hazo_auth 10.2.0 → 10.2.2

package/README.md

@@ -54,6 +54,16 @@ HAZO_AUTH_OAUTH_KEY_V1=$(openssl rand -base64 32)
 npm install hazo_secure
 ```
 
+```js
+// 4. Add hazo_secure to serverExternalPackages in next.config.mjs / next.config.js
+//    so the bundler leaves the literal import("hazo_secure/crypto") as a native
+//    external import. Without this, Google sign-in fails with
+//    GoogleTokenStorageUnconfigured even when hazo_secure is installed.
+const nextConfig = {
+  serverExternalPackages: ["hazo_secure", /* ...existing entries */],
+};
+```
+
 **Client Usage:**
 ```tsx
 import { requestGoogleScopes } from "hazo_auth/client";
@@ -371,6 +381,29 @@ npx hazo_auth validate              # Check your setup and configuration
 npx hazo_auth --help                # Show all commands
 ```
 
+#### Dev-only demo account seeder
+
+Seed a **login-ready** test user (email pre-verified, assigned to the default
+system scope with a role, no verification email sent) for local development.
+This is **physically incapable of running in production**: it refuses unless the
+resolved env (`HAZO_ENV ?? NODE_ENV`) is non-production **and**
+`HAZO_AUTH_ALLOW_DEMO_SEED=true` is set.
+
+```bash
+# Create (member by default; --admin grants the global-admin role)
+HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-create --admin --email=demo@example.com
+# or via npm script
+HAZO_AUTH_ALLOW_DEMO_SEED=true npm run demo:create -- --admin
+
+# Delete (by email, prefix, or all __demo_* users)
+HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-delete --email=demo@example.com
+HAZO_AUTH_ALLOW_DEMO_SEED=true npm run demo:delete -- --all
+```
+
+Programmatic equivalents are exported from `hazo_auth/server-lib`:
+`create_demo_user`, `delete_demo_users`, `assert_demo_seed_allowed`,
+`DemoSeedNotAllowed`.
+
 ### Using Zero-Config Page Components (v2.0+)
 
 **NEW in v2.0:** All pages are now React Server Components that initialize everything on the server. No configuration, no loading state, no hassle!
@@ -1340,6 +1373,10 @@ Google OAuth adds one new dependency:
    HAZO_AUTH_OAUTH_KEY_V1=$(openssl rand -base64 32)
    ```
 3. Install the optional peer: `npm install hazo_secure`
+4. Add `hazo_secure` to `serverExternalPackages` in `next.config.mjs` / `next.config.js`. The
+   service loads encryption via a literal `import("hazo_secure/crypto")`; if the bundler inlines
+   `hazo_secure` instead of treating it as an external import, Google sign-in fails with
+   `GoogleTokenStorageUnconfigured` even when the peer is installed and keys are set.
 
 **Usage:**
 

package/SETUP_CHECKLIST.md

@@ -13,6 +13,7 @@ const nextConfig = {
   serverExternalPackages: [
     "hazo_notify", "argon2",
     "hazo_core", "hazo_config",  // required for Next 16 + Turbopack
+    "hazo_secure",               // required if using Google API token storage (getGoogleToken)
   ],
 };
 ```
@@ -1138,13 +1139,17 @@ ls app/api/hazo_auth/set_password/route.ts
 Only needed if you use `requestGoogleScopes` / `getGoogleToken` for Google API access beyond sign-in:
 
 1. Install optional peer: `npm install hazo_secure`
-2. Run migration: `npm run migrate -- migrations/021_hazo_google_oauth_tokens.sql`
-3. Set env vars:
+2. Add `hazo_secure` to `serverExternalPackages` in `next.config.mjs` / `next.config.js`. The
+   service loads encryption via a literal `import("hazo_secure/crypto")`; if the bundler inlines
+   `hazo_secure` rather than leaving it as a native external import, Google sign-in fails with
+   `GoogleTokenStorageUnconfigured` even when the peer is installed and keys are configured.
+3. Run migration: `npm run migrate -- migrations/021_hazo_google_oauth_tokens.sql`
+4. Set env vars:
    ```env
    HAZO_AUTH_OAUTH_KEY_CURRENT=v1
    HAZO_AUTH_OAUTH_KEY_V1=<base64-32-bytes from: openssl rand -base64 32>
    ```
-4. Wire the new routes in your Next.js app (same pattern as other hazo_auth routes):
+5. Wire the new routes in your Next.js app (same pattern as other hazo_auth routes):
    ```ts
    // app/api/hazo_auth/google/token/route.ts
    export { GET as googleTokenGET, DELETE as googleTokenDELETE } from "hazo_auth/server/routes";

package/cli-src/cli/demo.ts

@@ -0,0 +1,72 @@
+// file_description: CLI command handlers for demo account seeding (dev-only)
+
+// section: imports
+import { get_hazo_connect_instance } from "../lib/hazo_connect_instance.server.js";
+import {
+  create_demo_user,
+  delete_demo_users,
+  DemoSeedNotAllowed,
+  type CreateDemoUserOptions,
+  type DeleteDemoUsersOptions,
+} from "../lib/services/demo_account_service.js";
+
+// section: create_handler
+/**
+ * Creates a login-ready demo user and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export async function handle_demo_create(opts: CreateDemoUserOptions): Promise<void> {
+  try {
+    const adapter = get_hazo_connect_instance();
+    const result = await create_demo_user(adapter, opts);
+
+    console.log("");
+    console.log("=".repeat(60));
+    console.log("DEMO USER CREATED");
+    console.log("=".repeat(60));
+    console.log("");
+    console.log(`  Email:    ${result.email}`);
+    console.log(`  Password: ${result.password}`);
+    console.log(`  User ID:  ${result.user_id}`);
+    console.log("");
+    console.log("  ✓ Email pre-verified — account is login-ready.");
+    console.log("  ✓ Assigned to the default system scope.");
+    if (opts.admin) {
+      console.log("  ✓ Admin account — global-admin role assigned.");
+    }
+    console.log("=".repeat(60));
+    console.log("");
+  } catch (error) {
+    if (error instanceof DemoSeedNotAllowed) {
+      console.error(
+        "Demo seeding is disabled. Set HAZO_AUTH_ALLOW_DEMO_SEED=true in a non-production env.",
+      );
+      process.exit(1);
+    }
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  }
+}
+
+// section: delete_handler
+/**
+ * Deletes demo users matching the given email or prefix(es) and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export async function handle_demo_delete(opts: DeleteDemoUsersOptions): Promise<void> {
+  try {
+    const adapter = get_hazo_connect_instance();
+    const result = await delete_demo_users(adapter, opts);
+
+    console.log(`✓ Deleted ${result.deleted} demo user(s).`);
+  } catch (error) {
+    if (error instanceof DemoSeedNotAllowed) {
+      console.error(
+        "Demo seeding is disabled. Set HAZO_AUTH_ALLOW_DEMO_SEED=true in a non-production env.",
+      );
+      process.exit(1);
+    }
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  }
+}

package/cli-src/cli/index.ts

@@ -9,6 +9,7 @@ import { handle_init } from "./init.js";
 import { handle_init_users, show_init_users_help } from "./init_users.js";
 import { handle_init_db } from "./init_db.js";
 import { handle_init_permissions, show_init_permissions_help } from "./init_permissions.js";
+import { handle_demo_create, handle_demo_delete } from "./demo.js";
 
 // section: constants
 const VERSION = "1.6.0";
@@ -23,6 +24,8 @@ Commands:
   init-db            Create SQLite database with hazo_auth schema (standalone)
   init-permissions   Create default permissions from config (no user required)
   init-users         Initialize permissions, roles, and super user from config
+  demo-create        [DEV ONLY] Create a login-ready demo user (needs HAZO_AUTH_ALLOW_DEMO_SEED=true)
+  demo-delete        [DEV ONLY] Delete demo users by email/prefix (needs HAZO_AUTH_ALLOW_DEMO_SEED=true)
   validate           Check your hazo_auth setup and configuration
   generate-routes    Generate API route files and pages in your project
   schema             Print the canonical SQLite schema SQL
@@ -41,6 +44,8 @@ Examples:
   npx hazo_auth generate-routes --pages
   npx hazo_auth generate-routes --all --dir=src/app
   npx hazo_auth schema
+  HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-create --admin
+  HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-delete --all
 
 Documentation:
   https://github.com/your-repo/hazo_auth/blob/main/SETUP_CHECKLIST.md
@@ -216,6 +221,58 @@ Requires: better-sqlite3 (npm install better-sqlite3)
       break;
     }
 
+    case "demo-create": {
+      if (help) {
+        console.log(`
+hazo_auth demo-create  [DEV ONLY]
+
+Create a login-ready demo user (email pre-verified, assigned to the default system scope).
+Refuses to run unless the env is non-production AND HAZO_AUTH_ALLOW_DEMO_SEED=true.
+
+Options:
+  --email=<addr>     Email for the demo user (default: __demo_<timestamp>@hazo.test)
+  --password=<pw>    Password (default: Demo_Pass123!)
+  --name=<name>      Display name (default: Demo User)
+  --admin            Grant the global-admin role instead of a plain member role
+`);
+        return;
+      }
+      const demoCreateOpts: { email?: string; password?: string; name?: string; admin?: boolean } = {};
+      for (const arg of args) {
+        if (arg.startsWith("--email=")) demoCreateOpts.email = arg.replace("--email=", "");
+        else if (arg.startsWith("--password=")) demoCreateOpts.password = arg.replace("--password=", "");
+        else if (arg.startsWith("--name=")) demoCreateOpts.name = arg.replace("--name=", "");
+        else if (arg === "--admin") demoCreateOpts.admin = true;
+      }
+      await handle_demo_create(demoCreateOpts);
+      break;
+    }
+
+    case "demo-delete": {
+      if (help) {
+        console.log(`
+hazo_auth demo-delete  [DEV ONLY]
+
+Delete demo users (and their scope rows) by email or prefix. Defaults to the __demo_ prefix.
+Refuses to run unless the env is non-production AND HAZO_AUTH_ALLOW_DEMO_SEED=true.
+
+Options:
+  --email=<addr>     Delete only the user with this exact email
+  --prefix=<p>       Delete users whose email starts with this prefix (default: __demo_)
+  --all              Delete all __demo_-prefixed users (the default behaviour)
+`);
+        return;
+      }
+      const demoDeleteOpts: { email?: string; prefixes?: string[] } = {};
+      for (const arg of args) {
+        if (arg.startsWith("--email=")) demoDeleteOpts.email = arg.replace("--email=", "");
+        else if (arg.startsWith("--prefix=")) demoDeleteOpts.prefixes = [arg.replace("--prefix=", "")];
+      }
+      // --all is a no-op / explicit default (prefixes stays undefined → service defaults to ['__demo_'])
+      await handle_demo_delete(demoDeleteOpts);
+      break;
+    }
+
     case "validate":
       if (help) {
         console.log(`

package/cli-src/lib/services/demo_account_service.ts

@@ -0,0 +1,227 @@
+// file_description: dev-only service for seeding demo accounts in hazo_auth; physically blocked in production
+
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { randomUUID } from "crypto";
+import { DEFAULT_SYSTEM_SCOPE_ID } from "./scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
+
+// section: errors
+
+export class DemoSeedNotAllowed extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "DemoSeedNotAllowed";
+  }
+}
+
+// section: guards
+
+/**
+ * Throws DemoSeedNotAllowed if the current environment is production
+ * or if HAZO_AUTH_ALLOW_DEMO_SEED is not set to "true".
+ * This must be called at the top of every exported function in this module.
+ */
+export function assert_demo_seed_allowed(): void {
+  const env = process.env.HAZO_ENV ?? process.env.NODE_ENV ?? "development";
+  if (env === "production") {
+    throw new DemoSeedNotAllowed(
+      "Demo seeding is disabled. Requires a non-production env AND HAZO_AUTH_ALLOW_DEMO_SEED=true.",
+    );
+  }
+  if (process.env.HAZO_AUTH_ALLOW_DEMO_SEED !== "true") {
+    throw new DemoSeedNotAllowed(
+      "Demo seeding is disabled. Requires a non-production env AND HAZO_AUTH_ALLOW_DEMO_SEED=true.",
+    );
+  }
+}
+
+// section: types
+
+export type CreateDemoUserOptions = {
+  email?: string;     // default: `__demo_${Date.now()}@hazo.test`
+  password?: string;  // default: 'Demo_Pass123!'
+  name?: string;      // default: 'Demo User'
+  admin?: boolean;    // default: false
+};
+
+export type CreateDemoUserResult = {
+  user_id: string;
+  email: string;
+  password: string;
+};
+
+export type DeleteDemoUsersOptions = {
+  email?: string;
+  prefixes?: string[];
+};
+
+// section: helpers
+
+/**
+ * Creates a demo user in the database, assigning them to the default system scope.
+ * Idempotent on email — if the user already exists their id is reused and the
+ * scope/role assignment is still ensured.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export async function create_demo_user(
+  adapter: HazoConnectAdapter,
+  opts: CreateDemoUserOptions = {},
+): Promise<CreateDemoUserResult> {
+  assert_demo_seed_allowed();
+
+  const email = opts.email ?? `__demo_${Date.now()}@hazo.test`;
+  const password = opts.password ?? "Demo_Pass123!";
+  const name = opts.name ?? "Demo User";
+  const admin = opts.admin ?? false;
+
+  const now = new Date().toISOString();
+
+  const users_service = createCrudService(adapter, "hazo_users");
+  const roles_service = createCrudService(adapter, "hazo_roles");
+  const permissions_service = createCrudService(adapter, "hazo_permissions");
+  const role_permissions_service = createCrudService(
+    adapter,
+    "hazo_role_permissions",
+    { primaryKeys: ["role_id", "permission_id"], autoId: false },
+  );
+  const user_scopes_service = createCrudService(adapter, "hazo_user_scopes", {
+    primaryKeys: ["user_id", "scope_id"],
+    autoId: false,
+  });
+
+  // Idempotent: reuse existing user if email already registered
+  let user_id: string;
+  const existing_users = await users_service.findBy({ email_address: email });
+  if (Array.isArray(existing_users) && existing_users.length > 0) {
+    user_id = existing_users[0].id as string;
+  } else {
+    const password_hash = await argon2.hash(password);
+    user_id = randomUUID();
+
+    await users_service.insert({
+      id: user_id,
+      email_address: email,
+      password_hash,
+      email_verified: true,
+      status: "ACTIVE",
+      login_attempts: 0,
+      auth_providers: "email",
+      name,
+      created_at: now,
+      changed_at: now,
+    });
+  }
+
+  // Ensure role exists
+  const role_name = admin ? "default_super_user_role" : "demo_member_role";
+  const existing_roles = await roles_service.findBy({ role_name });
+  let role_id: string;
+  if (Array.isArray(existing_roles) && existing_roles.length > 0) {
+    role_id = existing_roles[0].id as string;
+  } else {
+    const new_role = await roles_service.insert({ role_name, created_at: now, changed_at: now });
+    role_id = Array.isArray(new_role)
+      ? (new_role[0] as { id: string }).id
+      : (new_role as { id: string }).id;
+  }
+
+  // Admin users: ensure GLOBAL_ADMIN_PERMISSION is in the catalog and linked to the role
+  if (admin) {
+    // Ensure permission exists
+    const existing_perms = await permissions_service.findBy({
+      permission_name: GLOBAL_ADMIN_PERMISSION,
+    });
+    let permission_id: string;
+    if (Array.isArray(existing_perms) && existing_perms.length > 0) {
+      permission_id = existing_perms[0].id as string;
+    } else {
+      const new_perm = await permissions_service.insert({
+        permission_name: GLOBAL_ADMIN_PERMISSION,
+        description: "Global admin — access to all scopes and operations",
+        created_at: now,
+        changed_at: now,
+      });
+      permission_id = Array.isArray(new_perm)
+        ? (new_perm[0] as { id: string }).id
+        : (new_perm as { id: string }).id;
+    }
+
+    // Ensure role→permission link
+    const existing_rp = await role_permissions_service.findBy({ role_id, permission_id });
+    if (!Array.isArray(existing_rp) || existing_rp.length === 0) {
+      await role_permissions_service.insert({ role_id, permission_id });
+    }
+  }
+
+  // Ensure user→scope assignment
+  const existing_user_scopes = await user_scopes_service.findBy({
+    user_id,
+    scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+  });
+  if (!Array.isArray(existing_user_scopes) || existing_user_scopes.length === 0) {
+    await user_scopes_service.insert({
+      user_id,
+      scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+      root_scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+      role_id,
+      created_at: now,
+      changed_at: now,
+    });
+  }
+
+  return { user_id, email, password };
+}
+
+/**
+ * Deletes demo users (and their scope rows) whose email matches the given
+ * address or any of the given prefixes.  Defaults to the "__demo_" prefix.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export async function delete_demo_users(
+  adapter: HazoConnectAdapter,
+  opts: DeleteDemoUsersOptions = {},
+): Promise<{ deleted: number }> {
+  assert_demo_seed_allowed();
+
+  const prefixes = opts.prefixes ?? ["__demo_"];
+
+  const users = createCrudService<{ id: string; email_address: string }>(
+    adapter,
+    "hazo_users",
+  );
+  const user_scopes_service = createCrudService(adapter, "hazo_user_scopes", {
+    primaryKeys: ["user_id", "scope_id"],
+    autoId: false,
+  });
+
+  const all = await users.list((qb) => qb.limit(500));
+  const targets = all.filter((u) => {
+    if (opts.email && u.email_address === opts.email) return true;
+    return prefixes.some(
+      (p) => typeof u.email_address === "string" && u.email_address.startsWith(p),
+    );
+  });
+
+  let deleted = 0;
+  for (const u of targets) {
+    const uid = u.id;
+    try {
+      // Best-effort: delete this user's scope rows. hazo_user_scopes has a
+      // composite PK (no `id` column); deleteById on a multi-key table falls
+      // back to the first primary key (user_id), so this removes all of the
+      // user's scope rows in one call.
+      await user_scopes_service.deleteById(uid).catch(() => {});
+      await users.deleteById(uid);
+      deleted += 1;
+    } catch {
+      // best-effort — skip users that can't be deleted
+    }
+  }
+
+  return { deleted };
+}

package/cli-src/lib/services/google_token_service.ts

@@ -3,7 +3,6 @@
 import { createCrudService } from "hazo_connect/server";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
-import { optional_import } from "hazo_core";
 import { randomUUID } from "crypto";
 
 // section: errors
@@ -70,10 +69,32 @@ function makeKeyProvider(
   });
 }
 
+/**
+ * Indirection around the hazo_secure/crypto dynamic import.
+ *
+ * The import specifier MUST be a string literal. hazo_secure is an optional
+ * peer dep, so this used to go through hazo_core's `optional_import(pkg)` — but
+ * that performs a dynamic `import(variable)`, which Turbopack/webpack cannot
+ * statically resolve when consumers bundle their server. The import then fails
+ * unconditionally and sign-in dies on GoogleTokenStorageUnconfigured even when
+ * hazo_secure is installed. A literal `import("hazo_secure/crypto")` is left as
+ * a native external import and resolves at runtime (consumers must list
+ * hazo_secure in serverExternalPackages so it isn't bundled).
+ *
+ * Wrapped in an object so tests can stub `_cryptoLoader.load` without touching
+ * the literal specifier. Not part of the public API (underscore-prefixed).
+ */
+export const _cryptoLoader = {
+  load: (): Promise<typeof import("hazo_secure/crypto")> => import("hazo_secure/crypto"),
+};
+
 async function load_crypto_module() {
-  const cryptoModule = await optional_import<typeof import("hazo_secure/crypto")>(
-    "hazo_secure/crypto"
-  );
+  let cryptoModule: typeof import("hazo_secure/crypto") | null;
+  try {
+    cryptoModule = await _cryptoLoader.load();
+  } catch {
+    cryptoModule = null;
+  }
   if (!cryptoModule) throw new GoogleTokenStorageUnconfigured();
   return cryptoModule;
 }

package/cli-src/lib/services/index.ts

@@ -21,4 +21,5 @@ export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
 export * from "./google_token_service.js";
+export * from "./demo_account_service.js";
 

package/dist/cli/demo.d.ts

@@ -0,0 +1,12 @@
+import { type CreateDemoUserOptions, type DeleteDemoUsersOptions } from "../lib/services/demo_account_service.js";
+/**
+ * Creates a login-ready demo user and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export declare function handle_demo_create(opts: CreateDemoUserOptions): Promise<void>;
+/**
+ * Deletes demo users matching the given email or prefix(es) and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export declare function handle_demo_delete(opts: DeleteDemoUsersOptions): Promise<void>;
+//# sourceMappingURL=demo.d.ts.map

package/dist/cli/demo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo.d.ts","sourceRoot":"","sources":["../../src/cli/demo.ts"],"names":[],"mappings":"AAIA,OAAO,EAIL,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC5B,MAAM,yCAAyC,CAAC;AAGjD;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,qBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC,CA+BnF;AAGD;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC,CAgBpF"}

package/dist/cli/demo.js

@@ -0,0 +1,59 @@
+// file_description: CLI command handlers for demo account seeding (dev-only)
+// section: imports
+import { get_hazo_connect_instance } from "../lib/hazo_connect_instance.server.js";
+import { create_demo_user, delete_demo_users, DemoSeedNotAllowed, } from "../lib/services/demo_account_service.js";
+// section: create_handler
+/**
+ * Creates a login-ready demo user and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export async function handle_demo_create(opts) {
+    try {
+        const adapter = get_hazo_connect_instance();
+        const result = await create_demo_user(adapter, opts);
+        console.log("");
+        console.log("=".repeat(60));
+        console.log("DEMO USER CREATED");
+        console.log("=".repeat(60));
+        console.log("");
+        console.log(`  Email:    ${result.email}`);
+        console.log(`  Password: ${result.password}`);
+        console.log(`  User ID:  ${result.user_id}`);
+        console.log("");
+        console.log("  ✓ Email pre-verified — account is login-ready.");
+        console.log("  ✓ Assigned to the default system scope.");
+        if (opts.admin) {
+            console.log("  ✓ Admin account — global-admin role assigned.");
+        }
+        console.log("=".repeat(60));
+        console.log("");
+    }
+    catch (error) {
+        if (error instanceof DemoSeedNotAllowed) {
+            console.error("Demo seeding is disabled. Set HAZO_AUTH_ALLOW_DEMO_SEED=true in a non-production env.");
+            process.exit(1);
+        }
+        console.error(error instanceof Error ? error.message : String(error));
+        process.exit(1);
+    }
+}
+// section: delete_handler
+/**
+ * Deletes demo users matching the given email or prefix(es) and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export async function handle_demo_delete(opts) {
+    try {
+        const adapter = get_hazo_connect_instance();
+        const result = await delete_demo_users(adapter, opts);
+        console.log(`✓ Deleted ${result.deleted} demo user(s).`);
+    }
+    catch (error) {
+        if (error instanceof DemoSeedNotAllowed) {
+            console.error("Demo seeding is disabled. Set HAZO_AUTH_ALLOW_DEMO_SEED=true in a non-production env.");
+            process.exit(1);
+        }
+        console.error(error instanceof Error ? error.message : String(error));
+        process.exit(1);
+    }
+}

package/dist/cli/index.js

@@ -8,6 +8,7 @@ import { handle_init } from "./init.js";
 import { handle_init_users, show_init_users_help } from "./init_users.js";
 import { handle_init_db } from "./init_db.js";
 import { handle_init_permissions, show_init_permissions_help } from "./init_permissions.js";
+import { handle_demo_create, handle_demo_delete } from "./demo.js";
 // section: constants
 const VERSION = "1.6.0";
 const HELP_TEXT = `
@@ -20,6 +21,8 @@ Commands:
   init-db            Create SQLite database with hazo_auth schema (standalone)
   init-permissions   Create default permissions from config (no user required)
   init-users         Initialize permissions, roles, and super user from config
+  demo-create        [DEV ONLY] Create a login-ready demo user (needs HAZO_AUTH_ALLOW_DEMO_SEED=true)
+  demo-delete        [DEV ONLY] Delete demo users by email/prefix (needs HAZO_AUTH_ALLOW_DEMO_SEED=true)
   validate           Check your hazo_auth setup and configuration
   generate-routes    Generate API route files and pages in your project
   schema             Print the canonical SQLite schema SQL
@@ -38,6 +41,8 @@ Examples:
   npx hazo_auth generate-routes --pages
   npx hazo_auth generate-routes --all --dir=src/app
   npx hazo_auth schema
+  HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-create --admin
+  HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-delete --all
 
 Documentation:
   https://github.com/your-repo/hazo_auth/blob/main/SETUP_CHECKLIST.md
@@ -200,6 +205,62 @@ Requires: better-sqlite3 (npm install better-sqlite3)
             await handle_init_users({ email });
             break;
         }
+        case "demo-create": {
+            if (help) {
+                console.log(`
+hazo_auth demo-create  [DEV ONLY]
+
+Create a login-ready demo user (email pre-verified, assigned to the default system scope).
+Refuses to run unless the env is non-production AND HAZO_AUTH_ALLOW_DEMO_SEED=true.
+
+Options:
+  --email=<addr>     Email for the demo user (default: __demo_<timestamp>@hazo.test)
+  --password=<pw>    Password (default: Demo_Pass123!)
+  --name=<name>      Display name (default: Demo User)
+  --admin            Grant the global-admin role instead of a plain member role
+`);
+                return;
+            }
+            const demoCreateOpts = {};
+            for (const arg of args) {
+                if (arg.startsWith("--email="))
+                    demoCreateOpts.email = arg.replace("--email=", "");
+                else if (arg.startsWith("--password="))
+                    demoCreateOpts.password = arg.replace("--password=", "");
+                else if (arg.startsWith("--name="))
+                    demoCreateOpts.name = arg.replace("--name=", "");
+                else if (arg === "--admin")
+                    demoCreateOpts.admin = true;
+            }
+            await handle_demo_create(demoCreateOpts);
+            break;
+        }
+        case "demo-delete": {
+            if (help) {
+                console.log(`
+hazo_auth demo-delete  [DEV ONLY]
+
+Delete demo users (and their scope rows) by email or prefix. Defaults to the __demo_ prefix.
+Refuses to run unless the env is non-production AND HAZO_AUTH_ALLOW_DEMO_SEED=true.
+
+Options:
+  --email=<addr>     Delete only the user with this exact email
+  --prefix=<p>       Delete users whose email starts with this prefix (default: __demo_)
+  --all              Delete all __demo_-prefixed users (the default behaviour)
+`);
+                return;
+            }
+            const demoDeleteOpts = {};
+            for (const arg of args) {
+                if (arg.startsWith("--email="))
+                    demoDeleteOpts.email = arg.replace("--email=", "");
+                else if (arg.startsWith("--prefix="))
+                    demoDeleteOpts.prefixes = [arg.replace("--prefix=", "")];
+            }
+            // --all is a no-op / explicit default (prefixes stays undefined → service defaults to ['__demo_'])
+            await handle_demo_delete(demoDeleteOpts);
+            break;
+        }
         case "validate":
             if (help) {
                 console.log(`

package/dist/lib/services/demo_account_service.d.ts

@@ -0,0 +1,43 @@
+import type { HazoConnectAdapter } from "hazo_connect";
+export declare class DemoSeedNotAllowed extends Error {
+    constructor(message: string);
+}
+/**
+ * Throws DemoSeedNotAllowed if the current environment is production
+ * or if HAZO_AUTH_ALLOW_DEMO_SEED is not set to "true".
+ * This must be called at the top of every exported function in this module.
+ */
+export declare function assert_demo_seed_allowed(): void;
+export type CreateDemoUserOptions = {
+    email?: string;
+    password?: string;
+    name?: string;
+    admin?: boolean;
+};
+export type CreateDemoUserResult = {
+    user_id: string;
+    email: string;
+    password: string;
+};
+export type DeleteDemoUsersOptions = {
+    email?: string;
+    prefixes?: string[];
+};
+/**
+ * Creates a demo user in the database, assigning them to the default system scope.
+ * Idempotent on email — if the user already exists their id is reused and the
+ * scope/role assignment is still ensured.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export declare function create_demo_user(adapter: HazoConnectAdapter, opts?: CreateDemoUserOptions): Promise<CreateDemoUserResult>;
+/**
+ * Deletes demo users (and their scope rows) whose email matches the given
+ * address or any of the given prefixes.  Defaults to the "__demo_" prefix.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export declare function delete_demo_users(adapter: HazoConnectAdapter, opts?: DeleteDemoUsersOptions): Promise<{
+    deleted: number;
+}>;
+//# sourceMappingURL=demo_account_service.d.ts.map

package/dist/lib/services/demo_account_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo_account_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/demo_account_service.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAID;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAY/C;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB,CAAC;AAIF;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,oBAAoB,CAAC,CAwG/B;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAuC9B"}

package/dist/lib/services/demo_account_service.js

@@ -0,0 +1,171 @@
+// file_description: dev-only service for seeding demo accounts in hazo_auth; physically blocked in production
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { randomUUID } from "crypto";
+import { DEFAULT_SYSTEM_SCOPE_ID } from "./scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
+// section: errors
+export class DemoSeedNotAllowed extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "DemoSeedNotAllowed";
+    }
+}
+// section: guards
+/**
+ * Throws DemoSeedNotAllowed if the current environment is production
+ * or if HAZO_AUTH_ALLOW_DEMO_SEED is not set to "true".
+ * This must be called at the top of every exported function in this module.
+ */
+export function assert_demo_seed_allowed() {
+    var _a, _b;
+    const env = (_b = (_a = process.env.HAZO_ENV) !== null && _a !== void 0 ? _a : process.env.NODE_ENV) !== null && _b !== void 0 ? _b : "development";
+    if (env === "production") {
+        throw new DemoSeedNotAllowed("Demo seeding is disabled. Requires a non-production env AND HAZO_AUTH_ALLOW_DEMO_SEED=true.");
+    }
+    if (process.env.HAZO_AUTH_ALLOW_DEMO_SEED !== "true") {
+        throw new DemoSeedNotAllowed("Demo seeding is disabled. Requires a non-production env AND HAZO_AUTH_ALLOW_DEMO_SEED=true.");
+    }
+}
+// section: helpers
+/**
+ * Creates a demo user in the database, assigning them to the default system scope.
+ * Idempotent on email — if the user already exists their id is reused and the
+ * scope/role assignment is still ensured.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export async function create_demo_user(adapter, opts = {}) {
+    var _a, _b, _c, _d;
+    assert_demo_seed_allowed();
+    const email = (_a = opts.email) !== null && _a !== void 0 ? _a : `__demo_${Date.now()}@hazo.test`;
+    const password = (_b = opts.password) !== null && _b !== void 0 ? _b : "Demo_Pass123!";
+    const name = (_c = opts.name) !== null && _c !== void 0 ? _c : "Demo User";
+    const admin = (_d = opts.admin) !== null && _d !== void 0 ? _d : false;
+    const now = new Date().toISOString();
+    const users_service = createCrudService(adapter, "hazo_users");
+    const roles_service = createCrudService(adapter, "hazo_roles");
+    const permissions_service = createCrudService(adapter, "hazo_permissions");
+    const role_permissions_service = createCrudService(adapter, "hazo_role_permissions", { primaryKeys: ["role_id", "permission_id"], autoId: false });
+    const user_scopes_service = createCrudService(adapter, "hazo_user_scopes", {
+        primaryKeys: ["user_id", "scope_id"],
+        autoId: false,
+    });
+    // Idempotent: reuse existing user if email already registered
+    let user_id;
+    const existing_users = await users_service.findBy({ email_address: email });
+    if (Array.isArray(existing_users) && existing_users.length > 0) {
+        user_id = existing_users[0].id;
+    }
+    else {
+        const password_hash = await argon2.hash(password);
+        user_id = randomUUID();
+        await users_service.insert({
+            id: user_id,
+            email_address: email,
+            password_hash,
+            email_verified: true,
+            status: "ACTIVE",
+            login_attempts: 0,
+            auth_providers: "email",
+            name,
+            created_at: now,
+            changed_at: now,
+        });
+    }
+    // Ensure role exists
+    const role_name = admin ? "default_super_user_role" : "demo_member_role";
+    const existing_roles = await roles_service.findBy({ role_name });
+    let role_id;
+    if (Array.isArray(existing_roles) && existing_roles.length > 0) {
+        role_id = existing_roles[0].id;
+    }
+    else {
+        const new_role = await roles_service.insert({ role_name, created_at: now, changed_at: now });
+        role_id = Array.isArray(new_role)
+            ? new_role[0].id
+            : new_role.id;
+    }
+    // Admin users: ensure GLOBAL_ADMIN_PERMISSION is in the catalog and linked to the role
+    if (admin) {
+        // Ensure permission exists
+        const existing_perms = await permissions_service.findBy({
+            permission_name: GLOBAL_ADMIN_PERMISSION,
+        });
+        let permission_id;
+        if (Array.isArray(existing_perms) && existing_perms.length > 0) {
+            permission_id = existing_perms[0].id;
+        }
+        else {
+            const new_perm = await permissions_service.insert({
+                permission_name: GLOBAL_ADMIN_PERMISSION,
+                description: "Global admin — access to all scopes and operations",
+                created_at: now,
+                changed_at: now,
+            });
+            permission_id = Array.isArray(new_perm)
+                ? new_perm[0].id
+                : new_perm.id;
+        }
+        // Ensure role→permission link
+        const existing_rp = await role_permissions_service.findBy({ role_id, permission_id });
+        if (!Array.isArray(existing_rp) || existing_rp.length === 0) {
+            await role_permissions_service.insert({ role_id, permission_id });
+        }
+    }
+    // Ensure user→scope assignment
+    const existing_user_scopes = await user_scopes_service.findBy({
+        user_id,
+        scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+    });
+    if (!Array.isArray(existing_user_scopes) || existing_user_scopes.length === 0) {
+        await user_scopes_service.insert({
+            user_id,
+            scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+            root_scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+            role_id,
+            created_at: now,
+            changed_at: now,
+        });
+    }
+    return { user_id, email, password };
+}
+/**
+ * Deletes demo users (and their scope rows) whose email matches the given
+ * address or any of the given prefixes.  Defaults to the "__demo_" prefix.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export async function delete_demo_users(adapter, opts = {}) {
+    var _a;
+    assert_demo_seed_allowed();
+    const prefixes = (_a = opts.prefixes) !== null && _a !== void 0 ? _a : ["__demo_"];
+    const users = createCrudService(adapter, "hazo_users");
+    const user_scopes_service = createCrudService(adapter, "hazo_user_scopes", {
+        primaryKeys: ["user_id", "scope_id"],
+        autoId: false,
+    });
+    const all = await users.list((qb) => qb.limit(500));
+    const targets = all.filter((u) => {
+        if (opts.email && u.email_address === opts.email)
+            return true;
+        return prefixes.some((p) => typeof u.email_address === "string" && u.email_address.startsWith(p));
+    });
+    let deleted = 0;
+    for (const u of targets) {
+        const uid = u.id;
+        try {
+            // Best-effort: delete this user's scope rows. hazo_user_scopes has a
+            // composite PK (no `id` column); deleteById on a multi-key table falls
+            // back to the first primary key (user_id), so this removes all of the
+            // user's scope rows in one call.
+            await user_scopes_service.deleteById(uid).catch(() => { });
+            await users.deleteById(uid);
+            deleted += 1;
+        }
+        catch (_b) {
+            // best-effort — skip users that can't be deleted
+        }
+    }
+    return { deleted };
+}

package/dist/lib/services/google_token_service.d.ts

@@ -21,6 +21,24 @@ export type GoogleTokenStatus = {
     scopes: string;
     expires_at: string | null;
 };
+/**
+ * Indirection around the hazo_secure/crypto dynamic import.
+ *
+ * The import specifier MUST be a string literal. hazo_secure is an optional
+ * peer dep, so this used to go through hazo_core's `optional_import(pkg)` — but
+ * that performs a dynamic `import(variable)`, which Turbopack/webpack cannot
+ * statically resolve when consumers bundle their server. The import then fails
+ * unconditionally and sign-in dies on GoogleTokenStorageUnconfigured even when
+ * hazo_secure is installed. A literal `import("hazo_secure/crypto")` is left as
+ * a native external import and resolves at runtime (consumers must list
+ * hazo_secure in serverExternalPackages so it isn't bundled).
+ *
+ * Wrapped in an object so tests can stub `_cryptoLoader.load` without touching
+ * the literal specifier. Not part of the public API (underscore-prefixed).
+ */
+export declare const _cryptoLoader: {
+    load: () => Promise<typeof import("hazo_secure/crypto")>;
+};
 /**
  * Stores (inserts or updates) Google OAuth tokens for a user, encrypting sensitive fields.
  * Throws GoogleTokenStorageUnconfigured if hazo_secure/crypto is unavailable or keys are missing.

package/dist/lib/services/google_token_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"google_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/google_token_service.ts"],"names":[],"mappings":"AAUA,qBAAa,8BAA+B,SAAQ,KAAK;;CAOxD;AAID,MAAM,MAAM,2BAA2B,GAAG;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GACzB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAClD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,eAAe,GAAG,oBAAoB,GAAG,gBAAgB,GAAG,cAAc,CAAA;CAAE,CAAC;AAErG,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAAC;AA6CF;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,2BAA2B,GAClC,OAAO,CAAC,IAAI,CAAC,CA0Ef;AAID;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAC3B,OAAO,CAAC,iBAAiB,CAAC,CA6I5B;AAID;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6D1C;AAID;;;GAGG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAexF"}
+{"version":3,"file":"google_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/google_token_service.ts"],"names":[],"mappings":"AASA,qBAAa,8BAA+B,SAAQ,KAAK;;CAOxD;AAID,MAAM,MAAM,2BAA2B,GAAG;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GACzB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAClD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,eAAe,GAAG,oBAAoB,GAAG,gBAAgB,GAAG,cAAc,CAAA;CAAE,CAAC;AAErG,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAAC;AAmCF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,aAAa;gBACd,OAAO,CAAC,cAAc,oBAAoB,CAAC,CAAC;CACvD,CAAC;AAeF;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,2BAA2B,GAClC,OAAO,CAAC,IAAI,CAAC,CA0Ef;AAID;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAC3B,OAAO,CAAC,iBAAiB,CAAC,CA6I5B;AAID;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6D1C;AAID;;;GAGG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAexF"}

package/dist/lib/services/google_token_service.js

@@ -3,7 +3,6 @@
 import { createCrudService } from "hazo_connect/server";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
-import { optional_import } from "hazo_core";
 import { randomUUID } from "crypto";
 // section: errors
 export class GoogleTokenStorageUnconfigured extends Error {
@@ -26,8 +25,32 @@ function makeKeyProvider(LookupKeyProvider) {
         return undefined;
     });
 }
+/**
+ * Indirection around the hazo_secure/crypto dynamic import.
+ *
+ * The import specifier MUST be a string literal. hazo_secure is an optional
+ * peer dep, so this used to go through hazo_core's `optional_import(pkg)` — but
+ * that performs a dynamic `import(variable)`, which Turbopack/webpack cannot
+ * statically resolve when consumers bundle their server. The import then fails
+ * unconditionally and sign-in dies on GoogleTokenStorageUnconfigured even when
+ * hazo_secure is installed. A literal `import("hazo_secure/crypto")` is left as
+ * a native external import and resolves at runtime (consumers must list
+ * hazo_secure in serverExternalPackages so it isn't bundled).
+ *
+ * Wrapped in an object so tests can stub `_cryptoLoader.load` without touching
+ * the literal specifier. Not part of the public API (underscore-prefixed).
+ */
+export const _cryptoLoader = {
+    load: () => import("hazo_secure/crypto"),
+};
 async function load_crypto_module() {
-    const cryptoModule = await optional_import("hazo_secure/crypto");
+    let cryptoModule;
+    try {
+        cryptoModule = await _cryptoLoader.load();
+    }
+    catch (_a) {
+        cryptoModule = null;
+    }
     if (!cryptoModule)
         throw new GoogleTokenStorageUnconfigured();
     return cryptoModule;

package/dist/lib/services/index.d.ts

@@ -19,4 +19,5 @@ export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
 export * from "./google_token_service.js";
+export * from "./demo_account_service.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/lib/services/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,wBAAwB,CAAC;AACvC,cAAc,wBAAwB,CAAC"}

package/dist/lib/services/index.js

@@ -21,3 +21,4 @@ export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
 export * from "./google_token_service.js";
+export * from "./demo_account_service.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "10.2.0",
+  "version": "10.2.2",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",
@@ -206,6 +206,8 @@
     "dev:server": "tsx src/server/index.ts",
     "migrate": "tsx scripts/apply_migration.ts",
     "init-users": "tsx scripts/init_users.ts init_users",
+    "demo:create": "tsx --conditions react-server scripts/demo.ts create",
+    "demo:delete": "tsx --conditions react-server scripts/demo.ts delete",
     "test": "cross-env NODE_ENV=test jest --runInBand",
     "test:watch": "cross-env NODE_ENV=test jest --watch"
   },
@@ -253,9 +255,9 @@
     "@radix-ui/react-tabs": "^1.1.0",
     "@radix-ui/react-tooltip": "^1.2.0",
     "hazo_api": "^2.4.0",
-    "hazo_config": "^2.1.10",
-    "hazo_connect": "^3.6.0",
-    "hazo_core": "^1.1.0",
+    "hazo_config": "^2.1.11",
+    "hazo_connect": "^3.7.0",
+    "hazo_core": "^1.2.0",
     "hazo_logs": "^2.0.3",
     "hazo_notify": "^6.1.3",
     "hazo_secure": "^1.1.0",
@@ -392,13 +394,13 @@
     "eslint": "^9.39.1",
     "eslint-config-next": "^16.0.4",
     "eslint-plugin-storybook": "^10.0.6",
-    "hazo_api": "^2.4.0",
-    "hazo_config": "^2.1.10",
-    "hazo_connect": "^3.6.0",
-    "hazo_core": "^1.1.0",
+    "hazo_api": "^2.5.0",
+    "hazo_config": "^2.1.11",
+    "hazo_connect": "^3.7.0",
+    "hazo_core": "^1.2.0",
     "hazo_logs": "^2.0.3",
     "hazo_notify": "^6.1.3",
-    "hazo_ui": "^4.0.0",
+    "hazo_ui": "^4.2.0",
     "input-otp": "^1.4.0",
     "jest": "^30.2.0",
     "jest-environment-jsdom": "^30.0.0",