hazo_auth 3.0.4 → 4.0.0

package/dist/lib/auth/scope_cache.d.ts

@@ -0,0 +1,92 @@
+import type { ScopeLevel } from "../services/scope_service";
+/**
+ * User scope assignment record
+ */
+export type UserScopeEntry = {
+    scope_type: ScopeLevel;
+    scope_id: string;
+    scope_seq: string;
+};
+/**
+ * Cache entry structure for user scopes
+ */
+type ScopeCacheEntry = {
+    user_id: string;
+    scopes: UserScopeEntry[];
+    timestamp: number;
+    cache_version: number;
+};
+/**
+ * LRU cache implementation for user scope lookups
+ * Uses Map to maintain insertion order for LRU eviction
+ */
+declare class ScopeCache {
+    private cache;
+    private max_size;
+    private ttl_ms;
+    private scope_version_map;
+    constructor(max_size: number, ttl_minutes: number);
+    /**
+     * Gets a cache entry for a user's scopes
+     * Returns undefined if not found or expired
+     * @param user_id - User ID to look up
+     * @returns Cache entry or undefined
+     */
+    get(user_id: string): ScopeCacheEntry | undefined;
+    /**
+     * Sets a cache entry for a user's scopes
+     * Evicts least recently used entries if cache is full
+     * @param user_id - User ID
+     * @param scopes - User's scope assignments
+     */
+    set(user_id: string, scopes: UserScopeEntry[]): void;
+    /**
+     * Invalidates cache for a specific user
+     * @param user_id - User ID to invalidate
+     */
+    invalidate_user(user_id: string): void;
+    /**
+     * Invalidates cache for all users with a specific scope
+     * Uses cache version to determine if invalidation is needed
+     * @param scope_type - Scope level
+     * @param scope_id - Scope ID to invalidate
+     */
+    invalidate_by_scope(scope_type: ScopeLevel, scope_id: string): void;
+    /**
+     * Invalidates cache for all users with any scope of a specific level
+     * @param scope_type - Scope level to invalidate
+     */
+    invalidate_by_scope_level(scope_type: ScopeLevel): void;
+    /**
+     * Invalidates all cache entries
+     */
+    invalidate_all(): void;
+    /**
+     * Gets the maximum cache version for a set of scopes
+     * Used to determine if cache entry is stale
+     * @param scopes - Array of scope entries
+     * @returns Maximum version number
+     */
+    private get_max_scope_version;
+    /**
+     * Gets cache statistics
+     * @returns Object with cache size and max size
+     */
+    get_stats(): {
+        size: number;
+        max_size: number;
+    };
+}
+/**
+ * Gets or creates the global scope cache instance
+ * @param max_size - Maximum cache size (default: 5000)
+ * @param ttl_minutes - TTL in minutes (default: 15)
+ * @returns Scope cache instance
+ */
+export declare function get_scope_cache(max_size?: number, ttl_minutes?: number): ScopeCache;
+/**
+ * Resets the global scope cache instance (useful for testing)
+ */
+export declare function reset_scope_cache(): void;
+export {};
+//# sourceMappingURL=scope_cache.d.ts.map

package/dist/lib/auth/scope_cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope_cache.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/scope_cache.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAI5D;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,UAAU,EAAE,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;GAEG;AACH,KAAK,eAAe,GAAG;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF;;;GAGG;AACH,cAAM,UAAU;IACd,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,iBAAiB,CAAsB;gBAEnC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM;IAOjD;;;;;OAKG;IACH,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IA8BjD;;;;;OAKG;IACH,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,IAAI;IAwBpD;;;OAGG;IACH,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAItC;;;;;OAKG;IACH,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI;IAsBnE;;;OAGG;IACH,yBAAyB,CAAC,UAAU,EAAE,UAAU,GAAG,IAAI;IAevD;;OAEG;IACH,cAAc,IAAI,IAAI;IAKtB;;;;;OAKG;IACH,OAAO,CAAC,qBAAqB;IAe7B;;;OAGG;IACH,SAAS,IAAI;QACX,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB;CAMF;AAMD;;;;;GAKG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,GAAE,MAAa,EACvB,WAAW,GAAE,MAAW,GACvB,UAAU,CAKZ;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CAExC"}

package/dist/lib/auth/scope_cache.js

@@ -0,0 +1,171 @@
+/**
+ * LRU cache implementation for user scope lookups
+ * Uses Map to maintain insertion order for LRU eviction
+ */
+class ScopeCache {
+    constructor(max_size, ttl_minutes) {
+        this.cache = new Map();
+        this.max_size = max_size;
+        this.ttl_ms = ttl_minutes * 60 * 1000;
+        this.scope_version_map = new Map();
+    }
+    /**
+     * Gets a cache entry for a user's scopes
+     * Returns undefined if not found or expired
+     * @param user_id - User ID to look up
+     * @returns Cache entry or undefined
+     */
+    get(user_id) {
+        const entry = this.cache.get(user_id);
+        if (!entry) {
+            return undefined;
+        }
+        const now = Date.now();
+        const age = now - entry.timestamp;
+        // Check if entry is expired (TTL)
+        if (age > this.ttl_ms) {
+            this.cache.delete(user_id);
+            return undefined;
+        }
+        // Check if any of user's scopes have been invalidated
+        const max_scope_version = this.get_max_scope_version(entry.scopes);
+        if (max_scope_version > entry.cache_version) {
+            this.cache.delete(user_id);
+            return undefined;
+        }
+        // Move to end (most recently used)
+        this.cache.delete(user_id);
+        this.cache.set(user_id, entry);
+        return entry;
+    }
+    /**
+     * Sets a cache entry for a user's scopes
+     * Evicts least recently used entries if cache is full
+     * @param user_id - User ID
+     * @param scopes - User's scope assignments
+     */
+    set(user_id, scopes) {
+        // Evict LRU entries if cache is full
+        while (this.cache.size >= this.max_size) {
+            const first_key = this.cache.keys().next().value;
+            if (first_key) {
+                this.cache.delete(first_key);
+            }
+            else {
+                break;
+            }
+        }
+        // Get current cache version for user's scopes
+        const cache_version = this.get_max_scope_version(scopes);
+        const entry = {
+            user_id,
+            scopes,
+            timestamp: Date.now(),
+            cache_version,
+        };
+        this.cache.set(user_id, entry);
+    }
+    /**
+     * Invalidates cache for a specific user
+     * @param user_id - User ID to invalidate
+     */
+    invalidate_user(user_id) {
+        this.cache.delete(user_id);
+    }
+    /**
+     * Invalidates cache for all users with a specific scope
+     * Uses cache version to determine if invalidation is needed
+     * @param scope_type - Scope level
+     * @param scope_id - Scope ID to invalidate
+     */
+    invalidate_by_scope(scope_type, scope_id) {
+        const scope_key = `${scope_type}:${scope_id}`;
+        const current_version = this.scope_version_map.get(scope_key) || 0;
+        this.scope_version_map.set(scope_key, current_version + 1);
+        // Remove entries where cache version is older than scope version
+        const entries_to_remove = [];
+        for (const [user_id, entry] of this.cache.entries()) {
+            // Check if user has this scope
+            const has_scope = entry.scopes.some((s) => s.scope_type === scope_type && s.scope_id === scope_id);
+            if (has_scope) {
+                entries_to_remove.push(user_id);
+            }
+        }
+        for (const user_id of entries_to_remove) {
+            this.cache.delete(user_id);
+        }
+    }
+    /**
+     * Invalidates cache for all users with any scope of a specific level
+     * @param scope_type - Scope level to invalidate
+     */
+    invalidate_by_scope_level(scope_type) {
+        const entries_to_remove = [];
+        for (const [user_id, entry] of this.cache.entries()) {
+            // Check if user has any scope of this level
+            const has_level = entry.scopes.some((s) => s.scope_type === scope_type);
+            if (has_level) {
+                entries_to_remove.push(user_id);
+            }
+        }
+        for (const user_id of entries_to_remove) {
+            this.cache.delete(user_id);
+        }
+    }
+    /**
+     * Invalidates all cache entries
+     */
+    invalidate_all() {
+        this.cache.clear();
+        this.scope_version_map.clear();
+    }
+    /**
+     * Gets the maximum cache version for a set of scopes
+     * Used to determine if cache entry is stale
+     * @param scopes - Array of scope entries
+     * @returns Maximum version number
+     */
+    get_max_scope_version(scopes) {
+        if (scopes.length === 0) {
+            return 0;
+        }
+        let max_version = 0;
+        for (const scope of scopes) {
+            const scope_key = `${scope.scope_type}:${scope.scope_id}`;
+            const version = this.scope_version_map.get(scope_key) || 0;
+            max_version = Math.max(max_version, version);
+        }
+        return max_version;
+    }
+    /**
+     * Gets cache statistics
+     * @returns Object with cache size and max size
+     */
+    get_stats() {
+        return {
+            size: this.cache.size,
+            max_size: this.max_size,
+        };
+    }
+}
+// section: singleton
+// Global scope cache instance (initialized with defaults, will be configured on first use)
+let scope_cache_instance = null;
+/**
+ * Gets or creates the global scope cache instance
+ * @param max_size - Maximum cache size (default: 5000)
+ * @param ttl_minutes - TTL in minutes (default: 15)
+ * @returns Scope cache instance
+ */
+export function get_scope_cache(max_size = 5000, ttl_minutes = 15) {
+    if (!scope_cache_instance) {
+        scope_cache_instance = new ScopeCache(max_size, ttl_minutes);
+    }
+    return scope_cache_instance;
+}
+/**
+ * Resets the global scope cache instance (useful for testing)
+ */
+export function reset_scope_cache() {
+    scope_cache_instance = null;
+}

package/dist/lib/scope_hierarchy_config.server.d.ts

@@ -0,0 +1,39 @@
+import type { ScopeLevel } from "./services/scope_service";
+/**
+ * Scope hierarchy configuration options for HRBAC
+ */
+export type ScopeHierarchyConfig = {
+    /** Whether HRBAC is enabled (default: false) */
+    enable_hrbac: boolean;
+    /** Default organization for single-tenant apps (optional) */
+    default_org: string;
+    /** Cache TTL in minutes for scope lookups (default: 15) */
+    scope_cache_ttl_minutes: number;
+    /** Maximum entries in scope cache (default: 5000) */
+    scope_cache_max_entries: number;
+    /** Which scope levels are active/enabled */
+    active_levels: ScopeLevel[];
+    /** Default labels for each scope level */
+    default_labels: Record<ScopeLevel, string>;
+};
+/**
+ * Reads HRBAC scope hierarchy configuration from hazo_auth_config.ini file
+ * Falls back to defaults if config file is not found or section is missing
+ * @returns Scope hierarchy configuration options
+ */
+export declare function get_scope_hierarchy_config(): ScopeHierarchyConfig;
+/**
+ * Checks if HRBAC is enabled in the configuration
+ * Convenience function for quick checks
+ */
+export declare function is_hrbac_enabled(): boolean;
+/**
+ * Gets the default organization from config
+ * Returns empty string if not configured (multi-tenant mode)
+ */
+export declare function get_default_org(): string;
+/**
+ * Gets the default label for a scope level
+ */
+export declare function get_default_label(level: ScopeLevel): string;
+//# sourceMappingURL=scope_hierarchy_config.server.d.ts.map

package/dist/lib/scope_hierarchy_config.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope_hierarchy_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/scope_hierarchy_config.server.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAK3D;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG;IACjC,gDAAgD;IAChD,YAAY,EAAE,OAAO,CAAC;IACtB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,2DAA2D;IAC3D,uBAAuB,EAAE,MAAM,CAAC;IAChC,qDAAqD;IACrD,uBAAuB,EAAE,MAAM,CAAC;IAChC,4CAA4C;IAC5C,aAAa,EAAE,UAAU,EAAE,CAAC;IAC5B,0CAA0C;IAC1C,cAAc,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;CAC5C,CAAC;AA0DF;;;;GAIG;AACH,wBAAgB,0BAA0B,IAAI,oBAAoB,CAkCjE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAE1C;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAG3D"}

package/dist/lib/scope_hierarchy_config.server.js

@@ -0,0 +1,96 @@
+// file_description: server-only helper to read HRBAC scope hierarchy configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_value, get_config_number, get_config_boolean, } from "./config/config_loader.server";
+import { SCOPE_LEVELS } from "./services/scope_service";
+// section: constants
+const SECTION_NAME = "hazo_auth__scope_hierarchy";
+const DEFAULT_LABELS = {
+    hazo_scopes_l1: "Level 1",
+    hazo_scopes_l2: "Level 2",
+    hazo_scopes_l3: "Level 3",
+    hazo_scopes_l4: "Level 4",
+    hazo_scopes_l5: "Level 5",
+    hazo_scopes_l6: "Level 6",
+    hazo_scopes_l7: "Level 7",
+};
+// section: helpers
+/**
+ * Parses the active_levels config value into an array of ScopeLevel
+ * If not configured, returns all levels
+ */
+function parse_active_levels(config_value) {
+    if (!config_value || config_value.trim().length === 0) {
+        return [...SCOPE_LEVELS]; // All levels active by default
+    }
+    const levels = config_value.split(",").map((s) => s.trim());
+    const valid_levels = [];
+    for (const level of levels) {
+        if (SCOPE_LEVELS.includes(level)) {
+            valid_levels.push(level);
+        }
+    }
+    return valid_levels.length > 0 ? valid_levels : [...SCOPE_LEVELS];
+}
+/**
+ * Reads default labels from config, falling back to defaults
+ */
+function get_default_labels() {
+    const labels = Object.assign({}, DEFAULT_LABELS);
+    for (let i = 1; i <= 7; i++) {
+        const level = `hazo_scopes_l${i}`;
+        const config_key = `default_label_l${i}`;
+        const config_value = get_config_value(SECTION_NAME, config_key, "");
+        if (config_value && config_value.trim().length > 0) {
+            labels[level] = config_value.trim();
+        }
+    }
+    return labels;
+}
+/**
+ * Reads HRBAC scope hierarchy configuration from hazo_auth_config.ini file
+ * Falls back to defaults if config file is not found or section is missing
+ * @returns Scope hierarchy configuration options
+ */
+export function get_scope_hierarchy_config() {
+    // Core HRBAC enablement
+    const enable_hrbac = get_config_boolean(SECTION_NAME, "enable_hrbac", false);
+    // Default organization for single-tenant apps
+    const default_org = get_config_value(SECTION_NAME, "default_org", "");
+    // Cache settings
+    const scope_cache_ttl_minutes = get_config_number(SECTION_NAME, "scope_cache_ttl_minutes", 15);
+    const scope_cache_max_entries = get_config_number(SECTION_NAME, "scope_cache_max_entries", 5000);
+    // Active levels
+    const active_levels_str = get_config_value(SECTION_NAME, "active_levels", "");
+    const active_levels = parse_active_levels(active_levels_str);
+    // Default labels
+    const default_labels = get_default_labels();
+    return {
+        enable_hrbac,
+        default_org,
+        scope_cache_ttl_minutes,
+        scope_cache_max_entries,
+        active_levels,
+        default_labels,
+    };
+}
+/**
+ * Checks if HRBAC is enabled in the configuration
+ * Convenience function for quick checks
+ */
+export function is_hrbac_enabled() {
+    return get_config_boolean(SECTION_NAME, "enable_hrbac", false);
+}
+/**
+ * Gets the default organization from config
+ * Returns empty string if not configured (multi-tenant mode)
+ */
+export function get_default_org() {
+    return get_config_value(SECTION_NAME, "default_org", "");
+}
+/**
+ * Gets the default label for a scope level
+ */
+export function get_default_label(level) {
+    const config_key = `default_label_l${level.charAt(level.length - 1)}`;
+    return get_config_value(SECTION_NAME, config_key, DEFAULT_LABELS[level]);
+}

package/dist/lib/services/email_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"email_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/email_service.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,aAAa,EAAoB,MAAM,aAAa,CAAC;AAGnE,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,kBAAkB,CAAC;AAE9F,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CACnC,CAAC;AAaF;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAEpE;AA0YD;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwErG;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,iBAAiB,EAChC,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAiD/C"}
+{"version":3,"file":"email_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/email_service.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,aAAa,EAAoB,MAAM,aAAa,CAAC;AAGnE,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,kBAAkB,CAAC;AAE9F,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CACnC,CAAC;AAmBF;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAEpE;AA0YD;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwErG;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,iBAAiB,EAChC,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAiD/C"}

package/dist/lib/services/email_service.js

@@ -6,7 +6,12 @@ import { create_app_logger } from "../app_logger";
 import { read_config_section } from "../config/config_loader.server";
 // section: constants
 const DEFAULT_EMAIL_FROM = "noreply@hazo_auth.local";
-const DEFAULT_EMAIL_TEMPLATE_DIR = path.resolve(process.cwd(), "email_templates");
+/**
+ * Gets the default email template directory (lazy-evaluated to avoid Edge Runtime issues)
+ */
+function get_default_email_template_dir() {
+    return path.resolve(process.cwd(), "email_templates");
+}
 // section: singleton
 /**
  * Singleton instance for hazo_notify emailer configuration
@@ -66,7 +71,7 @@ function get_email_template_directory() {
             ? template_dir
             : path.resolve(process.cwd(), template_dir);
     }
-    return DEFAULT_EMAIL_TEMPLATE_DIR;
+    return get_default_email_template_dir();
 }
 /**
  * Gets email from address from config

package/dist/lib/services/profile_picture_service.d.ts

@@ -55,13 +55,7 @@ export declare function get_library_source(): "project" | "node_modules" | null;
  * Clears the library path cache (useful for testing or after copying files)
  */
 export declare function clear_library_cache(): void;
-/**
- * Gets default profile picture based on configuration priority
- * @param user_email - User's email address
- * @param user_name - User's name (optional)
- * @returns Default profile picture URL and source, or null if no default available
- */
-export declare function get_default_profile_picture(user_email: string, user_name?: string): DefaultProfilePictureResult | null;
+export declare function get_default_profile_picture(user_email: string, user_name?: string): Promise<DefaultProfilePictureResult | null>;
 /**
  * Updates user profile picture in database
  * @param adapter - The hazo_connect adapter instance

package/dist/lib/services/profile_picture_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"profile_picture_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/profile_picture_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,OAAO,EAAuB,KAAK,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AAGnG,MAAM,MAAM,oBAAoB,GAAG,sBAAsB,CAAC;AAE1D,MAAM,MAAM,2BAA2B,GAAG;IACxC,mBAAmB,EAAE,MAAM,CAAC;IAC5B,cAAc,EAAE,oBAAoB,CAAC;CACtC,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,SAAS,GAAG,cAAc,CAAC;CACpC,CAAC;AA2DF;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAOrE;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAyBjD;AAED;;;;;;GAMG;AACH,wBAAgB,4BAA4B,CAC1C,QAAQ,EAAE,MAAM,EAChB,IAAI,GAAE,MAAU,EAChB,SAAS,GAAE,MAAW,GACrB,mBAAmB,CA6FrB;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAI7D;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAcxF;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,SAAS,GAAG,cAAc,GAAG,IAAI,CAGtE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAG1C;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CACzC,UAAU,EAAE,MAAM,EAClB,SAAS,CAAC,EAAE,MAAM,GACjB,2BAA2B,GAAG,IAAI,CA2DpC;AAED;;;;;;;GAOG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,MAAM,EAC3B,cAAc,EAAE,oBAAoB,GACnC,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsB/C"}
+{"version":3,"file":"profile_picture_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/profile_picture_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,OAAO,EAAuB,KAAK,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AAGnG,MAAM,MAAM,oBAAoB,GAAG,sBAAsB,CAAC;AAE1D,MAAM,MAAM,2BAA2B,GAAG;IACxC,mBAAmB,EAAE,MAAM,CAAC;IAC5B,cAAc,EAAE,oBAAoB,CAAC;CACtC,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,SAAS,GAAG,cAAc,CAAC;CACpC,CAAC;AA2DF;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAOrE;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAyBjD;AAED;;;;;;GAMG;AACH,wBAAgB,4BAA4B,CAC1C,QAAQ,EAAE,MAAM,EAChB,IAAI,GAAE,MAAU,EAChB,SAAS,GAAE,MAAW,GACrB,mBAAmB,CA6FrB;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAI7D;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAcxF;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,SAAS,GAAG,cAAc,GAAG,IAAI,CAGtE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAG1C;AA4DD,wBAAsB,2BAA2B,CAC/C,UAAU,EAAE,MAAM,EAClB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,2BAA2B,GAAG,IAAI,CAAC,CA+D7C;AAED;;;;;;;GAOG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,MAAM,EAC3B,cAAc,EAAE,oBAAoB,GACnC,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsB/C"}

package/dist/lib/services/profile_picture_service.js

@@ -238,7 +238,50 @@ export function clear_library_cache() {
  * @param user_name - User's name (optional)
  * @returns Default profile picture URL and source, or null if no default available
  */
-export function get_default_profile_picture(user_email, user_name) {
+/**
+ * Checks if a Gravatar exists for the given email by making a HEAD request
+ * @param email - User email address
+ * @returns Promise<boolean> - true if Gravatar exists (status 200), false otherwise (404 or error)
+ */
+async function check_gravatar_exists(email) {
+    try {
+        const uiSizes = get_ui_sizes_config();
+        const gravatar_url = get_gravatar_url(email, uiSizes.gravatar_size);
+        // Make HEAD request to check if image exists without downloading it
+        const response = await fetch(gravatar_url, {
+            method: 'HEAD',
+            // Add timeout to prevent hanging
+            signal: AbortSignal.timeout(5000) // 5 second timeout
+        });
+        // Gravatar returns 200 if user has an image, 404 if using default/mystery-person
+        return response.ok;
+    }
+    catch (error) {
+        // If fetch fails (network error, timeout, etc.), assume no Gravatar
+        return false;
+    }
+}
+/**
+ * Gets a random image from a random category in the library
+ * @returns string | null - Random library photo URL or null if no photos available
+ */
+function get_random_library_photo() {
+    const categories = get_library_categories();
+    if (categories.length === 0) {
+        return null;
+    }
+    // Pick a random category
+    const random_category = categories[Math.floor(Math.random() * categories.length)];
+    // Get photos from that category
+    const photos = get_library_photos(random_category);
+    if (photos.length === 0) {
+        return null;
+    }
+    // Pick a random photo from that category
+    const random_photo = photos[Math.floor(Math.random() * photos.length)];
+    return random_photo;
+}
+export async function get_default_profile_picture(user_email, user_name) {
     const config = get_profile_picture_config();
     if (!config.user_photo_default) {
         return null;
@@ -246,25 +289,25 @@ export function get_default_profile_picture(user_email, user_name) {
     const uiSizes = get_ui_sizes_config();
     // Try priority 1
     if (config.user_photo_default_priority1 === "gravatar") {
-        const gravatar_url = get_gravatar_url(user_email, uiSizes.gravatar_size);
-        // Note: We can't check if Gravatar actually exists without making a request
-        // For now, we'll always return Gravatar URL and let the browser handle 404
-        return {
-            profile_picture_url: gravatar_url,
-            profile_source: "gravatar",
-        };
+        // Check if Gravatar actually exists for this email
+        const gravatar_exists = await check_gravatar_exists(user_email);
+        if (gravatar_exists) {
+            const gravatar_url = get_gravatar_url(user_email, uiSizes.gravatar_size);
+            return {
+                profile_picture_url: gravatar_url,
+                profile_source: "gravatar",
+            };
+        }
+        // If Gravatar doesn't exist, fall through to priority 2
     }
     else if (config.user_photo_default_priority1 === "library") {
-        const categories = get_library_categories();
-        if (categories.length > 0) {
-            // Use first category, first photo as default
-            const photos = get_library_photos(categories[0]);
-            if (photos.length > 0) {
-                return {
-                    profile_picture_url: photos[0],
-                    profile_source: "library",
-                };
-            }
+        // Use random library photo instead of first photo
+        const random_photo = get_random_library_photo();
+        if (random_photo) {
+            return {
+                profile_picture_url: random_photo,
+                profile_source: "library",
+            };
         }
     }
     // Try priority 2 if priority 1 didn't work (only if priority2 is different from priority1)
@@ -272,22 +315,24 @@ export function get_default_profile_picture(user_email, user_name) {
     const priority2 = config.user_photo_default_priority2;
     if (priority2 && priority2 !== priority1) {
         if (priority2 === "gravatar") {
-            const gravatar_url = get_gravatar_url(user_email, uiSizes.gravatar_size);
-            return {
-                profile_picture_url: gravatar_url,
-                profile_source: "gravatar",
-            };
+            // Check if Gravatar actually exists for this email
+            const gravatar_exists = await check_gravatar_exists(user_email);
+            if (gravatar_exists) {
+                const gravatar_url = get_gravatar_url(user_email, uiSizes.gravatar_size);
+                return {
+                    profile_picture_url: gravatar_url,
+                    profile_source: "gravatar",
+                };
+            }
         }
         else if (priority2 === "library") {
-            const categories = get_library_categories();
-            if (categories.length > 0) {
-                const photos = get_library_photos(categories[0]);
-                if (photos.length > 0) {
-                    return {
-                        profile_picture_url: photos[0],
-                        profile_source: "library",
-                    };
-                }
+            // Use random library photo instead of first photo
+            const random_photo = get_random_library_photo();
+            if (random_photo) {
+                return {
+                    profile_picture_url: random_photo,
+                    profile_source: "library",
+                };
             }
         }
     }

package/dist/lib/services/registration_service.js

@@ -61,7 +61,7 @@ export async function register_user(adapter, data) {
         // Set default profile picture if enabled
         const profile_picture_config = get_profile_picture_config();
         if (profile_picture_config.user_photo_default) {
-            const default_photo = get_default_profile_picture(email, name);
+            const default_photo = await get_default_profile_picture(email, name);
             if (default_photo) {
                 insert_data.profile_picture_url = default_photo.profile_picture_url;
                 // Map UI source value to database enum value

package/dist/lib/services/scope_labels_service.d.ts

@@ -0,0 +1,48 @@
+import type { HazoConnectAdapter } from "hazo_connect";
+import type { ScopeLevel } from "./scope_service";
+export type ScopeLabel = {
+    id: string;
+    org: string;
+    scope_type: ScopeLevel;
+    label: string;
+    created_at: string;
+    changed_at: string;
+};
+export type ScopeLabelResult = {
+    success: boolean;
+    label?: ScopeLabel;
+    labels?: ScopeLabel[];
+    error?: string;
+};
+export declare const DEFAULT_SCOPE_LABELS: Record<ScopeLevel, string>;
+/**
+ * Gets all scope labels for an organization
+ */
+export declare function get_scope_labels(adapter: HazoConnectAdapter, org: string): Promise<ScopeLabelResult>;
+/**
+ * Gets all scope labels for an organization, with defaults filled in for missing levels
+ */
+export declare function get_scope_labels_with_defaults(adapter: HazoConnectAdapter, org: string, custom_defaults?: Record<ScopeLevel, string>): Promise<ScopeLabelResult>;
+/**
+ * Gets the label for a specific scope level
+ * Returns the custom label if set, otherwise returns the default
+ */
+export declare function get_label_for_level(adapter: HazoConnectAdapter, org: string, scope_type: ScopeLevel, custom_default?: string): Promise<string>;
+/**
+ * Creates or updates a scope label for an organization
+ * Uses upsert pattern - creates if not exists, updates if exists
+ */
+export declare function upsert_scope_label(adapter: HazoConnectAdapter, org: string, scope_type: ScopeLevel, label: string): Promise<ScopeLabelResult>;
+/**
+ * Batch upsert scope labels for an organization
+ * Useful for saving all labels at once from the UI
+ */
+export declare function batch_upsert_scope_labels(adapter: HazoConnectAdapter, org: string, labels: Array<{
+    scope_type: ScopeLevel;
+    label: string;
+}>): Promise<ScopeLabelResult>;
+/**
+ * Deletes a scope label, reverting to default
+ */
+export declare function delete_scope_label(adapter: HazoConnectAdapter, org: string, scope_type: ScopeLevel): Promise<ScopeLabelResult>;
+//# sourceMappingURL=scope_labels_service.d.ts.map

package/dist/lib/services/scope_labels_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope_labels_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/scope_labels_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAKvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAIlD,MAAM,MAAM,UAAU,GAAG;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,UAAU,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,MAAM,CAAC,EAAE,UAAU,EAAE,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF,eAAO,MAAM,oBAAoB,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAQ3D,CAAC;AAIF;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,kBAAkB,EAC3B,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,gBAAgB,CAAC,CA4B3B;AAED;;GAEG;AACH,wBAAsB,8BAA8B,CAClD,OAAO,EAAE,kBAAkB,EAC3B,GAAG,EAAE,MAAM,EACX,eAAe,CAAC,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CA0D3B;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,kBAAkB,EAC3B,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,UAAU,EACtB,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,MAAM,CAAC,CAcjB;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,gBAAgB,CAAC,CAuE3B;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,kBAAkB,EAC3B,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,KAAK,CAAC;IAAE,UAAU,EAAE,UAAU,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,GACvD,OAAO,CAAC,gBAAgB,CAAC,CAwC3B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,gBAAgB,CAAC,CAwC3B"}