services.AddScoped<ICommandHandler<CreateUsuarioCommand, UsuarioCreatedDto>, CreateUsuarioCommandHandler>();
 
         // FluentValidation validators (scans entire Application assembly)
         services.AddValidatorsFromAssemblyContaining<LoginCommandValidator>();

src/api/SIGCM2.Application/Usuarios/Create/CreateUsuarioCommand.cs

@@ -0,0 +1,9 @@
+namespace SIGCM2.Application.Usuarios.Create;
+
+public sealed record CreateUsuarioCommand(
+    string Username,
+    string Password,
+    string Nombre,
+    string Apellido,
+    string? Email,
+    string Rol);

src/api/SIGCM2.Application/Usuarios/Create/CreateUsuarioCommandHandler.cs

@@ -0,0 +1,52 @@
+using SIGCM2.Application.Abstractions;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Domain.Entities;
+using SIGCM2.Domain.Exceptions;
+
+namespace SIGCM2.Application.Usuarios.Create;
+
+public sealed class CreateUsuarioCommandHandler : ICommandHandler<CreateUsuarioCommand, UsuarioCreatedDto>
+{
+    private readonly IUsuarioRepository _repository;
+    private readonly IPasswordHasher _hasher;
+
+    public CreateUsuarioCommandHandler(
+        IUsuarioRepository repository,
+        IPasswordHasher hasher)
+    {
+        _repository = repository;
+        _hasher = hasher;
+    }
+
+    public async Task<UsuarioCreatedDto> Handle(CreateUsuarioCommand command)
+    {
+        // Check-then-insert: explicit check gives a clear 409 message.
+        // SqlException 2627 (UQ violation) acts as race-condition fallback — caught in ExceptionFilter.
+        var exists = await _repository.ExistsByUsernameAsync(command.Username);
+        if (exists)
+            throw new UsernameAlreadyExistsException(command.Username);
+
+        var passwordHash = _hasher.Hash(command.Password);
+
+        var usuario = Usuario.ForCreation(
+            username: command.Username,
+            passwordHash: passwordHash,
+            nombre: command.Nombre,
+            apellido: command.Apellido,
+            email: command.Email,
+            rol: command.Rol);
+
+        // TODO: audit — record which admin created this user (defer to UDT-Audit)
+        var newId = await _repository.AddAsync(usuario);
+
+        return new UsuarioCreatedDto(
+            Id: newId,
+            Username: usuario.Username,
+            Nombre: usuario.Nombre,
+            Apellido: usuario.Apellido,
+            Email: usuario.Email,
+            Rol: usuario.Rol,
+            Activo: usuario.Activo);
+    }
+}

src/api/SIGCM2.Application/Usuarios/Create/CreateUsuarioCommandValidator.cs

@@ -0,0 +1,60 @@
+using FluentValidation;
+using SIGCM2.Application.Auth;
+
+namespace SIGCM2.Application.Usuarios.Create;
+
+public sealed class CreateUsuarioCommandValidator : AbstractValidator<CreateUsuarioCommand>
+{
+    private static readonly string[] ValidRoles = ["admin", "vendedor", "tasador", "consulta"];
+
+    private const int UsernameMinLength = 3;
+    private const int UsernameMaxLength = 50;
+    private const int NombreMaxLength = 100;
+    private const int ApellidoMaxLength = 100;
+    private const int EmailMaxLength = 150;
+
+    public CreateUsuarioCommandValidator() : this(new AuthOptions()) { }
+
+    public CreateUsuarioCommandValidator(AuthOptions authOptions)
+    {
+        RuleFor(x => x.Username)
+            .NotEmpty().WithMessage("El nombre de usuario es requerido.")
+            .Length(UsernameMinLength, UsernameMaxLength)
+                .WithMessage($"El username debe tener entre {UsernameMinLength} y {UsernameMaxLength} caracteres.")
+            .Matches(@"^[a-zA-Z0-9._\-]+$")
+                .WithMessage("El username solo puede contener letras, dígitos, puntos, guiones y guiones bajos.");
+
+        RuleFor(x => x.Password)
+            .NotEmpty().WithMessage("La contraseña es requerida.")
+            .MinimumLength(authOptions.PasswordMinLength)
+                .WithMessage($"La contraseña debe tener al menos {authOptions.PasswordMinLength} caracteres.")
+            .Must(p => !authOptions.PasswordRequireLetter || ContainsLetter(p))
+                .WithMessage("La contraseña debe contener al menos una letra.")
+            .Must(p => !authOptions.PasswordRequireDigit || ContainsDigit(p))
+                .WithMessage("La contraseña debe contener al menos un dígito.");
+
+        RuleFor(x => x.Nombre)
+            .NotEmpty().WithMessage("El nombre es requerido.")
+            .MaximumLength(NombreMaxLength).WithMessage($"El nombre no puede superar los {NombreMaxLength} caracteres.");
+
+        RuleFor(x => x.Apellido)
+            .NotEmpty().WithMessage("El apellido es requerido.")
+            .MaximumLength(ApellidoMaxLength).WithMessage($"El apellido no puede superar los {ApellidoMaxLength} caracteres.");
+
+        RuleFor(x => x.Email)
+            .EmailAddress().WithMessage("El email no tiene un formato válido.")
+            .MaximumLength(EmailMaxLength).WithMessage($"El email no puede superar los {EmailMaxLength} caracteres.")
+            .When(x => x.Email is not null);
+
+        RuleFor(x => x.Rol)
+            .NotEmpty().WithMessage("El rol es requerido.")
+            .Must(r => ValidRoles.Contains(r))
+                .WithMessage($"El rol debe ser uno de: {string.Join(", ", ValidRoles)}.");
+    }
+
+    private static bool ContainsLetter(string value) =>
+        value is not null && value.Any(char.IsLetter);
+
+    private static bool ContainsDigit(string value) =>
+        value is not null && value.Any(char.IsDigit);
+}

src/api/SIGCM2.Application/Usuarios/Create/UsuarioCreatedDto.cs

@@ -0,0 +1,10 @@
+namespace SIGCM2.Application.Usuarios.Create;
+
+public sealed record UsuarioCreatedDto(
+    int Id,
+    string Username,
+    string Nombre,
+    string Apellido,
+    string? Email,
+    string Rol,
+    bool Activo);

src/api/SIGCM2.Domain/Entities/Usuario.cs

@@ -33,4 +33,28 @@ public sealed class Usuario
         PermisosJson = permisosJson;
         Activo = activo;
     }
+
+    /// <summary>
+    /// Factory for creating a new user (no Id — DB assigns via IDENTITY).
+    /// Defaults: Activo=true, PermisosJson="[]".
+    /// </summary>
+    public static Usuario ForCreation(
+        string username,
+        string passwordHash,
+        string nombre,
+        string apellido,
+        string? email,
+        string rol)
+    {
+        return new Usuario(
+            id: 0,
+            username: username,
+            passwordHash: passwordHash,
+            nombre: nombre,
+            apellido: apellido,
+            email: email,
+            rol: rol,
+            permisosJson: "[]",
+            activo: true);
+    }
 }

src/api/SIGCM2.Domain/Exceptions/UsernameAlreadyExistsException.cs

@@ -0,0 +1,12 @@
+namespace SIGCM2.Domain.Exceptions;
+
+public sealed class UsernameAlreadyExistsException : Exception
+{
+    public string Username { get; }
+
+    public UsernameAlreadyExistsException(string username)
+        : base($"El nombre de usuario '{username}' ya está en uso.")
+    {
+        Username = username;
+    }
+}

src/api/SIGCM2.Infrastructure/DependencyInjection.cs

@@ -85,7 +85,8 @@ public static class DependencyInjection
                     ValidateAudience = true,
                     ValidAudience = jwtOpts.Audience,
                     ValidateLifetime = true,
-                    ClockSkew = TimeSpan.Zero
+                    ClockSkew = TimeSpan.Zero,
+                    RoleClaimType = "rol"
                 };
             });
 

src/api/SIGCM2.Infrastructure/Persistence/UsuarioRepository.cs

@@ -56,6 +56,44 @@ public sealed class UsuarioRepository : IUsuarioRepository
         return MapRow(row);
     }
 
+    public async Task<bool> ExistsByUsernameAsync(string username, CancellationToken ct = default)
+    {
+        const string sql = """
+            SELECT COUNT(1) FROM dbo.Usuario WHERE Username = @Username
+            """;
+
+        await using var connection = _connectionFactory.CreateConnection();
+        await connection.OpenAsync(ct);
+
+        var count = await connection.ExecuteScalarAsync<int>(sql, new { Username = username });
+        return count > 0;
+    }
+
+    public async Task<int> AddAsync(Usuario usuario, CancellationToken ct = default)
+    {
+        // DF handles: Activo (1), PermisosJson ('[]'), FechaCreacion (GETDATE())
+        const string sql = """
+            INSERT INTO dbo.Usuario (Username, PasswordHash, Nombre, Apellido, Email, Rol)
+            OUTPUT INSERTED.Id
+            VALUES (@Username, @PasswordHash, @Nombre, @Apellido, @Email, @Rol)
+            """;
+
+        await using var connection = _connectionFactory.CreateConnection();
+        await connection.OpenAsync(ct);
+
+        var id = await connection.ExecuteScalarAsync<int>(sql, new
+        {
+            usuario.Username,
+            usuario.PasswordHash,
+            usuario.Nombre,
+            usuario.Apellido,
+            usuario.Email,
+            usuario.Rol
+        });
+
+        return id;
+    }
+
     private static Usuario MapRow(UsuarioRow row)
         => new(
             id: row.Id,