hazo_auth 4.3.0 → 4.4.0

package/dist/lib/auth/hazo_get_auth.server.js

@@ -11,6 +11,8 @@ import { validate_session_token } from "../services/session_token_service";
 import { is_hrbac_enabled, get_scope_hierarchy_config } from "../scope_hierarchy_config.server";
 import { check_user_scope_access, get_user_scopes } from "../services/user_scope_service";
 import { is_valid_scope_level } from "../services/scope_service";
+import { is_multi_tenancy_enabled, get_multi_tenancy_config } from "../multi_tenancy_config.server";
+import { get_org_cache } from "./org_cache";
 // section: helpers
 /**
  * Gets client IP address from request
@@ -49,7 +51,7 @@ async function fetch_user_data_from_db(user_id) {
     if (user_db.is_active === false) {
         throw new Error("User is inactive");
     }
-    // Build user object
+    // Build user object with base fields
     const user = {
         id: user_db.id,
         name: user_db.name || null,
@@ -57,6 +59,64 @@ async function fetch_user_data_from_db(user_id) {
         is_active: user_db.is_active === true,
         profile_picture_url: user_db.profile_picture_url || null,
     };
+    // Fetch org info if multi-tenancy is enabled and user has org_id
+    if (is_multi_tenancy_enabled() && user_db.org_id) {
+        const mt_config = get_multi_tenancy_config();
+        const org_cache = get_org_cache(mt_config.org_cache_max_entries, mt_config.org_cache_ttl_minutes);
+        const user_org_id = user_db.org_id;
+        // Check org cache first
+        let cached_org = org_cache.get(user_org_id);
+        if (!cached_org) {
+            // Fetch org info from database
+            const org_service = createCrudService(hazoConnect, "hazo_org");
+            const orgs = await org_service.findBy({ id: user_org_id });
+            if (Array.isArray(orgs) && orgs.length > 0) {
+                const org = orgs[0];
+                const org_entry = {
+                    org_id: org.id,
+                    org_name: org.name,
+                    parent_org_id: org.parent_org_id || null,
+                    parent_org_name: null,
+                    root_org_id: org.root_org_id || null,
+                    root_org_name: null,
+                };
+                // Fetch parent org name if exists
+                if (org_entry.parent_org_id) {
+                    const parent_orgs = await org_service.findBy({ id: org_entry.parent_org_id });
+                    if (Array.isArray(parent_orgs) && parent_orgs.length > 0) {
+                        org_entry.parent_org_name = parent_orgs[0].name;
+                    }
+                }
+                // Fetch root org name if exists
+                if (org_entry.root_org_id) {
+                    const root_orgs = await org_service.findBy({ id: org_entry.root_org_id });
+                    if (Array.isArray(root_orgs) && root_orgs.length > 0) {
+                        org_entry.root_org_name = root_orgs[0].name;
+                    }
+                }
+                else if (user_db.root_org_id) {
+                    // Fallback to user's root_org_id if org doesn't have one
+                    const root_orgs = await org_service.findBy({ id: user_db.root_org_id });
+                    if (Array.isArray(root_orgs) && root_orgs.length > 0) {
+                        org_entry.root_org_id = root_orgs[0].id;
+                        org_entry.root_org_name = root_orgs[0].name;
+                    }
+                }
+                // Cache the org info
+                org_cache.set(user_org_id, org_entry);
+                cached_org = org_entry;
+            }
+        }
+        // Add org info to user object
+        if (cached_org) {
+            user.org_id = cached_org.org_id;
+            user.org_name = cached_org.org_name;
+            user.parent_org_id = cached_org.parent_org_id;
+            user.parent_org_name = cached_org.parent_org_name;
+            user.root_org_id = cached_org.root_org_id;
+            user.root_org_name = cached_org.root_org_name;
+        }
+    }
     // Fetch user roles
     const user_roles = await user_roles_service.findBy({ user_id });
     const role_ids = [];

package/dist/lib/auth/org_cache.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Cached organization info for hazo_get_auth
+ */
+export type OrgCacheEntry = {
+    org_id: string;
+    org_name: string;
+    parent_org_id: string | null;
+    parent_org_name: string | null;
+    root_org_id: string | null;
+    root_org_name: string | null;
+};
+/**
+ * LRU cache implementation for organization lookups
+ * Uses Map to maintain insertion order for LRU eviction
+ */
+declare class OrgCache {
+    private cache;
+    private max_size;
+    private ttl_ms;
+    constructor(max_size: number, ttl_minutes: number);
+    /**
+     * Gets a cache entry for an organization
+     * Returns undefined if not found or expired
+     * @param org_id - Organization ID to look up
+     * @returns Cache entry or undefined
+     */
+    get(org_id: string): OrgCacheEntry | undefined;
+    /**
+     * Sets a cache entry for an organization
+     * Evicts least recently used entries if cache is full
+     * @param org_id - Organization ID
+     * @param entry - Organization cache entry
+     */
+    set(org_id: string, entry: OrgCacheEntry): void;
+    /**
+     * Invalidates cache for a specific organization
+     * @param org_id - Organization ID to invalidate
+     */
+    invalidate(org_id: string): void;
+    /**
+     * Invalidates all cache entries
+     */
+    invalidate_all(): void;
+    /**
+     * Gets cache statistics
+     * @returns Object with cache size and max size
+     */
+    get_stats(): {
+        size: number;
+        max_size: number;
+    };
+}
+/**
+ * Gets or creates the global org cache instance
+ * @param max_size - Maximum cache size (default: 1000)
+ * @param ttl_minutes - TTL in minutes (default: 15)
+ * @returns Org cache instance
+ */
+export declare function get_org_cache(max_size?: number, ttl_minutes?: number): OrgCache;
+/**
+ * Resets the global org cache instance (useful for testing)
+ */
+export declare function reset_org_cache(): void;
+export {};
+//# sourceMappingURL=org_cache.d.ts.map

package/dist/lib/auth/org_cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"org_cache.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/org_cache.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B,CAAC;AAUF;;;GAGG;AACH,cAAM,QAAQ;IACZ,OAAO,CAAC,KAAK,CAAyB;IACtC,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,MAAM,CAAS;gBAEX,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM;IAMjD;;;;;OAKG;IACH,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAuB9C;;;;;OAKG;IACH,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,GAAG,IAAI;IAmB/C;;;OAGG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAIhC;;OAEG;IACH,cAAc,IAAI,IAAI;IAItB;;;OAGG;IACH,SAAS,IAAI;QACX,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB;CAMF;AAMD;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,GAAE,MAAa,EACvB,WAAW,GAAE,MAAW,GACvB,QAAQ,CAKV;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}

package/dist/lib/auth/org_cache.js

@@ -0,0 +1,103 @@
+// file_description: LRU cache implementation for organization lookups with TTL and size limits
+// section: types
+/**
+ * LRU cache implementation for organization lookups
+ * Uses Map to maintain insertion order for LRU eviction
+ */
+class OrgCache {
+    constructor(max_size, ttl_minutes) {
+        this.cache = new Map();
+        this.max_size = max_size;
+        this.ttl_ms = ttl_minutes * 60 * 1000;
+    }
+    /**
+     * Gets a cache entry for an organization
+     * Returns undefined if not found or expired
+     * @param org_id - Organization ID to look up
+     * @returns Cache entry or undefined
+     */
+    get(org_id) {
+        const item = this.cache.get(org_id);
+        if (!item) {
+            return undefined;
+        }
+        const now = Date.now();
+        const age = now - item.timestamp;
+        // Check if entry is expired (TTL)
+        if (age > this.ttl_ms) {
+            this.cache.delete(org_id);
+            return undefined;
+        }
+        // Move to end (most recently used)
+        this.cache.delete(org_id);
+        this.cache.set(org_id, item);
+        return item.entry;
+    }
+    /**
+     * Sets a cache entry for an organization
+     * Evicts least recently used entries if cache is full
+     * @param org_id - Organization ID
+     * @param entry - Organization cache entry
+     */
+    set(org_id, entry) {
+        // Evict LRU entries if cache is full
+        while (this.cache.size >= this.max_size) {
+            const first_key = this.cache.keys().next().value;
+            if (first_key) {
+                this.cache.delete(first_key);
+            }
+            else {
+                break;
+            }
+        }
+        const item = {
+            entry,
+            timestamp: Date.now(),
+        };
+        this.cache.set(org_id, item);
+    }
+    /**
+     * Invalidates cache for a specific organization
+     * @param org_id - Organization ID to invalidate
+     */
+    invalidate(org_id) {
+        this.cache.delete(org_id);
+    }
+    /**
+     * Invalidates all cache entries
+     */
+    invalidate_all() {
+        this.cache.clear();
+    }
+    /**
+     * Gets cache statistics
+     * @returns Object with cache size and max size
+     */
+    get_stats() {
+        return {
+            size: this.cache.size,
+            max_size: this.max_size,
+        };
+    }
+}
+// section: singleton
+// Global org cache instance (initialized with defaults, will be configured on first use)
+let org_cache_instance = null;
+/**
+ * Gets or creates the global org cache instance
+ * @param max_size - Maximum cache size (default: 1000)
+ * @param ttl_minutes - TTL in minutes (default: 15)
+ * @returns Org cache instance
+ */
+export function get_org_cache(max_size = 1000, ttl_minutes = 15) {
+    if (!org_cache_instance) {
+        org_cache_instance = new OrgCache(max_size, ttl_minutes);
+    }
+    return org_cache_instance;
+}
+/**
+ * Resets the global org cache instance (useful for testing)
+ */
+export function reset_org_cache() {
+    org_cache_instance = null;
+}

package/dist/lib/config/default_config.d.ts

@@ -123,6 +123,44 @@ export declare const DEFAULT_OAUTH: {
     /** Text displayed on the divider between OAuth and email/password form */
     readonly oauth_divider_text: "or continue with email";
 };
+export declare const DEFAULT_MULTI_TENANCY: {
+    /** Enable multi-tenancy support (default: false) */
+    readonly enable_multi_tenancy: false;
+    /** Cache TTL in minutes for org lookups (default: 15) */
+    readonly org_cache_ttl_minutes: 15;
+    /** Maximum entries in org cache (default: 1000) */
+    readonly org_cache_max_entries: 1000;
+    /** Default user limit per organization (0 = unlimited) */
+    readonly default_user_limit: 0;
+};
+export declare const DEFAULT_DEV_LOCK: {
+    /** Enable the development lock screen (also requires HAZO_AUTH_DEV_LOCK_ENABLED env var) */
+    readonly enable: false;
+    /** Session duration in days */
+    readonly session_duration_days: 7;
+    /** Background color (default: black) */
+    readonly background_color: "#000000";
+    /** Logo image path (default: /logo.png in public folder) */
+    readonly logo_path: "/logo.png";
+    /** Logo width in pixels */
+    readonly logo_width: 120;
+    /** Logo height in pixels */
+    readonly logo_height: 120;
+    /** Application name displayed below logo */
+    readonly application_name: "";
+    /** Limited access text displayed with lock icon */
+    readonly limited_access_text: "Limited Access";
+    /** Password input placeholder text */
+    readonly password_placeholder: "Enter access password";
+    /** Submit button text */
+    readonly submit_button_text: "Unlock";
+    /** Error message for incorrect password */
+    readonly error_message: "Incorrect password";
+    /** Text color for labels (default: white) */
+    readonly text_color: "#ffffff";
+    /** Accent color for button (default: blue) */
+    readonly accent_color: "#3b82f6";
+};
 /**
  * All default configuration values combined in one object
  * This makes it easy to see all defaults at a glance and export them as needed
@@ -253,6 +291,44 @@ export declare const HAZO_AUTH_DEFAULTS: {
         /** Text displayed on the divider between OAuth and email/password form */
         readonly oauth_divider_text: "or continue with email";
     };
+    readonly devLock: {
+        /** Enable the development lock screen (also requires HAZO_AUTH_DEV_LOCK_ENABLED env var) */
+        readonly enable: false;
+        /** Session duration in days */
+        readonly session_duration_days: 7;
+        /** Background color (default: black) */
+        readonly background_color: "#000000";
+        /** Logo image path (default: /logo.png in public folder) */
+        readonly logo_path: "/logo.png";
+        /** Logo width in pixels */
+        readonly logo_width: 120;
+        /** Logo height in pixels */
+        readonly logo_height: 120;
+        /** Application name displayed below logo */
+        readonly application_name: "";
+        /** Limited access text displayed with lock icon */
+        readonly limited_access_text: "Limited Access";
+        /** Password input placeholder text */
+        readonly password_placeholder: "Enter access password";
+        /** Submit button text */
+        readonly submit_button_text: "Unlock";
+        /** Error message for incorrect password */
+        readonly error_message: "Incorrect password";
+        /** Text color for labels (default: white) */
+        readonly text_color: "#ffffff";
+        /** Accent color for button (default: blue) */
+        readonly accent_color: "#3b82f6";
+    };
+    readonly multiTenancy: {
+        /** Enable multi-tenancy support (default: false) */
+        readonly enable_multi_tenancy: false;
+        /** Cache TTL in minutes for org lookups (default: 15) */
+        readonly org_cache_ttl_minutes: 15;
+        /** Maximum entries in org cache (default: 1000) */
+        readonly org_cache_max_entries: 1000;
+        /** Default user limit per organization (0 = unlimited) */
+        readonly default_user_limit: 0;
+    };
 };
 /**
  * Type representing the complete default configuration structure

package/dist/lib/config/default_config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default_config.d.ts","sourceRoot":"","sources":["../../../src/lib/config/default_config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,6BAA6B;;;;;;CAMhC,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;CAItB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;;;;CAO1B,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAGX,eAAO,MAAM,kBAAkB;;;CAGrB,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;CAKnB,CAAC;AAGX,eAAO,MAAM,yBAAyB;;;;;;CAM5B,CAAC;AAGX,eAAO,MAAM,aAAa;4BACI,MAAM,GAAG,SAAS;;;;;;CAMtC,CAAC;AAGX,eAAO,MAAM,gBAAgB;4BACC,MAAM,GAAG,SAAS;;;;;CAKtC,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,sBAAsB;;;;CAIzB,CAAC;AAGX,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,oBAAoB;;;;CAIvB,CAAC;AAGX,eAAO,MAAM,gBAAgB;0BACE,YAAY,GAAG,cAAc;;;;;CAKlD,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;CAQ3B,CAAC;AAGX,eAAO,MAAM,iBAAiB;;CAEpB,CAAC;AAGX,eAAO,MAAM,aAAa;IACxB,kHAAkH;;IAElH,8CAA8C;;IAE9C,iGAAiG;;IAEjG,kDAAkD;;IAElD,0EAA0E;;CAElE,CAAC;AAGX;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAzGD,MAAM,GAAG,SAAS;;;;;;;;gCAUlB,MAAM,GAAG,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAqDjB,YAAY,GAAG,cAAc;;;;;;;;;;;;;;;;;;;QAyB1D,kHAAkH;;QAElH,8CAA8C;;QAE9C,iGAAiG;;QAEjG,kDAAkD;;QAElD,0EAA0E;;;CA6BlE,CAAC;AAGX;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,OAAO,kBAAkB,CAAC"}
+{"version":3,"file":"default_config.d.ts","sourceRoot":"","sources":["../../../src/lib/config/default_config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,6BAA6B;;;;;;CAMhC,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;CAItB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;;;;CAO1B,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAGX,eAAO,MAAM,kBAAkB;;;CAGrB,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;CAKnB,CAAC;AAGX,eAAO,MAAM,yBAAyB;;;;;;CAM5B,CAAC;AAGX,eAAO,MAAM,aAAa;4BACI,MAAM,GAAG,SAAS;;;;;;CAMtC,CAAC;AAGX,eAAO,MAAM,gBAAgB;4BACC,MAAM,GAAG,SAAS;;;;;CAKtC,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,sBAAsB;;;;CAIzB,CAAC;AAGX,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,oBAAoB;;;;CAIvB,CAAC;AAGX,eAAO,MAAM,gBAAgB;0BACE,YAAY,GAAG,cAAc;;;;;CAKlD,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;CAQ3B,CAAC;AAGX,eAAO,MAAM,iBAAiB;;CAEpB,CAAC;AAGX,eAAO,MAAM,aAAa;IACxB,kHAAkH;;IAElH,8CAA8C;;IAE9C,iGAAiG;;IAEjG,kDAAkD;;IAElD,0EAA0E;;CAElE,CAAC;AAGX,eAAO,MAAM,qBAAqB;IAChC,oDAAoD;;IAEpD,yDAAyD;;IAEzD,mDAAmD;;IAEnD,0DAA0D;;CAElD,CAAC;AAGX,eAAO,MAAM,gBAAgB;IAC3B,4FAA4F;;IAE5F,+BAA+B;;IAE/B,wCAAwC;;IAExC,4DAA4D;;IAE5D,2BAA2B;;IAE3B,4BAA4B;;IAE5B,4CAA4C;;IAE5C,mDAAmD;;IAEnD,sCAAsC;;IAEtC,yBAAyB;;IAEzB,2CAA2C;;IAE3C,6CAA6C;;IAE7C,8CAA8C;;CAEtC,CAAC;AAGX;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAnJD,MAAM,GAAG,SAAS;;;;;;;;gCAUlB,MAAM,GAAG,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAqDjB,YAAY,GAAG,cAAc;;;;;;;;;;;;;;;;;;;QAyB1D,kHAAkH;;QAElH,8CAA8C;;QAE9C,iGAAiG;;QAEjG,kDAAkD;;QAElD,0EAA0E;;;;QAkB1E,4FAA4F;;QAE5F,+BAA+B;;QAE/B,wCAAwC;;QAExC,4DAA4D;;QAE5D,2BAA2B;;QAE3B,4BAA4B;;QAE5B,4CAA4C;;QAE5C,mDAAmD;;QAEnD,sCAAsC;;QAEtC,yBAAyB;;QAEzB,2CAA2C;;QAE3C,6CAA6C;;QAE7C,8CAA8C;;;;QApC9C,oDAAoD;;QAEpD,yDAAyD;;QAEzD,mDAAmD;;QAEnD,0DAA0D;;;CA6DlD,CAAC;AAGX;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,OAAO,kBAAkB,CAAC"}

package/dist/lib/config/default_config.js

@@ -145,6 +145,46 @@ export const DEFAULT_OAUTH = {
     /** Text displayed on the divider between OAuth and email/password form */
     oauth_divider_text: "or continue with email",
 };
+// section: multi_tenancy
+export const DEFAULT_MULTI_TENANCY = {
+    /** Enable multi-tenancy support (default: false) */
+    enable_multi_tenancy: false,
+    /** Cache TTL in minutes for org lookups (default: 15) */
+    org_cache_ttl_minutes: 15,
+    /** Maximum entries in org cache (default: 1000) */
+    org_cache_max_entries: 1000,
+    /** Default user limit per organization (0 = unlimited) */
+    default_user_limit: 0,
+};
+// section: dev_lock
+export const DEFAULT_DEV_LOCK = {
+    /** Enable the development lock screen (also requires HAZO_AUTH_DEV_LOCK_ENABLED env var) */
+    enable: false,
+    /** Session duration in days */
+    session_duration_days: 7,
+    /** Background color (default: black) */
+    background_color: "#000000",
+    /** Logo image path (default: /logo.png in public folder) */
+    logo_path: "/logo.png",
+    /** Logo width in pixels */
+    logo_width: 120,
+    /** Logo height in pixels */
+    logo_height: 120,
+    /** Application name displayed below logo */
+    application_name: "",
+    /** Limited access text displayed with lock icon */
+    limited_access_text: "Limited Access",
+    /** Password input placeholder text */
+    password_placeholder: "Enter access password",
+    /** Submit button text */
+    submit_button_text: "Unlock",
+    /** Error message for incorrect password */
+    error_message: "Incorrect password",
+    /** Text color for labels (default: white) */
+    text_color: "#ffffff",
+    /** Accent color for button (default: blue) */
+    accent_color: "#3b82f6",
+};
 // section: combined_defaults
 /**
  * All default configuration values combined in one object
@@ -170,4 +210,6 @@ export const HAZO_AUTH_DEFAULTS = {
     profilePicMenu: DEFAULT_PROFILE_PIC_MENU,
     apiPaths: DEFAULT_API_PATHS,
     oauth: DEFAULT_OAUTH,
+    devLock: DEFAULT_DEV_LOCK,
+    multiTenancy: DEFAULT_MULTI_TENANCY,
 };

package/dist/lib/dev_lock_config.server.d.ts

@@ -0,0 +1,41 @@
+export type DevLockConfig = {
+    /** Enable the development lock screen */
+    enable: boolean;
+    /** Session duration in days */
+    session_duration_days: number;
+    /** Background color */
+    background_color: string;
+    /** Logo image path */
+    logo_path: string;
+    /** Logo width in pixels */
+    logo_width: number;
+    /** Logo height in pixels */
+    logo_height: number;
+    /** Application name displayed below logo */
+    application_name: string;
+    /** Limited access text displayed with lock icon */
+    limited_access_text: string;
+    /** Password input placeholder text */
+    password_placeholder: string;
+    /** Submit button text */
+    submit_button_text: string;
+    /** Error message for incorrect password */
+    error_message: string;
+    /** Text color for labels */
+    text_color: string;
+    /** Accent color for button */
+    accent_color: string;
+};
+/**
+ * Reads dev lock configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns Dev lock configuration options
+ */
+export declare function get_dev_lock_config(): DevLockConfig;
+/**
+ * Helper to check if dev lock is enabled in config
+ * Note: Also requires HAZO_AUTH_DEV_LOCK_ENABLED env var for actual enforcement
+ * @returns true if dev lock is enabled in config
+ */
+export declare function is_dev_lock_enabled(): boolean;
+//# sourceMappingURL=dev_lock_config.server.d.ts.map

package/dist/lib/dev_lock_config.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dev_lock_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/dev_lock_config.server.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,aAAa,GAAG;IAC1B,yCAAyC;IACzC,MAAM,EAAE,OAAO,CAAC;IAChB,+BAA+B;IAC/B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,uBAAuB;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,sBAAsB;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,4CAA4C;IAC5C,gBAAgB,EAAE,MAAM,CAAC;IACzB,mDAAmD;IACnD,mBAAmB,EAAE,MAAM,CAAC;IAC5B,sCAAsC;IACtC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,yBAAyB;IACzB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,2CAA2C;IAC3C,aAAa,EAAE,MAAM,CAAC;IACtB,4BAA4B;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,aAAa,CA8FnD;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAE7C"}

package/dist/lib/dev_lock_config.server.js

@@ -0,0 +1,50 @@
+// file_description: server-only helper to read dev lock configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_value, get_config_boolean, get_config_number } from "./config/config_loader.server";
+import { DEFAULT_DEV_LOCK } from "./config/default_config";
+// section: constants
+const SECTION_NAME = "hazo_auth__dev_lock";
+// section: helpers
+/**
+ * Reads dev lock configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns Dev lock configuration options
+ */
+export function get_dev_lock_config() {
+    const enable = get_config_boolean(SECTION_NAME, "enable", DEFAULT_DEV_LOCK.enable);
+    const session_duration_days = get_config_number(SECTION_NAME, "session_duration_days", DEFAULT_DEV_LOCK.session_duration_days);
+    const background_color = get_config_value(SECTION_NAME, "background_color", DEFAULT_DEV_LOCK.background_color);
+    const logo_path = get_config_value(SECTION_NAME, "logo_path", DEFAULT_DEV_LOCK.logo_path);
+    const logo_width = get_config_number(SECTION_NAME, "logo_width", DEFAULT_DEV_LOCK.logo_width);
+    const logo_height = get_config_number(SECTION_NAME, "logo_height", DEFAULT_DEV_LOCK.logo_height);
+    const application_name = get_config_value(SECTION_NAME, "application_name", DEFAULT_DEV_LOCK.application_name);
+    const limited_access_text = get_config_value(SECTION_NAME, "limited_access_text", DEFAULT_DEV_LOCK.limited_access_text);
+    const password_placeholder = get_config_value(SECTION_NAME, "password_placeholder", DEFAULT_DEV_LOCK.password_placeholder);
+    const submit_button_text = get_config_value(SECTION_NAME, "submit_button_text", DEFAULT_DEV_LOCK.submit_button_text);
+    const error_message = get_config_value(SECTION_NAME, "error_message", DEFAULT_DEV_LOCK.error_message);
+    const text_color = get_config_value(SECTION_NAME, "text_color", DEFAULT_DEV_LOCK.text_color);
+    const accent_color = get_config_value(SECTION_NAME, "accent_color", DEFAULT_DEV_LOCK.accent_color);
+    return {
+        enable,
+        session_duration_days,
+        background_color,
+        logo_path,
+        logo_width,
+        logo_height,
+        application_name,
+        limited_access_text,
+        password_placeholder,
+        submit_button_text,
+        error_message,
+        text_color,
+        accent_color,
+    };
+}
+/**
+ * Helper to check if dev lock is enabled in config
+ * Note: Also requires HAZO_AUTH_DEV_LOCK_ENABLED env var for actual enforcement
+ * @returns true if dev lock is enabled in config
+ */
+export function is_dev_lock_enabled() {
+    return get_config_boolean(SECTION_NAME, "enable", DEFAULT_DEV_LOCK.enable);
+}

package/dist/lib/multi_tenancy_config.server.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Multi-tenancy configuration options
+ */
+export type MultiTenancyConfig = {
+    /** Whether multi-tenancy is enabled (default: false) */
+    enable_multi_tenancy: boolean;
+    /** Cache TTL in minutes for org lookups (default: 15) */
+    org_cache_ttl_minutes: number;
+    /** Maximum entries in org cache (default: 1000) */
+    org_cache_max_entries: number;
+    /** Default user limit per organization (0 = unlimited) */
+    default_user_limit: number;
+};
+/**
+ * Reads multi-tenancy configuration from hazo_auth_config.ini file
+ * Falls back to defaults if config file is not found or section is missing
+ * @returns Multi-tenancy configuration options
+ */
+export declare function get_multi_tenancy_config(): MultiTenancyConfig;
+/**
+ * Checks if multi-tenancy is enabled in the configuration
+ * Convenience function for quick checks
+ */
+export declare function is_multi_tenancy_enabled(): boolean;
+/**
+ * Gets the default user limit from config
+ * Returns 0 if not configured (unlimited)
+ */
+export declare function get_default_user_limit(): number;
+//# sourceMappingURL=multi_tenancy_config.server.d.ts.map

package/dist/lib/multi_tenancy_config.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"multi_tenancy_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/multi_tenancy_config.server.ts"],"names":[],"mappings":"AAWA;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,wDAAwD;IACxD,oBAAoB,EAAE,OAAO,CAAC;IAC9B,yDAAyD;IACzD,qBAAqB,EAAE,MAAM,CAAC;IAC9B,mDAAmD;IACnD,qBAAqB,EAAE,MAAM,CAAC;IAC9B,0DAA0D;IAC1D,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAQF;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,kBAAkB,CAiC7D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAMlD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAM/C"}

package/dist/lib/multi_tenancy_config.server.js

@@ -0,0 +1,41 @@
+// file_description: server-only helper to read multi-tenancy configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_number, get_config_boolean, } from "./config/config_loader.server";
+import { DEFAULT_MULTI_TENANCY } from "./config/default_config";
+// section: constants
+const SECTION_NAME = "hazo_auth__multi_tenancy";
+// section: helpers
+/**
+ * Reads multi-tenancy configuration from hazo_auth_config.ini file
+ * Falls back to defaults if config file is not found or section is missing
+ * @returns Multi-tenancy configuration options
+ */
+export function get_multi_tenancy_config() {
+    // Core multi-tenancy enablement
+    const enable_multi_tenancy = get_config_boolean(SECTION_NAME, "enable_multi_tenancy", DEFAULT_MULTI_TENANCY.enable_multi_tenancy);
+    // Cache settings
+    const org_cache_ttl_minutes = get_config_number(SECTION_NAME, "org_cache_ttl_minutes", DEFAULT_MULTI_TENANCY.org_cache_ttl_minutes);
+    const org_cache_max_entries = get_config_number(SECTION_NAME, "org_cache_max_entries", DEFAULT_MULTI_TENANCY.org_cache_max_entries);
+    // Default user limit
+    const default_user_limit = get_config_number(SECTION_NAME, "default_user_limit", DEFAULT_MULTI_TENANCY.default_user_limit);
+    return {
+        enable_multi_tenancy,
+        org_cache_ttl_minutes,
+        org_cache_max_entries,
+        default_user_limit,
+    };
+}
+/**
+ * Checks if multi-tenancy is enabled in the configuration
+ * Convenience function for quick checks
+ */
+export function is_multi_tenancy_enabled() {
+    return get_config_boolean(SECTION_NAME, "enable_multi_tenancy", DEFAULT_MULTI_TENANCY.enable_multi_tenancy);
+}
+/**
+ * Gets the default user limit from config
+ * Returns 0 if not configured (unlimited)
+ */
+export function get_default_user_limit() {
+    return get_config_number(SECTION_NAME, "default_user_limit", DEFAULT_MULTI_TENANCY.default_user_limit);
+}