feat: disable user registration via DISABLE_REGISTRATION env var

- Add DISABLE_REGISTRATION setting (default False) in app/config.py
- Return 403 when registration is disabled in POST /auth/register
- Add test_register_disabled test

app/config.py

@@ -33,6 +33,7 @@ class Settings(BaseSettings):
     LOG_LEVEL: str = "INFO"
     INITIAL_ADMIN_USERNAME: str  # Required: admin user to auto-create
     INITIAL_ADMIN_PASSWORD: str  # Required: password for auto-created admin
+    DISABLE_REGISTRATION: bool = False
 
     @property
     def resolved_database_url(self) -> str:

app/routers/auth.py

@@ -69,6 +69,9 @@ async def get_current_agent(request: Request, db: AsyncSession) -> Agent:
 
 @router.post("/register", response_model=AgentResponse, status_code=201)
 async def register(payload: AgentCreate, db: AsyncSession = Depends(get_db)):
+    if settings.DISABLE_REGISTRATION:
+        raise HTTPException(status_code=403, detail="Registration is disabled")
+
     existing = await auth_service.get_agent_by_username(db, payload.username)
     if existing:
         raise HTTPException(status_code=400, detail="Username already exists")

tests/test_auth.py

@@ -68,3 +68,16 @@ async def test_me(client):
 async def test_me_unauthorized(client):
     response = await client.get("/api/v1/auth/me")
     assert response.status_code == 401
+
+
+@pytest.mark.asyncio
+async def test_register_disabled(client, monkeypatch):
+    from app.config import settings
+    monkeypatch.setattr(settings, "DISABLE_REGISTRATION", True)
+
+    response = await client.post(
+        "/api/v1/auth/register",
+        json={"username": "shouldfail", "password": "testpass123"}
+    )
+    assert response.status_code == 403
+    assert response.json()["detail"] == "Registration is disabled"