2026-04-14 14:44:28 +00:00
89 changed files with 11159 additions and 0 deletions
--- a/.atl/skill-registry.md
+++ b/.atl/skill-registry.md
@@ -0,0 +1,61 @@
 # Skill Registry — sig-cm2
 Generated: 2026-04-13
 ## User Skills
 | Skill | Trigger |
 |-------|---------|
 | `sdd-init` | User says "sdd init", "iniciar sdd", "openspec init" |
 | `sdd-explore` | Orchestrator launches exploration of a feature or codebase area |
 | `sdd-propose` | Orchestrator launches proposal for a change |
 | `sdd-spec` | Orchestrator launches spec writing for a change |
 | `sdd-design` | Orchestrator launches technical design for a change |
 | `sdd-tasks` | Orchestrator launches task breakdown for a change |
 | `sdd-apply` | Orchestrator launches implementation of tasks |
 | `sdd-verify` | Orchestrator launches verification of a completed change |
 | `sdd-archive` | Orchestrator launches archival of a completed change |
 | `sdd-onboard` | User wants a guided SDD walkthrough |
 | `judgment-day` | User says "judgment day", "review adversarial", "doble review", "juzgar" |
 | `go-testing` | Writing Go tests, using teatest, Bubbletea TUI testing |
 | `skill-creator` | Creating a new AI agent skill |
 | `branch-pr` | Creating a pull request, preparing changes for review |
 | `issue-creation` | Creating a GitHub issue, bug report, or feature request |
 | `skill-registry` | Update skill registry, "actualizar skills" |
 | `obsidian-cli` | Interact with Obsidian vault via CLI |
 | `obsidian-markdown` | Creating/editing Obsidian Flavored Markdown (.md files in vault) |
 | `gitea-workflow` | Agile workflow for Gitea repos, "run the workflow", "what's next" |
 | `find-skills` | "Find a skill for X", "how do I do X", discover capabilities |
 ## Project Conventions
 | File | Role |
 |------|------|
 | `Obsidian/SPEC.md` | Source of truth — visión, módulos, tech stack |
 | `Obsidian/STATUS.md` | Estado de UDTs — ÚNICO lugar para marcar tareas `[x]` |
 | `Obsidian/INSTRUCCIONES_IA.md` | SOP del agente: bucle de ejecución, reglas de lectura |
 | `Obsidian/02-ARQUITECTURA-y-TECH-STACK/` | UDTs por módulo con CMV (Contexto Mínimo Viable) |
 | `Obsidian/04-DOMINIO-y-REGLAS-de-NEGOCIO/` | Reglas de negocio — consultar ante dudas |
 ## Compact Rules
 ### SIG-CM2 Development Rules
 - Orden de implementación SIEMPRE: BD → Backend → Frontend
 - Rama por UDT: `feature/UDT-XXX` (o VTA-XXX, TAS-XXX, INT-XXX, ADM-XXX)
 - Commits: `tipo(módulo): descripción` — feat/fix/docs/refactor/test/chore/security
 - NUNCA leer `Obsidian/07-RELEVAMIENTOS/` sin instrucción humana explícita
 - Para dudas de negocio: consultar `04-DOMINIO-y-REGLAS-de-NEGOCIO/` o `SPEC.md`
 - Antes de cada UDT: leer STATUS.md → leer UDT en carpeta 02 → cargar solo el CMV indicado
 ### Architecture
 - Clean Architecture: SIGCM2.Api / SIGCM2.Application / SIGCM2.Domain / SIGCM2.Infrastructure
 - Backend ORM: Dapper 2.x (NO Entity Framework — decisión arquitectural)
 - Lógica crítica de negocio: Stored Procedures en SQL Server
 - Frontend state: Zustand (global) + TanStack Query (server state)
 - Frontend estructura: src/api, src/components/{ui,features}, src/features/*, src/hooks, src/layouts, src/pages, src/stores, src/utils
 ### Strict TDD Mode (ACTIVE)
 - Tests ANTES del código de producción (Red → Green → Refactor)
 - Backend: xUnit + NSubstitute — comando: `dotnet test`
 - Frontend: Vitest + React Testing Library — comando: `vitest`
 - Coverage backend: `dotnet test --collect:"XPlat Code Coverage"`
 - Coverage frontend: `vitest --coverage`
--- a/.gitignore
+++ b/.gitignore
@@ -29,6 +29,41 @@ yarn-error.log*
 #.env.production.local
 # ----------------------------------------------------------------------------
 # ## .NET Build Artifacts ##
 # ----------------------------------------------------------------------------
 [Bb]in/
 [Oo]bj/
 *.user
 *.suo
 *.userosscache
 *.sln.docstates
 .vs/
 TestResults/
 *.trx
 *.coverage
 *.coveragexml
 # ----------------------------------------------------------------------------
 # ## JWT / Security Keys ##
 # ----------------------------------------------------------------------------
 src/api/SIGCM2.Api/keys/*.pem
 # ----------------------------------------------------------------------------
 # ## ASP.NET Core local secrets ##
 # ----------------------------------------------------------------------------
 src/api/SIGCM2.Api/appsettings.Development.json
 src/api/SIGCM2.Api/appsettings.Test.json
 tests/SIGCM2.Api.Tests/appsettings.Test.json
 tests/SIGCM2.Application.Tests/appsettings.Test.json
 # ----------------------------------------------------------------------------
 # ## Frontend Build Artifacts ##
 # ----------------------------------------------------------------------------
 src/web/dist/
 src/web/node_modules/
 src/web/.vite/
 # ----------------------------------------------------------------------------
 # ## Documentación ##
 # ----------------------------------------------------------------------------
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -0,0 +1,30 @@
 <Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <!-- Production dependencies -->
  <ItemGroup>
    <PackageVersion Include="Dapper" Version="2.1.35" />
    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.5" />
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="5.2.2" />
    <PackageVersion Include="BCrypt.Net-Next" Version="4.0.3" />
    <PackageVersion Include="FluentValidation.AspNetCore" Version="11.3.0" />
    <PackageVersion Include="Serilog.AspNetCore" Version="8.0.3" />
    <PackageVersion Include="Serilog.Sinks.Seq" Version="8.0.0" />
    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.0-preview.3.25172.1" />
    <PackageVersion Include="Scalar.AspNetCore" Version="2.5.6" />
    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.9.0" />
    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.9.0" />
  </ItemGroup>
  <!-- Test dependencies -->
  <ItemGroup>
    <PackageVersion Include="xunit" Version="2.9.3" />
    <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.4" />
    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
    <PackageVersion Include="NSubstitute" Version="5.3.0" />
    <PackageVersion Include="FluentAssertions" Version="6.12.2" />
    <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.0-preview.3.25172.1" />
    <PackageVersion Include="Respawn" Version="6.2.1" />
    <PackageVersion Include="coverlet.collector" Version="6.0.4" />
  </ItemGroup>
 </Project>
--- a/SIGCM2.slnx
+++ b/SIGCM2.slnx
@@ -0,0 +1,14 @@
 <Solution>
  <Folder Name="/src/" />
  <Folder Name="/src/api/">
    <Project Path="src/api/SIGCM2.Api/SIGCM2.Api.csproj" />
    <Project Path="src/api/SIGCM2.Application/SIGCM2.Application.csproj" />
    <Project Path="src/api/SIGCM2.Domain/SIGCM2.Domain.csproj" />
    <Project Path="src/api/SIGCM2.Infrastructure/SIGCM2.Infrastructure.csproj" />
  </Folder>
  <Folder Name="/tests/">
    <Project Path="tests/SIGCM2.Api.Tests/SIGCM2.Api.Tests.csproj" />
    <Project Path="tests/SIGCM2.Application.Tests/SIGCM2.Application.Tests.csproj" />
    <Project Path="tests/SIGCM2.TestSupport/SIGCM2.TestSupport.csproj" />
  </Folder>
 </Solution>
--- a/database/migrations/V001__create_usuario.sql
+++ b/database/migrations/V001__create_usuario.sql
@@ -0,0 +1,43 @@
 -- V001__create_usuario.sql
 -- Creates the core Usuario table for SIG-CM2
 -- Run on: SIGCM2 (prod) and SIGCM2_Test (integration tests)
 SET QUOTED_IDENTIFIER ON;
 SET ANSI_NULLS ON;
 GO
 IF OBJECT_ID('dbo.Usuario', 'U') IS NULL
 BEGIN
    CREATE TABLE dbo.Usuario (
        Id                INT IDENTITY(1,1)   NOT NULL CONSTRAINT PK_Usuario PRIMARY KEY,
        Username          NVARCHAR(50)        NOT NULL,
        PasswordHash      NVARCHAR(255)       NOT NULL,
        Nombre            NVARCHAR(100)       NOT NULL,
        Apellido          NVARCHAR(100)       NOT NULL,
        Email             NVARCHAR(150)       NULL,
        Rol               VARCHAR(30)         NOT NULL,
        PermisosJson      NVARCHAR(MAX)       NOT NULL CONSTRAINT DF_Usuario_Permisos DEFAULT('[]'),
        Activo            BIT                 NOT NULL CONSTRAINT DF_Usuario_Activo DEFAULT(1),
        FechaCreacion     DATETIME2(3)        NOT NULL CONSTRAINT DF_Usuario_FechaCreacion DEFAULT(SYSUTCDATETIME()),
        FechaModificacion DATETIME2(3)        NULL,
        UltimoLogin       DATETIME2(3)        NULL,
        CONSTRAINT UQ_Usuario_Username UNIQUE (Username),
        CONSTRAINT CK_Usuario_Rol CHECK (Rol IN ('admin','vendedor','tasador','consulta'))
    );
    PRINT 'Table dbo.Usuario created successfully.';
 END
 ELSE
 BEGIN
    PRINT 'Table dbo.Usuario already exists — skipping.';
 END
 GO
 IF NOT EXISTS (SELECT 1 FROM sys.indexes WHERE name = 'IX_Usuario_Username_Activo' AND object_id = OBJECT_ID('dbo.Usuario'))
 BEGIN
    CREATE INDEX IX_Usuario_Username_Activo
        ON dbo.Usuario(Username)
        WHERE Activo = 1;
    PRINT 'Index IX_Usuario_Username_Activo created.';
 END
 GO
--- a/database/seeds/S001__seed_admin.sql
+++ b/database/seeds/S001__seed_admin.sql
@@ -0,0 +1,30 @@
 -- S001__seed_admin.sql
 -- Seeds the default admin user for SIG-CM2
 -- BCrypt hash of '@Diego550@' at cost 12
 -- Generated: 2026-04-13
 SET QUOTED_IDENTIFIER ON;
 SET ANSI_NULLS ON;
 SET NOCOUNT ON;
 GO
 IF NOT EXISTS (SELECT 1 FROM dbo.Usuario WHERE Username = 'admin')
 BEGIN
    INSERT INTO dbo.Usuario (Username, PasswordHash, Nombre, Apellido, Email, Rol, PermisosJson, Activo)
    VALUES (
        'admin',
        '$2a$12$rmq6tlSAQ8WXhR2CwLCSeuwCJKz/.8Eab95UQCUNfwe4dokeOqMcW',
        'Administrador',
        'Sistema',
        NULL,
        'admin',
        '["*"]',
        1
    );
    PRINT 'Admin user seeded successfully.';
 END
 ELSE
 BEGIN
    PRINT 'Admin user already exists — skipping.';
 END
 GO
--- a/docs/smoke-test-udt-001.md
+++ b/docs/smoke-test-udt-001.md
@@ -0,0 +1,134 @@
 # Smoke Test — UDT-001 Login
 Manual checklist para verificar la integración completa del flujo de login.
 ## Pre-requisitos
 - SQL Server TECNICA3 con base `SIGCM2` y seed admin ejecutado (`database/seeds/S001__seed_admin.sql`)
 - Claves RSA generadas: `scripts/generate-keys.ps1` ya corrido
 - `src/api/SIGCM2.Api/appsettings.Development.json` configurado con connection string y rutas de claves
 - Node.js 18+ instalado
 - .NET 10 SDK instalado
 ## Pasos
 ### 1. Arrancar el backend
 Abrir Terminal 1 en la raíz del repositorio:
 ```bash
 dotnet run --project src/api/SIGCM2.Api
 ```
 Verificar que la consola muestre algo similar a:
 ```
 Now listening on: http://localhost:5000
 Application started. Press Ctrl+C to shut down.
 ```
 ### 2. Arrancar el frontend
 Abrir Terminal 2:
 ```bash
 cd src/web
 npm run dev
 ```
 Verificar que la consola muestre:
 ```
  VITE v8.x.x  ready in Xms
  ➜  Local:   http://localhost:5173/
 ```
 ### 3. Verificar redirect a /login
 - Abrir `http://localhost:5173` en el navegador
 - Debe redirigir automáticamente a `http://localhost:5173/login`
 - Debe mostrar el formulario de login con campos **Usuario** y **Contraseña**
 **Esperado**: Formulario visible, sin errores en consola del navegador.
 ### 4. Login con credenciales válidas
 - Ingresar `admin` en el campo **Usuario**
 - Ingresar `@Diego550@` en el campo **Contraseña**
 - Hacer click en **Ingresar**
 **Esperado**: Botón se deshabilita brevemente mientras carga.
 ### 5. Verificar Network tab — POST /api/v1/auth/login
 - Abrir DevTools → pestaña **Network**
 - Buscar la request `POST /api/v1/auth/login`
 - Verificar:
  - Status: `200 OK`
  - Response body contiene: `accessToken`, `refreshToken`, `expiresIn`, `usuario`
  - `usuario.username` = `"admin"`, `usuario.rol` = `"admin"`
 **Esperado**: Respuesta 200 con JWT válido.
 ### 6. Verificar LocalStorage — auth-storage
 - DevTools → pestaña **Application** → Storage → Local Storage → `http://localhost:5173`
 - Buscar clave `auth-storage`
 - Verificar que el JSON contenga:
  ```json
  {
    "state": {
      "user": { "username": "admin", "rol": "admin", ... },
      "accessToken": "eyJ..."
    }
  }
  ```
 **Esperado**: Token y datos de usuario persistidos correctamente.
 ### 7. Verificar redirect a Dashboard
 - Luego del login exitoso, la URL debe cambiar a `http://localhost:5173/`
 - Debe mostrarse: **"SIG-CM2 — Dashboard — Bienvenido al SIG-CM2."**
 **Esperado**: Placeholder de Dashboard visible.
 ### 8. Verificar firma JWT en jwt.io
 - Copiar el valor de `accessToken` del LocalStorage
 - Abrir [https://jwt.io](https://jwt.io)
 - Pegar el token en el campo "Encoded"
 - En "VERIFY SIGNATURE" → sección "Public Key or Certificate": pegar el contenido de `src/api/SIGCM2.Api/keys/public.pem`
 - Verificar:
  - Header: `"alg": "RS256"`
  - Payload contiene: `sub`, `name` (= `"admin"`), `rol` (= `"admin"`), `permisos` (= `["*"]`), `iss`, `aud`, `exp`
  - Footer muestra: **"Signature Verified"** (fondo azul)
 **Esperado**: Firma RS256 válida, claims correctos.
 ### 9. Probar login fallido
 - Volver a `http://localhost:5173/login` (o hacer logout si hubiera botón)
 - Ingresar `admin` / `wrongpass`
 - Hacer click en **Ingresar**
 - Verificar en **Network**: `POST /api/v1/auth/login` → Status `401`
 - Verificar en la UI: mensaje de error visible con texto **"Credenciales inválidas"** (sin stack trace)
 **Esperado**: Error visible en UI, sin exposición de detalles internos.
 ---
 ## Resultado esperado global
 | Paso | Resultado |
 |------|-----------|
 | 1. Backend arranca en :5000 | ✅ / ❌ |
 | 2. Frontend arranca en :5173 | ✅ / ❌ |
 | 3. Redirect a /login | ✅ / ❌ |
 | 4. Login con admin/@Diego550@ | ✅ / ❌ |
 | 5. Network: POST 200 + JWT | ✅ / ❌ |
 | 6. LocalStorage: auth-storage con token | ✅ / ❌ |
 | 7. Redirect a / Dashboard | ✅ / ❌ |
 | 8. JWT verificado en jwt.io (RS256) | ✅ / ❌ |
 | 9. Login fallido: error en UI, 401 en Network | ✅ / ❌ |
--- a/scripts/generate-keys.ps1
+++ b/scripts/generate-keys.ps1
@@ -0,0 +1,30 @@
 # generate-keys.ps1
 # Generates RSA 2048 key pair for JWT RS256 signing
 # Requires: PowerShell 7+ (pwsh)
 # Usage: pwsh -File scripts/generate-keys.ps1
 # Keys are written to src/api/SIGCM2.Api/keys/ (gitignored)
 $keysDir = Join-Path $PSScriptRoot "..\src\api\SIGCM2.Api\keys"
 $keysDir = [System.IO.Path]::GetFullPath($keysDir)
 if (-not (Test-Path $keysDir)) {
    New-Item -ItemType Directory -Path $keysDir | Out-Null
 }
 $privatePath = Join-Path $keysDir "private.pem"
 $publicPath  = Join-Path $keysDir "public.pem"
 $rsa  = [System.Security.Cryptography.RSA]::Create(2048)
 $priv = $rsa.ExportRSAPrivateKeyPem()
 $pub  = $rsa.ExportRSAPublicKeyPem()
 $rsa.Dispose()
 Set-Content -Path $privatePath -Value $priv -Encoding UTF8 -NoNewline
 Set-Content -Path $publicPath  -Value $pub  -Encoding UTF8 -NoNewline
 Write-Host "RSA 2048 key pair generated:"
 Write-Host "  Private: $privatePath"
 Write-Host "  Public:  $publicPath"
 Write-Host ""
 Write-Host "IMPORTANT: These files are gitignored. Regenerate on each dev machine."
 Write-Host "For production: set env vars JWT__PrivateKey and JWT__PublicKey (PEM content)."
--- a/src/api/SIGCM2.Api/Controllers/AuthController.cs
+++ b/src/api/SIGCM2.Api/Controllers/AuthController.cs
@@ -0,0 +1,48 @@
 using FluentValidation;
 using Microsoft.AspNetCore.Mvc;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Auth.Login;
 namespace SIGCM2.Api.Controllers;
 [ApiController]
 [Route("api/v1/auth")]
 public sealed class AuthController : ControllerBase
 {
    private readonly IDispatcher _dispatcher;
    private readonly IValidator<LoginCommand> _validator;
    public AuthController(IDispatcher dispatcher, IValidator<LoginCommand> validator)
    {
        _dispatcher = dispatcher;
        _validator = validator;
    }
    /// <summary>Authenticates a user and returns a JWT access token.</summary>
    /// <response code="200">Returns access token and refresh token.</response>
    /// <response code="400">Validation error — missing or empty fields.</response>
    /// <response code="401">Invalid credentials.</response>
    [HttpPost("login")]
    [ProducesResponseType(typeof(LoginResponseDto), StatusCodes.Status200OK)]
    [ProducesResponseType(StatusCodes.Status400BadRequest)]
    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
    public async Task<IActionResult> Login([FromBody] LoginRequest request)
    {
        var command = new LoginCommand(request.Username ?? string.Empty, request.Password ?? string.Empty);
        var validation = await _validator.ValidateAsync(command);
        if (!validation.IsValid)
        {
            var errors = validation.Errors
                .GroupBy(e => e.PropertyName)
                .ToDictionary(g => g.Key, g => g.Select(e => e.ErrorMessage).ToArray());
            return BadRequest(new { errors });
        }
        var result = await _dispatcher.Send<LoginCommand, LoginResponseDto>(command);
        return Ok(result);
    }
 }
 /// <summary>Login request body — nullable to catch missing field scenarios.</summary>
 public sealed record LoginRequest(string? Username, string? Password);
--- a/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs
+++ b/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs
@@ -0,0 +1,50 @@
 using FluentValidation;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using SIGCM2.Domain.Exceptions;
 namespace SIGCM2.Api.Filters;
 public sealed class ExceptionFilter : IExceptionFilter
 {
    private readonly ILogger<ExceptionFilter> _logger;
    public ExceptionFilter(ILogger<ExceptionFilter> logger)
    {
        _logger = logger;
    }
    public void OnException(ExceptionContext context)
    {
        switch (context.Exception)
        {
            case InvalidCredentialsException:
                context.Result = new ObjectResult(new { error = "Credenciales inválidas" })
                {
                    StatusCode = StatusCodes.Status401Unauthorized
                };
                context.ExceptionHandled = true;
                break;
            case ValidationException validationEx:
                var errors = validationEx.Errors
                    .GroupBy(e => e.PropertyName)
                    .ToDictionary(
                        g => g.Key,
                        g => g.Select(e => e.ErrorMessage).ToArray());
                context.Result = new BadRequestObjectResult(new { errors });
                context.ExceptionHandled = true;
                break;
            default:
                _logger.LogError(context.Exception, "Unhandled exception");
                context.Result = new ObjectResult(new { error = "Internal server error" })
                {
                    StatusCode = StatusCodes.Status500InternalServerError
                };
                context.ExceptionHandled = true;
                break;
        }
    }
 }
--- a/src/api/SIGCM2.Api/Program.cs
+++ b/src/api/SIGCM2.Api/Program.cs
@@ -0,0 +1,69 @@
 using Serilog;
 using Scalar.AspNetCore;
 using SIGCM2.Application;
 using SIGCM2.Infrastructure;
 using SIGCM2.Api.Filters;
 // Bootstrap logger — before DI is built
 Log.Logger = new LoggerConfiguration()
    .WriteTo.Console()
    .CreateBootstrapLogger();
 Log.Information("Starting SIGCM2 API");
 var builder = WebApplication.CreateBuilder(args);
 // Serilog — reads from appsettings.json "Serilog" section
 builder.Host.UseSerilog((ctx, lc) => lc
    .ReadFrom.Configuration(ctx.Configuration));
 // Application + Infrastructure DI
 builder.Services.AddApplication();
 builder.Services.AddInfrastructure(builder.Configuration);
 // Controllers with exception filter
 builder.Services.AddControllers(opts =>
 {
    opts.Filters.Add<ExceptionFilter>();
 });
 // OpenAPI / Scalar
 builder.Services.AddOpenApi();
 // CORS
 var allowedOrigins = builder.Configuration
    .GetSection("Cors:AllowedOrigins")
    .Get<string[]>() ?? [];
 builder.Services.AddCors(opts =>
 {
    opts.AddDefaultPolicy(policy =>
        policy.WithOrigins(allowedOrigins)
              .AllowAnyHeader()
              .AllowAnyMethod());
 });
 var app = builder.Build();
 // Middleware pipeline
 app.UseSerilogRequestLogging();
 if (app.Environment.IsDevelopment() || app.Environment.IsEnvironment("Testing"))
 {
    app.MapOpenApi();
    app.MapScalarApiReference(opts =>
    {
        opts.Title = "SIGCM2 API";
    });
 }
 app.UseHttpsRedirection();
 app.UseCors();
 app.UseAuthentication();
 app.UseAuthorization();
 app.MapControllers();
 app.Run();
 // Exposed for WebApplicationFactory in integration tests
 public partial class Program { }
--- a/src/api/SIGCM2.Api/Properties/launchSettings.json
+++ b/src/api/SIGCM2.Api/Properties/launchSettings.json
@@ -0,0 +1,23 @@
 {
  "$schema": "https://json.schemastore.org/launchsettings.json",
  "profiles": {
    "http": {
      "commandName": "Project",
      "dotnetRunMessages": true,
      "launchBrowser": false,
      "applicationUrl": "http://localhost:5212",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "https": {
      "commandName": "Project",
      "dotnetRunMessages": true,
      "launchBrowser": false,
      "applicationUrl": "https://localhost:7280;http://localhost:5212",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
 }
--- a/src/api/SIGCM2.Api/SIGCM2.Api.csproj
+++ b/src/api/SIGCM2.Api/SIGCM2.Api.csproj
@@ -0,0 +1,25 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
    <RootNamespace>SIGCM2.Api</RootNamespace>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.OpenApi" />
    <PackageReference Include="Serilog.AspNetCore" />
    <PackageReference Include="Serilog.Sinks.Seq" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
    <PackageReference Include="Scalar.AspNetCore" />
    <PackageReference Include="FluentValidation.AspNetCore" />
  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\SIGCM2.Application\SIGCM2.Application.csproj" />
    <ProjectReference Include="..\SIGCM2.Infrastructure\SIGCM2.Infrastructure.csproj" />
    <ProjectReference Include="..\SIGCM2.Domain\SIGCM2.Domain.csproj" />
  </ItemGroup>
 </Project>
--- a/src/api/SIGCM2.Api/SIGCM2.Api.http
+++ b/src/api/SIGCM2.Api/SIGCM2.Api.http
@@ -0,0 +1,6 @@
@SIGCM2.Api_HostAddress = http://localhost:5212
 GET {{SIGCM2.Api_HostAddress}}/weatherforecast/
 Accept: application/json
 ###
--- a/src/api/SIGCM2.Api/appsettings.Development.json.example
+++ b/src/api/SIGCM2.Api/appsettings.Development.json.example
@@ -0,0 +1,13 @@
 {
  "ConnectionStrings": {
    "SqlServer": "Server=<YOUR_SERVER>;Database=SIGCM2;User Id=<YOUR_USER>;Password=<YOUR_PASSWORD>;TrustServerCertificate=True;"
  },
  "Serilog": {
    "MinimumLevel": {
      "Default": "Debug",
      "Override": {
        "Microsoft.AspNetCore": "Information"
      }
    }
  }
 }
--- a/src/api/SIGCM2.Api/appsettings.json
+++ b/src/api/SIGCM2.Api/appsettings.json
@@ -0,0 +1,35 @@
 {
  "ConnectionStrings": {
    "SqlServer": "Server=__SET_IN_DEV_OR_ENV__;Database=SIGCM2;User Id=__SET_IN_DEV_OR_ENV__;Password=__SET_IN_DEV_OR_ENV__;TrustServerCertificate=True;"
  },
  "Jwt": {
    "Issuer": "sigcm2.api",
    "Audience": "sigcm2.web",
    "AccessTokenMinutes": 60,
    "PrivateKeyPath": "keys/private.pem",
    "PublicKeyPath": "keys/public.pem",
    "PrivateKey": null,
    "PublicKey": null
  },
  "Cors": {
    "AllowedOrigins": [ "http://localhost:5173" ]
  },
  "Serilog": {
    "MinimumLevel": {
      "Default": "Information",
      "Override": {
        "Microsoft.AspNetCore": "Warning",
        "Microsoft.EntityFrameworkCore": "Warning"
      }
    },
    "WriteTo": [
      { "Name": "Console" },
      {
        "Name": "Seq",
        "Args": { "serverUrl": "http://localhost:5341" }
      }
    ],
    "Enrich": [ "FromLogContext", "WithMachineName", "WithThreadId" ]
  },
  "AllowedHosts": "*"
 }
--- a/src/api/SIGCM2.Api/keys/.gitkeep
+++ b/src/api/SIGCM2.Api/keys/.gitkeep
--- a/src/api/SIGCM2.Api/keys/README.md
+++ b/src/api/SIGCM2.Api/keys/README.md
@@ -0,0 +1,28 @@
 # JWT RSA Keys
 This directory holds the RSA 2048 key pair used for JWT RS256 signing.
 ## Files (gitignored)
 - `private.pem` — RSA private key (NEVER commit this)
 - `public.pem`  — RSA public key (NEVER commit this)
 - `.gitkeep`    — keeps this directory tracked in git
 ## Regenerate keys
 Run from the repo root (requires PowerShell 7 / pwsh):
 ```powershell
 pwsh -File scripts/generate-keys.ps1
 ```
 ## Production
 In production, set these environment variables instead of files:
 ```
 JWT__PrivateKey=<base64-encoded PEM content>
 JWT__PublicKey=<base64-encoded PEM content>
 ```
 The API's `RsaKeyLoader` checks environment variables first, falls back to files.
--- a/src/api/SIGCM2.Application/Abstractions/ICommandHandler.cs
+++ b/src/api/SIGCM2.Application/Abstractions/ICommandHandler.cs
@@ -0,0 +1,6 @@
 namespace SIGCM2.Application.Abstractions;
 public interface ICommandHandler<TCommand, TResult>
 {
    Task<TResult> Handle(TCommand command);
 }
--- a/src/api/SIGCM2.Application/Abstractions/IDispatcher.cs
+++ b/src/api/SIGCM2.Application/Abstractions/IDispatcher.cs
@@ -0,0 +1,6 @@
 namespace SIGCM2.Application.Abstractions;
 public interface IDispatcher
 {
    Task<TResult> Send<TCommand, TResult>(TCommand command);
 }
--- a/src/api/SIGCM2.Application/Abstractions/IQueryHandler.cs
+++ b/src/api/SIGCM2.Application/Abstractions/IQueryHandler.cs
@@ -0,0 +1,6 @@
 namespace SIGCM2.Application.Abstractions;
 public interface IQueryHandler<TQuery, TResult>
 {
    Task<TResult> Handle(TQuery query);
 }
--- a/src/api/SIGCM2.Application/Abstractions/Persistence/IUsuarioRepository.cs
+++ b/src/api/SIGCM2.Application/Abstractions/Persistence/IUsuarioRepository.cs
@@ -0,0 +1,8 @@
 using SIGCM2.Domain.Entities;
 namespace SIGCM2.Application.Abstractions.Persistence;
 public interface IUsuarioRepository
 {
    Task<Usuario?> GetByUsernameAsync(string username);
 }
--- a/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs
+++ b/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs
@@ -0,0 +1,8 @@
 using SIGCM2.Domain.Entities;
 namespace SIGCM2.Application.Abstractions.Security;
 public interface IJwtService
 {
    string GenerateAccessToken(Usuario usuario);
 }
--- a/src/api/SIGCM2.Application/Abstractions/Security/IPasswordHasher.cs
+++ b/src/api/SIGCM2.Application/Abstractions/Security/IPasswordHasher.cs
@@ -0,0 +1,7 @@
 namespace SIGCM2.Application.Abstractions.Security;
 public interface IPasswordHasher
 {
    bool Verify(string plainPassword, string hash);
    string Hash(string plainPassword);
 }
--- a/src/api/SIGCM2.Application/Auth/Login/LoginCommand.cs
+++ b/src/api/SIGCM2.Application/Auth/Login/LoginCommand.cs
@@ -0,0 +1,3 @@
 namespace SIGCM2.Application.Auth.Login;
 public sealed record LoginCommand(string Username, string Password);
--- a/src/api/SIGCM2.Application/Auth/Login/LoginCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Auth/Login/LoginCommandHandler.cs
@@ -0,0 +1,54 @@
 using System.Text.Json;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
 using SIGCM2.Domain.Exceptions;
 namespace SIGCM2.Application.Auth.Login;
 public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginResponseDto>
 {
    private readonly IUsuarioRepository _repository;
    private readonly IPasswordHasher _hasher;
    private readonly IJwtService _jwtService;
    public LoginCommandHandler(
        IUsuarioRepository repository,
        IPasswordHasher hasher,
        IJwtService jwtService)
    {
        _repository = repository;
        _hasher = hasher;
        _jwtService = jwtService;
    }
    public async Task<LoginResponseDto> Handle(LoginCommand command)
    {
        var usuario = await _repository.GetByUsernameAsync(command.Username);
        // Deliberately vague — never reveal which check failed
        if (usuario is null || !usuario.Activo)
            throw new InvalidCredentialsException();
        if (!_hasher.Verify(command.Password, usuario.PasswordHash))
            throw new InvalidCredentialsException();
        var accessToken = _jwtService.GenerateAccessToken(usuario);
        var refreshToken = Guid.NewGuid().ToString("N"); // opaque, not persisted in UDT-001
        var permisos = JsonSerializer.Deserialize<string[]>(usuario.PermisosJson)
                       ?? Array.Empty<string>();
        return new LoginResponseDto(
            AccessToken: accessToken,
            RefreshToken: refreshToken,
            ExpiresIn: 3600,
            Usuario: new UsuarioDto(
                Id: usuario.Id,
                Nombre: $"{usuario.Nombre} {usuario.Apellido}".Trim(),
                Rol: usuario.Rol,
                Permisos: permisos
            )
        );
    }
 }
--- a/src/api/SIGCM2.Application/Auth/Login/LoginCommandValidator.cs
+++ b/src/api/SIGCM2.Application/Auth/Login/LoginCommandValidator.cs
@@ -0,0 +1,17 @@
 using FluentValidation;
 namespace SIGCM2.Application.Auth.Login;
 public sealed class LoginCommandValidator : AbstractValidator<LoginCommand>
 {
    public LoginCommandValidator()
    {
        RuleFor(x => x.Username)
            .NotEmpty()
            .WithMessage("El nombre de usuario es requerido.");
        RuleFor(x => x.Password)
            .NotEmpty()
            .WithMessage("La contraseña es requerida.");
    }
 }
--- a/src/api/SIGCM2.Application/Auth/Login/LoginResponseDto.cs
+++ b/src/api/SIGCM2.Application/Auth/Login/LoginResponseDto.cs
@@ -0,0 +1,15 @@
 namespace SIGCM2.Application.Auth.Login;
 public sealed record LoginResponseDto(
    string AccessToken,
    string RefreshToken,
    int ExpiresIn,
    UsuarioDto Usuario
 );
 public sealed record UsuarioDto(
    int Id,
    string Nombre,
    string Rol,
    string[] Permisos
 );
--- a/src/api/SIGCM2.Application/DependencyInjection.cs
+++ b/src/api/SIGCM2.Application/DependencyInjection.cs
@@ -0,0 +1,20 @@
 using FluentValidation;
 using Microsoft.Extensions.DependencyInjection;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Auth.Login;
 namespace SIGCM2.Application;
 public static class DependencyInjection
 {
    public static IServiceCollection AddApplication(this IServiceCollection services)
    {
        // Register command handlers
        services.AddScoped<ICommandHandler<LoginCommand, LoginResponseDto>, LoginCommandHandler>();
        // Register FluentValidation validators from this assembly
        services.AddValidatorsFromAssemblyContaining<LoginCommandValidator>();
        return services;
    }
 }
--- a/src/api/SIGCM2.Application/SIGCM2.Application.csproj
+++ b/src/api/SIGCM2.Application/SIGCM2.Application.csproj
@@ -0,0 +1,18 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <RootNamespace>SIGCM2.Application</RootNamespace>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="FluentValidation.AspNetCore" />
  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\SIGCM2.Domain\SIGCM2.Domain.csproj" />
  </ItemGroup>
 </Project>
--- a/src/api/SIGCM2.Domain/Entities/Usuario.cs
+++ b/src/api/SIGCM2.Domain/Entities/Usuario.cs
@@ -0,0 +1,36 @@
 namespace SIGCM2.Domain.Entities;
 public sealed class Usuario
 {
    public int Id { get; }
    public string Username { get; }
    public string PasswordHash { get; }
    public string Nombre { get; }
    public string Apellido { get; }
    public string? Email { get; }
    public string Rol { get; }
    public string PermisosJson { get; }
    public bool Activo { get; }
    public Usuario(
        int id,
        string username,
        string passwordHash,
        string nombre,
        string apellido,
        string? email,
        string rol,
        string permisosJson,
        bool activo)
    {
        Id = id;
        Username = username;
        PasswordHash = passwordHash;
        Nombre = nombre;
        Apellido = apellido;
        Email = email;
        Rol = rol;
        PermisosJson = permisosJson;
        Activo = activo;
    }
 }
--- a/src/api/SIGCM2.Domain/Exceptions/InvalidCredentialsException.cs
+++ b/src/api/SIGCM2.Domain/Exceptions/InvalidCredentialsException.cs
@@ -0,0 +1,11 @@
 namespace SIGCM2.Domain.Exceptions;
 /// <summary>
 /// Thrown when login credentials are invalid (user not found, wrong password, or inactive).
 /// Deliberately vague to prevent user enumeration.
 /// </summary>
 public sealed class InvalidCredentialsException : Exception
 {
    public InvalidCredentialsException()
        : base("Credenciales inválidas") { }
 }
--- a/src/api/SIGCM2.Domain/SIGCM2.Domain.csproj
+++ b/src/api/SIGCM2.Domain/SIGCM2.Domain.csproj
@@ -0,0 +1,10 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <RootNamespace>SIGCM2.Domain</RootNamespace>
  </PropertyGroup>
 </Project>
--- a/src/api/SIGCM2.Infrastructure/DependencyInjection.cs
+++ b/src/api/SIGCM2.Infrastructure/DependencyInjection.cs
@@ -0,0 +1,76 @@
 using System.Security.Cryptography;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Tokens;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
 using SIGCM2.Infrastructure.Messaging;
 using SIGCM2.Infrastructure.Persistence;
 using SIGCM2.Infrastructure.Security;
 namespace SIGCM2.Infrastructure;
 public static class DependencyInjection
 {
    public static IServiceCollection AddInfrastructure(
        this IServiceCollection services,
        IConfiguration configuration)
    {
        // Database
        var connectionString = configuration.GetConnectionString("SqlServer")
            ?? throw new InvalidOperationException("Missing ConnectionStrings:SqlServer");
        services.AddSingleton(new SqlConnectionFactory(connectionString));
        services.AddScoped<IUsuarioRepository, UsuarioRepository>();
        // JWT Options — bound lazily via IOptions so tests can override via ConfigureWebHost
        services.Configure<JwtOptions>(configuration.GetSection("Jwt"));
        // Also expose as JwtOptions directly for convenience (resolves via IOptions<JwtOptions>)
        services.AddSingleton<JwtOptions>(sp => sp.GetRequiredService<IOptions<JwtOptions>>().Value);
        // RSA key pair — loaded lazily as singletons from the fully-resolved JwtOptions
        services.AddSingleton<RSA>(sp =>
        {
            var opts = sp.GetRequiredService<JwtOptions>();
            return RsaKeyLoader.LoadPrivateKey(opts);
        });
        services.AddSingleton<RsaSecurityKey>(sp =>
        {
            var opts = sp.GetRequiredService<JwtOptions>();
            return new RsaSecurityKey(RsaKeyLoader.LoadPublicKey(opts));
        });
        services.AddScoped<IJwtService>(sp =>
            new JwtService(sp.GetRequiredService<RSA>(), sp.GetRequiredService<JwtOptions>()));
        services.AddScoped<IPasswordHasher, BcryptPasswordHasher>();
        // Dispatcher
        services.AddScoped<IDispatcher, Dispatcher>();
        // JWT Bearer authentication
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer();
        // Post-configure JWT Bearer — wire RSA public key + validation params from resolved options
        services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
            .PostConfigure<RsaSecurityKey, JwtOptions>((jwtBearerOpts, rsaKey, jwtOpts) =>
            {
                jwtBearerOpts.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = rsaKey,
                    ValidateIssuer = true,
                    ValidIssuer = jwtOpts.Issuer,
                    ValidateAudience = true,
                    ValidAudience = jwtOpts.Audience,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.Zero
                };
            });
        return services;
    }
 }
--- a/src/api/SIGCM2.Infrastructure/Messaging/Dispatcher.cs
+++ b/src/api/SIGCM2.Infrastructure/Messaging/Dispatcher.cs
@@ -0,0 +1,20 @@
 using Microsoft.Extensions.DependencyInjection;
 using SIGCM2.Application.Abstractions;
 namespace SIGCM2.Infrastructure.Messaging;
 public sealed class Dispatcher : IDispatcher
 {
    private readonly IServiceProvider _serviceProvider;
    public Dispatcher(IServiceProvider serviceProvider)
    {
        _serviceProvider = serviceProvider;
    }
    public Task<TResult> Send<TCommand, TResult>(TCommand command)
    {
        var handler = _serviceProvider.GetRequiredService<ICommandHandler<TCommand, TResult>>();
        return handler.Handle(command!);
    }
 }
--- a/src/api/SIGCM2.Infrastructure/Persistence/SqlConnectionFactory.cs
+++ b/src/api/SIGCM2.Infrastructure/Persistence/SqlConnectionFactory.cs
@@ -0,0 +1,15 @@
 using Microsoft.Data.SqlClient;
 namespace SIGCM2.Infrastructure.Persistence;
 public sealed class SqlConnectionFactory
 {
    private readonly string _connectionString;
    public SqlConnectionFactory(string connectionString)
    {
        _connectionString = connectionString;
    }
    public SqlConnection CreateConnection() => new(_connectionString);
 }
--- a/src/api/SIGCM2.Infrastructure/Persistence/UsuarioRepository.cs
+++ b/src/api/SIGCM2.Infrastructure/Persistence/UsuarioRepository.cs
@@ -0,0 +1,60 @@
 using Dapper;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Domain.Entities;
 namespace SIGCM2.Infrastructure.Persistence;
 public sealed class UsuarioRepository : IUsuarioRepository
 {
    private readonly SqlConnectionFactory _connectionFactory;
    public UsuarioRepository(SqlConnectionFactory connectionFactory)
    {
        _connectionFactory = connectionFactory;
    }
    public async Task<Usuario?> GetByUsernameAsync(string username)
    {
        const string sql = """
            SELECT
                Id, Username, PasswordHash,
                Nombre, Apellido, Email,
                Rol, PermisosJson, Activo
            FROM dbo.Usuario
            WHERE Username = @Username
              AND Activo = 1
            """;
        await using var connection = _connectionFactory.CreateConnection();
        await connection.OpenAsync();
        var row = await connection.QuerySingleOrDefaultAsync<UsuarioRow>(sql, new { Username = username });
        if (row is null) return null;
        return new Usuario(
            id: row.Id,
            username: row.Username,
            passwordHash: row.PasswordHash,
            nombre: row.Nombre,
            apellido: row.Apellido,
            email: row.Email,
            rol: row.Rol,
            permisosJson: row.PermisosJson,
            activo: row.Activo
        );
    }
    // Flat DTO for Dapper mapping (avoids polluting domain entity with Dapper attributes)
    private sealed record UsuarioRow(
        int Id,
        string Username,
        string PasswordHash,
        string Nombre,
        string Apellido,
        string? Email,
        string Rol,
        string PermisosJson,
        bool Activo
    );
 }
--- a/src/api/SIGCM2.Infrastructure/SIGCM2.Infrastructure.csproj
+++ b/src/api/SIGCM2.Infrastructure/SIGCM2.Infrastructure.csproj
@@ -0,0 +1,24 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <RootNamespace>SIGCM2.Infrastructure</RootNamespace>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Dapper" />
    <PackageReference Include="Microsoft.Data.SqlClient" />
    <PackageReference Include="BCrypt.Net-Next" />
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
    <PackageReference Include="Microsoft.IdentityModel.Tokens" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\SIGCM2.Application\SIGCM2.Application.csproj" />
    <ProjectReference Include="..\SIGCM2.Domain\SIGCM2.Domain.csproj" />
  </ItemGroup>
 </Project>
--- a/src/api/SIGCM2.Infrastructure/Security/BcryptPasswordHasher.cs
+++ b/src/api/SIGCM2.Infrastructure/Security/BcryptPasswordHasher.cs
@@ -0,0 +1,15 @@
 using SIGCM2.Application.Abstractions.Security;
 using BCryptNet = BCrypt.Net.BCrypt;
 namespace SIGCM2.Infrastructure.Security;
 public sealed class BcryptPasswordHasher : IPasswordHasher
 {
    private const int WorkFactor = 12;
    public bool Verify(string plainPassword, string hash)
        => BCryptNet.Verify(plainPassword, hash);
    public string Hash(string plainPassword)
        => BCryptNet.HashPassword(plainPassword, WorkFactor);
 }
--- a/src/api/SIGCM2.Infrastructure/Security/JwtOptions.cs
+++ b/src/api/SIGCM2.Infrastructure/Security/JwtOptions.cs
@@ -0,0 +1,20 @@
 namespace SIGCM2.Infrastructure.Security;
 public sealed class JwtOptions
 {
    public string Issuer { get; set; } = "sigcm2.api";
    public string Audience { get; set; } = "sigcm2.web";
    public int AccessTokenMinutes { get; set; } = 60;
    /// <summary>Path to private.pem file (dev). Used if PrivateKey is null.</summary>
    public string? PrivateKeyPath { get; set; }
    /// <summary>Path to public.pem file (dev). Used if PublicKey is null.</summary>
    public string? PublicKeyPath { get; set; }
    /// <summary>PEM content from env var (production). Takes precedence over file.</summary>
    public string? PrivateKey { get; set; }
    /// <summary>PEM content from env var (production). Takes precedence over file.</summary>
    public string? PublicKey { get; set; }
 }
--- a/src/api/SIGCM2.Infrastructure/Security/JwtService.cs
+++ b/src/api/SIGCM2.Infrastructure/Security/JwtService.cs
@@ -0,0 +1,68 @@
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Text.Json;
 using Microsoft.IdentityModel.Tokens;
 using System.IdentityModel.Tokens.Jwt;
 using SIGCM2.Application.Abstractions.Security;
 using SIGCM2.Domain.Entities;
 namespace SIGCM2.Infrastructure.Security;
 public sealed class JwtService : IJwtService
 {
    private readonly RSA _rsa;
    private readonly JwtOptions _options;
    public JwtService(RSA rsa, JwtOptions options)
    {
        _rsa = rsa;
        _options = options;
    }
    public string GenerateAccessToken(Usuario usuario)
    {
        var signingKey = new RsaSecurityKey(_rsa);
        var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);
        var permisos = DeserializePermisos(usuario.PermisosJson);
        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, usuario.Id.ToString()),
            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new("name", usuario.Username),
            new("rol", usuario.Rol),
        };
        // Add each permission as a separate claim
        foreach (var permiso in permisos)
            claims.Add(new Claim("permisos", permiso));
        var now = DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Issuer = _options.Issuer,
            Audience = _options.Audience,
            IssuedAt = now,
            Expires = now.AddMinutes(_options.AccessTokenMinutes),
            SigningCredentials = credentials
        };
        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateToken(descriptor);
        return handler.WriteToken(token);
    }
    private static string[] DeserializePermisos(string permisosJson)
    {
        try
        {
            return JsonSerializer.Deserialize<string[]>(permisosJson) ?? [];
        }
        catch
        {
            return [];
        }
    }
 }
--- a/src/api/SIGCM2.Infrastructure/Security/RsaKeyLoader.cs
+++ b/src/api/SIGCM2.Infrastructure/Security/RsaKeyLoader.cs
@@ -0,0 +1,49 @@
 using System.Security.Cryptography;
 namespace SIGCM2.Infrastructure.Security;
 public static class RsaKeyLoader
 {
    /// <summary>
    /// Loads the RSA private key from environment variable (production)
    /// or from the PEM file on disk (development).
    /// </summary>
    public static RSA LoadPrivateKey(JwtOptions options)
    {
        var pem = options.PrivateKey ?? ReadPemFile(options.PrivateKeyPath, "private.pem");
        var rsa = RSA.Create();
        rsa.ImportFromPem(pem);
        return rsa;
    }
    /// <summary>
    /// Loads the RSA public key from environment variable (production)
    /// or from the PEM file on disk (development).
    /// </summary>
    public static RSA LoadPublicKey(JwtOptions options)
    {
        var pem = options.PublicKey ?? ReadPemFile(options.PublicKeyPath, "public.pem");
        var rsa = RSA.Create();
        rsa.ImportFromPem(pem);
        return rsa;
    }
    private static string ReadPemFile(string? path, string fallbackName)
    {
        if (string.IsNullOrWhiteSpace(path))
        {
            throw new InvalidOperationException(
                $"JWT key not configured. Set the env var or provide a path for {fallbackName}. " +
                $"Run: pwsh -File scripts/generate-keys.ps1");
        }
        if (!File.Exists(path))
        {
            throw new FileNotFoundException(
                $"JWT key file not found at '{path}'. " +
                $"Run: pwsh -File scripts/generate-keys.ps1", path);
        }
        return File.ReadAllText(path);
    }
 }
--- a/src/web/.gitignore
+++ b/src/web/.gitignore
@@ -0,0 +1,24 @@
 # Logs
 logs
 *.log
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
 lerna-debug.log*
 node_modules
 dist
 dist-ssr
 *.local
 # Editor directories and files
 .vscode/*
 !.vscode/extensions.json
 .idea
 .DS_Store
 *.suo
 *.ntvs*
 *.njsproj
 *.sln
 *.sw?
--- a/src/web/README.md
+++ b/src/web/README.md
@@ -0,0 +1,73 @@
 # React + TypeScript + Vite
 This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.
 Currently, two official plugins are available:
 - [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react) uses [Oxc](https://oxc.rs)
 - [@vitejs/plugin-react-swc](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react-swc) uses [SWC](https://swc.rs/)
 ## React Compiler
 The React Compiler is not enabled on this template because of its impact on dev & build performances. To add it, see [this documentation](https://react.dev/learn/react-compiler/installation).
 ## Expanding the ESLint configuration
 If you are developing a production application, we recommend updating the configuration to enable type-aware lint rules:
 ```js
 export default defineConfig([
  globalIgnores(['dist']),
  {
    files: ['**/*.{ts,tsx}'],
    extends: [
      // Other configs...
      // Remove tseslint.configs.recommended and replace with this
      tseslint.configs.recommendedTypeChecked,
      // Alternatively, use this for stricter rules
      tseslint.configs.strictTypeChecked,
      // Optionally, add this for stylistic rules
      tseslint.configs.stylisticTypeChecked,
      // Other configs...
    ],
    languageOptions: {
      parserOptions: {
        project: ['./tsconfig.node.json', './tsconfig.app.json'],
        tsconfigRootDir: import.meta.dirname,
      },
      // other options...
    },
  },
 ])
 ```
 You can also install [eslint-plugin-react-x](https://github.com/Rel1cx/eslint-react/tree/main/packages/plugins/eslint-plugin-react-x) and [eslint-plugin-react-dom](https://github.com/Rel1cx/eslint-react/tree/main/packages/plugins/eslint-plugin-react-dom) for React-specific lint rules:
 ```js
 // eslint.config.js
 import reactX from 'eslint-plugin-react-x'
 import reactDom from 'eslint-plugin-react-dom'
 export default defineConfig([
  globalIgnores(['dist']),
  {
    files: ['**/*.{ts,tsx}'],
    extends: [
      // Other configs...
      // Enable lint rules for React
      reactX.configs['recommended-typescript'],
      // Enable lint rules for React DOM
      reactDom.configs.recommended,
    ],
    languageOptions: {
      parserOptions: {
        project: ['./tsconfig.node.json', './tsconfig.app.json'],
        tsconfigRootDir: import.meta.dirname,
      },
      // other options...
    },
  },
 ])
 ```
--- a/src/web/env.development.example
+++ b/src/web/env.development.example
@@ -0,0 +1 @@
 VITE_API_URL=http://localhost:5000
--- a/src/web/eslint.config.js
+++ b/src/web/eslint.config.js
@@ -0,0 +1,23 @@
 import js from '@eslint/js'
 import globals from 'globals'
 import reactHooks from 'eslint-plugin-react-hooks'
 import reactRefresh from 'eslint-plugin-react-refresh'
 import tseslint from 'typescript-eslint'
 import { defineConfig, globalIgnores } from 'eslint/config'
 export default defineConfig([
  globalIgnores(['dist']),
  {
    files: ['**/*.{ts,tsx}'],
    extends: [
      js.configs.recommended,
      tseslint.configs.recommended,
      reactHooks.configs.flat.recommended,
      reactRefresh.configs.vite,
    ],
    languageOptions: {
      ecmaVersion: 2020,
      globals: globals.browser,
    },
  },
 ])
--- a/src/web/index.html
+++ b/src/web/index.html
@@ -0,0 +1,13 @@
 <!doctype html>
 <html lang="en">
  <head>
    <meta charset="UTF-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>web</title>
  </head>
  <body>
    <div id="root"></div>
    <script type="module" src="/src/main.tsx"></script>
  </body>
 </html>
--- a/src/web/package-lock.json
+++ b/src/web/package-lock.json
--- a/src/web/package.json
+++ b/src/web/package.json
@@ -0,0 +1,46 @@
 {
  "name": "web",
  "private": true,
  "version": "0.0.0",
  "type": "module",
  "scripts": {
    "dev": "vite",
    "build": "tsc -b && vite build",
    "lint": "eslint .",
    "preview": "vite preview",
    "test": "vitest run",
    "test:watch": "vitest",
    "test:coverage": "vitest run --coverage"
  },
  "dependencies": {
    "@tanstack/react-query": "^5.99.0",
    "axios": "1.7",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
    "react-router-dom": "^7.14.1",
    "zustand": "^5.0.12"
  },
  "devDependencies": {
    "@eslint/js": "^9.39.4",
    "@tailwindcss/vite": "^4.2.2",
    "@testing-library/jest-dom": "^6.9.1",
    "@testing-library/react": "^16.3.2",
    "@testing-library/user-event": "^14.6.1",
    "@types/node": "^24.12.2",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
    "@vitejs/plugin-react": "^6.0.1",
    "@vitest/coverage-v8": "^2.1.9",
    "eslint": "^9.39.4",
    "eslint-plugin-react-hooks": "^7.0.1",
    "eslint-plugin-react-refresh": "^0.5.2",
    "globals": "^17.4.0",
    "jsdom": "^25.0.1",
    "msw": "^2.13.2",
    "tailwindcss": "^4.0.0",
    "typescript": "~6.0.2",
    "typescript-eslint": "^8.58.0",
    "vite": "^8.0.4",
    "vitest": "^2.1.9"
  }
 }
--- a/src/web/public/favicon.svg
+++ b/src/web/public/favicon.svg
--- a/src/web/public/icons.svg
+++ b/src/web/public/icons.svg
@@ -0,0 +1,24 @@
 <svg xmlns="http://www.w3.org/2000/svg">
  <symbol id="bluesky-icon" viewBox="0 0 16 17">
    <g clip-path="url(#bluesky-clip)"><path fill="#08060d" d="M7.75 7.735c-.693-1.348-2.58-3.86-4.334-5.097-1.68-1.187-2.32-.981-2.74-.79C.188 2.065.1 2.812.1 3.251s.241 3.602.398 4.13c.52 1.744 2.367 2.333 4.07 2.145-2.495.37-4.71 1.278-1.805 4.512 3.196 3.309 4.38-.71 4.987-2.746.608 2.036 1.307 5.91 4.93 2.746 2.72-2.746.747-4.143-1.747-4.512 1.702.189 3.55-.4 4.07-2.145.156-.528.397-3.691.397-4.13s-.088-1.186-.575-1.406c-.42-.19-1.06-.395-2.741.79-1.755 1.24-3.64 3.752-4.334 5.099"/></g>
    <defs><clipPath id="bluesky-clip"><path fill="#fff" d="M.1.85h15.3v15.3H.1z"/></clipPath></defs>
  </symbol>
  <symbol id="discord-icon" viewBox="0 0 20 19">
    <path fill="#08060d" d="M16.224 3.768a14.5 14.5 0 0 0-3.67-1.153c-.158.286-.343.67-.47.976a13.5 13.5 0 0 0-4.067 0c-.128-.306-.317-.69-.476-.976A14.4 14.4 0 0 0 3.868 3.77C1.546 7.28.916 10.703 1.231 14.077a14.7 14.7 0 0 0 4.5 2.306q.545-.748.965-1.587a9.5 9.5 0 0 1-1.518-.74q.191-.14.372-.293c2.927 1.369 6.107 1.369 8.999 0q.183.152.372.294-.723.437-1.52.74.418.838.963 1.588a14.6 14.6 0 0 0 4.504-2.308c.37-3.911-.63-7.302-2.644-10.309m-9.13 8.234c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.894 0 1.614.82 1.599 1.82.001 1-.705 1.82-1.6 1.82m5.91 0c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.893 0 1.614.82 1.599 1.82 0 1-.706 1.82-1.6 1.82"/>
  </symbol>
  <symbol id="documentation-icon" viewBox="0 0 21 20">
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="m15.5 13.333 1.533 1.322c.645.555.967.833.967 1.178s-.322.623-.967 1.179L15.5 18.333m-3.333-5-1.534 1.322c-.644.555-.966.833-.966 1.178s.322.623.966 1.179l1.534 1.321"/>
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M17.167 10.836v-4.32c0-1.41 0-2.117-.224-2.68-.359-.906-1.118-1.621-2.08-1.96-.599-.21-1.349-.21-2.848-.21-2.623 0-3.935 0-4.983.369-1.684.591-3.013 1.842-3.641 3.428C3 6.449 3 7.684 3 10.154v2.122c0 2.558 0 3.838.706 4.726q.306.383.713.671c.76.536 1.79.64 3.581.66"/>
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M3 10a2.78 2.78 0 0 1 2.778-2.778c.555 0 1.209.097 1.748-.047.48-.129.854-.503.982-.982.145-.54.048-1.194.048-1.749a2.78 2.78 0 0 1 2.777-2.777"/>
  </symbol>
  <symbol id="github-icon" viewBox="0 0 19 19">
    <path fill="#08060d" fill-rule="evenodd" d="M9.356 1.85C5.05 1.85 1.57 5.356 1.57 9.694a7.84 7.84 0 0 0 5.324 7.44c.387.079.528-.168.528-.376 0-.182-.013-.805-.013-1.454-2.165.467-2.616-.935-2.616-.935-.349-.91-.864-1.143-.864-1.143-.71-.48.051-.48.051-.48.787.051 1.2.805 1.2.805.695 1.194 1.817.857 2.268.649.064-.507.27-.857.49-1.052-1.728-.182-3.545-.857-3.545-3.87 0-.857.31-1.558.8-2.104-.078-.195-.349-1 .077-2.078 0 0 .657-.208 2.14.805a7.5 7.5 0 0 1 1.946-.26c.657 0 1.328.092 1.946.26 1.483-1.013 2.14-.805 2.14-.805.426 1.078.155 1.883.078 2.078.502.546.799 1.247.799 2.104 0 3.013-1.818 3.675-3.558 3.87.284.247.528.714.528 1.454 0 1.052-.012 1.896-.012 2.156 0 .208.142.455.528.377a7.84 7.84 0 0 0 5.324-7.441c.013-4.338-3.48-7.844-7.773-7.844" clip-rule="evenodd"/>
  </symbol>
  <symbol id="social-icon" viewBox="0 0 20 20">
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M12.5 6.667a4.167 4.167 0 1 0-8.334 0 4.167 4.167 0 0 0 8.334 0"/>
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M2.5 16.667a5.833 5.833 0 0 1 8.75-5.053m3.837.474.513 1.035c.07.144.257.282.414.309l.93.155c.596.1.736.536.307.965l-.723.73a.64.64 0 0 0-.152.531l.207.903c.164.715-.213.991-.84.618l-.872-.52a.63.63 0 0 0-.577 0l-.872.52c-.624.373-1.003.094-.84-.618l.207-.903a.64.64 0 0 0-.152-.532l-.723-.729c-.426-.43-.289-.864.306-.964l.93-.156a.64.64 0 0 0 .412-.31l.513-1.034c.28-.562.735-.562 1.012 0"/>
  </symbol>
  <symbol id="x-icon" viewBox="0 0 19 19">
    <path fill="#08060d" fill-rule="evenodd" d="M1.893 1.98c.052.072 1.245 1.769 2.653 3.77l2.892 4.114c.183.261.333.48.333.486s-.068.089-.152.183l-.522.593-.765.867-3.597 4.087c-.375.426-.734.834-.798.905a1 1 0 0 0-.118.148c0 .01.236.017.664.017h.663l.729-.83c.4-.457.796-.906.879-.999a692 692 0 0 0 1.794-2.038c.034-.037.301-.34.594-.675l.551-.624.345-.392a7 7 0 0 1 .34-.374c.006 0 .93 1.306 2.052 2.903l2.084 2.965.045.063h2.275c1.87 0 2.273-.003 2.266-.021-.008-.02-1.098-1.572-3.894-5.547-2.013-2.862-2.28-3.246-2.273-3.266.008-.019.282-.332 2.085-2.38l2-2.274 1.567-1.782c.022-.028-.016-.03-.65-.03h-.674l-.3.342a871 871 0 0 1-1.782 2.025c-.067.075-.405.458-.75.852a100 100 0 0 1-.803.91c-.148.172-.299.344-.99 1.127-.304.343-.32.358-.345.327-.015-.019-.904-1.282-1.976-2.808L6.365 1.85H1.8zm1.782.91 8.078 11.294c.772 1.08 1.413 1.973 1.425 1.984.016.017.241.02 1.05.017l1.03-.004-2.694-3.766L7.796 5.75 5.722 2.852l-1.039-.004-1.039-.004z" clip-rule="evenodd"/>
  </symbol>
 </svg>
--- a/src/web/src/App.css
+++ b/src/web/src/App.css
@@ -0,0 +1,184 @@
 .counter {
  font-size: 16px;
  padding: 5px 10px;
  border-radius: 5px;
  color: var(--accent);
  background: var(--accent-bg);
  border: 2px solid transparent;
  transition: border-color 0.3s;
  margin-bottom: 24px;
  &:hover {
    border-color: var(--accent-border);
  }
  &:focus-visible {
    outline: 2px solid var(--accent);
    outline-offset: 2px;
  }
 }
 .hero {
  position: relative;
  .base,
  .framework,
  .vite {
    inset-inline: 0;
    margin: 0 auto;
  }
  .base {
    width: 170px;
    position: relative;
    z-index: 0;
  }
  .framework,
  .vite {
    position: absolute;
  }
  .framework {
    z-index: 1;
    top: 34px;
    height: 28px;
    transform: perspective(2000px) rotateZ(300deg) rotateX(44deg) rotateY(39deg)
      scale(1.4);
  }
  .vite {
    z-index: 0;
    top: 107px;
    height: 26px;
    width: auto;
    transform: perspective(2000px) rotateZ(300deg) rotateX(40deg) rotateY(39deg)
      scale(0.8);
  }
 }
 #center {
  display: flex;
  flex-direction: column;
  gap: 25px;
  place-content: center;
  place-items: center;
  flex-grow: 1;
  @media (max-width: 1024px) {
    padding: 32px 20px 24px;
    gap: 18px;
  }
 }
 #next-steps {
  display: flex;
  border-top: 1px solid var(--border);
  text-align: left;
  & > div {
    flex: 1 1 0;
    padding: 32px;
    @media (max-width: 1024px) {
      padding: 24px 20px;
    }
  }
  .icon {
    margin-bottom: 16px;
    width: 22px;
    height: 22px;
  }
  @media (max-width: 1024px) {
    flex-direction: column;
    text-align: center;
  }
 }
 #docs {
  border-right: 1px solid var(--border);
  @media (max-width: 1024px) {
    border-right: none;
    border-bottom: 1px solid var(--border);
  }
 }
 #next-steps ul {
  list-style: none;
  padding: 0;
  display: flex;
  gap: 8px;
  margin: 32px 0 0;
  .logo {
    height: 18px;
  }
  a {
    color: var(--text-h);
    font-size: 16px;
    border-radius: 6px;
    background: var(--social-bg);
    display: flex;
    padding: 6px 12px;
    align-items: center;
    gap: 8px;
    text-decoration: none;
    transition: box-shadow 0.3s;
    &:hover {
      box-shadow: var(--shadow);
    }
    .button-icon {
      height: 18px;
      width: 18px;
    }
  }
  @media (max-width: 1024px) {
    margin-top: 20px;
    flex-wrap: wrap;
    justify-content: center;
    li {
      flex: 1 1 calc(50% - 8px);
    }
    a {
      width: 100%;
      justify-content: center;
      box-sizing: border-box;
    }
  }
 }
 #spacer {
  height: 88px;
  border-top: 1px solid var(--border);
  @media (max-width: 1024px) {
    height: 48px;
  }
 }
 .ticks {
  position: relative;
  width: 100%;
  &::before,
  &::after {
    content: '';
    position: absolute;
    top: -4.5px;
    border: 5px solid transparent;
  }
  &::before {
    left: 0;
    border-left-color: var(--border);
  }
  &::after {
    right: 0;
    border-right-color: var(--border);
  }
 }
--- a/src/web/src/App.tsx
+++ b/src/web/src/App.tsx
@@ -0,0 +1,22 @@
 import { BrowserRouter } from 'react-router-dom'
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query'
 import { AppRoutes } from './router'
 const queryClient = new QueryClient({
  defaultOptions: {
    queries: { retry: 1, staleTime: 1000 * 60 * 5 },
    mutations: { retry: 0 },
  },
 })
 function App() {
  return (
    <QueryClientProvider client={queryClient}>
      <BrowserRouter>
        <AppRoutes />
      </BrowserRouter>
    </QueryClientProvider>
  )
 }
 export default App
--- a/src/web/src/api/axiosClient.ts
+++ b/src/web/src/api/axiosClient.ts
@@ -0,0 +1,10 @@
 import axios from 'axios'
 const API_URL = import.meta.env['VITE_API_URL'] ?? 'http://localhost:5000'
 export const axiosClient = axios.create({
  baseURL: API_URL,
  headers: {
    'Content-Type': 'application/json',
  },
 })
--- a/src/web/src/assets/hero.png
+++ b/src/web/src/assets/hero.png
--- a/src/web/src/assets/react.svg
+++ b/src/web/src/assets/react.svg
@@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="35.93" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 228"><path fill="#00D8FF" d="M210.483 73.824a171.49 171.49 0 0 0-8.24-2.597c.465-1.9.893-3.777 1.273-5.621c6.238-30.281 2.16-54.676-11.769-62.708c-13.355-7.7-35.196.329-57.254 19.526a171.23 171.23 0 0 0-6.375 5.848a155.866 155.866 0 0 0-4.241-3.917C100.759 3.829 77.587-4.822 63.673 3.233C50.33 10.957 46.379 33.89 51.995 62.588a170.974 170.974 0 0 0 1.892 8.48c-3.28.932-6.445 1.924-9.474 2.98C17.309 83.498 0 98.307 0 113.668c0 15.865 18.582 31.778 46.812 41.427a145.52 145.52 0 0 0 6.921 2.165a167.467 167.467 0 0 0-2.01 9.138c-5.354 28.2-1.173 50.591 12.134 58.266c13.744 7.926 36.812-.22 59.273-19.855a145.567 145.567 0 0 0 5.342-4.923a168.064 168.064 0 0 0 6.92 6.314c21.758 18.722 43.246 26.282 56.54 18.586c13.731-7.949 18.194-32.003 12.4-61.268a145.016 145.016 0 0 0-1.535-6.842c1.62-.48 3.21-.974 4.76-1.488c29.348-9.723 48.443-25.443 48.443-41.52c0-15.417-17.868-30.326-45.517-39.844Zm-6.365 70.984c-1.4.463-2.836.91-4.3 1.345c-3.24-10.257-7.612-21.163-12.963-32.432c5.106-11 9.31-21.767 12.459-31.957c2.619.758 5.16 1.557 7.61 2.4c23.69 8.156 38.14 20.213 38.14 29.504c0 9.896-15.606 22.743-40.946 31.14Zm-10.514 20.834c2.562 12.94 2.927 24.64 1.23 33.787c-1.524 8.219-4.59 13.698-8.382 15.893c-8.067 4.67-25.32-1.4-43.927-17.412a156.726 156.726 0 0 1-6.437-5.87c7.214-7.889 14.423-17.06 21.459-27.246c12.376-1.098 24.068-2.894 34.671-5.345a134.17 134.17 0 0 1 1.386 6.193ZM87.276 214.515c-7.882 2.783-14.16 2.863-17.955.675c-8.075-4.657-11.432-22.636-6.853-46.752a156.923 156.923 0 0 1 1.869-8.499c10.486 2.32 22.093 3.988 34.498 4.994c7.084 9.967 14.501 19.128 21.976 27.15a134.668 134.668 0 0 1-4.877 4.492c-9.933 8.682-19.886 14.842-28.658 17.94ZM50.35 144.747c-12.483-4.267-22.792-9.812-29.858-15.863c-6.35-5.437-9.555-10.836-9.555-15.216c0-9.322 13.897-21.212 37.076-29.293c2.813-.98 5.757-1.905 8.812-2.773c3.204 10.42 7.406 21.315 12.477 32.332c-5.137 11.18-9.399 22.249-12.634 32.792a134.718 134.718 0 0 1-6.318-1.979Zm12.378-84.26c-4.811-24.587-1.616-43.134 6.425-47.789c8.564-4.958 27.502 2.111 47.463 19.835a144.318 144.318 0 0 1 3.841 3.545c-7.438 7.987-14.787 17.08-21.808 26.988c-12.04 1.116-23.565 2.908-34.161 5.309a160.342 160.342 0 0 1-1.76-7.887Zm110.427 27.268a347.8 347.8 0 0 0-7.785-12.803c8.168 1.033 15.994 2.404 23.343 4.08c-2.206 7.072-4.956 14.465-8.193 22.045a381.151 381.151 0 0 0-7.365-13.322Zm-45.032-43.861c5.044 5.465 10.096 11.566 15.065 18.186a322.04 322.04 0 0 0-30.257-.006c4.974-6.559 10.069-12.652 15.192-18.18ZM82.802 87.83a323.167 323.167 0 0 0-7.227 13.238c-3.184-7.553-5.909-14.98-8.134-22.152c7.304-1.634 15.093-2.97 23.209-3.984a321.524 321.524 0 0 0-7.848 12.897Zm8.081 65.352c-8.385-.936-16.291-2.203-23.593-3.793c2.26-7.3 5.045-14.885 8.298-22.6a321.187 321.187 0 0 0 7.257 13.246c2.594 4.48 5.28 8.868 8.038 13.147Zm37.542 31.03c-5.184-5.592-10.354-11.779-15.403-18.433c4.902.192 9.899.29 14.978.29c5.218 0 10.376-.117 15.453-.343c-4.985 6.774-10.018 12.97-15.028 18.486Zm52.198-57.817c3.422 7.8 6.306 15.345 8.596 22.52c-7.422 1.694-15.436 3.058-23.88 4.071a382.417 382.417 0 0 0 7.859-13.026a347.403 347.403 0 0 0 7.425-13.565Zm-16.898 8.101a358.557 358.557 0 0 1-12.281 19.815a329.4 329.4 0 0 1-23.444.823c-7.967 0-15.716-.248-23.178-.732a310.202 310.202 0 0 1-12.513-19.846h.001a307.41 307.41 0 0 1-10.923-20.627a310.278 310.278 0 0 1 10.89-20.637l-.001.001a307.318 307.318 0 0 1 12.413-19.761c7.613-.576 15.42-.876 23.31-.876H128c7.926 0 15.743.303 23.354.883a329.357 329.357 0 0 1 12.335 19.695a358.489 358.489 0 0 1 11.036 20.54a329.472 329.472 0 0 1-11 20.722Zm22.56-122.124c8.572 4.944 11.906 24.881 6.52 51.026c-.344 1.668-.73 3.367-1.15 5.09c-10.622-2.452-22.155-4.275-34.23-5.408c-7.034-10.017-14.323-19.124-21.64-27.008a160.789 160.789 0 0 1 5.888-5.4c18.9-16.447 36.564-22.941 44.612-18.3ZM128 90.808c12.625 0 22.86 10.235 22.86 22.86s-10.235 22.86-22.86 22.86s-22.86-10.235-22.86-22.86s10.235-22.86 22.86-22.86Z"></path></svg>
--- a/src/web/src/assets/vite.svg
+++ b/src/web/src/assets/vite.svg
--- a/src/web/src/features/auth/api/authApi.ts
+++ b/src/web/src/features/auth/api/authApi.ts
@@ -0,0 +1,21 @@
 import { axiosClient } from '../../../api/axiosClient'
 export interface LoginResponseDto {
  accessToken: string
  refreshToken: string
  expiresIn: number
  usuario: {
    id: number
    username: string
    nombre: string
    rol: string
  }
 }
 export async function login(username: string, password: string): Promise<LoginResponseDto> {
  const response = await axiosClient.post<LoginResponseDto>('/api/v1/auth/login', {
    username,
    password,
  })
  return response.data
 }
--- a/src/web/src/features/auth/components/LoginForm.tsx
+++ b/src/web/src/features/auth/components/LoginForm.tsx
@@ -0,0 +1,66 @@
 import type { FormEvent } from 'react'
 interface LoginFormProps {
  onSubmit: (username: string, password: string) => void
  isLoading: boolean
  error: string | null
 }
 export function LoginForm({ onSubmit, isLoading, error }: LoginFormProps) {
  function handleSubmit(e: FormEvent<HTMLFormElement>) {
    e.preventDefault()
    const form = e.currentTarget
    const data = new FormData(form)
    const username = data.get('username') as string
    const password = data.get('password') as string
    onSubmit(username, password)
  }
  return (
    <form onSubmit={handleSubmit} className="flex flex-col gap-4 w-full max-w-sm">
      <div className="flex flex-col gap-1">
        <label htmlFor="username" className="text-sm font-medium text-gray-700">
          Usuario
        </label>
        <input
          id="username"
          name="username"
          type="text"
          required
          autoComplete="username"
          disabled={isLoading}
          className="rounded border border-gray-300 px-3 py-2 text-sm focus:outline-none focus:ring-2 focus:ring-blue-500 disabled:opacity-50"
        />
      </div>
      <div className="flex flex-col gap-1">
        <label htmlFor="password" className="text-sm font-medium text-gray-700">
          Contraseña
        </label>
        <input
          id="password"
          name="password"
          type="password"
          required
          autoComplete="current-password"
          disabled={isLoading}
          className="rounded border border-gray-300 px-3 py-2 text-sm focus:outline-none focus:ring-2 focus:ring-blue-500 disabled:opacity-50"
        />
      </div>
      {error && (
        <p role="alert" className="text-sm text-red-600">
          {error}
        </p>
      )}
      <button
        type="submit"
        disabled={isLoading}
        className="rounded bg-blue-600 px-4 py-2 text-sm font-medium text-white hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 disabled:opacity-50 disabled:cursor-not-allowed"
      >
        {isLoading ? 'Ingresando...' : 'Ingresar'}
      </button>
    </form>
  )
 }
--- a/src/web/src/features/auth/hooks/useLogin.ts
+++ b/src/web/src/features/auth/hooks/useLogin.ts
@@ -0,0 +1,29 @@
 import { useMutation } from '@tanstack/react-query'
 import { login } from '../api/authApi'
 import { useAuthStore } from '../../../stores/authStore'
 interface LoginVars {
  username: string
  password: string
 }
 export function useLogin() {
  const setAuth = useAuthStore((s) => s.setAuth)
  return useMutation({
    mutationFn: ({ username, password }: LoginVars) => login(username, password),
    onSuccess: (data) => {
      setAuth({
        user: {
          id: data.usuario.id,
          username: data.usuario.username,
          nombre: data.usuario.nombre,
          rol: data.usuario.rol,
        },
        accessToken: data.accessToken,
        refreshToken: data.refreshToken,
        expiresIn: data.expiresIn,
      })
    },
  })
 }
--- a/src/web/src/features/auth/pages/LoginPage.tsx
+++ b/src/web/src/features/auth/pages/LoginPage.tsx
@@ -0,0 +1,44 @@
 import { useNavigate } from 'react-router-dom'
 import { useLogin } from '../hooks/useLogin'
 import { LoginForm } from '../components/LoginForm'
 import { isAxiosError } from 'axios'
 export function LoginPage() {
  const navigate = useNavigate()
  const { mutate, isPending, error } = useLogin()
  function handleSubmit(username: string, password: string) {
    mutate(
      { username, password },
      {
        onSuccess: () => {
          void navigate('/')
        },
      },
    )
  }
  function resolveErrorMessage(err: unknown): string | null {
    if (!err) return null
    if (isAxiosError(err) && err.response?.data) {
      const data = err.response.data as { error?: string }
      return data.error ?? 'Error al iniciar sesión'
    }
    return 'Error al iniciar sesión'
  }
  return (
    <div className="flex min-h-screen items-center justify-center bg-gray-50">
      <div className="rounded-lg bg-white p-8 shadow-md w-full max-w-sm">
        <h1 className="mb-6 text-center text-2xl font-semibold text-gray-900">
          SIG-CM2
        </h1>
        <LoginForm
          onSubmit={handleSubmit}
          isLoading={isPending}
          error={resolveErrorMessage(error)}
        />
      </div>
    </div>
  )
 }
--- a/src/web/src/index.css
+++ b/src/web/src/index.css
@@ -0,0 +1,81 @@
@import "tailwindcss";
@media (prefers-color-scheme: dark) {
  :root {
    --text: #9ca3af;
    --text-h: #f3f4f6;
    --bg: #16171d;
    --border: #2e303a;
    --code-bg: #1f2028;
    --accent: #c084fc;
    --accent-bg: rgba(192, 132, 252, 0.15);
    --accent-border: rgba(192, 132, 252, 0.5);
    --social-bg: rgba(47, 48, 58, 0.5);
    --shadow:
      rgba(0, 0, 0, 0.4) 0 10px 15px -3px, rgba(0, 0, 0, 0.25) 0 4px 6px -2px;
  }
  #social .button-icon {
    filter: invert(1) brightness(2);
  }
 }
 #root {
  width: 1126px;
  max-width: 100%;
  margin: 0 auto;
  text-align: center;
  border-inline: 1px solid var(--border);
  min-height: 100svh;
  display: flex;
  flex-direction: column;
  box-sizing: border-box;
 }
 body {
  margin: 0;
 }
 h1,
 h2 {
  font-family: var(--heading);
  font-weight: 500;
  color: var(--text-h);
 }
 h1 {
  font-size: 56px;
  letter-spacing: -1.68px;
  margin: 32px 0;
  @media (max-width: 1024px) {
    font-size: 36px;
    margin: 20px 0;
  }
 }
 h2 {
  font-size: 24px;
  line-height: 118%;
  letter-spacing: -0.24px;
  margin: 0 0 8px;
  @media (max-width: 1024px) {
    font-size: 20px;
  }
 }
 p {
  margin: 0;
 }
 code,
 .counter {
  font-family: var(--mono);
  display: inline-flex;
  border-radius: 4px;
  color: var(--text-h);
 }
 code {
  font-size: 15px;
  line-height: 135%;
  padding: 4px 8px;
  background: var(--code-bg);
 }
--- a/src/web/src/layouts/ProtectedLayout.tsx
+++ b/src/web/src/layouts/ProtectedLayout.tsx
@@ -0,0 +1,13 @@
 import type { ReactNode } from 'react'
 interface ProtectedLayoutProps {
  children: ReactNode
 }
 export function ProtectedLayout({ children }: ProtectedLayoutProps) {
  return (
    <div className="min-h-screen bg-white">
      {children}
    </div>
  )
 }
--- a/src/web/src/layouts/PublicLayout.tsx
+++ b/src/web/src/layouts/PublicLayout.tsx
@@ -0,0 +1,13 @@
 import type { ReactNode } from 'react'
 interface PublicLayoutProps {
  children: ReactNode
 }
 export function PublicLayout({ children }: PublicLayoutProps) {
  return (
    <div className="min-h-screen bg-gray-50">
      {children}
    </div>
  )
 }
--- a/src/web/src/main.tsx
+++ b/src/web/src/main.tsx
@@ -0,0 +1,10 @@
 import { StrictMode } from 'react'
 import { createRoot } from 'react-dom/client'
 import './index.css'
 import App from './App.tsx'
 createRoot(document.getElementById('root')!).render(
  <StrictMode>
    <App />
  </StrictMode>,
 )
--- a/src/web/src/pages/HomePage.tsx
+++ b/src/web/src/pages/HomePage.tsx
@@ -0,0 +1,8 @@
 export function HomePage() {
  return (
    <div className="p-8">
      <h1 className="text-2xl font-semibold text-gray-900">Dashboard</h1>
      <p className="mt-2 text-gray-600">Bienvenido al SIG-CM2.</p>
    </div>
  )
 }
--- a/src/web/src/router.tsx
+++ b/src/web/src/router.tsx
@@ -0,0 +1,50 @@
 import { Navigate, Route, Routes } from 'react-router-dom'
 import { useAuthStore } from './stores/authStore'
 import { LoginPage } from './features/auth/pages/LoginPage'
 import { HomePage } from './pages/HomePage'
 import { PublicLayout } from './layouts/PublicLayout'
 import { ProtectedLayout } from './layouts/ProtectedLayout'
 function ProtectedRoute({ children }: { children: React.ReactNode }) {
  const user = useAuthStore((s) => s.user)
  if (!user) {
    return <Navigate to="/login" replace />
  }
  return <>{children}</>
 }
 function PublicRoute({ children }: { children: React.ReactNode }) {
  const user = useAuthStore((s) => s.user)
  if (user) {
    return <Navigate to="/" replace />
  }
  return <>{children}</>
 }
 export function AppRoutes() {
  return (
    <Routes>
      <Route
        path="/login"
        element={
          <PublicRoute>
            <PublicLayout>
              <LoginPage />
            </PublicLayout>
          </PublicRoute>
        }
      />
      <Route
        path="/"
        element={
          <ProtectedRoute>
            <ProtectedLayout>
              <HomePage />
            </ProtectedLayout>
          </ProtectedRoute>
        }
      />
      <Route path="*" element={<Navigate to="/" replace />} />
    </Routes>
  )
 }
--- a/src/web/src/stores/authStore.ts
+++ b/src/web/src/stores/authStore.ts
@@ -0,0 +1,53 @@
 import { create } from 'zustand'
 import { persist } from 'zustand/middleware'
 export interface AuthUser {
  id: number
  username: string
  nombre: string
  rol: string
 }
 interface SetAuthPayload {
  user: AuthUser
  accessToken: string
  refreshToken: string
  expiresIn: number
 }
 interface AuthState {
  user: AuthUser | null
  accessToken: string | null
  setAuth: (payload: SetAuthPayload) => void
  logout: () => void
 }
 export const useAuthStore = create<AuthState>()(
  persist(
    (set) => ({
      user: null,
      accessToken: null,
      setAuth: (payload: SetAuthPayload) => {
        set({
          user: payload.user,
          accessToken: payload.accessToken,
        })
      },
      logout: () => {
        set({
          user: null,
          accessToken: null,
        })
      },
    }),
    {
      name: 'auth-storage',
      partialize: (state) => ({
        user: state.user,
        accessToken: state.accessToken,
      }),
    },
  ),
 )
--- a/src/web/src/tests/features/auth/LoginPage.test.tsx
+++ b/src/web/src/tests/features/auth/LoginPage.test.tsx
@@ -0,0 +1,117 @@
 import { describe, it, expect, beforeAll, afterAll, afterEach, vi } from 'vitest'
 import { render, screen, waitFor } from '@testing-library/react'
 import userEvent from '@testing-library/user-event'
 import { http, HttpResponse } from 'msw'
 import { setupServer } from 'msw/node'
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query'
 import { MemoryRouter } from 'react-router-dom'
 import { LoginPage } from '../../../features/auth/pages/LoginPage'
 import { useAuthStore } from '../../../stores/authStore'
 // Must be at top level for Vitest hoisting
 const mockNavigate = vi.fn()
 vi.mock('react-router-dom', async (importOriginal) => {
  const actual = await importOriginal<typeof import('react-router-dom')>()
  return { ...actual, useNavigate: () => mockNavigate }
 })
 const API_URL = 'http://localhost:5000'
 const mockLoginResponse = {
  accessToken: 'eyJhbGciOiJSUzI1NiJ9.payload.sig',
  refreshToken: 'refresh-token-abc',
  expiresIn: 3600,
  usuario: { id: 1, username: 'admin', nombre: 'Admin', rol: 'admin' },
 }
 const server = setupServer(
  http.post(`${API_URL}/api/v1/auth/login`, async ({ request }) => {
    const body = await request.json() as { username: string; password: string }
    if (body.username === 'admin' && body.password === '@Diego550@') {
      return HttpResponse.json(mockLoginResponse, { status: 200 })
    }
    return HttpResponse.json({ error: 'Credenciales inválidas' }, { status: 401 })
  }),
 )
 beforeAll(() => server.listen({ onUnhandledRequest: 'error' }))
 afterEach(() => {
  server.resetHandlers()
  useAuthStore.getState().logout()
  localStorage.clear()
  mockNavigate.mockClear()
 })
 afterAll(() => server.close())
 function renderLoginPage() {
  const queryClient = new QueryClient({
    defaultOptions: { queries: { retry: false }, mutations: { retry: false } },
  })
  return render(
    <QueryClientProvider client={queryClient}>
      <MemoryRouter>
        <LoginPage />
      </MemoryRouter>
    </QueryClientProvider>,
  )
 }
 describe('LoginPage', () => {
  it('renders username and password inputs and submit button', () => {
    renderLoginPage()
    expect(screen.getByLabelText(/usuario/i)).toBeInTheDocument()
    expect(screen.getByLabelText(/contraseña/i)).toBeInTheDocument()
    expect(screen.getByRole('button', { name: /ingresar/i })).toBeInTheDocument()
  })
  it('shows error message on 401 invalid credentials', async () => {
    const user = userEvent.setup()
    renderLoginPage()
    await user.type(screen.getByLabelText(/usuario/i), 'admin')
    await user.type(screen.getByLabelText(/contraseña/i), 'wrongpassword')
    await user.click(screen.getByRole('button', { name: /ingresar/i }))
    await waitFor(() => {
      expect(screen.getByRole('alert')).toHaveTextContent(/credenciales/i)
    })
  })
  it('disables submit button while loading', async () => {
    const user = userEvent.setup()
    renderLoginPage()
    server.use(
      http.post(`${API_URL}/api/v1/auth/login`, async () => {
        await new Promise((resolve) => setTimeout(resolve, 300))
        return HttpResponse.json(mockLoginResponse)
      }),
    )
    await user.type(screen.getByLabelText(/usuario/i), 'admin')
    await user.type(screen.getByLabelText(/contraseña/i), '@Diego550@')
    const button = screen.getByRole('button', { name: /ingresar/i })
    await user.click(button)
    // Button should be disabled during the pending request
    expect(button).toBeDisabled()
  })
  it('saves auth to store on successful login', async () => {
    const user = userEvent.setup()
    renderLoginPage()
    await user.type(screen.getByLabelText(/usuario/i), 'admin')
    await user.type(screen.getByLabelText(/contraseña/i), '@Diego550@')
    await user.click(screen.getByRole('button', { name: /ingresar/i }))
    await waitFor(() => {
      const state = useAuthStore.getState()
      expect(state.accessToken).toBe(mockLoginResponse.accessToken)
      expect(state.user?.username).toBe('admin')
    })
  })
 })
--- a/src/web/src/tests/features/auth/authApi.test.ts
+++ b/src/web/src/tests/features/auth/authApi.test.ts
@@ -0,0 +1,47 @@
 import { describe, it, expect, beforeAll, afterAll, afterEach } from 'vitest'
 import { http, HttpResponse } from 'msw'
 import { setupServer } from 'msw/node'
 import { login } from '../../../features/auth/api/authApi'
 const API_URL = 'http://localhost:5000'
 const mockLoginResponse = {
  accessToken: 'eyJhbGciOiJSUzI1NiJ9.payload.signature',
  refreshToken: 'opaque-refresh-token-abc123',
  expiresIn: 3600,
  usuario: {
    id: 1,
    username: 'admin',
    nombre: 'Admin',
    rol: 'admin',
  },
 }
 const server = setupServer(
  http.post(`${API_URL}/api/v1/auth/login`, async ({ request }) => {
    const body = await request.json() as { username: string; password: string }
    if (body.username === 'admin' && body.password === '@Diego550@') {
      return HttpResponse.json(mockLoginResponse, { status: 200 })
    }
    return HttpResponse.json({ error: 'Credenciales inválidas' }, { status: 401 })
  }),
 )
 beforeAll(() => server.listen({ onUnhandledRequest: 'error' }))
 afterEach(() => server.resetHandlers())
 afterAll(() => server.close())
 describe('login()', () => {
  it('returns auth data on valid credentials', async () => {
    const result = await login('admin', '@Diego550@')
    expect(result.accessToken).toBe(mockLoginResponse.accessToken)
    expect(result.refreshToken).toBe(mockLoginResponse.refreshToken)
    expect(result.expiresIn).toBe(3600)
    expect(result.usuario.username).toBe('admin')
  })
  it('throws on invalid credentials (401)', async () => {
    await expect(login('admin', 'wrongpassword')).rejects.toThrow()
  })
 })
--- a/src/web/src/tests/setup.ts
+++ b/src/web/src/tests/setup.ts
@@ -0,0 +1 @@
 import '@testing-library/jest-dom'
--- a/src/web/src/tests/stores/authStore.test.ts
+++ b/src/web/src/tests/stores/authStore.test.ts
@@ -0,0 +1,89 @@
 import { describe, it, expect, beforeEach } from 'vitest'
 import { useAuthStore } from '../../stores/authStore'
 describe('authStore', () => {
  beforeEach(() => {
    // Reset store state before each test
    useAuthStore.getState().logout()
    localStorage.clear()
  })
  describe('initial state', () => {
    it('starts with null user and null accessToken', () => {
      const state = useAuthStore.getState()
      expect(state.user).toBeNull()
      expect(state.accessToken).toBeNull()
    })
  })
  describe('setAuth', () => {
    it('stores user and accessToken in state', () => {
      const payload = {
        user: { id: 1, username: 'admin', nombre: 'Admin', rol: 'admin' },
        accessToken: 'eyJhbGciOiJSUzI1NiJ9.test.signature',
        refreshToken: 'opaque-refresh-token',
        expiresIn: 3600,
      }
      useAuthStore.getState().setAuth(payload)
      const state = useAuthStore.getState()
      expect(state.user).toEqual(payload.user)
      expect(state.accessToken).toBe(payload.accessToken)
    })
    it('persists auth data to localStorage under auth-storage key', () => {
      const payload = {
        user: { id: 1, username: 'admin', nombre: 'Admin', rol: 'admin' },
        accessToken: 'eyJhbGciOiJSUzI1NiJ9.test.signature',
        refreshToken: 'opaque-refresh-token',
        expiresIn: 3600,
      }
      useAuthStore.getState().setAuth(payload)
      const stored = localStorage.getItem('auth-storage')
      expect(stored).not.toBeNull()
      const parsed = JSON.parse(stored!)
      expect(parsed.state.accessToken).toBe(payload.accessToken)
      expect(parsed.state.user.username).toBe('admin')
    })
  })
  describe('logout', () => {
    it('clears user and accessToken from state', () => {
      // Setup: set auth first
      useAuthStore.getState().setAuth({
        user: { id: 1, username: 'admin', nombre: 'Admin', rol: 'admin' },
        accessToken: 'some-token',
        refreshToken: 'some-refresh',
        expiresIn: 3600,
      })
      useAuthStore.getState().logout()
      const state = useAuthStore.getState()
      expect(state.user).toBeNull()
      expect(state.accessToken).toBeNull()
    })
    it('removes auth-storage from localStorage on logout', () => {
      useAuthStore.getState().setAuth({
        user: { id: 1, username: 'admin', nombre: 'Admin', rol: 'admin' },
        accessToken: 'some-token',
        refreshToken: 'some-refresh',
        expiresIn: 3600,
      })
      useAuthStore.getState().logout()
      const stored = localStorage.getItem('auth-storage')
      // After logout the persisted state should have null user/token
      if (stored !== null) {
        const parsed = JSON.parse(stored)
        expect(parsed.state.user).toBeNull()
        expect(parsed.state.accessToken).toBeNull()
      }
    })
  })
 })
--- a/src/web/tsconfig.app.json
+++ b/src/web/tsconfig.app.json
@@ -0,0 +1,27 @@
 {
  "compilerOptions": {
    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
    "target": "es2023",
    "lib": ["ES2023", "DOM", "DOM.Iterable"],
    "module": "esnext",
    "types": ["vite/client", "vitest/globals"],
    "skipLibCheck": true,
    /* Bundler mode */
    "moduleResolution": "bundler",
    "allowImportingTsExtensions": true,
    "verbatimModuleSyntax": true,
    "moduleDetection": "force",
    "noEmit": true,
    "jsx": "react-jsx",
    /* Strict mode */
    "strict": true,
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "erasableSyntaxOnly": true,
    "noFallthroughCasesInSwitch": true,
    "exactOptionalPropertyTypes": false
  },
  "include": ["src"]
 }
--- a/src/web/tsconfig.json
+++ b/src/web/tsconfig.json
@@ -0,0 +1,7 @@
 {
  "files": [],
  "references": [
    { "path": "./tsconfig.app.json" },
    { "path": "./tsconfig.node.json" }
  ]
 }
--- a/src/web/tsconfig.node.json
+++ b/src/web/tsconfig.node.json
@@ -0,0 +1,24 @@
 {
  "compilerOptions": {
    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.node.tsbuildinfo",
    "target": "es2023",
    "lib": ["ES2023"],
    "module": "esnext",
    "types": ["node"],
    "skipLibCheck": true,
    /* Bundler mode */
    "moduleResolution": "bundler",
    "allowImportingTsExtensions": true,
    "verbatimModuleSyntax": true,
    "moduleDetection": "force",
    "noEmit": true,
    /* Linting */
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "erasableSyntaxOnly": true,
    "noFallthroughCasesInSwitch": true
  },
  "include": ["vite.config.ts"]
 }
--- a/src/web/vite.config.ts
+++ b/src/web/vite.config.ts
@@ -0,0 +1,11 @@
 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
 import tailwindcss from '@tailwindcss/vite'
 // https://vite.dev/config/
 export default defineConfig({
  plugins: [
    react(),
    tailwindcss(),
  ],
 })
--- a/src/web/vitest.config.ts
+++ b/src/web/vitest.config.ts
@@ -0,0 +1,17 @@
 import { defineConfig } from 'vitest/config'
 import react from '@vitejs/plugin-react'
 export default defineConfig({
  plugins: [react()],
  test: {
    environment: 'jsdom',
    globals: true,
    setupFiles: ['./src/tests/setup.ts'],
    coverage: {
      provider: 'v8',
      reporter: ['text', 'json', 'html'],
      include: ['src/**/*.{ts,tsx}'],
      exclude: ['src/**/*.d.ts', 'src/**/*.test.{ts,tsx}', 'src/tests/**'],
    },
  },
 })
--- a/tests/SIGCM2.Api.Tests/Auth/AuthControllerTests.cs
+++ b/tests/SIGCM2.Api.Tests/Auth/AuthControllerTests.cs
@@ -0,0 +1,97 @@
 using System.Net;
 using System.Net.Http.Json;
 using System.Text.Json;
 using SIGCM2.TestSupport;
 namespace SIGCM2.Api.Tests.Auth;
 [Collection("ApiIntegration")]
 public class AuthControllerTests : IClassFixture<TestWebAppFactory>
 {
    private readonly HttpClient _client;
    public AuthControllerTests(TestWebAppFactory factory)
    {
        _client = factory.CreateClient();
    }
    // Scenario: happy path — valid admin credentials return 200 with token shape + usuario
    [Fact]
    public async Task Login_ValidCredentials_Returns200WithTokenShape()
    {
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
        {
            username = "admin",
            password = "@Diego550@"
        });
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
        Assert.True(json.TryGetProperty("accessToken", out var token), "Response missing 'accessToken'");
        Assert.True(json.TryGetProperty("refreshToken", out var refresh), "Response missing 'refreshToken'");
        Assert.True(json.TryGetProperty("expiresIn", out var expires), "Response missing 'expiresIn'");
        Assert.False(string.IsNullOrWhiteSpace(token.GetString()), "'accessToken' must not be empty");
        Assert.False(string.IsNullOrWhiteSpace(refresh.GetString()), "'refreshToken' must not be empty");
        Assert.Equal(3600, expires.GetInt32());
        // Contract: response must include usuario object
        Assert.True(json.TryGetProperty("usuario", out var usuario), "Response missing 'usuario'");
        Assert.True(usuario.TryGetProperty("id", out var id), "usuario missing 'id'");
        Assert.True(usuario.TryGetProperty("nombre", out var nombre), "usuario missing 'nombre'");
        Assert.True(usuario.TryGetProperty("rol", out var rol), "usuario missing 'rol'");
        Assert.True(usuario.TryGetProperty("permisos", out var permisos), "usuario missing 'permisos'");
        Assert.True(id.GetInt32() > 0, "'usuario.id' must be positive");
        Assert.False(string.IsNullOrWhiteSpace(nombre.GetString()), "'usuario.nombre' must not be empty");
        Assert.False(string.IsNullOrWhiteSpace(rol.GetString()), "'usuario.rol' must not be empty");
        Assert.Equal(JsonValueKind.Array, permisos.ValueKind);
    }
    // Scenario: invalid credentials return 401 with opaque error
    [Fact]
    public async Task Login_InvalidCredentials_Returns401()
    {
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
        {
            username = "admin",
            password = "WrongPassword1!"
        });
        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
        Assert.True(json.TryGetProperty("error", out var error));
        Assert.Equal("Credenciales inválidas", error.GetString());
    }
    // Scenario: malformed body (missing password) returns 400
    [Fact]
    public async Task Login_MissingPassword_Returns400()
    {
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
        {
            username = "admin"
            // password intentionally missing — JSON serializes as no field
        });
        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
        Assert.True(json.TryGetProperty("errors", out var errors), "Response missing 'errors'");
    }
    // Triangulation: empty username returns 400
    [Fact]
    public async Task Login_EmptyUsername_Returns400()
    {
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
        {
            username = "",
            password = "@Diego550@"
        });
        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
    }
 }
--- a/tests/SIGCM2.Api.Tests/SIGCM2.Api.Tests.csproj
+++ b/tests/SIGCM2.Api.Tests/SIGCM2.Api.Tests.csproj
@@ -0,0 +1,32 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <IsPackable>false</IsPackable>
    <RootNamespace>SIGCM2.Api.Tests</RootNamespace>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="coverlet.collector" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" />
    <PackageReference Include="xunit" />
    <PackageReference Include="xunit.runner.visualstudio" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" />
    <PackageReference Include="NSubstitute" />
    <PackageReference Include="FluentAssertions" />
    <PackageReference Include="Respawn" />
    <PackageReference Include="Microsoft.Data.SqlClient" />
  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\..\src\api\SIGCM2.Api\SIGCM2.Api.csproj" />
    <ProjectReference Include="..\SIGCM2.TestSupport\SIGCM2.TestSupport.csproj" />
  </ItemGroup>
  <ItemGroup>
    <Using Include="Xunit" />
  </ItemGroup>
 </Project>
--- a/tests/SIGCM2.Application.Tests/Auth/Login/LoginCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Auth/Login/LoginCommandHandlerTests.cs
@@ -0,0 +1,103 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
 using SIGCM2.Application.Auth.Login;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
 namespace SIGCM2.Application.Tests.Auth.Login;
 public class LoginCommandHandlerTests
 {
    private readonly IUsuarioRepository _repository = Substitute.For<IUsuarioRepository>();
    private readonly IPasswordHasher _hasher = Substitute.For<IPasswordHasher>();
    private readonly IJwtService _jwtService = Substitute.For<IJwtService>();
    private readonly LoginCommandHandler _handler;
    public LoginCommandHandlerTests()
    {
        _handler = new LoginCommandHandler(_repository, _hasher, _jwtService);
    }
    // Scenario: valid credentials → returns token response with usuario populated
    [Fact]
    public async Task Handle_ValidCredentials_ReturnsTokenResponse()
    {
        var usuario = new Usuario(1, "admin", "$2a$12$hash", "Admin", "Sys", null, "admin", "[\"*\"]", true);
        _repository.GetByUsernameAsync("admin").Returns(usuario);
        _hasher.Verify("@Diego550@", "$2a$12$hash").Returns(true);
        _jwtService.GenerateAccessToken(usuario).Returns("jwt.token.here");
        var command = new LoginCommand("admin", "@Diego550@");
        var result = await _handler.Handle(command);
        Assert.Equal("jwt.token.here", result.AccessToken);
        Assert.False(string.IsNullOrWhiteSpace(result.RefreshToken));
        Assert.Equal(3600, result.ExpiresIn);
        // Contract: Usuario must be populated
        Assert.NotNull(result.Usuario);
        Assert.Equal(1, result.Usuario.Id);
        Assert.Equal("Admin Sys", result.Usuario.Nombre);
        Assert.Equal("admin", result.Usuario.Rol);
        Assert.NotNull(result.Usuario.Permisos);
        Assert.Contains("*", result.Usuario.Permisos);
    }
    // Triangulation: Usuario object maps id/nombre/rol/permisos from authenticated user
    [Fact]
    public async Task Handle_ValidCredentials_UsuarioMatchesAuthenticatedUser()
    {
        var usuario = new Usuario(42, "cajero1", "$2a$12$hash3", "María", "González", null, "Cajero",
            "[\"ventas:contado:create\",\"ventas:contado:read\"]", true);
        _repository.GetByUsernameAsync("cajero1").Returns(usuario);
        _hasher.Verify("pass123", "$2a$12$hash3").Returns(true);
        _jwtService.GenerateAccessToken(usuario).Returns("jwt.cajero.token");
        var command = new LoginCommand("cajero1", "pass123");
        var result = await _handler.Handle(command);
        Assert.Equal(42, result.Usuario.Id);
        Assert.Equal("María González", result.Usuario.Nombre);
        Assert.Equal("Cajero", result.Usuario.Rol);
        Assert.Equal(2, result.Usuario.Permisos.Length);
        Assert.Contains("ventas:contado:create", result.Usuario.Permisos);
        Assert.Contains("ventas:contado:read", result.Usuario.Permisos);
    }
    // Scenario: user does not exist → throws InvalidCredentialsException
    [Fact]
    public async Task Handle_UserNotFound_ThrowsInvalidCredentialsException()
    {
        _repository.GetByUsernameAsync("noexiste").Returns((Usuario?)null);
        var command = new LoginCommand("noexiste", "anything");
        await Assert.ThrowsAsync<InvalidCredentialsException>(() => _handler.Handle(command));
    }
    // Scenario: user is inactive → throws InvalidCredentialsException
    [Fact]
    public async Task Handle_InactiveUser_ThrowsInvalidCredentialsException()
    {
        var inactive = new Usuario(2, "operador", "$2a$12$hash2", "Juan", "Pérez", null, "vendedor", "[]", false);
        _repository.GetByUsernameAsync("operador").Returns(inactive);
        var command = new LoginCommand("operador", "correctpassword");
        await Assert.ThrowsAsync<InvalidCredentialsException>(() => _handler.Handle(command));
    }
    // Scenario: wrong password → throws InvalidCredentialsException
    [Fact]
    public async Task Handle_WrongPassword_ThrowsInvalidCredentialsException()
    {
        var usuario = new Usuario(1, "admin", "$2a$12$hash", "Admin", "Sys", null, "admin", "[\"*\"]", true);
        _repository.GetByUsernameAsync("admin").Returns(usuario);
        _hasher.Verify("WrongPass1", "$2a$12$hash").Returns(false);
        var command = new LoginCommand("admin", "WrongPass1");
        await Assert.ThrowsAsync<InvalidCredentialsException>(() => _handler.Handle(command));
    }
 }
--- a/tests/SIGCM2.Application.Tests/Auth/Login/LoginCommandValidatorTests.cs
+++ b/tests/SIGCM2.Application.Tests/Auth/Login/LoginCommandValidatorTests.cs
@@ -0,0 +1,55 @@
 using FluentValidation.TestHelper;
 using SIGCM2.Application.Auth.Login;
 namespace SIGCM2.Application.Tests.Auth.Login;
 public class LoginCommandValidatorTests
 {
    private readonly LoginCommandValidator _validator = new();
    // Happy path: valid command passes validation
    [Fact]
    public void Validate_ValidCommand_ShouldHaveNoErrors()
    {
        var command = new LoginCommand("admin", "@Diego550@");
        var result = _validator.TestValidate(command);
        result.ShouldNotHaveAnyValidationErrors();
    }
    // Scenario: empty username → validation error referencing Username
    [Fact]
    public void Validate_EmptyUsername_ShouldHaveErrorForUsername()
    {
        var command = new LoginCommand("", "@Diego550@");
        var result = _validator.TestValidate(command);
        result.ShouldHaveValidationErrorFor(c => c.Username);
    }
    // Triangulation: whitespace-only username
    [Fact]
    public void Validate_WhitespaceUsername_ShouldHaveErrorForUsername()
    {
        var command = new LoginCommand("   ", "@Diego550@");
        var result = _validator.TestValidate(command);
        result.ShouldHaveValidationErrorFor(c => c.Username);
    }
    // Scenario: missing password → validation error referencing Password
    [Fact]
    public void Validate_EmptyPassword_ShouldHaveErrorForPassword()
    {
        var command = new LoginCommand("admin", "");
        var result = _validator.TestValidate(command);
        result.ShouldHaveValidationErrorFor(c => c.Password);
    }
    // Triangulation: null-equivalent (empty string is how records serialize missing fields)
    [Fact]
    public void Validate_BothEmpty_ShouldHaveErrorsForBothFields()
    {
        var command = new LoginCommand("", "");
        var result = _validator.TestValidate(command);
        result.ShouldHaveValidationErrorFor(c => c.Username);
        result.ShouldHaveValidationErrorFor(c => c.Password);
    }
 }
--- a/tests/SIGCM2.Application.Tests/Domain/UsuarioTests.cs
+++ b/tests/SIGCM2.Application.Tests/Domain/UsuarioTests.cs
@@ -0,0 +1,72 @@
 using SIGCM2.Domain.Entities;
 namespace SIGCM2.Application.Tests.Domain;
 public class UsuarioTests
 {
    // Happy path: constructor sets all properties correctly
    [Fact]
    public void Constructor_SetsAllProperties()
    {
        var usuario = new Usuario(
            id: 1,
            username: "admin",
            passwordHash: "$2a$12$hash",
            nombre: "Administrador",
            apellido: "Sistema",
            email: null,
            rol: "admin",
            permisosJson: "[\"*\"]",
            activo: true
        );
        Assert.Equal(1, usuario.Id);
        Assert.Equal("admin", usuario.Username);
        Assert.Equal("$2a$12$hash", usuario.PasswordHash);
        Assert.Equal("Administrador", usuario.Nombre);
        Assert.Equal("Sistema", usuario.Apellido);
        Assert.Null(usuario.Email);
        Assert.Equal("admin", usuario.Rol);
        Assert.Equal("[\"*\"]", usuario.PermisosJson);
        Assert.True(usuario.Activo);
    }
    // Triangulation: inactive user
    [Fact]
    public void Constructor_WithActivo_False_SetsActivo_False()
    {
        var usuario = new Usuario(
            id: 2,
            username: "vendedor",
            passwordHash: "$2a$12$hash2",
            nombre: "Juan",
            apellido: "Pérez",
            email: "juan@example.com",
            rol: "vendedor",
            permisosJson: "[]",
            activo: false
        );
        Assert.Equal(2, usuario.Id);
        Assert.Equal("vendedor", usuario.Username);
        Assert.Equal("juan@example.com", usuario.Email);
        Assert.Equal("vendedor", usuario.Rol);
        Assert.Equal("[]", usuario.PermisosJson);
        Assert.False(usuario.Activo);
    }
    // Activo property reflects the actual state
    [Fact]
    public void Activo_IsTrue_WhenConstructedActive()
    {
        var usuario = new Usuario(1, "admin", "$2a$12$hash", "Admin", "Sys", null, "admin", "[\"*\"]", true);
        Assert.True(usuario.Activo);
    }
    [Fact]
    public void Activo_IsFalse_WhenConstructedInactive()
    {
        var usuario = new Usuario(2, "inactive", "$2a$12$hash", "Old", "User", null, "consulta", "[]", false);
        Assert.False(usuario.Activo);
    }
 }
--- a/tests/SIGCM2.Application.Tests/Infrastructure/BcryptPasswordHasherTests.cs
+++ b/tests/SIGCM2.Application.Tests/Infrastructure/BcryptPasswordHasherTests.cs
@@ -0,0 +1,46 @@
 using SIGCM2.Infrastructure.Security;
 namespace SIGCM2.Application.Tests.Infrastructure;
 public class BcryptPasswordHasherTests
 {
    private readonly BcryptPasswordHasher _hasher = new();
    // The seed hash for '@Diego550@' generated at cost 12
    private const string SeedHash = "$2a$12$rmq6tlSAQ8WXhR2CwLCSeuwCJKz/.8Eab95UQCUNfwe4dokeOqMcW";
    // Scenario: correct password verifies against seed hash
    [Fact]
    public void Verify_CorrectPassword_ReturnsTrue()
    {
        var result = _hasher.Verify("@Diego550@", SeedHash);
        Assert.True(result);
    }
    // Triangulation: wrong password does not verify
    [Fact]
    public void Verify_WrongPassword_ReturnsFalse()
    {
        var result = _hasher.Verify("WrongPass1", SeedHash);
        Assert.False(result);
    }
    // Hash + Verify round-trip: hash a new password and verify it
    [Fact]
    public void Hash_ThenVerify_ReturnsTrue()
    {
        var plain = "TestPassword123!";
        var hash = _hasher.Hash(plain);
        Assert.StartsWith("$2a$", hash); // BCrypt format
        Assert.True(_hasher.Verify(plain, hash));
    }
    // Triangulation: verification of different password against generated hash fails
    [Fact]
    public void Hash_ThenVerifyWrong_ReturnsFalse()
    {
        var hash = _hasher.Hash("OriginalPassword1!");
        Assert.False(_hasher.Verify("DifferentPassword1!", hash));
    }
 }
--- a/tests/SIGCM2.Application.Tests/Infrastructure/JwtServiceTests.cs
+++ b/tests/SIGCM2.Application.Tests/Infrastructure/JwtServiceTests.cs
@@ -0,0 +1,127 @@
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Cryptography;
 using Microsoft.IdentityModel.Tokens;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Infrastructure.Security;
 namespace SIGCM2.Application.Tests.Infrastructure;
 public class JwtServiceTests : IDisposable
 {
    private readonly RSA _rsa;
    private readonly JwtOptions _options;
    private readonly JwtService _jwtService;
    public JwtServiceTests()
    {
        // Generate a test RSA key pair inline (no files needed for unit tests)
        _rsa = RSA.Create(2048);
        _options = new JwtOptions
        {
            Issuer = "sigcm2.api",
            Audience = "sigcm2.web",
            AccessTokenMinutes = 60
        };
        _jwtService = new JwtService(_rsa, _options);
    }
    public void Dispose() => _rsa.Dispose();
    // Scenario: generated token uses RS256 algorithm
    [Fact]
    public void GenerateAccessToken_UsesRS256Algorithm()
    {
        var usuario = MakeUsuario();
        var token = _jwtService.GenerateAccessToken(usuario);
        var handler = new JwtSecurityTokenHandler();
        var parsed = handler.ReadJwtToken(token);
        Assert.Equal("RS256", parsed.Header.Alg);
    }
    // Scenario: claims contain expected values
    [Fact]
    public void GenerateAccessToken_ContainsExpectedClaims()
    {
        var usuario = MakeUsuario();
        var token = _jwtService.GenerateAccessToken(usuario);
        var handler = new JwtSecurityTokenHandler();
        var parsed = handler.ReadJwtToken(token);
        Assert.Equal("1", parsed.Subject);                          // sub = user ID
        Assert.Equal("sigcm2.api", parsed.Issuer);                 // iss
        Assert.Contains("sigcm2.web", parsed.Audiences);           // aud
        Assert.Contains(parsed.Claims, c => c.Type == "name" && c.Value == "admin");
        Assert.Contains(parsed.Claims, c => c.Type == "rol" && c.Value == "admin");
    }
    // Scenario: token is verifiable with the public key
    [Fact]
    public void GenerateAccessToken_IsVerifiableWithPublicKey()
    {
        var usuario = MakeUsuario();
        var token = _jwtService.GenerateAccessToken(usuario);
        var publicKey = RSA.Create();
        publicKey.ImportRSAPublicKey(_rsa.ExportRSAPublicKey(), out _);
        var validationParams = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new RsaSecurityKey(publicKey),
            ValidIssuer = "sigcm2.api",
            ValidAudience = "sigcm2.web",
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero
        };
        var handler = new JwtSecurityTokenHandler();
        var principal = handler.ValidateToken(token, validationParams, out var validatedToken);
        Assert.NotNull(principal);
        Assert.IsType<JwtSecurityToken>(validatedToken);
    }
    // Scenario: expiry is 60 minutes from now
    [Fact]
    public void GenerateAccessToken_ExpiryIs60MinutesFromNow()
    {
        var usuario = MakeUsuario();
        var before = DateTime.UtcNow;
        var token = _jwtService.GenerateAccessToken(usuario);
        var after = DateTime.UtcNow;
        var handler = new JwtSecurityTokenHandler();
        var parsed = handler.ReadJwtToken(token);
        var expectedMinExpiry = before.AddMinutes(59).AddSeconds(55);
        var expectedMaxExpiry = after.AddMinutes(60).AddSeconds(5);
        Assert.True(parsed.ValidTo >= expectedMinExpiry, $"exp {parsed.ValidTo} < expected min {expectedMinExpiry}");
        Assert.True(parsed.ValidTo <= expectedMaxExpiry, $"exp {parsed.ValidTo} > expected max {expectedMaxExpiry}");
    }
    // Triangulation: different user produces token with different sub claim
    [Fact]
    public void GenerateAccessToken_DifferentUser_DifferentSubClaim()
    {
        var user1 = MakeUsuario(id: 1, username: "admin");
        var user2 = MakeUsuario(id: 2, username: "vendedor");
        var token1 = _jwtService.GenerateAccessToken(user1);
        var token2 = _jwtService.GenerateAccessToken(user2);
        var handler = new JwtSecurityTokenHandler();
        var parsed1 = handler.ReadJwtToken(token1);
        var parsed2 = handler.ReadJwtToken(token2);
        Assert.NotEqual(parsed1.Subject, parsed2.Subject);
        Assert.Equal("1", parsed1.Subject);
        Assert.Equal("2", parsed2.Subject);
    }
    private static Usuario MakeUsuario(int id = 1, string username = "admin")
        => new(id, username, "$2a$12$hash", "Administrador", "Sistema", null, "admin", "[\"*\"]", true);
 }
--- a/tests/SIGCM2.Application.Tests/Integration/UsuarioRepositoryTests.cs
+++ b/tests/SIGCM2.Application.Tests/Integration/UsuarioRepositoryTests.cs
@@ -0,0 +1,102 @@
 using Microsoft.Data.SqlClient;
 using Respawn;
 using SIGCM2.Infrastructure.Persistence;
 namespace SIGCM2.Application.Tests.Integration;
 [Collection("Database")]
 public class UsuarioRepositoryTests : IAsyncLifetime
 {
    private const string ConnectionString =
        "Server=TECNICA3;Database=SIGCM2_Test;User Id=desarrollo;Password=desarrollo2026;TrustServerCertificate=True;";
    private SqlConnection _connection = null!;
    private Respawner _respawner = null!;
    private UsuarioRepository _repository = null!;
    public async Task InitializeAsync()
    {
        _connection = new SqlConnection(ConnectionString);
        await _connection.OpenAsync();
        _respawner = await Respawner.CreateAsync(_connection, new RespawnerOptions
        {
            DbAdapter = DbAdapter.SqlServer
        });
        // Reset DB and seed admin user for each test class run
        await _respawner.ResetAsync(_connection);
        await SeedAdminAsync();
        var factory = new SqlConnectionFactory(ConnectionString);
        _repository = new UsuarioRepository(factory);
    }
    public async Task DisposeAsync()
    {
        await _respawner.ResetAsync(_connection);
        await _connection.CloseAsync();
        await _connection.DisposeAsync();
    }
    // Scenario: GetByUsername returns correct entity when user exists
    [Fact]
    public async Task GetByUsernameAsync_ExistingUser_ReturnsUsuario()
    {
        var usuario = await _repository.GetByUsernameAsync("admin");
        Assert.NotNull(usuario);
        Assert.Equal("admin", usuario.Username);
        Assert.Equal("admin", usuario.Rol);
        Assert.True(usuario.Activo);
        Assert.False(string.IsNullOrWhiteSpace(usuario.PasswordHash));
    }
    // Triangulation: GetByUsername returns null when user does not exist
    [Fact]
    public async Task GetByUsernameAsync_NonExistentUser_ReturnsNull()
    {
        var usuario = await _repository.GetByUsernameAsync("noexiste");
        Assert.Null(usuario);
    }
    // Triangulation: case-sensitive username lookup (SQL Server UNIQUE constraint is case-insensitive by default)
    [Fact]
    public async Task GetByUsernameAsync_DifferentUser_ReturnsCorrectUser()
    {
        // Insert a second user
        await _connection.ExecuteAsync(
            "INSERT INTO dbo.Usuario (Username, PasswordHash, Nombre, Apellido, Rol, PermisosJson) " +
            "VALUES ('vendedor1', '$2a$12$hash2', 'Juan', 'Pérez', 'vendedor', '[]')");
        var admin = await _repository.GetByUsernameAsync("admin");
        var vendedor = await _repository.GetByUsernameAsync("vendedor1");
        Assert.NotNull(admin);
        Assert.NotNull(vendedor);
        Assert.NotEqual(admin.Id, vendedor.Id);
        Assert.Equal("admin", admin.Rol);
        Assert.Equal("vendedor", vendedor.Rol);
    }
    private async Task SeedAdminAsync()
    {
        await _connection.ExecuteAsync(
            "SET QUOTED_IDENTIFIER ON; " +
            "IF NOT EXISTS (SELECT 1 FROM dbo.Usuario WHERE Username = 'admin') " +
            "INSERT INTO dbo.Usuario (Username, PasswordHash, Nombre, Apellido, Rol, PermisosJson, Activo) " +
            "VALUES ('admin', '$2a$12$rmq6tlSAQ8WXhR2CwLCSeuwCJKz/.8Eab95UQCUNfwe4dokeOqMcW', " +
            "'Administrador', 'Sistema', 'admin', '[\"*\"]', 1)");
    }
 }
 // Dapper extension helper for IDbConnection
 file static class DapperHelper
 {
    public static async Task ExecuteAsync(this SqlConnection conn, string sql)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = sql;
        await cmd.ExecuteNonQueryAsync();
    }
 }
--- a/tests/SIGCM2.Application.Tests/SIGCM2.Application.Tests.csproj
+++ b/tests/SIGCM2.Application.Tests/SIGCM2.Application.Tests.csproj
@@ -0,0 +1,32 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <IsPackable>false</IsPackable>
    <RootNamespace>SIGCM2.Application.Tests</RootNamespace>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="coverlet.collector" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" />
    <PackageReference Include="xunit" />
    <PackageReference Include="xunit.runner.visualstudio" />
    <PackageReference Include="NSubstitute" />
    <PackageReference Include="FluentAssertions" />
    <PackageReference Include="Respawn" />
    <PackageReference Include="Microsoft.Data.SqlClient" />
  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\..\src\api\SIGCM2.Application\SIGCM2.Application.csproj" />
    <ProjectReference Include="..\..\src\api\SIGCM2.Infrastructure\SIGCM2.Infrastructure.csproj" />
    <ProjectReference Include="..\..\src\api\SIGCM2.Domain\SIGCM2.Domain.csproj" />
  </ItemGroup>
  <ItemGroup>
    <Using Include="Xunit" />
  </ItemGroup>
 </Project>
--- a/tests/SIGCM2.TestSupport/SIGCM2.TestSupport.csproj
+++ b/tests/SIGCM2.TestSupport/SIGCM2.TestSupport.csproj
@@ -0,0 +1,25 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <IsPackable>false</IsPackable>
    <RootNamespace>SIGCM2.TestSupport</RootNamespace>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" />
    <PackageReference Include="Respawn" />
    <PackageReference Include="Microsoft.Data.SqlClient" />
    <PackageReference Include="xunit" />
    <PackageReference Include="Dapper" />
  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\..\src\api\SIGCM2.Api\SIGCM2.Api.csproj" />
    <ProjectReference Include="..\..\src\api\SIGCM2.Infrastructure\SIGCM2.Infrastructure.csproj" />
  </ItemGroup>
 </Project>
--- a/tests/SIGCM2.TestSupport/SqlTestFixture.cs
+++ b/tests/SIGCM2.TestSupport/SqlTestFixture.cs
@@ -0,0 +1,66 @@
 using Dapper;
 using Microsoft.Data.SqlClient;
 using Respawn;
 using Xunit;
 namespace SIGCM2.TestSupport;
 /// <summary>
 /// Manages a real SQL Server test database.
 /// Resets state between test runs using Respawn.
 /// Seeds the admin user after each reset.
 /// </summary>
 public sealed class SqlTestFixture : IAsyncLifetime
 {
    private readonly string _connectionString;
    private SqlConnection _connection = null!;
    private Respawner _respawner = null!;
    public SqlTestFixture(string connectionString)
    {
        _connectionString = connectionString;
    }
    public async Task InitializeAsync()
    {
        _connection = new SqlConnection(_connectionString);
        await _connection.OpenAsync();
        _respawner = await Respawner.CreateAsync(_connection, new RespawnerOptions
        {
            DbAdapter = DbAdapter.SqlServer
        });
        await ResetAndSeedAsync();
    }
    public async Task ResetAndSeedAsync()
    {
        await _respawner.ResetAsync(_connection);
        await SeedAdminAsync();
    }
    public async Task DisposeAsync()
    {
        if (_connection is not null)
        {
            await _connection.CloseAsync();
            await _connection.DisposeAsync();
        }
    }
    private async Task SeedAdminAsync()
    {
        const string sql = """
            SET QUOTED_IDENTIFIER ON;
            IF NOT EXISTS (SELECT 1 FROM dbo.Usuario WHERE Username = 'admin')
            INSERT INTO dbo.Usuario (Username, PasswordHash, Nombre, Apellido, Rol, PermisosJson, Activo)
            VALUES (
                'admin',
                '$2a$12$rmq6tlSAQ8WXhR2CwLCSeuwCJKz/.8Eab95UQCUNfwe4dokeOqMcW',
                'Administrador', 'Sistema', 'admin', '["*"]', 1
            );
            """;
        await _connection.ExecuteAsync(sql);
    }
 }
--- a/tests/SIGCM2.TestSupport/TestWebAppFactory.cs
+++ b/tests/SIGCM2.TestSupport/TestWebAppFactory.cs
@@ -0,0 +1,94 @@
 using System.Security.Cryptography;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using SIGCM2.Application.Abstractions.Security;
 using SIGCM2.Infrastructure.Security;
 using Xunit;
 namespace SIGCM2.TestSupport;
 /// <summary>
 /// WebApplicationFactory for integration tests against SIGCM2.Api.
 /// Uses SIGCM2_Test database (separate from production SIGCM2).
 /// </summary>
 public sealed class TestWebAppFactory : WebApplicationFactory<Program>, IAsyncLifetime
 {
    private const string TestConnectionString =
        "Server=TECNICA3;Database=SIGCM2_Test;User Id=desarrollo;Password=desarrollo2026;TrustServerCertificate=True;";
    // Resolved once — absolute paths independent of working directory
    private static readonly string RepoRoot = ResolveRepoRoot();
    private static readonly string PrivateKeyPath = Path.Combine(RepoRoot, "src", "api", "SIGCM2.Api", "keys", "private.pem");
    private static readonly string PublicKeyPath  = Path.Combine(RepoRoot, "src", "api", "SIGCM2.Api", "keys", "public.pem");
    private readonly SqlTestFixture _dbFixture = new(TestConnectionString);
    protected override void ConfigureWebHost(IWebHostBuilder builder)
    {
        // Step 1: Override configuration BEFORE services are built
        builder.ConfigureAppConfiguration((ctx, config) =>
        {
            // Clear all existing sources and rebuild with test values
            // This ensures our paths win over appsettings.json
            config.AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["ConnectionStrings:SqlServer"]  = TestConnectionString,
                ["Jwt:Issuer"]                   = "sigcm2.api",
                ["Jwt:Audience"]                 = "sigcm2.web",
                ["Jwt:AccessTokenMinutes"]        = "60",
                ["Jwt:PrivateKeyPath"]            = PrivateKeyPath,
                ["Jwt:PublicKeyPath"]             = PublicKeyPath,
                ["Jwt:PrivateKey"]                = null,
                ["Jwt:PublicKey"]                 = null,
                ["Cors:AllowedOrigins:0"]         = "http://localhost:5173",
                ["Serilog:MinimumLevel:Default"]  = "Warning",
            });
        });
        builder.UseEnvironment("Testing");
    }
    public async Task InitializeAsync()
    {
        await _dbFixture.InitializeAsync();
    }
    public new async Task DisposeAsync()
    {
        await _dbFixture.DisposeAsync();
        await base.DisposeAsync();
    }
    private static string ResolveRepoRoot()
    {
        // Walk up from AppContext.BaseDirectory looking for SIGCM2.slnx
        var dir = new DirectoryInfo(AppContext.BaseDirectory);
        while (dir is not null)
        {
            if (dir.GetFiles("SIGCM2.slnx").Length > 0)
                return dir.FullName;
            dir = dir.Parent;
        }
        // Walk up from assembly location
        var assemblyLocation = typeof(TestWebAppFactory).Assembly.Location;
        dir = new DirectoryInfo(Path.GetDirectoryName(assemblyLocation)!);
        while (dir is not null)
        {
            if (dir.GetFiles("SIGCM2.slnx").Length > 0)
                return dir.FullName;
            dir = dir.Parent;
        }
        // Known absolute path (last resort for this machine)
        const string knownPath = @"E:\SIG-CM2.0";
        if (Directory.Exists(knownPath) && File.Exists(Path.Combine(knownPath, "SIGCM2.slnx")))
            return knownPath;
        throw new InvalidOperationException(
            $"Could not find repo root containing SIGCM2.slnx. " +
            $"AppContext.BaseDirectory: {AppContext.BaseDirectory}");
    }
 }
		`@@ -0,0 +1,3 @@`
							`namespace SIGCM2.Application.Auth.Login;`

							`public sealed record LoginCommand(string Username, string Password);`
		`@@ -0,0 +1 @@`
							<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="35.93" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 228"><path fill="#00D8FF" d="M210.483 73.824a171.49 171.49 0 0 0-8.24-2.597c.465-1.9.893-3.777 1.273-5.621c6.238-30.281 2.16-54.676-11.769-62.708c-13.355-7.7-35.196.329-57.254 19.526a171.23 171.23 0 0 0-6.375 5.848a155.866 155.866 0 0 0-4.241-3.917C100.759 3.829 77.587-4.822 63.673 3.233C50.33 10.957 46.379 33.89 51.995 62.588a170.974 170.974 0 0 0 1.892 8.48c-3.28.932-6.445 1.924-9.474 2.98C17.309 83.498 0 98.307 0 113.668c0 15.865 18.582 31.778 46.812 41.427a145.52 145.52 0 0 0 6.921 2.165a167.467 167.467 0 0 0-2.01 9.138c-5.354 28.2-1.173 50.591 12.134 58.266c13.744 7.926 36.812-.22 59.273-19.855a145.567 145.567 0 0 0 5.342-4.923a168.064 168.064 0 0 0 6.92 6.314c21.758 18.722 43.246 26.282 56.54 18.586c13.731-7.949 18.194-32.003 12.4-61.268a145.016 145.016 0 0 0-1.535-6.842c1.62-.48 3.21-.974 4.76-1.488c29.348-9.723 48.443-25.443 48.443-41.52c0-15.417-17.868-30.326-45.517-39.844Zm-6.365 70.984c-1.4.463-2.836.91-4.3 1.345c-3.24-10.257-7.612-21.163-12.963-32.432c5.106-11 9.31-21.767 12.459-31.957c2.619.758 5.16 1.557 7.61 2.4c23.69 8.156 38.14 20.213 38.14 29.504c0 9.896-15.606 22.743-40.946 31.14Zm-10.514 20.834c2.562 12.94 2.927 24.64 1.23 33.787c-1.524 8.219-4.59 13.698-8.382 15.893c-8.067 4.67-25.32-1.4-43.927-17.412a156.726 156.726 0 0 1-6.437-5.87c7.214-7.889 14.423-17.06 21.459-27.246c12.376-1.098 24.068-2.894 34.671-5.345a134.17 134.17 0 0 1 1.386 6.193ZM87.276 214.515c-7.882 2.783-14.16 2.863-17.955.675c-8.075-4.657-11.432-22.636-6.853-46.752a156.923 156.923 0 0 1 1.869-8.499c10.486 2.32 22.093 3.988 34.498 4.994c7.084 9.967 14.501 19.128 21.976 27.15a134.668 134.668 0 0 1-4.877 4.492c-9.933 8.682-19.886 14.842-28.658 17.94ZM50.35 144.747c-12.483-4.267-22.792-9.812-29.858-15.863c-6.35-5.437-9.555-10.836-9.555-15.216c0-9.322 13.897-21.212 37.076-29.293c2.813-.98 5.757-1.905 8.812-2.773c3.204 10.42 7.406 21.315 12.477 32.332c-5.137 11.18-9.399 22.249-12.634 32.792a134.718 134.718 0 0 1-6.318-1.979Zm12.378-84.26c-4.811-24.587-1.616-43.134 6.425-47.789c8.564-4.958 27.502 2.111 47.463 19.835a144.318 144.318 0 0 1 3.841 3.545c-7.438 7.987-14.787 17.08-21.808 26.988c-12.04 1.116-23.565 2.908-34.161 5.309a160.342 160.342 0 0 1-1.76-7.887Zm110.427 27.268a347.8 347.8 0 0 0-7.785-12.803c8.168 1.033 15.994 2.404 23.343 4.08c-2.206 7.072-4.956 14.465-8.193 22.045a381.151 381.151 0 0 0-7.365-13.322Zm-45.032-43.861c5.044 5.465 10.096 11.566 15.065 18.186a322.04 322.04 0 0 0-30.257-.006c4.974-6.559 10.069-12.652 15.192-18.18ZM82.802 87.83a323.167 323.167 0 0 0-7.227 13.238c-3.184-7.553-5.909-14.98-8.134-22.152c7.304-1.634 15.093-2.97 23.209-3.984a321.524 321.524 0 0 0-7.848 12.897Zm8.081 65.352c-8.385-.936-16.291-2.203-23.593-3.793c2.26-7.3 5.045-14.885 8.298-22.6a321.187 321.187 0 0 0 7.257 13.246c2.594 4.48 5.28 8.868 8.038 13.147Zm37.542 31.03c-5.184-5.592-10.354-11.779-15.403-18.433c4.902.192 9.899.29 14.978.29c5.218 0 10.376-.117 15.453-.343c-4.985 6.774-10.018 12.97-15.028 18.486Zm52.198-57.817c3.422 7.8 6.306 15.345 8.596 22.52c-7.422 1.694-15.436 3.058-23.88 4.071a382.417 382.417 0 0 0 7.859-13.026a347.403 347.403 0 0 0 7.425-13.565Zm-16.898 8.101a358.557 358.557 0 0 1-12.281 19.815a329.4 329.4 0 0 1-23.444.823c-7.967 0-15.716-.248-23.178-.732a310.202 310.202 0 0 1-12.513-19.846h.001a307.41 307.41 0 0 1-10.923-20.627a310.278 310.278 0 0 1 10.89-20.637l-.001.001a307.318 307.318 0 0 1 12.413-19.761c7.613-.576 15.42-.876 23.31-.876H128c7.926 0 15.743.303 23.354.883a329.357 329.357 0 0 1 12.335 19.695a358.489 358.489 0 0 1 11.036 20.54a329.472 329.472 0 0 1-11 20.722Zm22.56-122.124c8.572 4.944 11.906 24.881 6.52 51.026c-.344 1.668-.73 3.367-1.15 5.09c-10.622-2.452-22.155-4.275-34.23-5.408c-7.034-10.017-14.323-19.124-21.64-27.008a160.789 160.789 0 0 1 5.888-5.4c18.9-16.447 36.564-22.941 44.612-18.3ZM128 90.808c12.625 0 22.86 10.235 22.86 22.86s-10.235 22.86-22.86 22.86s-22.86-10.235-22.86-22.86s10.235-22.86 22.86-22.86Z"></path></svg>