hazo_auth 10.2.1 → 10.2.3

package/README.md

@@ -381,6 +381,29 @@ npx hazo_auth validate              # Check your setup and configuration
 npx hazo_auth --help                # Show all commands
 ```
 
+#### Dev-only demo account seeder
+
+Seed a **login-ready** test user (email pre-verified, assigned to the default
+system scope with a role, no verification email sent) for local development.
+This is **physically incapable of running in production**: it refuses unless the
+resolved env (`HAZO_ENV ?? NODE_ENV`) is non-production **and**
+`HAZO_AUTH_ALLOW_DEMO_SEED=true` is set.
+
+```bash
+# Create (member by default; --admin grants the global-admin role)
+HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-create --admin --email=demo@example.com
+# or via npm script
+HAZO_AUTH_ALLOW_DEMO_SEED=true npm run demo:create -- --admin
+
+# Delete (by email, prefix, or all __demo_* users)
+HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-delete --email=demo@example.com
+HAZO_AUTH_ALLOW_DEMO_SEED=true npm run demo:delete -- --all
+```
+
+Programmatic equivalents are exported from `hazo_auth/server-lib`:
+`create_demo_user`, `delete_demo_users`, `assert_demo_seed_allowed`,
+`DemoSeedNotAllowed`.
+
 ### Using Zero-Config Page Components (v2.0+)
 
 **NEW in v2.0:** All pages are now React Server Components that initialize everything on the server. No configuration, no loading state, no hassle!

package/cli-src/cli/demo.ts

@@ -0,0 +1,72 @@
+// file_description: CLI command handlers for demo account seeding (dev-only)
+
+// section: imports
+import { get_hazo_connect_instance } from "../lib/hazo_connect_instance.server.js";
+import {
+  create_demo_user,
+  delete_demo_users,
+  DemoSeedNotAllowed,
+  type CreateDemoUserOptions,
+  type DeleteDemoUsersOptions,
+} from "../lib/services/demo_account_service.js";
+
+// section: create_handler
+/**
+ * Creates a login-ready demo user and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export async function handle_demo_create(opts: CreateDemoUserOptions): Promise<void> {
+  try {
+    const adapter = get_hazo_connect_instance();
+    const result = await create_demo_user(adapter, opts);
+
+    console.log("");
+    console.log("=".repeat(60));
+    console.log("DEMO USER CREATED");
+    console.log("=".repeat(60));
+    console.log("");
+    console.log(`  Email:    ${result.email}`);
+    console.log(`  Password: ${result.password}`);
+    console.log(`  User ID:  ${result.user_id}`);
+    console.log("");
+    console.log("  ✓ Email pre-verified — account is login-ready.");
+    console.log("  ✓ Assigned to the default system scope.");
+    if (opts.admin) {
+      console.log("  ✓ Admin account — global-admin role assigned.");
+    }
+    console.log("=".repeat(60));
+    console.log("");
+  } catch (error) {
+    if (error instanceof DemoSeedNotAllowed) {
+      console.error(
+        "Demo seeding is disabled. Set HAZO_AUTH_ALLOW_DEMO_SEED=true in a non-production env.",
+      );
+      process.exit(1);
+    }
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  }
+}
+
+// section: delete_handler
+/**
+ * Deletes demo users matching the given email or prefix(es) and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export async function handle_demo_delete(opts: DeleteDemoUsersOptions): Promise<void> {
+  try {
+    const adapter = get_hazo_connect_instance();
+    const result = await delete_demo_users(adapter, opts);
+
+    console.log(`✓ Deleted ${result.deleted} demo user(s).`);
+  } catch (error) {
+    if (error instanceof DemoSeedNotAllowed) {
+      console.error(
+        "Demo seeding is disabled. Set HAZO_AUTH_ALLOW_DEMO_SEED=true in a non-production env.",
+      );
+      process.exit(1);
+    }
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  }
+}

package/cli-src/cli/index.ts

@@ -9,6 +9,7 @@ import { handle_init } from "./init.js";
 import { handle_init_users, show_init_users_help } from "./init_users.js";
 import { handle_init_db } from "./init_db.js";
 import { handle_init_permissions, show_init_permissions_help } from "./init_permissions.js";
+import { handle_demo_create, handle_demo_delete } from "./demo.js";
 
 // section: constants
 const VERSION = "1.6.0";
@@ -23,6 +24,8 @@ Commands:
   init-db            Create SQLite database with hazo_auth schema (standalone)
   init-permissions   Create default permissions from config (no user required)
   init-users         Initialize permissions, roles, and super user from config
+  demo-create        [DEV ONLY] Create a login-ready demo user (needs HAZO_AUTH_ALLOW_DEMO_SEED=true)
+  demo-delete        [DEV ONLY] Delete demo users by email/prefix (needs HAZO_AUTH_ALLOW_DEMO_SEED=true)
   validate           Check your hazo_auth setup and configuration
   generate-routes    Generate API route files and pages in your project
   schema             Print the canonical SQLite schema SQL
@@ -41,6 +44,8 @@ Examples:
   npx hazo_auth generate-routes --pages
   npx hazo_auth generate-routes --all --dir=src/app
   npx hazo_auth schema
+  HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-create --admin
+  HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-delete --all
 
 Documentation:
   https://github.com/your-repo/hazo_auth/blob/main/SETUP_CHECKLIST.md
@@ -216,6 +221,58 @@ Requires: better-sqlite3 (npm install better-sqlite3)
       break;
     }
 
+    case "demo-create": {
+      if (help) {
+        console.log(`
+hazo_auth demo-create  [DEV ONLY]
+
+Create a login-ready demo user (email pre-verified, assigned to the default system scope).
+Refuses to run unless the env is non-production AND HAZO_AUTH_ALLOW_DEMO_SEED=true.
+
+Options:
+  --email=<addr>     Email for the demo user (default: __demo_<timestamp>@hazo.test)
+  --password=<pw>    Password (default: Demo_Pass123!)
+  --name=<name>      Display name (default: Demo User)
+  --admin            Grant the global-admin role instead of a plain member role
+`);
+        return;
+      }
+      const demoCreateOpts: { email?: string; password?: string; name?: string; admin?: boolean } = {};
+      for (const arg of args) {
+        if (arg.startsWith("--email=")) demoCreateOpts.email = arg.replace("--email=", "");
+        else if (arg.startsWith("--password=")) demoCreateOpts.password = arg.replace("--password=", "");
+        else if (arg.startsWith("--name=")) demoCreateOpts.name = arg.replace("--name=", "");
+        else if (arg === "--admin") demoCreateOpts.admin = true;
+      }
+      await handle_demo_create(demoCreateOpts);
+      break;
+    }
+
+    case "demo-delete": {
+      if (help) {
+        console.log(`
+hazo_auth demo-delete  [DEV ONLY]
+
+Delete demo users (and their scope rows) by email or prefix. Defaults to the __demo_ prefix.
+Refuses to run unless the env is non-production AND HAZO_AUTH_ALLOW_DEMO_SEED=true.
+
+Options:
+  --email=<addr>     Delete only the user with this exact email
+  --prefix=<p>       Delete users whose email starts with this prefix (default: __demo_)
+  --all              Delete all __demo_-prefixed users (the default behaviour)
+`);
+        return;
+      }
+      const demoDeleteOpts: { email?: string; prefixes?: string[] } = {};
+      for (const arg of args) {
+        if (arg.startsWith("--email=")) demoDeleteOpts.email = arg.replace("--email=", "");
+        else if (arg.startsWith("--prefix=")) demoDeleteOpts.prefixes = [arg.replace("--prefix=", "")];
+      }
+      // --all is a no-op / explicit default (prefixes stays undefined → service defaults to ['__demo_'])
+      await handle_demo_delete(demoDeleteOpts);
+      break;
+    }
+
     case "validate":
       if (help) {
         console.log(`

package/cli-src/lib/services/demo_account_service.ts

@@ -0,0 +1,227 @@
+// file_description: dev-only service for seeding demo accounts in hazo_auth; physically blocked in production
+
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { randomUUID } from "crypto";
+import { DEFAULT_SYSTEM_SCOPE_ID } from "./scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
+
+// section: errors
+
+export class DemoSeedNotAllowed extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "DemoSeedNotAllowed";
+  }
+}
+
+// section: guards
+
+/**
+ * Throws DemoSeedNotAllowed if the current environment is production
+ * or if HAZO_AUTH_ALLOW_DEMO_SEED is not set to "true".
+ * This must be called at the top of every exported function in this module.
+ */
+export function assert_demo_seed_allowed(): void {
+  const env = process.env.HAZO_ENV ?? process.env.NODE_ENV ?? "development";
+  if (env === "production") {
+    throw new DemoSeedNotAllowed(
+      "Demo seeding is disabled. Requires a non-production env AND HAZO_AUTH_ALLOW_DEMO_SEED=true.",
+    );
+  }
+  if (process.env.HAZO_AUTH_ALLOW_DEMO_SEED !== "true") {
+    throw new DemoSeedNotAllowed(
+      "Demo seeding is disabled. Requires a non-production env AND HAZO_AUTH_ALLOW_DEMO_SEED=true.",
+    );
+  }
+}
+
+// section: types
+
+export type CreateDemoUserOptions = {
+  email?: string;     // default: `__demo_${Date.now()}@hazo.test`
+  password?: string;  // default: 'Demo_Pass123!'
+  name?: string;      // default: 'Demo User'
+  admin?: boolean;    // default: false
+};
+
+export type CreateDemoUserResult = {
+  user_id: string;
+  email: string;
+  password: string;
+};
+
+export type DeleteDemoUsersOptions = {
+  email?: string;
+  prefixes?: string[];
+};
+
+// section: helpers
+
+/**
+ * Creates a demo user in the database, assigning them to the default system scope.
+ * Idempotent on email — if the user already exists their id is reused and the
+ * scope/role assignment is still ensured.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export async function create_demo_user(
+  adapter: HazoConnectAdapter,
+  opts: CreateDemoUserOptions = {},
+): Promise<CreateDemoUserResult> {
+  assert_demo_seed_allowed();
+
+  const email = opts.email ?? `__demo_${Date.now()}@hazo.test`;
+  const password = opts.password ?? "Demo_Pass123!";
+  const name = opts.name ?? "Demo User";
+  const admin = opts.admin ?? false;
+
+  const now = new Date().toISOString();
+
+  const users_service = createCrudService(adapter, "hazo_users");
+  const roles_service = createCrudService(adapter, "hazo_roles");
+  const permissions_service = createCrudService(adapter, "hazo_permissions");
+  const role_permissions_service = createCrudService(
+    adapter,
+    "hazo_role_permissions",
+    { primaryKeys: ["role_id", "permission_id"], autoId: false },
+  );
+  const user_scopes_service = createCrudService(adapter, "hazo_user_scopes", {
+    primaryKeys: ["user_id", "scope_id"],
+    autoId: false,
+  });
+
+  // Idempotent: reuse existing user if email already registered
+  let user_id: string;
+  const existing_users = await users_service.findBy({ email_address: email });
+  if (Array.isArray(existing_users) && existing_users.length > 0) {
+    user_id = existing_users[0].id as string;
+  } else {
+    const password_hash = await argon2.hash(password);
+    user_id = randomUUID();
+
+    await users_service.insert({
+      id: user_id,
+      email_address: email,
+      password_hash,
+      email_verified: true,
+      status: "ACTIVE",
+      login_attempts: 0,
+      auth_providers: "email",
+      name,
+      created_at: now,
+      changed_at: now,
+    });
+  }
+
+  // Ensure role exists
+  const role_name = admin ? "default_super_user_role" : "demo_member_role";
+  const existing_roles = await roles_service.findBy({ role_name });
+  let role_id: string;
+  if (Array.isArray(existing_roles) && existing_roles.length > 0) {
+    role_id = existing_roles[0].id as string;
+  } else {
+    const new_role = await roles_service.insert({ role_name, created_at: now, changed_at: now });
+    role_id = Array.isArray(new_role)
+      ? (new_role[0] as { id: string }).id
+      : (new_role as { id: string }).id;
+  }
+
+  // Admin users: ensure GLOBAL_ADMIN_PERMISSION is in the catalog and linked to the role
+  if (admin) {
+    // Ensure permission exists
+    const existing_perms = await permissions_service.findBy({
+      permission_name: GLOBAL_ADMIN_PERMISSION,
+    });
+    let permission_id: string;
+    if (Array.isArray(existing_perms) && existing_perms.length > 0) {
+      permission_id = existing_perms[0].id as string;
+    } else {
+      const new_perm = await permissions_service.insert({
+        permission_name: GLOBAL_ADMIN_PERMISSION,
+        description: "Global admin — access to all scopes and operations",
+        created_at: now,
+        changed_at: now,
+      });
+      permission_id = Array.isArray(new_perm)
+        ? (new_perm[0] as { id: string }).id
+        : (new_perm as { id: string }).id;
+    }
+
+    // Ensure role→permission link
+    const existing_rp = await role_permissions_service.findBy({ role_id, permission_id });
+    if (!Array.isArray(existing_rp) || existing_rp.length === 0) {
+      await role_permissions_service.insert({ role_id, permission_id });
+    }
+  }
+
+  // Ensure user→scope assignment
+  const existing_user_scopes = await user_scopes_service.findBy({
+    user_id,
+    scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+  });
+  if (!Array.isArray(existing_user_scopes) || existing_user_scopes.length === 0) {
+    await user_scopes_service.insert({
+      user_id,
+      scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+      root_scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+      role_id,
+      created_at: now,
+      changed_at: now,
+    });
+  }
+
+  return { user_id, email, password };
+}
+
+/**
+ * Deletes demo users (and their scope rows) whose email matches the given
+ * address or any of the given prefixes.  Defaults to the "__demo_" prefix.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export async function delete_demo_users(
+  adapter: HazoConnectAdapter,
+  opts: DeleteDemoUsersOptions = {},
+): Promise<{ deleted: number }> {
+  assert_demo_seed_allowed();
+
+  const prefixes = opts.prefixes ?? ["__demo_"];
+
+  const users = createCrudService<{ id: string; email_address: string }>(
+    adapter,
+    "hazo_users",
+  );
+  const user_scopes_service = createCrudService(adapter, "hazo_user_scopes", {
+    primaryKeys: ["user_id", "scope_id"],
+    autoId: false,
+  });
+
+  const all = await users.list((qb) => qb.limit(500));
+  const targets = all.filter((u) => {
+    if (opts.email && u.email_address === opts.email) return true;
+    return prefixes.some(
+      (p) => typeof u.email_address === "string" && u.email_address.startsWith(p),
+    );
+  });
+
+  let deleted = 0;
+  for (const u of targets) {
+    const uid = u.id;
+    try {
+      // Best-effort: delete this user's scope rows. hazo_user_scopes has a
+      // composite PK (no `id` column); deleteById on a multi-key table falls
+      // back to the first primary key (user_id), so this removes all of the
+      // user's scope rows in one call.
+      await user_scopes_service.deleteById(uid).catch(() => {});
+      await users.deleteById(uid);
+      deleted += 1;
+    } catch {
+      // best-effort — skip users that can't be deleted
+    }
+  }
+
+  return { deleted };
+}

package/cli-src/lib/services/index.ts

@@ -21,4 +21,5 @@ export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
 export * from "./google_token_service.js";
+export * from "./demo_account_service.js";
 

package/dist/cli/demo.d.ts

@@ -0,0 +1,12 @@
+import { type CreateDemoUserOptions, type DeleteDemoUsersOptions } from "../lib/services/demo_account_service.js";
+/**
+ * Creates a login-ready demo user and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export declare function handle_demo_create(opts: CreateDemoUserOptions): Promise<void>;
+/**
+ * Deletes demo users matching the given email or prefix(es) and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export declare function handle_demo_delete(opts: DeleteDemoUsersOptions): Promise<void>;
+//# sourceMappingURL=demo.d.ts.map

package/dist/cli/demo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo.d.ts","sourceRoot":"","sources":["../../src/cli/demo.ts"],"names":[],"mappings":"AAIA,OAAO,EAIL,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC5B,MAAM,yCAAyC,CAAC;AAGjD;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,qBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC,CA+BnF;AAGD;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC,CAgBpF"}

package/dist/cli/demo.js

@@ -0,0 +1,59 @@
+// file_description: CLI command handlers for demo account seeding (dev-only)
+// section: imports
+import { get_hazo_connect_instance } from "../lib/hazo_connect_instance.server.js";
+import { create_demo_user, delete_demo_users, DemoSeedNotAllowed, } from "../lib/services/demo_account_service.js";
+// section: create_handler
+/**
+ * Creates a login-ready demo user and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export async function handle_demo_create(opts) {
+    try {
+        const adapter = get_hazo_connect_instance();
+        const result = await create_demo_user(adapter, opts);
+        console.log("");
+        console.log("=".repeat(60));
+        console.log("DEMO USER CREATED");
+        console.log("=".repeat(60));
+        console.log("");
+        console.log(`  Email:    ${result.email}`);
+        console.log(`  Password: ${result.password}`);
+        console.log(`  User ID:  ${result.user_id}`);
+        console.log("");
+        console.log("  ✓ Email pre-verified — account is login-ready.");
+        console.log("  ✓ Assigned to the default system scope.");
+        if (opts.admin) {
+            console.log("  ✓ Admin account — global-admin role assigned.");
+        }
+        console.log("=".repeat(60));
+        console.log("");
+    }
+    catch (error) {
+        if (error instanceof DemoSeedNotAllowed) {
+            console.error("Demo seeding is disabled. Set HAZO_AUTH_ALLOW_DEMO_SEED=true in a non-production env.");
+            process.exit(1);
+        }
+        console.error(error instanceof Error ? error.message : String(error));
+        process.exit(1);
+    }
+}
+// section: delete_handler
+/**
+ * Deletes demo users matching the given email or prefix(es) and prints a summary.
+ * Exits with code 1 if demo seeding is not allowed or an error occurs.
+ */
+export async function handle_demo_delete(opts) {
+    try {
+        const adapter = get_hazo_connect_instance();
+        const result = await delete_demo_users(adapter, opts);
+        console.log(`✓ Deleted ${result.deleted} demo user(s).`);
+    }
+    catch (error) {
+        if (error instanceof DemoSeedNotAllowed) {
+            console.error("Demo seeding is disabled. Set HAZO_AUTH_ALLOW_DEMO_SEED=true in a non-production env.");
+            process.exit(1);
+        }
+        console.error(error instanceof Error ? error.message : String(error));
+        process.exit(1);
+    }
+}

package/dist/cli/index.js

@@ -8,6 +8,7 @@ import { handle_init } from "./init.js";
 import { handle_init_users, show_init_users_help } from "./init_users.js";
 import { handle_init_db } from "./init_db.js";
 import { handle_init_permissions, show_init_permissions_help } from "./init_permissions.js";
+import { handle_demo_create, handle_demo_delete } from "./demo.js";
 // section: constants
 const VERSION = "1.6.0";
 const HELP_TEXT = `
@@ -20,6 +21,8 @@ Commands:
   init-db            Create SQLite database with hazo_auth schema (standalone)
   init-permissions   Create default permissions from config (no user required)
   init-users         Initialize permissions, roles, and super user from config
+  demo-create        [DEV ONLY] Create a login-ready demo user (needs HAZO_AUTH_ALLOW_DEMO_SEED=true)
+  demo-delete        [DEV ONLY] Delete demo users by email/prefix (needs HAZO_AUTH_ALLOW_DEMO_SEED=true)
   validate           Check your hazo_auth setup and configuration
   generate-routes    Generate API route files and pages in your project
   schema             Print the canonical SQLite schema SQL
@@ -38,6 +41,8 @@ Examples:
   npx hazo_auth generate-routes --pages
   npx hazo_auth generate-routes --all --dir=src/app
   npx hazo_auth schema
+  HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-create --admin
+  HAZO_AUTH_ALLOW_DEMO_SEED=true npx hazo_auth demo-delete --all
 
 Documentation:
   https://github.com/your-repo/hazo_auth/blob/main/SETUP_CHECKLIST.md
@@ -200,6 +205,62 @@ Requires: better-sqlite3 (npm install better-sqlite3)
             await handle_init_users({ email });
             break;
         }
+        case "demo-create": {
+            if (help) {
+                console.log(`
+hazo_auth demo-create  [DEV ONLY]
+
+Create a login-ready demo user (email pre-verified, assigned to the default system scope).
+Refuses to run unless the env is non-production AND HAZO_AUTH_ALLOW_DEMO_SEED=true.
+
+Options:
+  --email=<addr>     Email for the demo user (default: __demo_<timestamp>@hazo.test)
+  --password=<pw>    Password (default: Demo_Pass123!)
+  --name=<name>      Display name (default: Demo User)
+  --admin            Grant the global-admin role instead of a plain member role
+`);
+                return;
+            }
+            const demoCreateOpts = {};
+            for (const arg of args) {
+                if (arg.startsWith("--email="))
+                    demoCreateOpts.email = arg.replace("--email=", "");
+                else if (arg.startsWith("--password="))
+                    demoCreateOpts.password = arg.replace("--password=", "");
+                else if (arg.startsWith("--name="))
+                    demoCreateOpts.name = arg.replace("--name=", "");
+                else if (arg === "--admin")
+                    demoCreateOpts.admin = true;
+            }
+            await handle_demo_create(demoCreateOpts);
+            break;
+        }
+        case "demo-delete": {
+            if (help) {
+                console.log(`
+hazo_auth demo-delete  [DEV ONLY]
+
+Delete demo users (and their scope rows) by email or prefix. Defaults to the __demo_ prefix.
+Refuses to run unless the env is non-production AND HAZO_AUTH_ALLOW_DEMO_SEED=true.
+
+Options:
+  --email=<addr>     Delete only the user with this exact email
+  --prefix=<p>       Delete users whose email starts with this prefix (default: __demo_)
+  --all              Delete all __demo_-prefixed users (the default behaviour)
+`);
+                return;
+            }
+            const demoDeleteOpts = {};
+            for (const arg of args) {
+                if (arg.startsWith("--email="))
+                    demoDeleteOpts.email = arg.replace("--email=", "");
+                else if (arg.startsWith("--prefix="))
+                    demoDeleteOpts.prefixes = [arg.replace("--prefix=", "")];
+            }
+            // --all is a no-op / explicit default (prefixes stays undefined → service defaults to ['__demo_'])
+            await handle_demo_delete(demoDeleteOpts);
+            break;
+        }
         case "validate":
             if (help) {
                 console.log(`

package/dist/components/layouts/my_settings/components/profile_picture_upload_tab.d.ts

@@ -10,14 +10,20 @@ export type ProfilePictureUploadTabProps = {
     imageCompressionMaxDimension?: number;
     uploadFileHardLimitBytes?: number;
     allowedImageMimeTypes?: string[];
+    cropTitle?: string;
+    cropConfirmLabel?: string;
+    cropCancelLabel?: string;
+    cropZoomLabel?: string;
 };
 /**
  * Upload tab component for profile picture dialog
  * Two columns: left = dropzone, right = preview
  * Uses browser-image-compression for client-side compression
+ * Routes decodable images through HazoUiImageCropperDialog (round crop, 512² WebP)
+ * Falls back to direct upload for HEIC and other browser-undecodable formats
  * @param props - Component props including upload state, file handler, and configuration
  * @returns Upload tab component
  */
 export declare function ProfilePictureUploadTab({ useUpload, onUseUploadChange, onFileSelect, maxSize, uploadEnabled, disabled, currentPreview, photoUploadDisabledMessage, imageCompressionMaxDimension, uploadFileHardLimitBytes, // 10MB default
-allowedImageMimeTypes, }: ProfilePictureUploadTabProps): import("react/jsx-runtime").JSX.Element;
+allowedImageMimeTypes, cropTitle, cropConfirmLabel, cropCancelLabel, cropZoomLabel, }: ProfilePictureUploadTabProps): import("react/jsx-runtime").JSX.Element;
 //# sourceMappingURL=profile_picture_upload_tab.d.ts.map

package/dist/components/layouts/my_settings/components/profile_picture_upload_tab.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"profile_picture_upload_tab.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/my_settings/components/profile_picture_upload_tab.tsx"],"names":[],"mappings":"AAcA,MAAM,MAAM,4BAA4B,GAAG;IACzC,SAAS,EAAE,OAAO,CAAC;IACnB,iBAAiB,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,IAAI,CAAC;IAC1C,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,4BAA4B,CAAC,EAAE,MAAM,CAAC;IACtC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;CAClC,CAAC;AAGF;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,EACtC,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,OAAO,EACP,aAAa,EACb,QAAgB,EAChB,cAAc,EACd,0BAA0B,EAC1B,4BAAkC,EAClC,wBAAmC,EAAE,eAAe;AACpD,qBAAgE,GACjE,EAAE,4BAA4B,2CAmS9B"}
+{"version":3,"file":"profile_picture_upload_tab.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/my_settings/components/profile_picture_upload_tab.tsx"],"names":[],"mappings":"AA2BA,MAAM,MAAM,4BAA4B,GAAG;IACzC,SAAS,EAAE,OAAO,CAAC;IACnB,iBAAiB,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,IAAI,CAAC;IAC1C,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,4BAA4B,CAAC,EAAE,MAAM,CAAC;IACtC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CAAC,EACtC,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,OAAO,EACP,aAAa,EACb,QAAgB,EAChB,cAAc,EACd,0BAA0B,EAC1B,4BAAkC,EAClC,wBAAmC,EAAE,eAAe;AACpD,qBAAgE,EAChE,SAAwB,EACxB,gBAA+B,EAC/B,eAA0B,EAC1B,aAAsB,GACvB,EAAE,4BAA4B,2CAgU9B"}

package/dist/components/layouts/my_settings/components/profile_picture_upload_tab.js

@@ -1,4 +1,4 @@
-// file_description: Upload tab component for profile picture dialog with dropzone and preview
+// file_description: Upload tab component for profile picture dialog with dropzone, crop step, and preview
 // section: client_directive
 "use client";
 import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
@@ -10,22 +10,37 @@ import { Avatar, AvatarImage, AvatarFallback } from "../../../ui/avatar.js";
 import { Upload, X, Loader2, Info } from "lucide-react";
 import { Button } from "../../../ui/button.js";
 import imageCompression from "browser-image-compression";
+import { HazoUiImageCropperDialog } from "hazo_ui";
+// section: helpers
+/** Resolves true if the browser can decode this image file, false otherwise (e.g. desktop HEIC). */
+function can_decode_image(file) {
+    return new Promise((resolve) => {
+        const url = URL.createObjectURL(file);
+        const img = new Image();
+        img.onload = () => { URL.revokeObjectURL(url); resolve(true); };
+        img.onerror = () => { URL.revokeObjectURL(url); resolve(false); };
+        img.src = url;
+    });
+}
 // section: component
 /**
  * Upload tab component for profile picture dialog
  * Two columns: left = dropzone, right = preview
  * Uses browser-image-compression for client-side compression
+ * Routes decodable images through HazoUiImageCropperDialog (round crop, 512² WebP)
+ * Falls back to direct upload for HEIC and other browser-undecodable formats
  * @param props - Component props including upload state, file handler, and configuration
  * @returns Upload tab component
  */
 export function ProfilePictureUploadTab({ useUpload, onUseUploadChange, onFileSelect, maxSize, uploadEnabled, disabled = false, currentPreview, photoUploadDisabledMessage, imageCompressionMaxDimension = 200, uploadFileHardLimitBytes = 10485760, // 10MB default
-allowedImageMimeTypes = ["image/jpeg", "image/jpg", "image/png"], }) {
+allowedImageMimeTypes = ["image/jpeg", "image/jpg", "image/png"], cropTitle = "Crop photo", cropConfirmLabel = "Save photo", cropCancelLabel = "Cancel", cropZoomLabel = "Zoom", }) {
     const [dragActive, setDragActive] = useState(false);
     const [preview, setPreview] = useState(currentPreview || null);
     const [isNewImage, setIsNewImage] = useState(false); // Track if preview is showing a newly uploaded image
     const [uploading, setUploading] = useState(false);
     const [compressing, setCompressing] = useState(false);
     const [error, setError] = useState(null);
+    const [cropFile, setCropFile] = useState(null);
     // Update preview when currentPreview changes (e.g., when dialog opens)
     useEffect(() => {
         if (currentPreview) {
@@ -40,17 +55,7 @@ allowedImageMimeTypes = ["image/jpeg", "image/jpg", "image/png"], }) {
         }
         // eslint-disable-next-line react-hooks/exhaustive-deps
     }, [currentPreview]); // Only depend on currentPreview to avoid loops, isNewImage check is intentional
-    const handleFile = useCallback(async (file) => {
-        // Validate file type
-        if (!allowedImageMimeTypes.includes(file.type)) {
-            setError(`Invalid file type. Only ${allowedImageMimeTypes.map(t => t.split("/")[1].toUpperCase()).join(", ")} files are allowed.`);
-            return;
-        }
-        // Hard limit: reject files larger than configured limit (too large to process efficiently)
-        if (file.size > uploadFileHardLimitBytes) {
-            setError(`File is too large. Maximum size is ${Math.round(maxSize / 1024)}KB.`);
-            return;
-        }
+    const process_and_upload = useCallback(async (file) => {
         setError(null);
         setCompressing(false);
         setUploading(false);
@@ -112,7 +117,32 @@ allowedImageMimeTypes = ["image/jpeg", "image/jpg", "image/png"], }) {
                 setUploading(false);
             }
         }
-    }, [maxSize, onFileSelect]);
+    }, [maxSize, onFileSelect, imageCompressionMaxDimension]);
+    const handleFile = useCallback(async (file) => {
+        // Validate file type
+        if (!allowedImageMimeTypes.includes(file.type)) {
+            setError(`Invalid file type. Only ${allowedImageMimeTypes.map(t => t.split("/")[1].toUpperCase()).join(", ")} files are allowed.`);
+            return;
+        }
+        // Hard limit: reject files larger than configured limit (too large to process efficiently)
+        if (file.size > uploadFileHardLimitBytes) {
+            setError(`File is too large. Maximum size is ${Math.round(maxSize / 1024)}KB.`);
+            return;
+        }
+        setError(null);
+        const decodable = await can_decode_image(file);
+        if (decodable) {
+            setCropFile(file); // opens the crop dialog
+        }
+        else {
+            await process_and_upload(file); // HEIC/undecodable fallback: direct path
+        }
+    }, [allowedImageMimeTypes, uploadFileHardLimitBytes, maxSize, process_and_upload]);
+    const handle_crop_confirm = useCallback(async (blob) => {
+        const cropped = new File([blob], "avatar.webp", { type: "image/webp" });
+        await process_and_upload(cropped);
+        setCropFile(null);
+    }, [process_and_upload]);
     const handleDrag = useCallback((e) => {
         e.preventDefault();
         e.stopPropagation();
@@ -165,5 +195,6 @@ allowedImageMimeTypes = ["image/jpeg", "image/jpg", "image/png"], }) {
                                     if (!disabled && uploadEnabled) {
                                         (_a = document.getElementById("file-upload-input")) === null || _a === void 0 ? void 0 : _a.click();
                                     }
-                                }, children: [_jsx("input", { id: "file-upload-input", type: "file", accept: allowedImageMimeTypes.join(","), onChange: handleChange, disabled: disabled || !uploadEnabled, className: "hidden", "aria-label": "Upload profile picture" }), _jsx(Upload, { className: "h-8 w-8 text-[var(--hazo-text-subtle)] mb-2", "aria-hidden": "true" }), _jsx("p", { className: "cls_profile_picture_upload_tab_dropzone_text text-sm text-[var(--hazo-text-muted)] text-center", children: "Drag and drop an image here, or click to select" }), _jsxs("p", { className: "cls_profile_picture_upload_tab_dropzone_hint text-xs text-[var(--hazo-text-muted)] text-center mt-1", children: ["JPG or PNG, max ", Math.round(maxSize / 1024), "KB"] })] }), error && (_jsx("p", { className: "cls_profile_picture_upload_tab_error text-sm text-red-600", role: "alert", children: error }))] }), _jsxs("div", { className: "cls_profile_picture_upload_tab_preview_container flex flex-col gap-2", children: [_jsx(Label, { className: "cls_profile_picture_upload_tab_preview_label text-sm font-medium text-[var(--hazo-text-secondary)]", children: isNewImage ? "Preview (new)" : "Preview (current)" }), _jsx("div", { className: "cls_profile_picture_upload_tab_preview_content flex flex-col items-center justify-center border border-[var(--hazo-border)] rounded-lg p-6 bg-[var(--hazo-bg-subtle)] min-h-[200px]", children: compressing ? (_jsxs("div", { className: "cls_profile_picture_upload_tab_compressing flex flex-col items-center gap-2", children: [_jsx(Loader2, { className: "h-8 w-8 text-[var(--hazo-text-subtle)] animate-spin", "aria-hidden": "true" }), _jsx("p", { className: "cls_profile_picture_upload_tab_compressing_text text-sm text-[var(--hazo-text-muted)]", children: "Compressing image..." })] })) : uploading ? (_jsxs("div", { className: "cls_profile_picture_upload_tab_uploading flex flex-col items-center gap-2", children: [_jsx(Loader2, { className: "h-8 w-8 text-[var(--hazo-text-subtle)] animate-spin", "aria-hidden": "true" }), _jsx("p", { className: "cls_profile_picture_upload_tab_uploading_text text-sm text-[var(--hazo-text-muted)]", children: "Uploading..." })] })) : preview ? (_jsxs("div", { className: "cls_profile_picture_upload_tab_preview_image_container flex flex-col items-center gap-4", children: [_jsxs("div", { className: "cls_profile_picture_upload_tab_preview_image_wrapper relative", children: [_jsxs(Avatar, { className: "cls_profile_picture_upload_tab_preview_avatar h-32 w-32", children: [_jsx(AvatarImage, { src: preview, alt: "Uploaded profile picture preview", className: "cls_profile_picture_upload_tab_preview_avatar_image" }), _jsx(AvatarFallback, { className: "cls_profile_picture_upload_tab_preview_avatar_fallback bg-[var(--hazo-bg-emphasis)] text-[var(--hazo-text-muted)] text-3xl", children: getInitials() })] }), _jsx(Button, { type: "button", onClick: handleRemove, variant: "ghost", size: "icon", className: "cls_profile_picture_upload_tab_preview_remove absolute -top-2 -right-2 rounded-full h-6 w-6 border border-[var(--hazo-border-emphasis)] bg-white hover:bg-[var(--hazo-bg-subtle)]", "aria-label": "Remove preview", children: _jsx(X, { className: "h-4 w-4", "aria-hidden": "true" }) })] }), _jsx("p", { className: "cls_profile_picture_upload_tab_preview_success_text text-sm text-[var(--hazo-text-muted)] text-center", children: "Preview of your uploaded photo" })] })) : (_jsxs("div", { className: "cls_profile_picture_upload_tab_preview_empty flex flex-col items-center gap-2", children: [_jsx(Avatar, { className: "cls_profile_picture_upload_tab_preview_empty_avatar h-32 w-32", children: _jsx(AvatarFallback, { className: "cls_profile_picture_upload_tab_preview_empty_avatar_fallback bg-[var(--hazo-bg-emphasis)] text-[var(--hazo-text-muted)] text-3xl", children: getInitials() }) }), _jsx("p", { className: "cls_profile_picture_upload_tab_preview_empty_text text-sm text-[var(--hazo-text-muted)] text-center", children: "Upload an image to see preview" })] })) })] })] })] }));
+                                }, children: [_jsx("input", { id: "file-upload-input", type: "file", accept: allowedImageMimeTypes.join(","), onChange: handleChange, disabled: disabled || !uploadEnabled, className: "hidden", "aria-label": "Upload profile picture" }), _jsx(Upload, { className: "h-8 w-8 text-[var(--hazo-text-subtle)] mb-2", "aria-hidden": "true" }), _jsx("p", { className: "cls_profile_picture_upload_tab_dropzone_text text-sm text-[var(--hazo-text-muted)] text-center", children: "Drag and drop an image here, or click to select" }), _jsxs("p", { className: "cls_profile_picture_upload_tab_dropzone_hint text-xs text-[var(--hazo-text-muted)] text-center mt-1", children: ["JPG or PNG, max ", Math.round(maxSize / 1024), "KB"] })] }), error && (_jsx("p", { className: "cls_profile_picture_upload_tab_error text-sm text-red-600", role: "alert", children: error }))] }), _jsxs("div", { className: "cls_profile_picture_upload_tab_preview_container flex flex-col gap-2", children: [_jsx(Label, { className: "cls_profile_picture_upload_tab_preview_label text-sm font-medium text-[var(--hazo-text-secondary)]", children: isNewImage ? "Preview (new)" : "Preview (current)" }), _jsx("div", { className: "cls_profile_picture_upload_tab_preview_content flex flex-col items-center justify-center border border-[var(--hazo-border)] rounded-lg p-6 bg-[var(--hazo-bg-subtle)] min-h-[200px]", children: compressing ? (_jsxs("div", { className: "cls_profile_picture_upload_tab_compressing flex flex-col items-center gap-2", children: [_jsx(Loader2, { className: "h-8 w-8 text-[var(--hazo-text-subtle)] animate-spin", "aria-hidden": "true" }), _jsx("p", { className: "cls_profile_picture_upload_tab_compressing_text text-sm text-[var(--hazo-text-muted)]", children: "Compressing image..." })] })) : uploading ? (_jsxs("div", { className: "cls_profile_picture_upload_tab_uploading flex flex-col items-center gap-2", children: [_jsx(Loader2, { className: "h-8 w-8 text-[var(--hazo-text-subtle)] animate-spin", "aria-hidden": "true" }), _jsx("p", { className: "cls_profile_picture_upload_tab_uploading_text text-sm text-[var(--hazo-text-muted)]", children: "Uploading..." })] })) : preview ? (_jsxs("div", { className: "cls_profile_picture_upload_tab_preview_image_container flex flex-col items-center gap-4", children: [_jsxs("div", { className: "cls_profile_picture_upload_tab_preview_image_wrapper relative", children: [_jsxs(Avatar, { className: "cls_profile_picture_upload_tab_preview_avatar h-32 w-32", children: [_jsx(AvatarImage, { src: preview, alt: "Uploaded profile picture preview", className: "cls_profile_picture_upload_tab_preview_avatar_image" }), _jsx(AvatarFallback, { className: "cls_profile_picture_upload_tab_preview_avatar_fallback bg-[var(--hazo-bg-emphasis)] text-[var(--hazo-text-muted)] text-3xl", children: getInitials() })] }), _jsx(Button, { type: "button", onClick: handleRemove, variant: "ghost", size: "icon", className: "cls_profile_picture_upload_tab_preview_remove absolute -top-2 -right-2 rounded-full h-6 w-6 border border-[var(--hazo-border-emphasis)] bg-white hover:bg-[var(--hazo-bg-subtle)]", "aria-label": "Remove preview", children: _jsx(X, { className: "h-4 w-4", "aria-hidden": "true" }) })] }), _jsx("p", { className: "cls_profile_picture_upload_tab_preview_success_text text-sm text-[var(--hazo-text-muted)] text-center", children: "Preview of your uploaded photo" })] })) : (_jsxs("div", { className: "cls_profile_picture_upload_tab_preview_empty flex flex-col items-center gap-2", children: [_jsx(Avatar, { className: "cls_profile_picture_upload_tab_preview_empty_avatar h-32 w-32", children: _jsx(AvatarFallback, { className: "cls_profile_picture_upload_tab_preview_empty_avatar_fallback bg-[var(--hazo-bg-emphasis)] text-[var(--hazo-text-muted)] text-3xl", children: getInitials() }) }), _jsx("p", { className: "cls_profile_picture_upload_tab_preview_empty_text text-sm text-[var(--hazo-text-muted)] text-center", children: "Upload an image to see preview" })] })) })] })] }), _jsx(HazoUiImageCropperDialog, { open: cropFile !== null, onOpenChange: (open) => { if (!open && !uploading && !compressing)
+                    setCropFile(null); }, file: cropFile, onConfirm: handle_crop_confirm, title: cropTitle, confirmLabel: cropConfirmLabel, cancelLabel: cropCancelLabel, zoomLabel: cropZoomLabel })] }));
 }

package/dist/lib/services/demo_account_service.d.ts

@@ -0,0 +1,43 @@
+import type { HazoConnectAdapter } from "hazo_connect";
+export declare class DemoSeedNotAllowed extends Error {
+    constructor(message: string);
+}
+/**
+ * Throws DemoSeedNotAllowed if the current environment is production
+ * or if HAZO_AUTH_ALLOW_DEMO_SEED is not set to "true".
+ * This must be called at the top of every exported function in this module.
+ */
+export declare function assert_demo_seed_allowed(): void;
+export type CreateDemoUserOptions = {
+    email?: string;
+    password?: string;
+    name?: string;
+    admin?: boolean;
+};
+export type CreateDemoUserResult = {
+    user_id: string;
+    email: string;
+    password: string;
+};
+export type DeleteDemoUsersOptions = {
+    email?: string;
+    prefixes?: string[];
+};
+/**
+ * Creates a demo user in the database, assigning them to the default system scope.
+ * Idempotent on email — if the user already exists their id is reused and the
+ * scope/role assignment is still ensured.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export declare function create_demo_user(adapter: HazoConnectAdapter, opts?: CreateDemoUserOptions): Promise<CreateDemoUserResult>;
+/**
+ * Deletes demo users (and their scope rows) whose email matches the given
+ * address or any of the given prefixes.  Defaults to the "__demo_" prefix.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export declare function delete_demo_users(adapter: HazoConnectAdapter, opts?: DeleteDemoUsersOptions): Promise<{
+    deleted: number;
+}>;
+//# sourceMappingURL=demo_account_service.d.ts.map

package/dist/lib/services/demo_account_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"demo_account_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/demo_account_service.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAID;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAY/C;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB,CAAC;AAIF;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,oBAAoB,CAAC,CAwG/B;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAuC9B"}

package/dist/lib/services/demo_account_service.js

@@ -0,0 +1,171 @@
+// file_description: dev-only service for seeding demo accounts in hazo_auth; physically blocked in production
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { randomUUID } from "crypto";
+import { DEFAULT_SYSTEM_SCOPE_ID } from "./scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
+// section: errors
+export class DemoSeedNotAllowed extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "DemoSeedNotAllowed";
+    }
+}
+// section: guards
+/**
+ * Throws DemoSeedNotAllowed if the current environment is production
+ * or if HAZO_AUTH_ALLOW_DEMO_SEED is not set to "true".
+ * This must be called at the top of every exported function in this module.
+ */
+export function assert_demo_seed_allowed() {
+    var _a, _b;
+    const env = (_b = (_a = process.env.HAZO_ENV) !== null && _a !== void 0 ? _a : process.env.NODE_ENV) !== null && _b !== void 0 ? _b : "development";
+    if (env === "production") {
+        throw new DemoSeedNotAllowed("Demo seeding is disabled. Requires a non-production env AND HAZO_AUTH_ALLOW_DEMO_SEED=true.");
+    }
+    if (process.env.HAZO_AUTH_ALLOW_DEMO_SEED !== "true") {
+        throw new DemoSeedNotAllowed("Demo seeding is disabled. Requires a non-production env AND HAZO_AUTH_ALLOW_DEMO_SEED=true.");
+    }
+}
+// section: helpers
+/**
+ * Creates a demo user in the database, assigning them to the default system scope.
+ * Idempotent on email — if the user already exists their id is reused and the
+ * scope/role assignment is still ensured.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export async function create_demo_user(adapter, opts = {}) {
+    var _a, _b, _c, _d;
+    assert_demo_seed_allowed();
+    const email = (_a = opts.email) !== null && _a !== void 0 ? _a : `__demo_${Date.now()}@hazo.test`;
+    const password = (_b = opts.password) !== null && _b !== void 0 ? _b : "Demo_Pass123!";
+    const name = (_c = opts.name) !== null && _c !== void 0 ? _c : "Demo User";
+    const admin = (_d = opts.admin) !== null && _d !== void 0 ? _d : false;
+    const now = new Date().toISOString();
+    const users_service = createCrudService(adapter, "hazo_users");
+    const roles_service = createCrudService(adapter, "hazo_roles");
+    const permissions_service = createCrudService(adapter, "hazo_permissions");
+    const role_permissions_service = createCrudService(adapter, "hazo_role_permissions", { primaryKeys: ["role_id", "permission_id"], autoId: false });
+    const user_scopes_service = createCrudService(adapter, "hazo_user_scopes", {
+        primaryKeys: ["user_id", "scope_id"],
+        autoId: false,
+    });
+    // Idempotent: reuse existing user if email already registered
+    let user_id;
+    const existing_users = await users_service.findBy({ email_address: email });
+    if (Array.isArray(existing_users) && existing_users.length > 0) {
+        user_id = existing_users[0].id;
+    }
+    else {
+        const password_hash = await argon2.hash(password);
+        user_id = randomUUID();
+        await users_service.insert({
+            id: user_id,
+            email_address: email,
+            password_hash,
+            email_verified: true,
+            status: "ACTIVE",
+            login_attempts: 0,
+            auth_providers: "email",
+            name,
+            created_at: now,
+            changed_at: now,
+        });
+    }
+    // Ensure role exists
+    const role_name = admin ? "default_super_user_role" : "demo_member_role";
+    const existing_roles = await roles_service.findBy({ role_name });
+    let role_id;
+    if (Array.isArray(existing_roles) && existing_roles.length > 0) {
+        role_id = existing_roles[0].id;
+    }
+    else {
+        const new_role = await roles_service.insert({ role_name, created_at: now, changed_at: now });
+        role_id = Array.isArray(new_role)
+            ? new_role[0].id
+            : new_role.id;
+    }
+    // Admin users: ensure GLOBAL_ADMIN_PERMISSION is in the catalog and linked to the role
+    if (admin) {
+        // Ensure permission exists
+        const existing_perms = await permissions_service.findBy({
+            permission_name: GLOBAL_ADMIN_PERMISSION,
+        });
+        let permission_id;
+        if (Array.isArray(existing_perms) && existing_perms.length > 0) {
+            permission_id = existing_perms[0].id;
+        }
+        else {
+            const new_perm = await permissions_service.insert({
+                permission_name: GLOBAL_ADMIN_PERMISSION,
+                description: "Global admin — access to all scopes and operations",
+                created_at: now,
+                changed_at: now,
+            });
+            permission_id = Array.isArray(new_perm)
+                ? new_perm[0].id
+                : new_perm.id;
+        }
+        // Ensure role→permission link
+        const existing_rp = await role_permissions_service.findBy({ role_id, permission_id });
+        if (!Array.isArray(existing_rp) || existing_rp.length === 0) {
+            await role_permissions_service.insert({ role_id, permission_id });
+        }
+    }
+    // Ensure user→scope assignment
+    const existing_user_scopes = await user_scopes_service.findBy({
+        user_id,
+        scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+    });
+    if (!Array.isArray(existing_user_scopes) || existing_user_scopes.length === 0) {
+        await user_scopes_service.insert({
+            user_id,
+            scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+            root_scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+            role_id,
+            created_at: now,
+            changed_at: now,
+        });
+    }
+    return { user_id, email, password };
+}
+/**
+ * Deletes demo users (and their scope rows) whose email matches the given
+ * address or any of the given prefixes.  Defaults to the "__demo_" prefix.
+ *
+ * REQUIRES: non-production env + HAZO_AUTH_ALLOW_DEMO_SEED=true
+ */
+export async function delete_demo_users(adapter, opts = {}) {
+    var _a;
+    assert_demo_seed_allowed();
+    const prefixes = (_a = opts.prefixes) !== null && _a !== void 0 ? _a : ["__demo_"];
+    const users = createCrudService(adapter, "hazo_users");
+    const user_scopes_service = createCrudService(adapter, "hazo_user_scopes", {
+        primaryKeys: ["user_id", "scope_id"],
+        autoId: false,
+    });
+    const all = await users.list((qb) => qb.limit(500));
+    const targets = all.filter((u) => {
+        if (opts.email && u.email_address === opts.email)
+            return true;
+        return prefixes.some((p) => typeof u.email_address === "string" && u.email_address.startsWith(p));
+    });
+    let deleted = 0;
+    for (const u of targets) {
+        const uid = u.id;
+        try {
+            // Best-effort: delete this user's scope rows. hazo_user_scopes has a
+            // composite PK (no `id` column); deleteById on a multi-key table falls
+            // back to the first primary key (user_id), so this removes all of the
+            // user's scope rows in one call.
+            await user_scopes_service.deleteById(uid).catch(() => { });
+            await users.deleteById(uid);
+            deleted += 1;
+        }
+        catch (_b) {
+            // best-effort — skip users that can't be deleted
+        }
+    }
+    return { deleted };
+}

package/dist/lib/services/index.d.ts

@@ -19,4 +19,5 @@ export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
 export * from "./google_token_service.js";
+export * from "./demo_account_service.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/lib/services/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,wBAAwB,CAAC;AACvC,cAAc,wBAAwB,CAAC"}

package/dist/lib/services/index.js

@@ -21,3 +21,4 @@ export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
 export * from "./google_token_service.js";
+export * from "./demo_account_service.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "10.2.1",
+  "version": "10.2.3",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",
@@ -206,6 +206,8 @@
     "dev:server": "tsx src/server/index.ts",
     "migrate": "tsx scripts/apply_migration.ts",
     "init-users": "tsx scripts/init_users.ts init_users",
+    "demo:create": "tsx --conditions react-server scripts/demo.ts create",
+    "demo:delete": "tsx --conditions react-server scripts/demo.ts delete",
     "test": "cross-env NODE_ENV=test jest --runInBand",
     "test:watch": "cross-env NODE_ENV=test jest --watch"
   },
@@ -259,7 +261,7 @@
     "hazo_logs": "^2.0.3",
     "hazo_notify": "^6.1.3",
     "hazo_secure": "^1.1.0",
-    "hazo_ui": "^4.0.0",
+    "hazo_ui": "^4.2.0",
     "input-otp": "^1.4.0",
     "lucide-react": "^0.553.0",
     "next": "^14.0.0",
@@ -392,13 +394,13 @@
     "eslint": "^9.39.1",
     "eslint-config-next": "^16.0.4",
     "eslint-plugin-storybook": "^10.0.6",
-    "hazo_api": "^2.4.0",
+    "hazo_api": "^2.5.0",
     "hazo_config": "^2.1.11",
     "hazo_connect": "^3.7.0",
     "hazo_core": "^1.2.0",
     "hazo_logs": "^2.0.3",
     "hazo_notify": "^6.1.3",
-    "hazo_ui": "^4.0.0",
+    "hazo_ui": "^4.2.0",
     "input-otp": "^1.4.0",
     "jest": "^30.2.0",
     "jest-environment-jsdom": "^30.0.0",