hazo_auth 4.2.0 → 4.4.0

package/dist/components/layouts/user_management/components/org_hierarchy_tab.js

@@ -0,0 +1,276 @@
+// file_description: Organization Hierarchy tab component for managing multi-tenancy organizations using tree view
+// section: client_directive
+"use client";
+import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-runtime";
+// section: imports
+import { useState, useEffect, useCallback, useMemo } from "react";
+import { TreeView } from "../../../ui/tree-view";
+import { Button } from "../../../ui/button";
+import { Dialog, DialogContent, DialogDescription, DialogFooter, DialogHeader, DialogTitle, } from "../../../ui/dialog";
+import { AlertDialog, AlertDialogAction, AlertDialogCancel, AlertDialogContent, AlertDialogDescription, AlertDialogFooter, AlertDialogHeader, AlertDialogTitle, } from "../../../ui/alert-dialog";
+import { Input } from "../../../ui/input";
+import { Label } from "../../../ui/label";
+import { Loader2, Plus, Edit, Trash2, CircleCheck, CircleX, Building2, FolderTree, RefreshCw, AlertCircle, } from "lucide-react";
+import { toast } from "sonner";
+import { useHazoAuthConfig } from "../../../../contexts/hazo_auth_provider";
+// section: helpers
+function getUserCountDisplay(org) {
+    var _a;
+    const count = (_a = org.current_user_count) !== null && _a !== void 0 ? _a : 0;
+    if (org.user_limit === 0) {
+        return `${count} users`;
+    }
+    return `${count}/${org.user_limit} users`;
+}
+// Convert OrgTreeNode to TreeDataItem format
+function convertToTreeData(nodes, onEdit, onDelete, onAddChild) {
+    return nodes.map((node) => {
+        const hasChildren = node.children && node.children.length > 0;
+        const isInactive = node.active === false;
+        // Build display name with user count and status
+        const displayName = isInactive
+            ? `${node.name} (${getUserCountDisplay(node)}) [Inactive]`
+            : `${node.name} (${getUserCountDisplay(node)})`;
+        const item = {
+            id: node.id,
+            name: displayName,
+            icon: Building2,
+            orgData: node,
+            className: isInactive ? "text-muted-foreground line-through" : undefined,
+            actions: (_jsxs("div", { className: "flex items-center gap-1", children: [_jsx(Button, { variant: "ghost", size: "sm", className: "h-6 w-6 p-0", onClick: (e) => {
+                            e.stopPropagation();
+                            onAddChild(node);
+                        }, title: "Add child organization", children: _jsx(Plus, { className: "h-3 w-3" }) }), _jsx(Button, { variant: "ghost", size: "sm", className: "h-6 w-6 p-0", onClick: (e) => {
+                            e.stopPropagation();
+                            onEdit(node);
+                        }, title: "Edit organization", children: _jsx(Edit, { className: "h-3 w-3" }) }), node.active !== false && (_jsx(Button, { variant: "ghost", size: "sm", className: "h-6 w-6 p-0 text-destructive hover:text-destructive", onClick: (e) => {
+                            e.stopPropagation();
+                            onDelete(node);
+                        }, title: "Deactivate organization", children: _jsx(Trash2, { className: "h-3 w-3" }) }))] })),
+        };
+        if (hasChildren) {
+            item.children = convertToTreeData(node.children, onEdit, onDelete, onAddChild);
+        }
+        return item;
+    });
+}
+// section: component
+/**
+ * Organization Hierarchy tab component for managing multi-tenancy organizations
+ * Displays organizations in a tree view for intuitive hierarchy configuration
+ * @param props - Component props
+ * @returns Organization Hierarchy tab component
+ */
+export function OrgHierarchyTab({ className, isGlobalAdmin = false, }) {
+    const { apiBasePath } = useHazoAuthConfig();
+    // State
+    const [tree, setTree] = useState([]);
+    const [loading, setLoading] = useState(true);
+    const [actionLoading, setActionLoading] = useState(false);
+    const [selectedItem, setSelectedItem] = useState();
+    const [showInactive, setShowInactive] = useState(false);
+    // Dialog state
+    const [addDialogOpen, setAddDialogOpen] = useState(false);
+    const [editDialogOpen, setEditDialogOpen] = useState(false);
+    const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
+    const [selectedOrg, setSelectedOrg] = useState(null);
+    const [addParentOrg, setAddParentOrg] = useState(null);
+    // Form state
+    const [newName, setNewName] = useState("");
+    const [newUserLimit, setNewUserLimit] = useState(0);
+    const [editName, setEditName] = useState("");
+    const [editUserLimit, setEditUserLimit] = useState(0);
+    // Load tree data
+    const loadTree = useCallback(async () => {
+        setLoading(true);
+        try {
+            const params = new URLSearchParams({
+                action: "tree",
+                include_inactive: showInactive.toString(),
+            });
+            const response = await fetch(`${apiBasePath}/org_management/orgs?${params}`);
+            const data = await response.json();
+            if (data.success) {
+                setTree(data.tree || []);
+            }
+            else {
+                if (data.code === "MULTI_TENANCY_DISABLED") {
+                    toast.error("Multi-tenancy is not enabled");
+                }
+                else {
+                    toast.error(data.error || "Failed to load organization hierarchy");
+                }
+                setTree([]);
+            }
+        }
+        catch (error) {
+            toast.error("Failed to load organization hierarchy");
+            setTree([]);
+        }
+        finally {
+            setLoading(false);
+        }
+    }, [apiBasePath, showInactive]);
+    // Load data on mount and when showInactive changes
+    useEffect(() => {
+        void loadTree();
+    }, [loadTree]);
+    // Handle add org (root level) - only for global admins
+    const handleAddRootOrg = () => {
+        if (!isGlobalAdmin) {
+            toast.error("Only global admins can create root organizations");
+            return;
+        }
+        setAddParentOrg(null);
+        setNewName("");
+        setNewUserLimit(0);
+        setAddDialogOpen(true);
+    };
+    // Handle add child org
+    const handleAddChildOrg = (parent) => {
+        setAddParentOrg(parent);
+        setNewName("");
+        setNewUserLimit(0);
+        setAddDialogOpen(true);
+    };
+    // Handle edit org
+    const openEditDialog = (org) => {
+        setSelectedOrg(org);
+        setEditName(org.name);
+        setEditUserLimit(org.user_limit || 0);
+        setEditDialogOpen(true);
+    };
+    // Handle delete org
+    const openDeleteDialog = (org) => {
+        setSelectedOrg(org);
+        setDeleteDialogOpen(true);
+    };
+    // Create org
+    const handleCreateOrg = async () => {
+        if (!newName.trim()) {
+            toast.error("Name is required");
+            return;
+        }
+        setActionLoading(true);
+        try {
+            const body = {
+                name: newName.trim(),
+                user_limit: newUserLimit,
+            };
+            if (addParentOrg) {
+                body.parent_org_id = addParentOrg.id;
+            }
+            const response = await fetch(`${apiBasePath}/org_management/orgs`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(body),
+            });
+            const data = await response.json();
+            if (data.success) {
+                toast.success("Organization created successfully");
+                setAddDialogOpen(false);
+                setNewName("");
+                setNewUserLimit(0);
+                setAddParentOrg(null);
+                await loadTree();
+            }
+            else {
+                toast.error(data.error || "Failed to create organization");
+            }
+        }
+        catch (error) {
+            toast.error("Failed to create organization");
+        }
+        finally {
+            setActionLoading(false);
+        }
+    };
+    // Update org
+    const handleUpdateOrg = async () => {
+        if (!selectedOrg)
+            return;
+        if (!editName.trim()) {
+            toast.error("Name is required");
+            return;
+        }
+        setActionLoading(true);
+        try {
+            const body = {
+                org_id: selectedOrg.id,
+                name: editName.trim(),
+                user_limit: editUserLimit,
+            };
+            const response = await fetch(`${apiBasePath}/org_management/orgs`, {
+                method: "PATCH",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(body),
+            });
+            const data = await response.json();
+            if (data.success) {
+                toast.success("Organization updated successfully");
+                setEditDialogOpen(false);
+                setSelectedOrg(null);
+                setEditName("");
+                setEditUserLimit(0);
+                await loadTree();
+            }
+            else {
+                toast.error(data.error || "Failed to update organization");
+            }
+        }
+        catch (error) {
+            toast.error("Failed to update organization");
+        }
+        finally {
+            setActionLoading(false);
+        }
+    };
+    // Delete (deactivate) org
+    const handleDeleteOrg = async () => {
+        if (!selectedOrg)
+            return;
+        setActionLoading(true);
+        try {
+            const params = new URLSearchParams({
+                org_id: selectedOrg.id,
+            });
+            const response = await fetch(`${apiBasePath}/org_management/orgs?${params}`, {
+                method: "DELETE",
+            });
+            const data = await response.json();
+            if (data.success) {
+                toast.success("Organization deactivated successfully");
+                setDeleteDialogOpen(false);
+                setSelectedOrg(null);
+                await loadTree();
+            }
+            else {
+                toast.error(data.error || "Failed to deactivate organization");
+            }
+        }
+        catch (error) {
+            toast.error("Failed to deactivate organization");
+        }
+        finally {
+            setActionLoading(false);
+        }
+    };
+    // Convert tree to TreeDataItem format
+    const treeData = useMemo(() => {
+        return convertToTreeData(tree, openEditDialog, openDeleteDialog, handleAddChildOrg);
+    }, [tree]);
+    // Handle tree item selection
+    const handleSelectChange = (item) => {
+        setSelectedItem(item);
+    };
+    return (_jsxs("div", { className: `cls_org_hierarchy_tab flex flex-col gap-4 w-full ${className || ""}`, children: [_jsxs("div", { className: "cls_org_hierarchy_header flex items-center justify-between gap-4 flex-wrap", children: [_jsxs("div", { className: "cls_org_hierarchy_header_left flex items-center gap-4", children: [_jsxs("div", { className: "cls_org_hierarchy_inactive_toggle flex items-center gap-2", children: [_jsx("input", { type: "checkbox", id: "show_inactive", checked: showInactive, onChange: (e) => setShowInactive(e.target.checked), className: "h-4 w-4 rounded border-gray-300" }), _jsx(Label, { htmlFor: "show_inactive", className: "text-sm font-medium cursor-pointer", children: "Show inactive" })] }), _jsxs(Button, { variant: "outline", size: "sm", onClick: () => void loadTree(), disabled: loading, children: [_jsx(RefreshCw, { className: `h-4 w-4 mr-2 ${loading ? "animate-spin" : ""}` }), "Refresh"] })] }), _jsx("div", { className: "cls_org_hierarchy_header_right", children: isGlobalAdmin && (_jsxs(Button, { onClick: handleAddRootOrg, variant: "default", size: "sm", children: [_jsx(Plus, { className: "h-4 w-4 mr-2" }), "Add Root Organization"] })) })] }), loading ? (_jsx("div", { className: "cls_org_hierarchy_loading flex items-center justify-center p-8", children: _jsx(Loader2, { className: "h-6 w-6 animate-spin text-slate-400" }) })) : tree.length === 0 ? (_jsxs("div", { className: "cls_org_hierarchy_empty flex flex-col items-center justify-center p-8 border rounded-lg border-dashed", children: [_jsx(FolderTree, { className: "h-12 w-12 text-muted-foreground mb-4" }), _jsx("p", { className: "text-muted-foreground text-center mb-4", children: "No organizations found" }), isGlobalAdmin && (_jsxs(Button, { onClick: handleAddRootOrg, variant: "outline", size: "sm", children: [_jsx(Plus, { className: "h-4 w-4 mr-2" }), "Create First Organization"] }))] })) : (_jsx("div", { className: "cls_org_hierarchy_tree_container border rounded-lg overflow-auto w-full min-h-[300px]", children: _jsx(TreeView, { data: treeData, expandAll: true, defaultNodeIcon: Building2, defaultLeafIcon: Building2, onSelectChange: handleSelectChange, className: "w-full" }) })), (selectedItem === null || selectedItem === void 0 ? void 0 : selectedItem.orgData) && (_jsxs("div", { className: "cls_org_hierarchy_selected_info p-4 border rounded-lg bg-muted/50", children: [_jsx("h4", { className: "font-medium mb-2", children: "Selected Organization" }), _jsxs("div", { className: "grid grid-cols-2 gap-2 text-sm", children: [_jsxs("div", { children: [_jsx("span", { className: "text-muted-foreground", children: "Name:" }), " ", selectedItem.orgData.name] }), _jsxs("div", { children: [_jsx("span", { className: "text-muted-foreground", children: "Users:" }), " ", getUserCountDisplay(selectedItem.orgData)] }), _jsxs("div", { children: [_jsx("span", { className: "text-muted-foreground", children: "Status:" }), " ", selectedItem.orgData.active === false ? (_jsx("span", { className: "text-destructive", children: "Inactive" })) : (_jsx("span", { className: "text-green-600", children: "Active" }))] }), _jsxs("div", { children: [_jsx("span", { className: "text-muted-foreground", children: "ID:" }), " ", _jsxs("span", { className: "font-mono text-xs", children: [selectedItem.orgData.id.slice(0, 8), "..."] })] })] })] })), _jsx(Dialog, { open: addDialogOpen, onOpenChange: setAddDialogOpen, children: _jsxs(DialogContent, { className: "cls_org_hierarchy_add_dialog", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: addParentOrg
+                                        ? `Add Child Organization to "${addParentOrg.name}"`
+                                        : "Add Root Organization" }), _jsxs(DialogDescription, { children: ["Create a new organization", addParentOrg &&
+                                            ` as a child of "${addParentOrg.name}".`] })] }), _jsxs("div", { className: "flex flex-col gap-4 py-4", children: [_jsxs("div", { className: "flex flex-col gap-2", children: [_jsx(Label, { htmlFor: "new_org_name", children: "Name *" }), _jsx(Input, { id: "new_org_name", value: newName, onChange: (e) => setNewName(e.target.value), placeholder: "Enter organization name" })] }), _jsxs("div", { className: "flex flex-col gap-2", children: [_jsx(Label, { htmlFor: "new_org_user_limit", children: "User Limit (0 = unlimited)" }), _jsx(Input, { id: "new_org_user_limit", type: "number", min: 0, value: newUserLimit, onChange: (e) => setNewUserLimit(parseInt(e.target.value) || 0), placeholder: "0" })] })] }), _jsxs(DialogFooter, { children: [_jsx(Button, { onClick: handleCreateOrg, disabled: actionLoading, variant: "default", children: actionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Creating..."] })) : (_jsxs(_Fragment, { children: [_jsx(CircleCheck, { className: "h-4 w-4 mr-2" }), "Create"] })) }), _jsxs(Button, { onClick: () => setAddDialogOpen(false), variant: "outline", children: [_jsx(CircleX, { className: "h-4 w-4 mr-2" }), "Cancel"] })] })] }) }), _jsx(Dialog, { open: editDialogOpen, onOpenChange: setEditDialogOpen, children: _jsxs(DialogContent, { className: "cls_org_hierarchy_edit_dialog", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "Edit Organization" }), _jsxs(DialogDescription, { children: ["Update organization: ", selectedOrg === null || selectedOrg === void 0 ? void 0 : selectedOrg.name] })] }), _jsxs("div", { className: "flex flex-col gap-4 py-4", children: [_jsxs("div", { className: "flex flex-col gap-2", children: [_jsx(Label, { htmlFor: "edit_org_name", children: "Name *" }), _jsx(Input, { id: "edit_org_name", value: editName, onChange: (e) => setEditName(e.target.value), placeholder: "Enter organization name" })] }), _jsxs("div", { className: "flex flex-col gap-2", children: [_jsx(Label, { htmlFor: "edit_org_user_limit", children: "User Limit (0 = unlimited)" }), _jsx(Input, { id: "edit_org_user_limit", type: "number", min: 0, value: editUserLimit, onChange: (e) => setEditUserLimit(parseInt(e.target.value) || 0), placeholder: "0" })] })] }), _jsxs(DialogFooter, { children: [_jsx(Button, { onClick: handleUpdateOrg, disabled: actionLoading, variant: "default", children: actionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Saving..."] })) : (_jsxs(_Fragment, { children: [_jsx(CircleCheck, { className: "h-4 w-4 mr-2" }), "Save"] })) }), _jsxs(Button, { onClick: () => {
+                                        setEditDialogOpen(false);
+                                        setSelectedOrg(null);
+                                    }, variant: "outline", children: [_jsx(CircleX, { className: "h-4 w-4 mr-2" }), "Cancel"] })] })] }) }), _jsx(AlertDialog, { open: deleteDialogOpen, onOpenChange: setDeleteDialogOpen, children: _jsxs(AlertDialogContent, { children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Deactivate Organization" }), _jsx(AlertDialogDescription, { children: _jsxs("div", { className: "flex items-start gap-2", children: [_jsx(AlertCircle, { className: "h-5 w-5 text-amber-500 mt-0.5 flex-shrink-0" }), _jsxs("span", { children: ["Are you sure you want to deactivate \"", selectedOrg === null || selectedOrg === void 0 ? void 0 : selectedOrg.name, "\"? This will mark the organization as inactive but will not delete it. Users in this organization may lose access."] })] }) })] }), _jsxs(AlertDialogFooter, { children: [_jsx(AlertDialogAction, { onClick: handleDeleteOrg, disabled: actionLoading, className: "bg-destructive text-destructive-foreground hover:bg-destructive/90", children: actionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Deactivating..."] })) : ("Deactivate") }), _jsx(AlertDialogCancel, { onClick: () => {
+                                        setDeleteDialogOpen(false);
+                                        setSelectedOrg(null);
+                                    }, children: "Cancel" })] })] }) })] }));
+}

package/dist/components/layouts/user_management/index.d.ts

@@ -2,6 +2,8 @@ export type UserManagementLayoutProps = {
     className?: string;
     /** Whether HRBAC is enabled (passed from server) */
     hrbacEnabled?: boolean;
+    /** Whether multi-tenancy is enabled (passed from server) */
+    multiTenancyEnabled?: boolean;
     /** Default organization for HRBAC scopes */
     defaultOrg?: string;
 };
@@ -16,5 +18,5 @@ export type UserManagementLayoutProps = {
  * @param props - Component props
  * @returns User Management layout component
  */
-export declare function UserManagementLayout({ className, hrbacEnabled, defaultOrg }: UserManagementLayoutProps): import("react/jsx-runtime").JSX.Element;
+export declare function UserManagementLayout({ className, hrbacEnabled, multiTenancyEnabled, defaultOrg }: UserManagementLayoutProps): import("react/jsx-runtime").JSX.Element;
 //# sourceMappingURL=index.d.ts.map

package/dist/components/layouts/user_management/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/user_management/index.tsx"],"names":[],"mappings":"AAgDA,MAAM,MAAM,yBAAyB,GAAG;IACtC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oDAAoD;IACpD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAsBF;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAAC,EAAE,SAAS,EAAE,YAAoB,EAAE,UAAe,EAAE,EAAE,yBAAyB,2CAivCnH"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/user_management/index.tsx"],"names":[],"mappings":"AAiDA,MAAM,MAAM,yBAAyB,GAAG;IACtC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oDAAoD;IACpD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,4DAA4D;IAC5D,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAsBF;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAAC,EAAE,SAAS,EAAE,YAAoB,EAAE,mBAA2B,EAAE,UAAe,EAAE,EAAE,yBAAyB,2CAkwChJ"}

package/dist/components/layouts/user_management/index.js

@@ -17,6 +17,7 @@ import { RolesMatrix } from "./components/roles_matrix";
 import { ScopeHierarchyTab } from "./components/scope_hierarchy_tab";
 import { ScopeLabelsTab } from "./components/scope_labels_tab";
 import { UserScopesTab } from "./components/user_scopes_tab";
+import { OrgHierarchyTab } from "./components/org_hierarchy_tab";
 import { UserX, KeyRound, Edit, Trash2, Loader2, CircleCheck, CircleX, Plus, UserPlus } from "lucide-react";
 import { toast } from "sonner";
 import { Tooltip, TooltipContent, TooltipProvider, TooltipTrigger } from "../../ui/tooltip";
@@ -33,7 +34,7 @@ import { useHazoAuthConfig } from "../../../contexts/hazo_auth_provider";
  * @param props - Component props
  * @returns User Management layout component
  */
-export function UserManagementLayout({ className, hrbacEnabled = false, defaultOrg = "" }) {
+export function UserManagementLayout({ className, hrbacEnabled = false, multiTenancyEnabled = false, defaultOrg = "" }) {
     const { apiBasePath } = useHazoAuthConfig();
     // Permission checks
     const authResult = use_hazo_auth();
@@ -47,6 +48,10 @@ export function UserManagementLayout({ className, hrbacEnabled = false, defaultO
         authResult.permissions.includes("admin_scope_hierarchy_management");
     const hasUserScopeAssignmentPermission = authResult.authenticated &&
         authResult.permissions.includes("admin_user_scope_assignment");
+    const hasOrgManagementPermission = authResult.authenticated &&
+        authResult.permissions.includes("hazo_perm_org_management");
+    const hasOrgGlobalAdminPermission = authResult.authenticated &&
+        authResult.permissions.includes("hazo_org_global_admin");
     // Determine which tabs to show
     const showUsersTab = hasUserManagementPermission;
     const showRolesTab = hasRoleManagementPermission;
@@ -54,7 +59,8 @@ export function UserManagementLayout({ className, hrbacEnabled = false, defaultO
     const showScopeHierarchyTab = hrbacEnabled && hasScopeHierarchyPermission;
     const showScopeLabelsTab = hrbacEnabled && hasScopeHierarchyPermission;
     const showUserScopesTab = hrbacEnabled && hasUserScopeAssignmentPermission;
-    const hasAnyPermission = showUsersTab || showRolesTab || showPermissionsTab || showScopeHierarchyTab || showScopeLabelsTab || showUserScopesTab;
+    const showOrgsTab = multiTenancyEnabled && hasOrgManagementPermission;
+    const hasAnyPermission = showUsersTab || showRolesTab || showPermissionsTab || showScopeHierarchyTab || showScopeLabelsTab || showUserScopesTab || showOrgsTab;
     // Tab 1: Users state
     const [users, setUsers] = useState([]);
     const [usersLoading, setUsersLoading] = useState(true);
@@ -436,7 +442,7 @@ export function UserManagementLayout({ className, hrbacEnabled = false, defaultO
                         showPermissionsTab ? "permissions" :
                             showScopeLabelsTab ? "scope_labels" :
                                 showScopeHierarchyTab ? "scope_hierarchy" :
-                                    showUserScopesTab ? "user_scopes" : "users", className: "cls_user_management_tabs w-full", children: [_jsxs(TabsList, { className: "cls_user_management_tabs_list flex w-full flex-wrap", children: [showUsersTab && (_jsx(TabsTrigger, { value: "users", className: "cls_user_management_tabs_trigger flex-1", children: "Manage Users" })), showRolesTab && (_jsx(TabsTrigger, { value: "roles", className: "cls_user_management_tabs_trigger flex-1", children: "Roles" })), showPermissionsTab && (_jsx(TabsTrigger, { value: "permissions", className: "cls_user_management_tabs_trigger flex-1", children: "Permissions" })), showScopeLabelsTab && (_jsx(TabsTrigger, { value: "scope_labels", className: "cls_user_management_tabs_trigger flex-1", children: "Scope Labels" })), showScopeHierarchyTab && (_jsx(TabsTrigger, { value: "scope_hierarchy", className: "cls_user_management_tabs_trigger flex-1", children: "Scope Hierarchy" })), showUserScopesTab && (_jsx(TabsTrigger, { value: "user_scopes", className: "cls_user_management_tabs_trigger flex-1", children: "User Scopes" }))] }), showUsersTab && (_jsx(TabsContent, { value: "users", className: "cls_user_management_tab_users w-full", children: usersLoading ? (_jsx("div", { className: "cls_user_management_users_loading flex items-center justify-center p-8", children: _jsx(Loader2, { className: "h-6 w-6 animate-spin text-slate-400" }) })) : (_jsx("div", { className: "cls_user_management_users_table_container border rounded-lg overflow-auto w-full", children: _jsxs(Table, { className: "cls_user_management_users_table w-full", children: [_jsx(TableHeader, { className: "cls_user_management_users_table_header", children: _jsxs(TableRow, { className: "cls_user_management_users_table_header_row", children: [_jsx(TableHead, { className: "cls_user_management_users_table_header_profile_pic w-16", children: "Photo" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_id", children: "ID" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_name", children: "Name" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_email", children: "Email" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_email_verified", children: "Email Verified" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_is_active", children: "Active" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_last_logon", children: "Last Logon" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_created_at", children: "Created At" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_actions text-right", children: "Actions" })] }) }), _jsx(TableBody, { className: "cls_user_management_users_table_body", children: users.length === 0 ? (_jsx(TableRow, { className: "cls_user_management_users_table_row_empty", children: _jsx(TableCell, { colSpan: 9, className: "text-center text-muted-foreground py-8", children: "No users found." }) })) : (users.map((user) => (_jsxs(TableRow, { className: "cls_user_management_users_table_row cursor-pointer hover:bg-muted/50", onClick: () => {
+                                    showUserScopesTab ? "user_scopes" : "users", className: "cls_user_management_tabs w-full", children: [_jsxs(TabsList, { className: "cls_user_management_tabs_list flex w-full flex-wrap", children: [showUsersTab && (_jsx(TabsTrigger, { value: "users", className: "cls_user_management_tabs_trigger flex-1", children: "Manage Users" })), showRolesTab && (_jsx(TabsTrigger, { value: "roles", className: "cls_user_management_tabs_trigger flex-1", children: "Roles" })), showPermissionsTab && (_jsx(TabsTrigger, { value: "permissions", className: "cls_user_management_tabs_trigger flex-1", children: "Permissions" })), showScopeLabelsTab && (_jsx(TabsTrigger, { value: "scope_labels", className: "cls_user_management_tabs_trigger flex-1", children: "Scope Labels" })), showScopeHierarchyTab && (_jsx(TabsTrigger, { value: "scope_hierarchy", className: "cls_user_management_tabs_trigger flex-1", children: "Scope Hierarchy" })), showUserScopesTab && (_jsx(TabsTrigger, { value: "user_scopes", className: "cls_user_management_tabs_trigger flex-1", children: "User Scopes" })), showOrgsTab && (_jsx(TabsTrigger, { value: "organizations", className: "cls_user_management_tabs_trigger flex-1", children: "Organizations" }))] }), showUsersTab && (_jsx(TabsContent, { value: "users", className: "cls_user_management_tab_users w-full", children: usersLoading ? (_jsx("div", { className: "cls_user_management_users_loading flex items-center justify-center p-8", children: _jsx(Loader2, { className: "h-6 w-6 animate-spin text-slate-400" }) })) : (_jsx("div", { className: "cls_user_management_users_table_container border rounded-lg overflow-auto w-full", children: _jsxs(Table, { className: "cls_user_management_users_table w-full", children: [_jsx(TableHeader, { className: "cls_user_management_users_table_header", children: _jsxs(TableRow, { className: "cls_user_management_users_table_header_row", children: [_jsx(TableHead, { className: "cls_user_management_users_table_header_profile_pic w-16", children: "Photo" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_id", children: "ID" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_name", children: "Name" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_email", children: "Email" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_email_verified", children: "Email Verified" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_is_active", children: "Active" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_last_logon", children: "Last Logon" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_created_at", children: "Created At" }), _jsx(TableHead, { className: "cls_user_management_users_table_header_actions text-right", children: "Actions" })] }) }), _jsx(TableBody, { className: "cls_user_management_users_table_body", children: users.length === 0 ? (_jsx(TableRow, { className: "cls_user_management_users_table_row_empty", children: _jsx(TableCell, { colSpan: 9, className: "text-center text-muted-foreground py-8", children: "No users found." }) })) : (users.map((user) => (_jsxs(TableRow, { className: "cls_user_management_users_table_row cursor-pointer hover:bg-muted/50", onClick: () => {
                                                 setSelectedUser(user);
                                                 setUserDetailDialogOpen(true);
                                             }, children: [_jsx(TableCell, { className: "cls_user_management_users_table_cell_profile_pic", children: _jsxs(Avatar, { className: "cls_user_management_users_table_avatar h-8 w-8", children: [_jsx(AvatarImage, { src: user.profile_picture_url || undefined, alt: user.name ? `Profile picture of ${user.name}` : "Profile picture", className: "cls_user_management_users_table_avatar_image" }), _jsx(AvatarFallback, { className: "cls_user_management_users_table_avatar_fallback bg-slate-200 text-slate-600 text-xs", children: getUserInitials(user) })] }) }), _jsxs(TableCell, { className: "cls_user_management_users_table_cell_id font-mono text-xs", children: [user.id.substring(0, 8), "..."] }), _jsx(TableCell, { className: "cls_user_management_users_table_cell_name", children: user.name || "-" }), _jsx(TableCell, { className: "cls_user_management_users_table_cell_email", children: user.email_address }), _jsx(TableCell, { className: "cls_user_management_users_table_cell_email_verified", children: user.email_verified ? (_jsx("span", { className: "text-green-600", children: "Yes" })) : (_jsx("span", { className: "text-red-600", children: "No" })) }), _jsx(TableCell, { className: "cls_user_management_users_table_cell_is_active", children: user.is_active ? (_jsx("span", { className: "text-green-600", children: "Active" })) : (_jsx("span", { className: "text-red-600", children: "Inactive" })) }), _jsx(TableCell, { className: "cls_user_management_users_table_cell_last_logon", children: user.last_logon
@@ -461,7 +467,7 @@ export function UserManagementLayout({ className, hrbacEnabled = false, defaultO
                                                                                 setEditingPermission(permission);
                                                                                 setEditDescription(permission.description);
                                                                                 setEditPermissionDialogOpen(true);
-                                                                            }, variant: "outline", size: "sm", className: "cls_user_management_permissions_table_action_edit", children: [_jsx(Edit, { className: "h-4 w-4 mr-1" }), "Edit"] }), _jsxs(Button, { onClick: () => handleDeletePermission(permission), disabled: permissionsActionLoading, variant: "outline", size: "sm", className: "cls_user_management_permissions_table_action_delete text-destructive", children: [_jsx(Trash2, { className: "h-4 w-4 mr-1" }), "Delete"] })] })) }) })] }, `${permission.source}-${permission.id}-${permission.permission_name}`)))) })] }) }))] }) })), showScopeLabelsTab && (_jsx(TabsContent, { value: "scope_labels", className: "cls_user_management_tab_scope_labels w-full", children: _jsx(ScopeLabelsTab, { defaultOrg: defaultOrg }) })), showScopeHierarchyTab && (_jsx(TabsContent, { value: "scope_hierarchy", className: "cls_user_management_tab_scope_hierarchy w-full", children: _jsx(ScopeHierarchyTab, { defaultOrg: defaultOrg }) })), showUserScopesTab && (_jsx(TabsContent, { value: "user_scopes", className: "cls_user_management_tab_user_scopes w-full", children: _jsx(UserScopesTab, {}) }))] })), _jsx(AlertDialog, { open: deactivateDialogOpen, onOpenChange: setDeactivateDialogOpen, children: _jsxs(AlertDialogContent, { className: "cls_user_management_deactivate_dialog", children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Deactivate User" }), _jsxs(AlertDialogDescription, { children: ["Are you sure you want to deactivate ", (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.name) || (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address), "? They will not be able to log in until reactivated."] })] }), _jsxs(AlertDialogFooter, { className: "cls_user_management_deactivate_dialog_footer", children: [_jsx(AlertDialogAction, { onClick: handleDeactivateUser, disabled: usersActionLoading, className: "cls_user_management_deactivate_dialog_confirm", children: usersActionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Deactivating..."] })) : ("Deactivate") }), _jsx(AlertDialogCancel, { onClick: () => {
+                                                                            }, variant: "outline", size: "sm", className: "cls_user_management_permissions_table_action_edit", children: [_jsx(Edit, { className: "h-4 w-4 mr-1" }), "Edit"] }), _jsxs(Button, { onClick: () => handleDeletePermission(permission), disabled: permissionsActionLoading, variant: "outline", size: "sm", className: "cls_user_management_permissions_table_action_delete text-destructive", children: [_jsx(Trash2, { className: "h-4 w-4 mr-1" }), "Delete"] })] })) }) })] }, `${permission.source}-${permission.id}-${permission.permission_name}`)))) })] }) }))] }) })), showScopeLabelsTab && (_jsx(TabsContent, { value: "scope_labels", className: "cls_user_management_tab_scope_labels w-full", children: _jsx(ScopeLabelsTab, { defaultOrg: defaultOrg }) })), showScopeHierarchyTab && (_jsx(TabsContent, { value: "scope_hierarchy", className: "cls_user_management_tab_scope_hierarchy w-full", children: _jsx(ScopeHierarchyTab, { defaultOrg: defaultOrg }) })), showUserScopesTab && (_jsx(TabsContent, { value: "user_scopes", className: "cls_user_management_tab_user_scopes w-full", children: _jsx(UserScopesTab, {}) })), showOrgsTab && (_jsx(TabsContent, { value: "organizations", className: "cls_user_management_tab_organizations w-full", children: _jsx(OrgHierarchyTab, { isGlobalAdmin: hasOrgGlobalAdminPermission }) }))] })), _jsx(AlertDialog, { open: deactivateDialogOpen, onOpenChange: setDeactivateDialogOpen, children: _jsxs(AlertDialogContent, { className: "cls_user_management_deactivate_dialog", children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Deactivate User" }), _jsxs(AlertDialogDescription, { children: ["Are you sure you want to deactivate ", (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.name) || (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address), "? They will not be able to log in until reactivated."] })] }), _jsxs(AlertDialogFooter, { className: "cls_user_management_deactivate_dialog_footer", children: [_jsx(AlertDialogAction, { onClick: handleDeactivateUser, disabled: usersActionLoading, className: "cls_user_management_deactivate_dialog_confirm", children: usersActionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Deactivating..."] })) : ("Deactivate") }), _jsx(AlertDialogCancel, { onClick: () => {
                                         setDeactivateDialogOpen(false);
                                         setSelectedUser(null);
                                     }, className: "cls_user_management_deactivate_dialog_cancel", children: "Cancel" })] })] }) }), _jsx(AlertDialog, { open: resetPasswordDialogOpen, onOpenChange: setResetPasswordDialogOpen, children: _jsxs(AlertDialogContent, { className: "cls_user_management_reset_password_dialog", children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Reset Password" }), _jsxs(AlertDialogDescription, { children: ["Send a password reset email to ", selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address, "? They will receive a link to reset their password."] })] }), _jsxs(AlertDialogFooter, { className: "cls_user_management_reset_password_dialog_footer", children: [_jsx(AlertDialogAction, { onClick: handleResetPassword, disabled: usersActionLoading, className: "cls_user_management_reset_password_dialog_confirm", children: usersActionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Sending..."] })) : ("Send Reset Email") }), _jsx(AlertDialogCancel, { onClick: () => {

package/dist/lib/auth/auth_types.d.ts

@@ -7,6 +7,12 @@ export type HazoAuthUser = {
     email_address: string;
     is_active: boolean;
     profile_picture_url: string | null;
+    org_id?: string | null;
+    org_name?: string | null;
+    parent_org_id?: string | null;
+    parent_org_name?: string | null;
+    root_org_id?: string | null;
+    root_org_name?: string | null;
 };
 /**
  * Scope access information returned when HRBAC scope checking is used

package/dist/lib/auth/auth_types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth_types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_types.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;CACpC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,cAAc,GACtB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE/B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;;GAGG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAE/B,mBAAmB,EAAE,MAAM,EAAE;IAC7B,gBAAgB,EAAE,MAAM,EAAE;IAC1B,oBAAoB,EAAE,MAAM,EAAE;IAC9B,qBAAqB,CAAC,EAAE,MAAM;gBAH9B,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,oBAAoB,EAAE,MAAM,EAAE,EAC9B,qBAAqB,CAAC,EAAE,MAAM,YAAA;CAKxC;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IAEhC,UAAU,EAAE,MAAM;IAClB,gBAAgB,EAAE,MAAM;IACxB,WAAW,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;gBAF/E,UAAU,EAAE,MAAM,EAClB,gBAAgB,EAAE,MAAM,EACxB,WAAW,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;CAKzF"}
+{"version":3,"file":"auth_types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_types.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IAEnC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,cAAc,GACtB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE/B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;;GAGG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAE/B,mBAAmB,EAAE,MAAM,EAAE;IAC7B,gBAAgB,EAAE,MAAM,EAAE;IAC1B,oBAAoB,EAAE,MAAM,EAAE;IAC9B,qBAAqB,CAAC,EAAE,MAAM;gBAH9B,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,oBAAoB,EAAE,MAAM,EAAE,EAC9B,qBAAqB,CAAC,EAAE,MAAM,YAAA;CAKxC;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IAEhC,UAAU,EAAE,MAAM;IAClB,gBAAgB,EAAE,MAAM;IACxB,WAAW,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;gBAF/E,UAAU,EAAE,MAAM,EAClB,gBAAgB,EAAE,MAAM,EACxB,WAAW,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;CAKzF"}

package/dist/lib/auth/dev_lock_validator.edge.d.ts

@@ -0,0 +1,38 @@
+import type { NextRequest } from "next/server";
+export type DevLockValidationResult = {
+    valid: boolean;
+    expired?: boolean;
+};
+export type DevLockCookieData = {
+    value: string;
+    max_age: number;
+};
+/**
+ * Creates a signed dev lock cookie value
+ * Cookie format: timestamp|expiry_timestamp|signature
+ * @param password - The dev lock password (used as signing key)
+ * @param expiry_days - Number of days until cookie expires (default: 7)
+ * @returns Cookie value and max_age in seconds
+ */
+export declare function create_dev_lock_cookie(password: string, expiry_days?: number): Promise<DevLockCookieData>;
+/**
+ * Validates dev lock cookie from request (Edge-compatible)
+ * Checks signature validity and expiration
+ * @param request - NextRequest object
+ * @returns Validation result with valid flag and optional expired flag
+ */
+export declare function validate_dev_lock_cookie(request: NextRequest): Promise<DevLockValidationResult>;
+/**
+ * Validates password against environment variable (for unlock endpoint)
+ * Uses constant-time comparison to prevent timing attacks
+ * @param password - Password to validate
+ * @returns true if password matches
+ */
+export declare function validate_dev_lock_password(password: string): boolean;
+/**
+ * Gets the dev lock cookie name
+ * Exported for use in API routes when setting the cookie
+ * @returns Cookie name string
+ */
+export declare function get_dev_lock_cookie_name(): string;
+//# sourceMappingURL=dev_lock_validator.edge.d.ts.map

package/dist/lib/auth/dev_lock_validator.edge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dev_lock_validator.edge.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/dev_lock_validator.edge.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO/C,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAmDF;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,MAAM,EAChB,WAAW,GAAE,MAAU,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAU5B;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,uBAAuB,CAAC,CA8ClC;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQpE;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAEjD"}

package/dist/lib/auth/dev_lock_validator.edge.js

@@ -0,0 +1,122 @@
+// section: constants
+const COOKIE_NAME = "hazo_auth_dev_lock";
+const SEPARATOR = "|";
+// section: helpers
+/**
+ * Creates HMAC-SHA256 signature using Web Crypto API (Edge compatible)
+ * @param data - Data to sign
+ * @param secret - Secret key for signing
+ * @returns Hex string signature
+ */
+async function create_signature(data, secret) {
+    const encoder = new TextEncoder();
+    const key_data = encoder.encode(secret);
+    const message_data = encoder.encode(data);
+    const crypto_key = await crypto.subtle.importKey("raw", key_data, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const signature = await crypto.subtle.sign("HMAC", crypto_key, message_data);
+    // Convert ArrayBuffer to hex string
+    return Array.from(new Uint8Array(signature))
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+/**
+ * Performs constant-time comparison of two strings
+ * Prevents timing attacks
+ * @param a - First string
+ * @param b - Second string
+ * @returns true if strings are equal
+ */
+function constant_time_compare(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+}
+// section: main_functions
+/**
+ * Creates a signed dev lock cookie value
+ * Cookie format: timestamp|expiry_timestamp|signature
+ * @param password - The dev lock password (used as signing key)
+ * @param expiry_days - Number of days until cookie expires (default: 7)
+ * @returns Cookie value and max_age in seconds
+ */
+export async function create_dev_lock_cookie(password, expiry_days = 7) {
+    const timestamp = Date.now();
+    const expiry_timestamp = timestamp + expiry_days * 24 * 60 * 60 * 1000;
+    const data = `${timestamp}${SEPARATOR}${expiry_timestamp}`;
+    const signature = await create_signature(data, password);
+    return {
+        value: `${data}${SEPARATOR}${signature}`,
+        max_age: expiry_days * 24 * 60 * 60, // in seconds
+    };
+}
+/**
+ * Validates dev lock cookie from request (Edge-compatible)
+ * Checks signature validity and expiration
+ * @param request - NextRequest object
+ * @returns Validation result with valid flag and optional expired flag
+ */
+export async function validate_dev_lock_cookie(request) {
+    var _a;
+    const password = process.env.HAZO_AUTH_DEV_LOCK_PASSWORD;
+    if (!password) {
+        // No password set - cannot validate
+        return { valid: false };
+    }
+    const cookie = (_a = request.cookies.get(COOKIE_NAME)) === null || _a === void 0 ? void 0 : _a.value;
+    if (!cookie) {
+        return { valid: false };
+    }
+    try {
+        const parts = cookie.split(SEPARATOR);
+        if (parts.length !== 3) {
+            return { valid: false };
+        }
+        const [timestamp_str, expiry_str, signature] = parts;
+        const timestamp = parseInt(timestamp_str, 10);
+        const expiry_timestamp = parseInt(expiry_str, 10);
+        if (isNaN(timestamp) || isNaN(expiry_timestamp)) {
+            return { valid: false };
+        }
+        // Check expiry
+        if (Date.now() > expiry_timestamp) {
+            return { valid: false, expired: true };
+        }
+        // Verify signature
+        const data = `${timestamp}${SEPARATOR}${expiry_timestamp}`;
+        const expected_signature = await create_signature(data, password);
+        // Constant-time comparison to prevent timing attacks
+        if (!constant_time_compare(signature, expected_signature)) {
+            return { valid: false };
+        }
+        return { valid: true };
+    }
+    catch (_b) {
+        return { valid: false };
+    }
+}
+/**
+ * Validates password against environment variable (for unlock endpoint)
+ * Uses constant-time comparison to prevent timing attacks
+ * @param password - Password to validate
+ * @returns true if password matches
+ */
+export function validate_dev_lock_password(password) {
+    const expected = process.env.HAZO_AUTH_DEV_LOCK_PASSWORD;
+    if (!expected || !password) {
+        return false;
+    }
+    return constant_time_compare(password, expected);
+}
+/**
+ * Gets the dev lock cookie name
+ * Exported for use in API routes when setting the cookie
+ * @returns Cookie name string
+ */
+export function get_dev_lock_cookie_name() {
+    return COOKIE_NAME;
+}

package/dist/lib/auth/hazo_get_auth.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK1C,OAAO,KAAK,EAAE,cAAc,EAAgB,eAAe,EAAmB,MAAM,cAAc,CAAC;AA0RnG;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CAgNzB"}
+{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK1C,OAAO,KAAK,EAAE,cAAc,EAAgB,eAAe,EAAmB,MAAM,cAAc,CAAC;AAiWnG;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CAgNzB"}