npm - hazo_auth - Versions diffs - 4.2.0 → 4.4.0 - Mend

hazo_auth 4.2.0 → 4.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/bin/hazo_auth.mjs +35 -0
package/cli-src/assets/images/forgot_password_default.jpg +0 -0
package/cli-src/assets/images/login_default.jpg +0 -0
package/cli-src/assets/images/register_default.jpg +0 -0
package/cli-src/assets/images/reset_password_default.jpg +0 -0
package/cli-src/assets/images/verify_email_default.jpg +0 -0
package/cli-src/cli/generate.ts +276 -0
package/cli-src/cli/index.ts +207 -0
package/cli-src/cli/init.ts +254 -0
package/cli-src/cli/init_users.ts +376 -0
package/cli-src/cli/validate.ts +581 -0
package/cli-src/lib/already_logged_in_config.server.ts +46 -0
package/cli-src/lib/app_logger.ts +24 -0
package/cli-src/lib/auth/auth_cache.ts +220 -0
package/cli-src/lib/auth/auth_rate_limiter.ts +121 -0
package/cli-src/lib/auth/auth_types.ts +117 -0
package/cli-src/lib/auth/auth_utils.server.ts +196 -0
package/cli-src/lib/auth/dev_lock_validator.edge.ts +171 -0
package/cli-src/lib/auth/hazo_get_auth.server.ts +583 -0
package/cli-src/lib/auth/index.ts +23 -0
package/cli-src/lib/auth/nextauth_config.ts +227 -0
package/cli-src/lib/auth/org_cache.ts +148 -0
package/cli-src/lib/auth/scope_cache.ts +233 -0
package/cli-src/lib/auth/server_auth.ts +88 -0
package/cli-src/lib/auth/session_token_validator.edge.ts +92 -0
package/cli-src/lib/auth_utility_config.server.ts +136 -0
package/cli-src/lib/config/config_loader.server.ts +164 -0
package/cli-src/lib/config/default_config.ts +243 -0
package/cli-src/lib/dev_lock_config.server.ts +148 -0
package/cli-src/lib/email_verification_config.server.ts +63 -0
package/cli-src/lib/file_types_config.server.ts +25 -0
package/cli-src/lib/forgot_password_config.server.ts +63 -0
package/cli-src/lib/hazo_connect_instance.server.ts +101 -0
package/cli-src/lib/hazo_connect_setup.server.ts +194 -0
package/cli-src/lib/hazo_connect_setup.ts +54 -0
package/cli-src/lib/index.ts +46 -0
package/cli-src/lib/login_config.server.ts +106 -0
package/cli-src/lib/messages_config.server.ts +45 -0
package/cli-src/lib/migrations/apply_migration.ts +105 -0
package/cli-src/lib/multi_tenancy_config.server.ts +94 -0
package/cli-src/lib/my_settings_config.server.ts +135 -0
package/cli-src/lib/oauth_config.server.ts +87 -0
package/cli-src/lib/password_requirements_config.server.ts +40 -0
package/cli-src/lib/profile_pic_menu_config.server.ts +138 -0
package/cli-src/lib/profile_picture_config.server.ts +56 -0
package/cli-src/lib/register_config.server.ts +101 -0
package/cli-src/lib/reset_password_config.server.ts +103 -0
package/cli-src/lib/scope_hierarchy_config.server.ts +151 -0
package/cli-src/lib/services/email_service.ts +587 -0
package/cli-src/lib/services/email_verification_service.ts +270 -0
package/cli-src/lib/services/index.ts +16 -0
package/cli-src/lib/services/login_service.ts +150 -0
package/cli-src/lib/services/oauth_service.ts +494 -0
package/cli-src/lib/services/org_service.ts +965 -0
package/cli-src/lib/services/password_change_service.ts +154 -0
package/cli-src/lib/services/password_reset_service.ts +418 -0
package/cli-src/lib/services/profile_picture_remove_service.ts +120 -0
package/cli-src/lib/services/profile_picture_service.ts +451 -0
package/cli-src/lib/services/profile_picture_source_mapper.ts +62 -0
package/cli-src/lib/services/registration_service.ts +185 -0
package/cli-src/lib/services/scope_labels_service.ts +348 -0
package/cli-src/lib/services/scope_service.ts +778 -0
package/cli-src/lib/services/session_token_service.ts +178 -0
package/cli-src/lib/services/token_service.ts +240 -0
package/cli-src/lib/services/user_profiles_cache.ts +189 -0
package/cli-src/lib/services/user_profiles_service.ts +264 -0
package/cli-src/lib/services/user_scope_service.ts +554 -0
package/cli-src/lib/services/user_update_service.ts +141 -0
package/cli-src/lib/ui_shell_config.server.ts +73 -0
package/cli-src/lib/ui_sizes_config.server.ts +37 -0
package/cli-src/lib/user_fields_config.server.ts +31 -0
package/cli-src/lib/user_management_config.server.ts +39 -0
package/cli-src/lib/user_profiles_config.server.ts +55 -0
package/cli-src/lib/utils/api_route_helpers.ts +60 -0
package/cli-src/lib/utils/error_sanitizer.ts +75 -0
package/cli-src/lib/utils/password_validator.ts +65 -0
package/cli-src/lib/utils.ts +11 -0
package/cli-src/server/logging/logger_service.ts +56 -0
package/cli-src/server/types/app_types.ts +74 -0
package/cli-src/server/types/express.d.ts +16 -0
package/dist/cli/index.js +18 -0
package/dist/cli/init_users.d.ts +17 -0
package/dist/cli/init_users.d.ts.map +1 -0
package/dist/cli/init_users.js +307 -0
package/dist/components/layouts/dev_lock/index.d.ts +29 -0
package/dist/components/layouts/dev_lock/index.d.ts.map +1 -0
package/dist/components/layouts/dev_lock/index.js +60 -0
package/dist/components/layouts/index.d.ts +2 -0
package/dist/components/layouts/index.d.ts.map +1 -1
package/dist/components/layouts/index.js +1 -0
package/dist/components/layouts/org_management/index.d.ts +26 -0
package/dist/components/layouts/org_management/index.d.ts.map +1 -0
package/dist/components/layouts/org_management/index.js +75 -0
package/dist/components/layouts/shared/config/layout_customization.d.ts +2 -7
package/dist/components/layouts/shared/config/layout_customization.d.ts.map +1 -1
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts +13 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts.map +1 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.js +276 -0
package/dist/components/layouts/user_management/index.d.ts +3 -1
package/dist/components/layouts/user_management/index.d.ts.map +1 -1
package/dist/components/layouts/user_management/index.js +10 -4
package/dist/lib/auth/auth_types.d.ts +6 -0
package/dist/lib/auth/auth_types.d.ts.map +1 -1
package/dist/lib/auth/dev_lock_validator.edge.d.ts +38 -0
package/dist/lib/auth/dev_lock_validator.edge.d.ts.map +1 -0
package/dist/lib/auth/dev_lock_validator.edge.js +122 -0
package/dist/lib/auth/hazo_get_auth.server.d.ts.map +1 -1
package/dist/lib/auth/hazo_get_auth.server.js +61 -1
package/dist/lib/auth/org_cache.d.ts +65 -0
package/dist/lib/auth/org_cache.d.ts.map +1 -0
package/dist/lib/auth/org_cache.js +103 -0
package/dist/lib/config/default_config.d.ts +76 -0
package/dist/lib/config/default_config.d.ts.map +1 -1
package/dist/lib/config/default_config.js +42 -0
package/dist/lib/dev_lock_config.server.d.ts +41 -0
package/dist/lib/dev_lock_config.server.d.ts.map +1 -0
package/dist/lib/dev_lock_config.server.js +50 -0
package/dist/lib/multi_tenancy_config.server.d.ts +30 -0
package/dist/lib/multi_tenancy_config.server.d.ts.map +1 -0
package/dist/lib/multi_tenancy_config.server.js +41 -0
package/dist/lib/services/org_service.d.ts +191 -0
package/dist/lib/services/org_service.d.ts.map +1 -0
package/dist/lib/services/org_service.js +746 -0
package/dist/lib/utils/password_validator.d.ts +7 -1
package/dist/lib/utils/password_validator.d.ts.map +1 -1
package/dist/page_components/dev_lock.d.ts +11 -0
package/dist/page_components/dev_lock.d.ts.map +1 -0
package/dist/page_components/dev_lock.js +17 -0
package/dist/page_components/index.d.ts +1 -0
package/dist/page_components/index.d.ts.map +1 -1
package/dist/page_components/index.js +1 -0
package/dist/page_components/org_management.d.ts +27 -0
package/dist/page_components/org_management.d.ts.map +1 -0
package/dist/page_components/org_management.js +18 -0
package/hazo_auth_config.example.ini +30 -0
package/package.json +27 -3

package/cli-src/cli/init.ts ADDED Viewed

@@ -0,0 +1,254 @@
+// file_description: init command for hazo_auth
+// Creates directories and copies config files to consuming projects
+import { fileURLToPath } from "url";
+import * as fs from "fs";
+import * as path from "path";
+// section: esm_shim
+// ESM-compatible __dirname shim
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+// section: types
+type InitResult = {
+  directories_created: string[];
+  files_copied: string[];
+  skipped: string[];
+  errors: string[];
+};
+// section: constants
+const REQUIRED_DIRECTORIES = [
+  "public/profile_pictures/library",
+  "public/profile_pictures/uploads",
+  "data",
+];
+const CONFIG_FILES = [
+  { source: "hazo_auth_config.example.ini", target: "hazo_auth_config.ini" },
+  { source: "hazo_notify_config.example.ini", target: "hazo_notify_config.ini" },
+];
+// section: helpers
+function get_project_root(): string {
+  return process.cwd();
+}
+function get_package_root(): string {
+  // When running from node_modules, we need to find the hazo_auth package root
+  // When running in development, use the current directory
+  // Check if we're in node_modules
+  const parts = __dirname.split(path.sep);
+  const node_modules_index = parts.lastIndexOf("node_modules");
+  if (node_modules_index !== -1) {
+    // We're in node_modules/hazo_auth/dist/cli
+    return parts.slice(0, node_modules_index + 2).join(path.sep);
+  }
+  // Development mode - go up from src/cli or dist/cli
+  return path.resolve(__dirname, "..", "..");
+}
+function ensure_dir(dir_path: string): boolean {
+  if (!fs.existsSync(dir_path)) {
+    fs.mkdirSync(dir_path, { recursive: true });
+    return true;
+  }
+  return false;
+}
+function copy_file_if_not_exists(source: string, target: string): "created" | "skipped" | "error" {
+  if (fs.existsSync(target)) {
+    return "skipped";
+  }
+  if (!fs.existsSync(source)) {
+    return "error";
+  }
+  try {
+    fs.copyFileSync(source, target);
+    return "created";
+  } catch {
+    return "error";
+  }
+}
+function copy_directory(source: string, target: string): number {
+  let copied = 0;
+  if (!fs.existsSync(source)) {
+    return 0;
+  }
+  ensure_dir(target);
+  const items = fs.readdirSync(source);
+  for (const item of items) {
+    const source_path = path.join(source, item);
+    const target_path = path.join(target, item);
+    const stat = fs.statSync(source_path);
+    if (stat.isDirectory()) {
+      copied += copy_directory(source_path, target_path);
+    } else if (!fs.existsSync(target_path)) {
+      fs.copyFileSync(source_path, target_path);
+      copied++;
+    }
+  }
+  return copied;
+}
+function create_gitkeep(dir_path: string): void {
+  const gitkeep_path = path.join(dir_path, ".gitkeep");
+  if (!fs.existsSync(gitkeep_path)) {
+    const files = fs.readdirSync(dir_path);
+    if (files.length === 0) {
+      fs.writeFileSync(gitkeep_path, "# This file keeps the empty directory in git\n");
+    }
+  }
+}
+function create_env_template(project_root: string): boolean {
+  const env_example_path = path.join(project_root, ".env.local.example");
+  if (fs.existsSync(env_example_path)) {
+    return false;
+  }
+  const content = `# hazo_auth environment variables
+# Copy this file to .env.local and fill in the values
+# Required for email functionality (email verification, password reset)
+ZEPTOMAIL_API_KEY=your_zeptomail_api_key_here
+# Optional: Database path (defaults to data/hazo_auth.sqlite)
+# HAZO_AUTH_DB_PATH=./data/hazo_auth.sqlite
+`;
+  fs.writeFileSync(env_example_path, content);
+  return true;
+}
+// section: main
+export function handle_init(): void {
+  const project_root = get_project_root();
+  const package_root = get_package_root();
+  console.log("\n\x1b[1m🐸 hazo_auth Initialization\x1b[0m");
+  console.log("=".repeat(50));
+  console.log(`Project root: ${project_root}`);
+  console.log(`Package root: ${package_root}\n`);
+  const result: InitResult = {
+    directories_created: [],
+    files_copied: [],
+    skipped: [],
+    errors: [],
+  };
+  // Step 1: Create directories
+  console.log("\x1b[1m📁 Creating directories...\x1b[0m\n");
+  for (const dir of REQUIRED_DIRECTORIES) {
+    const full_path = path.join(project_root, dir);
+    if (ensure_dir(full_path)) {
+      console.log(`\x1b[32m[CREATE]\x1b[0m ${dir}/`);
+      result.directories_created.push(dir);
+    } else {
+      console.log(`\x1b[33m[EXISTS]\x1b[0m ${dir}/`);
+      result.skipped.push(dir);
+    }
+  }
+  // Step 2: Copy config files
+  console.log("\n\x1b[1m📄 Copying config files...\x1b[0m\n");
+  for (const config of CONFIG_FILES) {
+    const source_path = path.join(package_root, config.source);
+    const target_path = path.join(project_root, config.target);
+    const status = copy_file_if_not_exists(source_path, target_path);
+    if (status === "created") {
+      console.log(`\x1b[32m[CREATE]\x1b[0m ${config.target}`);
+      result.files_copied.push(config.target);
+    } else if (status === "skipped") {
+      console.log(`\x1b[33m[EXISTS]\x1b[0m ${config.target}`);
+      result.skipped.push(config.target);
+    } else {
+      console.log(`\x1b[31m[ERROR]\x1b[0m ${config.target} - source not found: ${source_path}`);
+      result.errors.push(config.target);
+    }
+  }
+  // Step 3: Copy profile picture library
+  console.log("\n\x1b[1m🖼️  Copying profile picture library...\x1b[0m\n");
+  const library_source = path.join(package_root, "public", "profile_pictures", "library");
+  const library_target = path.join(project_root, "public", "profile_pictures", "library");
+  if (fs.existsSync(library_source)) {
+    const copied_count = copy_directory(library_source, library_target);
+    if (copied_count > 0) {
+      console.log(`\x1b[32m[COPY]\x1b[0m ${copied_count} library images`);
+      result.files_copied.push(`${copied_count} library images`);
+    } else {
+      console.log(`\x1b[33m[EXISTS]\x1b[0m Library images already present`);
+      result.skipped.push("library images");
+    }
+  } else {
+    console.log(`\x1b[33m[SKIP]\x1b[0m Library not found at: ${library_source}`);
+    result.skipped.push("library images (source not found)");
+  }
+  // Step 4: Create .gitkeep files for empty directories
+  console.log("\n\x1b[1m📌 Creating .gitkeep files...\x1b[0m\n");
+  const empty_dirs = ["public/profile_pictures/uploads", "data"];
+  for (const dir of empty_dirs) {
+    const full_path = path.join(project_root, dir);
+    if (fs.existsSync(full_path)) {
+      create_gitkeep(full_path);
+      console.log(`\x1b[32m[CREATE]\x1b[0m ${dir}/.gitkeep`);
+    }
+  }
+  // Step 5: Create .env.local.example template
+  console.log("\n\x1b[1m🔑 Creating environment template...\x1b[0m\n");
+  if (create_env_template(project_root)) {
+    console.log(`\x1b[32m[CREATE]\x1b[0m .env.local.example`);
+    result.files_copied.push(".env.local.example");
+  } else {
+    console.log(`\x1b[33m[EXISTS]\x1b[0m .env.local.example`);
+    result.skipped.push(".env.local.example");
+  }
+  // Summary
+  console.log("\n" + "=".repeat(50));
+  console.log("\x1b[1mSummary:\x1b[0m");
+  console.log(`  \x1b[32m✓ Created:\x1b[0m ${result.directories_created.length} directories, ${result.files_copied.length} files`);
+  console.log(`  \x1b[33m⊘ Skipped:\x1b[0m ${result.skipped.length} items`);
+  if (result.errors.length > 0) {
+    console.log(`  \x1b[31m✗ Errors:\x1b[0m ${result.errors.length}`);
+  }
+  console.log("\n\x1b[32m🦊 Initialization complete!\x1b[0m");
+  console.log("\nNext steps:");
+  console.log("  1. Edit \x1b[36mhazo_auth_config.ini\x1b[0m with your settings");
+  console.log("  2. Copy \x1b[36m.env.local.example\x1b[0m to \x1b[36m.env.local\x1b[0m and add your API keys");
+  console.log("  3. Run \x1b[36mnpx hazo_auth generate-routes --pages\x1b[0m to generate routes and pages");
+  console.log("  4. Run \x1b[36mnpx hazo_auth validate\x1b[0m to check your setup");
+  console.log();
+}

package/cli-src/cli/init_users.ts ADDED Viewed

@@ -0,0 +1,376 @@
+// file_description: CLI command to initialize users, roles, and permissions from configuration
+// section: imports
+import { get_hazo_connect_instance } from "../lib/hazo_connect_instance.server.js";
+import { createCrudService } from "hazo_connect/server";
+import { get_user_management_config } from "../lib/user_management_config.server.js";
+import { get_config_value } from "../lib/config/config_loader.server.js";
+import { create_app_logger } from "../lib/app_logger.js";
+// section: types
+type InitSummary = {
+  permissions: {
+    inserted: string[];
+    existing: string[];
+  };
+  role: {
+    inserted: boolean;
+    existing: boolean;
+    role_id: string | null;
+  };
+  role_permissions: {
+    inserted: number;
+    existing: number;
+  };
+  user_role: {
+    inserted: boolean;
+    existing: boolean;
+  };
+};
+// section: helpers
+/**
+ * Prints a summary of what was inserted vs what already existed
+ */
+function print_summary(summary: InitSummary): void {
+  console.log("=".repeat(60));
+  console.log("INITIALIZATION SUMMARY");
+  console.log("=".repeat(60));
+  console.log();
+  // Permissions summary
+  console.log("Permissions:");
+  if (summary.permissions.inserted.length > 0) {
+    console.log(`  ✓ Inserted (${summary.permissions.inserted.length}):`);
+    summary.permissions.inserted.forEach((name) => console.log(`    - ${name}`));
+  }
+  if (summary.permissions.existing.length > 0) {
+    console.log(`  ⊙ Already existed (${summary.permissions.existing.length}):`);
+    summary.permissions.existing.forEach((name) => console.log(`    - ${name}`));
+  }
+  console.log();
+  // Role summary
+  console.log("Role:");
+  if (summary.role.inserted) {
+    console.log(`  ✓ Inserted: default_super_user_role (ID: ${summary.role.role_id})`);
+  }
+  if (summary.role.existing) {
+    console.log(`  ⊙ Already existed: default_super_user_role (ID: ${summary.role.role_id})`);
+  }
+  console.log();
+  // Role permissions summary
+  console.log("Role-Permission Assignments:");
+  if (summary.role_permissions.inserted > 0) {
+    console.log(`  ✓ Inserted: ${summary.role_permissions.inserted} assignment(s)`);
+  }
+  if (summary.role_permissions.existing > 0) {
+    console.log(`  ⊙ Already existed: ${summary.role_permissions.existing} assignment(s)`);
+  }
+  console.log();
+  // User role summary
+  console.log("User-Role Assignment:");
+  if (summary.user_role.inserted) {
+    console.log(`  ✓ Inserted: Super user role assigned to user`);
+  }
+  if (summary.user_role.existing) {
+    console.log(`  ⊙ Already existed: User already has super user role`);
+  }
+  console.log();
+  console.log("=".repeat(60));
+}
+// section: types_options
+export type InitUsersOptions = {
+  /** Email address of the user to assign super user role (overrides config) */
+  email?: string;
+};
+// section: main_function
+/**
+ * Initializes users, roles, and permissions from configuration
+ * This function reads from hazo_auth_config.ini and sets up:
+ * 1. Permissions from [hazo_auth__user_management] application_permission_list_defaults
+ * 2. A default_super_user_role with all permissions
+ * 3. Assigns the role to user from --email parameter or [hazo_auth__initial_setup] default_super_user_email
+ */
+export async function handle_init_users(options: InitUsersOptions = {}): Promise<void> {
+  const logger = create_app_logger();
+  const summary: InitSummary = {
+    permissions: {
+      inserted: [],
+      existing: [],
+    },
+    role: {
+      inserted: false,
+      existing: false,
+      role_id: null,
+    },
+    role_permissions: {
+      inserted: 0,
+      existing: 0,
+    },
+    user_role: {
+      inserted: false,
+      existing: false,
+    },
+  };
+  try {
+    console.log("\n🐸 hazo_auth init-users\n");
+    console.log("Initializing users, roles, and permissions from configuration...\n");
+    // Get hazo_connect instance
+    const hazoConnect = get_hazo_connect_instance();
+    const permissions_service = createCrudService(hazoConnect, "hazo_permissions");
+    const roles_service = createCrudService(hazoConnect, "hazo_roles");
+    const role_permissions_service = createCrudService(hazoConnect, "hazo_role_permissions");
+    const users_service = createCrudService(hazoConnect, "hazo_users");
+    const user_roles_service = createCrudService(hazoConnect, "hazo_user_roles");
+    // 1. Get permissions from config
+    const config = get_user_management_config();
+    const permission_names = config.application_permission_list_defaults || [];
+    if (permission_names.length === 0) {
+      console.log("⚠ No permissions found in configuration.");
+      console.log("  Add permissions to [hazo_auth__user_management] application_permission_list_defaults\n");
+      return;
+    }
+    console.log(`Found ${permission_names.length} permission(s) in configuration:`);
+    permission_names.forEach((name) => console.log(`  - ${name}`));
+    console.log();
+    // 2. Add permissions to hazo_permissions table
+    const permission_id_map: Record<string, string> = {};
+    const now = new Date().toISOString();
+    for (const permission_name of permission_names) {
+      const trimmed_name = permission_name.trim();
+      if (!trimmed_name) continue;
+      // Check if permission already exists
+      const existing_permissions = await permissions_service.findBy({
+        permission_name: trimmed_name,
+      });
+      if (Array.isArray(existing_permissions) && existing_permissions.length > 0) {
+        const existing_permission = existing_permissions[0];
+        const perm_id = existing_permission.id as string;
+        permission_id_map[trimmed_name] = perm_id;
+        summary.permissions.existing.push(trimmed_name);
+        console.log(`✓ Permission already exists: ${trimmed_name} (ID: ${perm_id})`);
+      } else {
+        // Insert new permission
+        const new_permission = await permissions_service.insert({
+          permission_name: trimmed_name,
+          description: `Permission for ${trimmed_name}`,
+          created_at: now,
+          changed_at: now,
+        });
+        const perm_id = Array.isArray(new_permission)
+          ? (new_permission[0] as { id: string }).id
+          : (new_permission as { id: string }).id;
+        permission_id_map[trimmed_name] = perm_id;
+        summary.permissions.inserted.push(trimmed_name);
+        console.log(`✓ Inserted permission: ${trimmed_name} (ID: ${perm_id})`);
+      }
+    }
+    console.log();
+    // 3. Create or get default_super_user_role
+    const role_name = "default_super_user_role";
+    const existing_roles = await roles_service.findBy({
+      role_name,
+    });
+    let role_id: string;
+    if (Array.isArray(existing_roles) && existing_roles.length > 0) {
+      role_id = existing_roles[0].id as string;
+      summary.role.existing = true;
+      summary.role.role_id = role_id;
+      console.log(`✓ Role already exists: ${role_name} (ID: ${role_id})`);
+    } else {
+      const new_role = await roles_service.insert({
+        role_name,
+        created_at: now,
+        changed_at: now,
+      });
+      role_id = Array.isArray(new_role)
+        ? (new_role[0] as { id: string }).id
+        : (new_role as { id: string }).id;
+      summary.role.inserted = true;
+      summary.role.role_id = role_id;
+      console.log(`✓ Created role: ${role_name} (ID: ${role_id})`);
+    }
+    console.log();
+    // 4. Assign all permissions to the role
+    const permission_ids = Object.values(permission_id_map);
+    for (const permission_id of permission_ids) {
+      // Check if role-permission assignment already exists
+      const existing_assignments = await role_permissions_service.findBy({
+        role_id,
+        permission_id,
+      });
+      if (Array.isArray(existing_assignments) && existing_assignments.length > 0) {
+        summary.role_permissions.existing++;
+        const perm_name = Object.keys(permission_id_map).find(
+          (key) => permission_id_map[key] === permission_id,
+        );
+        console.log(`✓ Role-permission already exists: ${role_name} -> ${perm_name}`);
+      } else {
+        await role_permissions_service.insert({
+          role_id,
+          permission_id,
+          created_at: now,
+          changed_at: now,
+        });
+        summary.role_permissions.inserted++;
+        const perm_name = Object.keys(permission_id_map).find(
+          (key) => permission_id_map[key] === permission_id,
+        );
+        console.log(`✓ Assigned permission to role: ${role_name} -> ${perm_name}`);
+      }
+    }
+    console.log();
+    // 5. Get super user email from options or config
+    const super_user_email = options.email?.trim() || get_config_value(
+      "hazo_auth__initial_setup",
+      "default_super_user_email",
+      "",
+    ).trim();
+    if (!super_user_email) {
+      console.log("⚠ No super user email provided.");
+      console.log("  Either use --email=user@example.com parameter");
+      console.log("  Or add [hazo_auth__initial_setup] default_super_user_email to config\n");
+      print_summary(summary);
+      return;
+    }
+    if (options.email) {
+      console.log(`Using email from --email parameter: ${super_user_email}`);
+    } else {
+      console.log(`Using email from config: ${super_user_email}`);
+    }
+    console.log(`Looking up user with email: ${super_user_email}`);
+    // 6. Find user by email
+    const users = await users_service.findBy({
+      email_address: super_user_email,
+    });
+    if (!Array.isArray(users) || users.length === 0) {
+      console.log(`✗ User not found with email: ${super_user_email}`);
+      console.log("  Please ensure the user exists in the database before running this script.\n");
+      print_summary(summary);
+      return;
+    }
+    const user = users[0];
+    const user_id = user.id as string;
+    console.log(`✓ Found user: ${super_user_email} (ID: ${user_id})`);
+    console.log();
+    // 7. Assign role to user
+    const existing_user_roles = await user_roles_service.findBy({
+      user_id,
+      role_id,
+    });
+    if (Array.isArray(existing_user_roles) && existing_user_roles.length > 0) {
+      summary.user_role.existing = true;
+      console.log(`✓ User already has role assigned: ${user_id} -> ${role_name}`);
+    } else {
+      await user_roles_service.insert({
+        user_id,
+        role_id,
+        created_at: now,
+        changed_at: now,
+      });
+      summary.user_role.inserted = true;
+      console.log(`✓ Assigned role to user: ${user_id} -> ${role_name}`);
+    }
+    console.log();
+    // 8. Print summary
+    print_summary(summary);
+    logger.info("init_users_completed", {
+      filename: "init_users.ts",
+      line_number: 0,
+      summary,
+    });
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+    console.error("\n✗ Error initializing users:");
+    console.error(`  ${error_message}`);
+    if (error_stack) {
+      console.error("\nStack trace:");
+      console.error(error_stack);
+    }
+    logger.error("init_users_failed", {
+      filename: "init_users.ts",
+      line_number: 0,
+      error_message,
+      error_stack,
+    });
+    process.exit(1);
+  }
+}
+// section: help
+/**
+ * Shows help for the init-users command
+ */
+export function show_init_users_help(): void {
+  console.log(`
+hazo_auth init-users
+Initialize users, roles, and permissions from configuration.
+This command reads from hazo_auth_config.ini and:
+  1. Creates permissions from [hazo_auth__user_management] application_permission_list_defaults
+  2. Creates a 'default_super_user_role' role
+  3. Assigns all permissions to the super user role
+  4. Finds user by email (from --email parameter or config)
+  5. Assigns the super user role to that user
+Options:
+  --email=<email>    Email address of the user to assign super user role
+                     (overrides [hazo_auth__initial_setup] default_super_user_email)
+  --help, -h         Show this help message
+Configuration required in hazo_auth_config.ini:
+  [hazo_auth__user_management]
+  application_permission_list_defaults = admin_user_management,admin_role_management,admin_permission_management
+  [hazo_auth__initial_setup]
+  default_super_user_email = admin@example.com   (optional if using --email)
+Note: The user must already exist in the database (registered) before running this command.
+Usage:
+  npx hazo_auth init-users
+  npx hazo_auth init-users --email=admin@example.com
+`);
+}