hazo_auth 4.5.7 → 4.6.0

package/README.md

@@ -382,6 +382,22 @@ HAZO_AUTH_GOOGLE_CLIENT_SECRET=your_google_client_secret
 
 See [Google OAuth Setup](#google-oauth-setup) for detailed instructions.
 
+**For Cookie Customization (optional):**
+```env
+# Cookie prefix (prevents conflicts when running multiple apps on localhost)
+HAZO_AUTH_COOKIE_PREFIX=myapp_
+
+# Cookie domain (optional, for cross-subdomain sharing)
+HAZO_AUTH_COOKIE_DOMAIN=.example.com
+```
+
+These environment variables are required for Edge Runtime (middleware) when using cookie customization. Also set in `hazo_auth_config.ini`:
+```ini
+[hazo_auth__cookies]
+cookie_prefix = myapp_
+cookie_domain = .example.com
+```
+
 **Important:** The configuration files must be located in your project root directory (where `process.cwd()` points to), not inside `node_modules`. The package reads configuration from `process.cwd()` at runtime, so storing them elsewhere (including `node_modules/hazo_auth`) will break runtime access.
 
 ---

package/SETUP_CHECKLIST.md

@@ -197,6 +197,10 @@ HAZO_CONNECT_POSTGREST_API_KEY=your_postgrest_api_key_here
 # Required for JWT authentication
 JWT_SECRET=your_secure_random_string_at_least_32_characters
 # Note: JWT_SECRET is required for JWT session token functionality (Edge-compatible proxy/middleware authentication)
+
+# Optional: Cookie customization (prevents conflicts when running multiple apps)
+HAZO_AUTH_COOKIE_PREFIX=myapp_
+HAZO_AUTH_COOKIE_DOMAIN=
 ```
 
 **Generate a secure JWT secret:**
@@ -204,6 +208,18 @@ JWT_SECRET=your_secure_random_string_at_least_32_characters
 openssl rand -base64 32
 ```
 
+**Cookie Customization (Optional):**
+If you're running multiple apps that use hazo_auth on localhost (different ports), set `HAZO_AUTH_COOKIE_PREFIX` to prevent cookie conflicts. For example:
+- App 1 (port 3000): `HAZO_AUTH_COOKIE_PREFIX=app1_`
+- App 2 (port 3001): `HAZO_AUTH_COOKIE_PREFIX=app2_`
+
+Also configure in `hazo_auth_config.ini`:
+```ini
+[hazo_auth__cookies]
+cookie_prefix = myapp_
+cookie_domain =
+```
+
 ### Step 2.2: Configure email settings
 
 Edit `hazo_notify_config.ini`:

package/cli-src/lib/auth/auth_utils.server.ts

@@ -4,6 +4,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
 import { map_db_source_to_ui } from "../services/profile_picture_source_mapper.js";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../cookies_config.server.js";
 
 // section: types
 export type AuthUser = {
@@ -24,19 +25,17 @@ export type AuthResult =
 
 // section: helpers
 /**
- * Clears authentication cookies from response
+ * Clears authentication cookies from response (with configurable prefix and domain)
  * @param response - NextResponse object to clear cookies from
  * @returns The response with cleared cookies
  */
 function clear_auth_cookies(response: NextResponse): NextResponse {
-  response.cookies.set("hazo_auth_user_email", "", {
-    expires: new Date(0),
-    path: "/",
-  });
-  response.cookies.set("hazo_auth_user_id", "", {
+  const clear_cookie_options = get_cookie_options({
     expires: new Date(0),
     path: "/",
   });
+  response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), "", clear_cookie_options);
+  response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), "", clear_cookie_options);
   return response;
 }
 
@@ -48,8 +47,8 @@ function clear_auth_cookies(response: NextResponse): NextResponse {
  * @returns AuthResult with user info or authenticated: false
  */
 export async function get_authenticated_user(request: NextRequest): Promise<AuthResult> {
-  const user_id = request.cookies.get("hazo_auth_user_id")?.value;
-  const user_email = request.cookies.get("hazo_auth_user_email")?.value;
+  const user_id = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_ID))?.value;
+  const user_email = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL))?.value;
 
   if (!user_id || !user_email) {
     return { authenticated: false };
@@ -132,8 +131,8 @@ export async function get_authenticated_user_with_response(request: NextRequest)
   auth_result: AuthResult;
   response?: NextResponse;
 }> {
-  const user_id = request.cookies.get("hazo_auth_user_id")?.value;
-  const user_email = request.cookies.get("hazo_auth_user_email")?.value;
+  const user_id = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_ID))?.value;
+  const user_email = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL))?.value;
 
   if (!user_id || !user_email) {
     return { auth_result: { authenticated: false } };

package/cli-src/lib/auth/dev_lock_validator.edge.ts

@@ -2,9 +2,9 @@
 // Uses Web Crypto API which works in Edge Runtime (no Node.js crypto module)
 // section: imports
 import type { NextRequest } from "next/server";
+import { get_cookie_name_edge, BASE_COOKIE_NAMES } from "../cookies_config.edge.js";
 
 // section: constants
-const COOKIE_NAME = "hazo_auth_dev_lock";
 const SEPARATOR = "|";
 
 // section: types
@@ -105,7 +105,7 @@ export async function validate_dev_lock_cookie(
     return { valid: false };
   }
 
-  const cookie = request.cookies.get(COOKIE_NAME)?.value;
+  const cookie = request.cookies.get(get_cookie_name_edge(BASE_COOKIE_NAMES.DEV_LOCK))?.value;
 
   if (!cookie) {
     return { valid: false };
@@ -162,10 +162,11 @@ export function validate_dev_lock_password(password: string): boolean {
 }
 
 /**
- * Gets the dev lock cookie name
+ * Gets the dev lock cookie name (with configurable prefix)
  * Exported for use in API routes when setting the cookie
+ * Uses HAZO_AUTH_COOKIE_PREFIX env var for configurable prefix
  * @returns Cookie name string
  */
 export function get_dev_lock_cookie_name(): string {
-  return COOKIE_NAME;
+  return get_cookie_name_edge(BASE_COOKIE_NAMES.DEV_LOCK);
 }

package/cli-src/lib/auth/hazo_get_auth.server.ts

@@ -17,6 +17,7 @@ import { check_user_scope_access, get_user_scopes, type UserScope } from "../ser
 import { is_valid_scope_level, type ScopeLevel } from "../services/scope_service.js";
 import { is_multi_tenancy_enabled, get_multi_tenancy_config } from "../multi_tenancy_config.server.js";
 import { get_org_cache, type OrgCacheEntry } from "./org_cache.js";
+import { get_cookie_name, BASE_COOKIE_NAMES } from "../cookies_config.server.js";
 
 // section: helpers
 
@@ -407,13 +408,13 @@ export async function hazo_get_auth(
   );
   const rate_limiter = get_rate_limiter();
 
-  // Fast path: Check for authentication cookies
+  // Fast path: Check for authentication cookies (with configurable prefix)
   // Priority: 1. JWT session token (new), 2. Simple cookies (backward compatibility)
   let user_id: string | undefined;
   let user_email: string | undefined;
-  
+
   // Check for JWT session token first
-  const session_token = request.cookies.get("hazo_auth_session")?.value;
+  const session_token = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION))?.value;
   if (session_token) {
     try {
       const token_result = await validate_session_token(session_token);
@@ -435,8 +436,8 @@ export async function hazo_get_auth(
   
   // Fall back to simple cookies if JWT not present or invalid (backward compatibility)
   if (!user_id || !user_email) {
-    user_id = request.cookies.get("hazo_auth_user_id")?.value;
-    user_email = request.cookies.get("hazo_auth_user_email")?.value;
+    user_id = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_ID))?.value;
+    user_email = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL))?.value;
   }
 
   if (!user_id || !user_email) {

package/cli-src/lib/auth/server_auth.ts

@@ -4,6 +4,7 @@ import { cookies } from "next/headers";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
 import { map_db_source_to_ui } from "../services/profile_picture_source_mapper.js";
+import { get_cookie_name, BASE_COOKIE_NAMES } from "../cookies_config.server.js";
 
 // section: types
 export type ServerAuthUser = {
@@ -30,8 +31,8 @@ export type ServerAuthResult =
  */
 export async function get_server_auth_user(): Promise<ServerAuthResult> {
   const cookie_store = await cookies();
-  const user_id = cookie_store.get("hazo_auth_user_id")?.value;
-  const user_email = cookie_store.get("hazo_auth_user_email")?.value;
+  const user_id = cookie_store.get(get_cookie_name(BASE_COOKIE_NAMES.USER_ID))?.value;
+  const user_email = cookie_store.get(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL))?.value;
 
   if (!user_id || !user_email) {
     return { authenticated: false };

package/cli-src/lib/auth/session_token_validator.edge.ts

@@ -3,6 +3,7 @@
 // section: imports
 import { jwtVerify } from "jose";
 import type { NextRequest } from "next/server";
+import { get_cookie_name_edge, BASE_COOKIE_NAMES } from "../cookies_config.edge.js";
 
 // section: types
 export type ValidateSessionCookieResult = {
@@ -35,6 +36,7 @@ function get_jwt_secret(): Uint8Array | null {
  * Validates session cookie from NextRequest (Edge-compatible)
  * Extracts hazo_auth_session cookie and validates JWT signature and expiry
  * Works in Edge Runtime (Next.js proxy/middleware)
+ * Uses HAZO_AUTH_COOKIE_PREFIX env var for configurable cookie name
  * @param request - NextRequest object
  * @returns Validation result with user_id and email if valid
  */
@@ -42,8 +44,8 @@ export async function validate_session_cookie(
   request: NextRequest,
 ): Promise<ValidateSessionCookieResult> {
   try {
-    // Extract session cookie
-    const session_cookie = request.cookies.get("hazo_auth_session")?.value;
+    // Extract session cookie (with configurable prefix from env var)
+    const session_cookie = request.cookies.get(get_cookie_name_edge(BASE_COOKIE_NAMES.SESSION))?.value;
     
     if (!session_cookie) {
       return { valid: false };

package/cli-src/lib/cookies_config.edge.ts

@@ -0,0 +1,55 @@
+// file_description: Edge-compatible cookie configuration helper
+// Uses environment variables since Edge runtime can't read config files
+
+// section: constants
+// Base cookie names (without prefix)
+export const BASE_COOKIE_NAMES = {
+  USER_ID: "hazo_auth_user_id",
+  USER_EMAIL: "hazo_auth_user_email",
+  SESSION: "hazo_auth_session",
+  DEV_LOCK: "hazo_auth_dev_lock",
+} as const;
+
+// section: main_functions
+/**
+ * Gets the cookie prefix from environment variable
+ * For Edge runtime, use HAZO_AUTH_COOKIE_PREFIX env var
+ * @returns Cookie prefix string (empty string if not set)
+ */
+export function get_cookie_prefix_edge(): string {
+  return process.env.HAZO_AUTH_COOKIE_PREFIX || "";
+}
+
+/**
+ * Gets the cookie domain from environment variable
+ * For Edge runtime, use HAZO_AUTH_COOKIE_DOMAIN env var
+ * @returns Cookie domain string (empty string if not set)
+ */
+export function get_cookie_domain_edge(): string {
+  return process.env.HAZO_AUTH_COOKIE_DOMAIN || "";
+}
+
+/**
+ * Gets the full cookie name with prefix applied (Edge-compatible)
+ * @param base_name - Base cookie name from BASE_COOKIE_NAMES
+ * @returns Full cookie name with prefix
+ */
+export function get_cookie_name_edge(base_name: string): string {
+  const prefix = get_cookie_prefix_edge();
+  return `${prefix}${base_name}`;
+}
+
+/**
+ * Gets cookie options with domain if configured (Edge-compatible)
+ * @param options - Base cookie options
+ * @returns Cookie options with domain added if configured
+ */
+export function get_cookie_options_edge<T extends Record<string, unknown>>(options: T): T & { domain?: string } {
+  const domain = get_cookie_domain_edge();
+
+  if (domain) {
+    return { ...options, domain };
+  }
+
+  return options;
+}

package/cli-src/lib/cookies_config.server.ts

@@ -0,0 +1,93 @@
+// file_description: server-only helper to read cookie configuration from hazo_auth_config.ini
+
+import { read_config_section } from "./config/config_loader.server.js";
+
+// section: types
+export type CookiesConfig = {
+  /** Prefix for all hazo_auth cookies (e.g., "myapp_" results in "myapp_hazo_auth_session") */
+  cookie_prefix: string;
+  /** Optional domain for cookies (e.g., ".example.com" for cross-subdomain) */
+  cookie_domain: string;
+};
+
+// section: defaults
+const DEFAULT_CONFIG: CookiesConfig = {
+  cookie_prefix: "",
+  cookie_domain: "",
+};
+
+// section: constants
+const SECTION_NAME = "hazo_auth__cookies";
+
+// Base cookie names (without prefix)
+export const BASE_COOKIE_NAMES = {
+  USER_ID: "hazo_auth_user_id",
+  USER_EMAIL: "hazo_auth_user_email",
+  SESSION: "hazo_auth_session",
+  DEV_LOCK: "hazo_auth_dev_lock",
+} as const;
+
+// section: main_function
+/**
+ * Reads cookie configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns CookiesConfig object with all cookie settings
+ */
+export function get_cookies_config(): CookiesConfig {
+  const section = read_config_section(SECTION_NAME);
+
+  if (!section) {
+    return DEFAULT_CONFIG;
+  }
+
+  return {
+    cookie_prefix: section.cookie_prefix || DEFAULT_CONFIG.cookie_prefix,
+    cookie_domain: section.cookie_domain || DEFAULT_CONFIG.cookie_domain,
+  };
+}
+
+/**
+ * Gets the full cookie name with prefix applied
+ * @param base_name - Base cookie name from BASE_COOKIE_NAMES
+ * @returns Full cookie name with prefix
+ */
+export function get_cookie_name(base_name: string): string {
+  const config = get_cookies_config();
+  return `${config.cookie_prefix}${base_name}`;
+}
+
+/**
+ * Gets cookie options with domain if configured
+ * @param options - Base cookie options
+ * @returns Cookie options with domain added if configured
+ */
+export function get_cookie_options<T extends Record<string, unknown>>(options: T): T & { domain?: string } {
+  const config = get_cookies_config();
+
+  if (config.cookie_domain) {
+    return { ...options, domain: config.cookie_domain };
+  }
+
+  return options;
+}
+
+// Cached config for performance (module-level cache)
+let cached_config: CookiesConfig | null = null;
+
+/**
+ * Gets cached cookie configuration for performance-critical paths
+ * @returns CookiesConfig object
+ */
+export function get_cached_cookies_config(): CookiesConfig {
+  if (!cached_config) {
+    cached_config = get_cookies_config();
+  }
+  return cached_config;
+}
+
+/**
+ * Clears the cached config (useful for testing)
+ */
+export function clear_cookies_config_cache(): void {
+  cached_config = null;
+}

package/dist/app/api/hazo_auth/login/route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/login/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;;;;;IAgM9C"}
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/login/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAWxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;;;;;IAuL9C"}

package/dist/app/api/hazo_auth/login/route.js

@@ -8,6 +8,7 @@ import { createCrudService } from "hazo_connect/server";
 import { get_filename, get_line_number } from "../../../../lib/utils/api_route_helpers";
 import { get_login_config } from "../../../../lib/login_config.server";
 import { create_session_token } from "../../../../lib/services/session_token_service";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../../../../lib/cookies_config.server";
 // section: api_handler
 export async function POST(request) {
     const logger = create_app_logger();
@@ -110,31 +111,21 @@ export async function POST(request) {
             name: user_name,
             redirectUrl,
         }, { status: 200 });
-        // Set authentication cookies
-        response.cookies.set("hazo_auth_user_id", user_id, {
+        // Set authentication cookies (with configurable prefix and domain)
+        const base_cookie_options = {
             httpOnly: true,
             secure: process.env.NODE_ENV === "production",
             sameSite: "lax",
             path: "/",
             maxAge: 60 * 60 * 24 * 30, // 30 days
-        });
-        response.cookies.set("hazo_auth_user_email", email, {
-            httpOnly: true,
-            secure: process.env.NODE_ENV === "production",
-            sameSite: "lax",
-            path: "/",
-            maxAge: 60 * 60 * 24 * 30, // 30 days
-        });
+        };
+        const cookie_options = get_cookie_options(base_cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), user_id, cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), email, cookie_options);
         // Create and set JWT session token (for Edge-compatible proxy/middleware)
         try {
             const session_token = await create_session_token(user_id, email);
-            response.cookies.set("hazo_auth_session", session_token, {
-                httpOnly: true,
-                secure: process.env.NODE_ENV === "production",
-                sameSite: "lax",
-                path: "/",
-                maxAge: 60 * 60 * 24 * 30, // 30 days
-            });
+            response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION), session_token, cookie_options);
         }
         catch (token_error) {
             // Log error but don't fail login if token creation fails

package/dist/app/api/hazo_auth/logout/route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/logout/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IAkH9C"}
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/logout/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IA8G9C"}

package/dist/app/api/hazo_auth/logout/route.js

@@ -5,33 +5,29 @@ import { create_app_logger } from "../../../../lib/app_logger";
 import { get_filename, get_line_number } from "../../../../lib/utils/api_route_helpers";
 import { get_auth_cache } from "../../../../lib/auth/auth_cache";
 import { get_auth_utility_config } from "../../../../lib/auth_utility_config.server";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../../../../lib/cookies_config.server";
 // section: api_handler
 export async function POST(request) {
     var _a, _b;
     const logger = create_app_logger();
     try {
-        // Get user info from cookie before clearing
-        const user_email = (_a = request.cookies.get("hazo_auth_user_email")) === null || _a === void 0 ? void 0 : _a.value;
-        const user_id = (_b = request.cookies.get("hazo_auth_user_id")) === null || _b === void 0 ? void 0 : _b.value;
+        // Get user info from cookie before clearing (using configurable cookie names)
+        const user_email = (_a = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL))) === null || _a === void 0 ? void 0 : _a.value;
+        const user_id = (_b = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_ID))) === null || _b === void 0 ? void 0 : _b.value;
         // Clear authentication cookies
         const response = NextResponse.json({
             success: true,
             message: "Logout successful",
         }, { status: 200 });
-        // Clear cookies by setting them to expire in the past
-        response.cookies.set("hazo_auth_user_email", "", {
-            expires: new Date(0),
-            path: "/",
-        });
-        response.cookies.set("hazo_auth_user_id", "", {
+        // Clear cookies by setting them to expire in the past (with configurable domain)
+        const clear_cookie_options = get_cookie_options({
             expires: new Date(0),
             path: "/",
         });
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), "", clear_cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), "", clear_cookie_options);
         // Clear JWT session token cookie
-        response.cookies.set("hazo_auth_session", "", {
-            expires: new Date(0),
-            path: "/",
-        });
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION), "", clear_cookie_options);
         // Clear NextAuth session cookies (for OAuth users)
         response.cookies.set("next-auth.session-token", "", {
             expires: new Date(0),

package/dist/app/api/hazo_auth/update_user/route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/update_user/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQxD,wBAAsB,KAAK,CAAC,OAAO,EAAE,WAAW;;;;;;IAkH/C"}
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/update_user/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AASxD,wBAAsB,KAAK,CAAC,OAAO,EAAE,WAAW;;;;;;IAoH/C"}

package/dist/app/api/hazo_auth/update_user/route.js

@@ -6,6 +6,7 @@ import { create_app_logger } from "../../../../lib/app_logger";
 import { update_user_profile } from "../../../../lib/services/user_update_service";
 import { get_filename, get_line_number } from "../../../../lib/utils/api_route_helpers";
 import { require_auth } from "../../../../lib/auth/auth_utils.server";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../../../../lib/cookies_config.server";
 // section: api_handler
 export async function PATCH(request) {
     const logger = create_app_logger();
@@ -69,15 +70,17 @@ export async function PATCH(request) {
             message: "Profile updated successfully",
             email_changed: result.email_changed,
         }, { status: 200 });
-        // If email changed, update the cookie (match login route cookie settings)
+        // If email changed, update the cookie (match login route cookie settings, with configurable prefix and domain)
         if (result.email_changed && email) {
-            response.cookies.set("hazo_auth_user_email", email, {
+            const base_cookie_options = {
                 httpOnly: true,
                 secure: process.env.NODE_ENV === "production",
                 sameSite: "lax",
                 path: "/",
                 maxAge: 60 * 60 * 24 * 30, // 30 days
-            });
+            };
+            const cookie_options = get_cookie_options(base_cookie_options);
+            response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), email, cookie_options);
         }
         return response;
     }

package/dist/components/layouts/shared/components/profile_pic_menu.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"profile_pic_menu.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/shared/components/profile_pic_menu.tsx"],"names":[],"mappings":"AA6BA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AAI7F,MAAM,MAAM,mBAAmB,GAAG;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,EAC7B,kBAA0B,EAC1B,aAAyB,EACzB,aAAyB,EACzB,aAAqC,EACrC,UAA+B,EAC/B,aAAwC,EACxC,WAAW,EACX,iBAAsB,EACtB,SAAS,EACT,WAAuB,EACvB,OAAoB,EACpB,mBAA+B,GAChC,EAAE,mBAAmB,2CAuarB"}
+{"version":3,"file":"profile_pic_menu.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/shared/components/profile_pic_menu.tsx"],"names":[],"mappings":"AAqCA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AAI7F,MAAM,MAAM,mBAAmB,GAAG;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,EAC7B,kBAA0B,EAC1B,aAAyB,EACzB,aAAyB,EACzB,aAAqC,EACrC,UAA+B,EAC/B,aAAwC,EACxC,WAAW,EACX,iBAAsB,EACtB,SAAS,EACT,WAAuB,EACvB,OAAoB,EACpB,mBAA+B,GAChC,EAAE,mBAAmB,2CA6erB"}

package/dist/components/layouts/shared/components/profile_pic_menu.js

@@ -10,8 +10,10 @@ import Link from "next/link";
 import { Avatar, AvatarImage, AvatarFallback } from "../../../ui/avatar";
 import { Button } from "../../../ui/button";
 import { DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuSeparator, DropdownMenuTrigger, } from "../../../ui/dropdown-menu";
+import { Dialog, DialogContent, DialogDescription, DialogHeader, DialogTitle, } from "../../../ui/dialog";
+import { RolesMatrix } from "../../user_management/components/roles_matrix";
 import { SidebarGroup, SidebarGroupLabel, SidebarMenu, SidebarMenuItem, SidebarMenuButton, } from "../../../ui/sidebar";
-import { Settings, LogOut } from "lucide-react";
+import { Settings, LogOut, Shield } from "lucide-react";
 import { toast } from "sonner";
 import { use_auth_status, trigger_auth_status_refresh } from "../hooks/use_auth_status";
 import { useHazoAuthConfig } from "../../../../contexts/hazo_auth_provider";
@@ -30,6 +32,8 @@ export function ProfilePicMenu({ show_single_button = false, sign_up_label = "Si
     const router = useRouter();
     const authStatus = use_auth_status();
     const [isLoggingOut, setIsLoggingOut] = useState(false);
+    const [shiftKeyHeld, setShiftKeyHeld] = useState(false);
+    const [showPermissionsDialog, setShowPermissionsDialog] = useState(false);
     // Use provided logout_path or default to context-based path
     const effectiveLogoutPath = logout_path || `${apiBasePath}/logout`;
     // Get initials from name or email
@@ -161,48 +165,50 @@ export function ProfilePicMenu({ show_single_button = false, sign_up_label = "Si
     // Authenticated - render based on variant
     if (variant === "sidebar") {
         // Sidebar variant: show profile picture and name only, clicking opens dropdown
-        return (_jsxs(SidebarGroup, { className: `cls_profile_pic_menu_sidebar ${className || ""}`, children: [_jsx(SidebarGroupLabel, { className: "cls_profile_pic_menu_sidebar_label", children: sidebar_group_label }), _jsx(SidebarMenu, { className: "cls_profile_pic_menu_sidebar_menu", children: _jsx(SidebarMenuItem, { className: "cls_profile_pic_menu_sidebar_user_info", children: _jsxs(DropdownMenu, { children: [_jsx(DropdownMenuTrigger, { asChild: true, children: _jsx("button", { className: "cls_profile_pic_menu_sidebar_trigger w-full focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary rounded-md", "aria-label": "Profile menu", children: _jsxs("div", { className: "cls_profile_pic_menu_sidebar_user flex items-center gap-3 px-2 py-2 hover:bg-sidebar-accent rounded-md transition-colors", children: [_jsxs(Avatar, { className: `cls_profile_pic_menu_avatar ${avatarSizeClasses[avatar_size]} cursor-pointer`, children: [_jsx(AvatarImage, { src: authStatus.profile_picture_url, alt: authStatus.name ? `Profile picture of ${authStatus.name}` : "Profile picture", className: "cls_profile_pic_menu_image" }), _jsx(AvatarFallback, { className: "cls_profile_pic_menu_fallback bg-[var(--hazo-bg-emphasis)] text-[var(--hazo-text-muted)]", children: getInitials() })] }), authStatus.name && (_jsx("span", { className: "cls_profile_pic_menu_sidebar_user_name text-sm font-medium text-sidebar-foreground truncate", children: authStatus.name }))] }) }) }), _jsx(DropdownMenuContent, { align: "end", className: "cls_profile_pic_menu_dropdown w-56", children: menuItems.map((item) => {
-                                        if (item.type === "separator") {
-                                            return _jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }, item.id);
-                                        }
-                                        if (item.type === "info") {
-                                            return (_jsx("div", { className: "cls_profile_pic_menu_info", children: item.value && (_jsx("div", { className: "cls_profile_pic_menu_info_value px-2 py-1.5 text-sm text-foreground", children: item.value })) }, item.id));
-                                        }
-                                        if (item.type === "link") {
-                                            // Special handling for logout
-                                            if (item.id === "default_logout") {
-                                                return (_jsxs(DropdownMenuItem, { onClick: handleLogout, disabled: isLoggingOut, className: "cls_profile_pic_menu_logout cursor-pointer text-destructive focus:text-destructive", children: [_jsx(LogOut, { className: "mr-2 h-4 w-4" }), isLoggingOut ? "Logging out..." : item.label] }, item.id));
-                                            }
-                                            // Special handling for settings
-                                            if (item.id === "default_settings") {
-                                                return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_settings cursor-pointer", children: _jsxs(Link, { href: item.href || settings_path, children: [_jsx(Settings, { className: "mr-2 h-4 w-4" }), item.label] }) }, item.id));
-                                            }
-                                            // Generic link handling
-                                            return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_link cursor-pointer", children: _jsx(Link, { href: item.href || "#", children: item.label }) }, item.id));
-                                        }
-                                        return null;
-                                    }) })] }) }) })] }));
+        return (_jsxs(SidebarGroup, { className: `cls_profile_pic_menu_sidebar ${className || ""}`, children: [_jsx(SidebarGroupLabel, { className: "cls_profile_pic_menu_sidebar_label", children: sidebar_group_label }), _jsx(SidebarMenu, { className: "cls_profile_pic_menu_sidebar_menu", children: _jsxs(SidebarMenuItem, { className: "cls_profile_pic_menu_sidebar_user_info", children: [_jsxs(DropdownMenu, { onOpenChange: (open) => { if (!open)
+                                    setShiftKeyHeld(false); }, children: [_jsx(DropdownMenuTrigger, { asChild: true, children: _jsx("button", { className: "cls_profile_pic_menu_sidebar_trigger w-full focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary rounded-md", "aria-label": "Profile menu", onClick: (e) => setShiftKeyHeld(e.shiftKey), children: _jsxs("div", { className: "cls_profile_pic_menu_sidebar_user flex items-center gap-3 px-2 py-2 hover:bg-sidebar-accent rounded-md transition-colors", children: [_jsxs(Avatar, { className: `cls_profile_pic_menu_avatar ${avatarSizeClasses[avatar_size]} cursor-pointer`, children: [_jsx(AvatarImage, { src: authStatus.profile_picture_url, alt: authStatus.name ? `Profile picture of ${authStatus.name}` : "Profile picture", className: "cls_profile_pic_menu_image" }), _jsx(AvatarFallback, { className: "cls_profile_pic_menu_fallback bg-[var(--hazo-bg-emphasis)] text-[var(--hazo-text-muted)]", children: getInitials() })] }), authStatus.name && (_jsx("span", { className: "cls_profile_pic_menu_sidebar_user_name text-sm font-medium text-sidebar-foreground truncate", children: authStatus.name }))] }) }) }), _jsxs(DropdownMenuContent, { align: "end", className: "cls_profile_pic_menu_dropdown w-56", children: [menuItems.map((item) => {
+                                                if (item.type === "separator") {
+                                                    return _jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }, item.id);
+                                                }
+                                                if (item.type === "info") {
+                                                    return (_jsx("div", { className: "cls_profile_pic_menu_info", children: item.value && (_jsx("div", { className: "cls_profile_pic_menu_info_value px-2 py-1.5 text-sm text-foreground", children: item.value })) }, item.id));
+                                                }
+                                                if (item.type === "link") {
+                                                    // Special handling for logout
+                                                    if (item.id === "default_logout") {
+                                                        return (_jsxs(DropdownMenuItem, { onClick: handleLogout, disabled: isLoggingOut, className: "cls_profile_pic_menu_logout cursor-pointer text-destructive focus:text-destructive", children: [_jsx(LogOut, { className: "mr-2 h-4 w-4" }), isLoggingOut ? "Logging out..." : item.label] }, item.id));
+                                                    }
+                                                    // Special handling for settings
+                                                    if (item.id === "default_settings") {
+                                                        return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_settings cursor-pointer", children: _jsxs(Link, { href: item.href || settings_path, children: [_jsx(Settings, { className: "mr-2 h-4 w-4" }), item.label] }) }, item.id));
+                                                    }
+                                                    // Generic link handling
+                                                    return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_link cursor-pointer", children: _jsx(Link, { href: item.href || "#", children: item.label }) }, item.id));
+                                                }
+                                                return null;
+                                            }), shiftKeyHeld && (_jsxs(_Fragment, { children: [_jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }), _jsxs(DropdownMenuItem, { onClick: () => setShowPermissionsDialog(true), className: "cls_profile_pic_menu_permissions cursor-pointer", children: [_jsx(Shield, { className: "mr-2 h-4 w-4" }), "My Permissions"] })] }))] })] }), _jsx(Dialog, { open: showPermissionsDialog, onOpenChange: setShowPermissionsDialog, children: _jsxs(DialogContent, { className: "cls_profile_pic_menu_permissions_dialog max-w-2xl max-h-[80vh] flex flex-col", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "My Permissions" }), _jsx(DialogDescription, { children: "Your assigned roles and their permissions" })] }), _jsx("div", { className: "flex-1 overflow-y-auto", children: _jsx(RolesMatrix, { user_id: authStatus.user_id, add_button_enabled: false, role_name_selection_enabled: false, permissions_read_only: true, show_save_cancel: false }) })] }) })] }) })] }));
     }
     // Default dropdown variant: show profile picture with dropdown menu
-    return (_jsx("div", { className: `cls_profile_pic_menu ${className || ""}`, children: _jsxs(DropdownMenu, { children: [_jsx(DropdownMenuTrigger, { asChild: true, children: _jsx("button", { className: "cls_profile_pic_menu_trigger focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary rounded-full", "aria-label": "Profile menu", children: _jsxs(Avatar, { className: `cls_profile_pic_menu_avatar ${avatarSizeClasses[avatar_size]} cursor-pointer`, children: [_jsx(AvatarImage, { src: authStatus.profile_picture_url, alt: authStatus.name ? `Profile picture of ${authStatus.name}` : "Profile picture", className: "cls_profile_pic_menu_image" }), _jsx(AvatarFallback, { className: "cls_profile_pic_menu_fallback bg-[var(--hazo-bg-emphasis)] text-[var(--hazo-text-muted)]", children: getInitials() })] }) }) }), _jsx(DropdownMenuContent, { align: "end", className: "cls_profile_pic_menu_dropdown w-56", children: menuItems.map((item) => {
-                        if (item.type === "separator") {
-                            return _jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }, item.id);
-                        }
-                        if (item.type === "info") {
-                            return (_jsx("div", { className: "cls_profile_pic_menu_info", children: item.value && (_jsx("div", { className: "cls_profile_pic_menu_info_value px-2 py-1.5 text-sm text-foreground", children: item.value })) }, item.id));
-                        }
-                        if (item.type === "link") {
-                            // Special handling for logout
-                            if (item.id === "default_logout") {
-                                return (_jsxs(DropdownMenuItem, { onClick: handleLogout, disabled: isLoggingOut, className: "cls_profile_pic_menu_logout cursor-pointer text-destructive focus:text-destructive", children: [_jsx(LogOut, { className: "mr-2 h-4 w-4" }), isLoggingOut ? "Logging out..." : item.label] }, item.id));
-                            }
-                            // Special handling for settings
-                            if (item.id === "default_settings") {
-                                return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_settings cursor-pointer", children: _jsxs(Link, { href: item.href || settings_path, children: [_jsx(Settings, { className: "mr-2 h-4 w-4" }), item.label] }) }, item.id));
-                            }
-                            // Generic link handling
-                            return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_link cursor-pointer", children: _jsx(Link, { href: item.href || "#", children: item.label }) }, item.id));
-                        }
-                        return null;
-                    }) })] }) }));
+    return (_jsxs("div", { className: `cls_profile_pic_menu ${className || ""}`, children: [_jsxs(DropdownMenu, { onOpenChange: (open) => { if (!open)
+                    setShiftKeyHeld(false); }, children: [_jsx(DropdownMenuTrigger, { asChild: true, children: _jsx("button", { className: "cls_profile_pic_menu_trigger focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary rounded-full", "aria-label": "Profile menu", onClick: (e) => setShiftKeyHeld(e.shiftKey), children: _jsxs(Avatar, { className: `cls_profile_pic_menu_avatar ${avatarSizeClasses[avatar_size]} cursor-pointer`, children: [_jsx(AvatarImage, { src: authStatus.profile_picture_url, alt: authStatus.name ? `Profile picture of ${authStatus.name}` : "Profile picture", className: "cls_profile_pic_menu_image" }), _jsx(AvatarFallback, { className: "cls_profile_pic_menu_fallback bg-[var(--hazo-bg-emphasis)] text-[var(--hazo-text-muted)]", children: getInitials() })] }) }) }), _jsxs(DropdownMenuContent, { align: "end", className: "cls_profile_pic_menu_dropdown w-56", children: [menuItems.map((item) => {
+                                if (item.type === "separator") {
+                                    return _jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }, item.id);
+                                }
+                                if (item.type === "info") {
+                                    return (_jsx("div", { className: "cls_profile_pic_menu_info", children: item.value && (_jsx("div", { className: "cls_profile_pic_menu_info_value px-2 py-1.5 text-sm text-foreground", children: item.value })) }, item.id));
+                                }
+                                if (item.type === "link") {
+                                    // Special handling for logout
+                                    if (item.id === "default_logout") {
+                                        return (_jsxs(DropdownMenuItem, { onClick: handleLogout, disabled: isLoggingOut, className: "cls_profile_pic_menu_logout cursor-pointer text-destructive focus:text-destructive", children: [_jsx(LogOut, { className: "mr-2 h-4 w-4" }), isLoggingOut ? "Logging out..." : item.label] }, item.id));
+                                    }
+                                    // Special handling for settings
+                                    if (item.id === "default_settings") {
+                                        return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_settings cursor-pointer", children: _jsxs(Link, { href: item.href || settings_path, children: [_jsx(Settings, { className: "mr-2 h-4 w-4" }), item.label] }) }, item.id));
+                                    }
+                                    // Generic link handling
+                                    return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_link cursor-pointer", children: _jsx(Link, { href: item.href || "#", children: item.label }) }, item.id));
+                                }
+                                return null;
+                            }), shiftKeyHeld && (_jsxs(_Fragment, { children: [_jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }), _jsxs(DropdownMenuItem, { onClick: () => setShowPermissionsDialog(true), className: "cls_profile_pic_menu_permissions cursor-pointer", children: [_jsx(Shield, { className: "mr-2 h-4 w-4" }), "My Permissions"] })] }))] })] }), _jsx(Dialog, { open: showPermissionsDialog, onOpenChange: setShowPermissionsDialog, children: _jsxs(DialogContent, { className: "cls_profile_pic_menu_permissions_dialog max-w-2xl max-h-[80vh] flex flex-col", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "My Permissions" }), _jsx(DialogDescription, { children: "Your assigned roles and their permissions" })] }), _jsx("div", { className: "flex-1 overflow-y-auto", children: _jsx(RolesMatrix, { user_id: authStatus.user_id, add_button_enabled: false, role_name_selection_enabled: false, permissions_read_only: true, show_save_cancel: false }) })] }) })] }));
 }

package/dist/lib/auth/auth_utils.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth_utils.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_utils.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAMxD,MAAM,MAAM,QAAQ,GAAG;IACrB,aAAa,EAAE,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,cAAc,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;CAC/D,CAAC;AAEF,MAAM,MAAM,UAAU,GAClB,QAAQ,GACR;IAAE,aAAa,EAAE,KAAK,CAAA;CAAE,CAAC;AAqB7B;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CA8CtF;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAG7E;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAQ1E;AAED;;;;;GAKG;AACH,wBAAsB,oCAAoC,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC;IACxF,WAAW,EAAE,UAAU,CAAC;IACxB,QAAQ,CAAC,EAAE,YAAY,CAAC;CACzB,CAAC,CA6DD"}
+{"version":3,"file":"auth_utils.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_utils.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOxD,MAAM,MAAM,QAAQ,GAAG;IACrB,aAAa,EAAE,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,cAAc,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;CAC/D,CAAC;AAEF,MAAM,MAAM,UAAU,GAClB,QAAQ,GACR;IAAE,aAAa,EAAE,KAAK,CAAA;CAAE,CAAC;AAmB7B;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CA8CtF;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAG7E;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAQ1E;AAED;;;;;GAKG;AACH,wBAAsB,oCAAoC,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC;IACxF,WAAW,EAAE,UAAU,CAAC;IACxB,QAAQ,CAAC,EAAE,YAAY,CAAC;CACzB,CAAC,CA6DD"}

package/dist/lib/auth/auth_utils.server.js

@@ -4,21 +4,20 @@ import { NextResponse } from "next/server";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server";
 import { createCrudService } from "hazo_connect/server";
 import { map_db_source_to_ui } from "../services/profile_picture_source_mapper";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../cookies_config.server";
 // section: helpers
 /**
- * Clears authentication cookies from response
+ * Clears authentication cookies from response (with configurable prefix and domain)
  * @param response - NextResponse object to clear cookies from
  * @returns The response with cleared cookies
  */
 function clear_auth_cookies(response) {
-    response.cookies.set("hazo_auth_user_email", "", {
-        expires: new Date(0),
-        path: "/",
-    });
-    response.cookies.set("hazo_auth_user_id", "", {
+    const clear_cookie_options = get_cookie_options({
         expires: new Date(0),
         path: "/",
     });
+    response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), "", clear_cookie_options);
+    response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), "", clear_cookie_options);
     return response;
 }
 // section: functions
@@ -30,8 +29,8 @@ function clear_auth_cookies(response) {
  */
 export async function get_authenticated_user(request) {
     var _a, _b;
-    const user_id = (_a = request.cookies.get("hazo_auth_user_id")) === null || _a === void 0 ? void 0 : _a.value;
-    const user_email = (_b = request.cookies.get("hazo_auth_user_email")) === null || _b === void 0 ? void 0 : _b.value;
+    const user_id = (_a = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_ID))) === null || _a === void 0 ? void 0 : _a.value;
+    const user_email = (_b = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL))) === null || _b === void 0 ? void 0 : _b.value;
     if (!user_id || !user_email) {
         return { authenticated: false };
     }
@@ -100,8 +99,8 @@ export async function require_auth(request) {
  */
 export async function get_authenticated_user_with_response(request) {
     var _a, _b;
-    const user_id = (_a = request.cookies.get("hazo_auth_user_id")) === null || _a === void 0 ? void 0 : _a.value;
-    const user_email = (_b = request.cookies.get("hazo_auth_user_email")) === null || _b === void 0 ? void 0 : _b.value;
+    const user_id = (_a = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_ID))) === null || _a === void 0 ? void 0 : _a.value;
+    const user_email = (_b = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL))) === null || _b === void 0 ? void 0 : _b.value;
     if (!user_id || !user_email) {
         return { auth_result: { authenticated: false } };
     }

package/dist/lib/auth/dev_lock_validator.edge.d.ts

@@ -30,8 +30,9 @@ export declare function validate_dev_lock_cookie(request: NextRequest): Promise<
  */
 export declare function validate_dev_lock_password(password: string): boolean;
 /**
- * Gets the dev lock cookie name
+ * Gets the dev lock cookie name (with configurable prefix)
  * Exported for use in API routes when setting the cookie
+ * Uses HAZO_AUTH_COOKIE_PREFIX env var for configurable prefix
  * @returns Cookie name string
  */
 export declare function get_dev_lock_cookie_name(): string;

package/dist/lib/auth/dev_lock_validator.edge.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dev_lock_validator.edge.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/dev_lock_validator.edge.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO/C,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAmDF;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,MAAM,EAChB,WAAW,GAAE,MAAU,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAU5B;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,uBAAuB,CAAC,CA8ClC;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQpE;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAEjD"}
+{"version":3,"file":"dev_lock_validator.edge.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/dev_lock_validator.edge.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO/C,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAmDF;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,MAAM,EAChB,WAAW,GAAE,MAAU,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAU5B;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,uBAAuB,CAAC,CA8ClC;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQpE;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAEjD"}

package/dist/lib/auth/dev_lock_validator.edge.js

@@ -1,5 +1,5 @@
+import { get_cookie_name_edge, BASE_COOKIE_NAMES } from "../cookies_config.edge";
 // section: constants
-const COOKIE_NAME = "hazo_auth_dev_lock";
 const SEPARATOR = "|";
 // section: helpers
 /**
@@ -67,7 +67,7 @@ export async function validate_dev_lock_cookie(request) {
         // No password set - cannot validate
         return { valid: false };
     }
-    const cookie = (_a = request.cookies.get(COOKIE_NAME)) === null || _a === void 0 ? void 0 : _a.value;
+    const cookie = (_a = request.cookies.get(get_cookie_name_edge(BASE_COOKIE_NAMES.DEV_LOCK))) === null || _a === void 0 ? void 0 : _a.value;
     if (!cookie) {
         return { valid: false };
     }
@@ -113,10 +113,11 @@ export function validate_dev_lock_password(password) {
     return constant_time_compare(password, expected);
 }
 /**
- * Gets the dev lock cookie name
+ * Gets the dev lock cookie name (with configurable prefix)
  * Exported for use in API routes when setting the cookie
+ * Uses HAZO_AUTH_COOKIE_PREFIX env var for configurable prefix
  * @returns Cookie name string
  */
 export function get_dev_lock_cookie_name() {
-    return COOKIE_NAME;
+    return get_cookie_name_edge(BASE_COOKIE_NAMES.DEV_LOCK);
 }

package/dist/lib/auth/hazo_get_auth.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK1C,OAAO,KAAK,EAAE,cAAc,EAAgB,eAAe,EAAmB,MAAM,cAAc,CAAC;AA2XnG;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CAwOzB"}
+{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK1C,OAAO,KAAK,EAAE,cAAc,EAAgB,eAAe,EAAmB,MAAM,cAAc,CAAC;AA4XnG;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CAwOzB"}

package/dist/lib/auth/hazo_get_auth.server.js

@@ -13,6 +13,7 @@ import { check_user_scope_access, get_user_scopes } from "../services/user_scope
 import { is_valid_scope_level } from "../services/scope_service";
 import { is_multi_tenancy_enabled, get_multi_tenancy_config } from "../multi_tenancy_config.server";
 import { get_org_cache } from "./org_cache";
+import { get_cookie_name, BASE_COOKIE_NAMES } from "../cookies_config.server";
 // section: helpers
 /**
  * Parse JSON string to object, returning null on failure
@@ -310,12 +311,12 @@ export async function hazo_get_auth(request, options) {
     const config = get_auth_utility_config();
     const cache = get_auth_cache(config.cache_max_users, config.cache_ttl_minutes, config.cache_max_age_minutes);
     const rate_limiter = get_rate_limiter();
-    // Fast path: Check for authentication cookies
+    // Fast path: Check for authentication cookies (with configurable prefix)
     // Priority: 1. JWT session token (new), 2. Simple cookies (backward compatibility)
     let user_id;
     let user_email;
     // Check for JWT session token first
-    const session_token = (_a = request.cookies.get("hazo_auth_session")) === null || _a === void 0 ? void 0 : _a.value;
+    const session_token = (_a = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION))) === null || _a === void 0 ? void 0 : _a.value;
     if (session_token) {
         try {
             const token_result = await validate_session_token(session_token);
@@ -337,8 +338,8 @@ export async function hazo_get_auth(request, options) {
     }
     // Fall back to simple cookies if JWT not present or invalid (backward compatibility)
     if (!user_id || !user_email) {
-        user_id = (_b = request.cookies.get("hazo_auth_user_id")) === null || _b === void 0 ? void 0 : _b.value;
-        user_email = (_c = request.cookies.get("hazo_auth_user_email")) === null || _c === void 0 ? void 0 : _c.value;
+        user_id = (_b = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_ID))) === null || _b === void 0 ? void 0 : _b.value;
+        user_email = (_c = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL))) === null || _c === void 0 ? void 0 : _c.value;
     }
     if (!user_id || !user_email) {
         // Unauthenticated - check rate limit by IP

package/dist/lib/auth/server_auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server_auth.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/server_auth.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,cAAc,GAAG;IAC3B,aAAa,EAAE,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,cAAc,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;CAC/D,CAAC;AAEF,MAAM,MAAM,gBAAgB,GACxB,cAAc,GACd;IAAE,aAAa,EAAE,KAAK,CAAA;CAAE,CAAC;AAG7B;;;;GAIG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CA+CtE;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,OAAO,CAAC,CAGhE"}
+{"version":3,"file":"server_auth.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/server_auth.ts"],"names":[],"mappings":"AASA,MAAM,MAAM,cAAc,GAAG;IAC3B,aAAa,EAAE,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,cAAc,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;CAC/D,CAAC;AAEF,MAAM,MAAM,gBAAgB,GACxB,cAAc,GACd;IAAE,aAAa,EAAE,KAAK,CAAA;CAAE,CAAC;AAG7B;;;;GAIG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CA+CtE;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,OAAO,CAAC,CAGhE"}

package/dist/lib/auth/server_auth.js

@@ -4,6 +4,7 @@ import { cookies } from "next/headers";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server";
 import { createCrudService } from "hazo_connect/server";
 import { map_db_source_to_ui } from "../services/profile_picture_source_mapper";
+import { get_cookie_name, BASE_COOKIE_NAMES } from "../cookies_config.server";
 // section: functions
 /**
  * Gets authenticated user in server components/pages
@@ -13,8 +14,8 @@ import { map_db_source_to_ui } from "../services/profile_picture_source_mapper";
 export async function get_server_auth_user() {
     var _a, _b;
     const cookie_store = await cookies();
-    const user_id = (_a = cookie_store.get("hazo_auth_user_id")) === null || _a === void 0 ? void 0 : _a.value;
-    const user_email = (_b = cookie_store.get("hazo_auth_user_email")) === null || _b === void 0 ? void 0 : _b.value;
+    const user_id = (_a = cookie_store.get(get_cookie_name(BASE_COOKIE_NAMES.USER_ID))) === null || _a === void 0 ? void 0 : _a.value;
+    const user_email = (_b = cookie_store.get(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL))) === null || _b === void 0 ? void 0 : _b.value;
     if (!user_id || !user_email) {
         return { authenticated: false };
     }

package/dist/lib/auth/session_token_validator.edge.d.ts

@@ -8,6 +8,7 @@ export type ValidateSessionCookieResult = {
  * Validates session cookie from NextRequest (Edge-compatible)
  * Extracts hazo_auth_session cookie and validates JWT signature and expiry
  * Works in Edge Runtime (Next.js proxy/middleware)
+ * Uses HAZO_AUTH_COOKIE_PREFIX env var for configurable cookie name
  * @param request - NextRequest object
  * @returns Validation result with user_id and email if valid
  */

package/dist/lib/auth/session_token_validator.edge.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session_token_validator.edge.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/session_token_validator.edge.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG/C,MAAM,MAAM,2BAA2B,GAAG;IACxC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAsBF;;;;;;GAMG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,2BAA2B,CAAC,CAwCtC"}
+{"version":3,"file":"session_token_validator.edge.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/session_token_validator.edge.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI/C,MAAM,MAAM,2BAA2B,GAAG;IACxC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAsBF;;;;;;;GAOG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,2BAA2B,CAAC,CAwCtC"}

package/dist/lib/auth/session_token_validator.edge.js

@@ -2,6 +2,7 @@
 // Uses jose library which works in Edge Runtime
 // section: imports
 import { jwtVerify } from "jose";
+import { get_cookie_name_edge, BASE_COOKIE_NAMES } from "../cookies_config.edge";
 // section: helpers
 /**
  * Gets JWT secret from environment variables
@@ -23,14 +24,15 @@ function get_jwt_secret() {
  * Validates session cookie from NextRequest (Edge-compatible)
  * Extracts hazo_auth_session cookie and validates JWT signature and expiry
  * Works in Edge Runtime (Next.js proxy/middleware)
+ * Uses HAZO_AUTH_COOKIE_PREFIX env var for configurable cookie name
  * @param request - NextRequest object
  * @returns Validation result with user_id and email if valid
  */
 export async function validate_session_cookie(request) {
     var _a;
     try {
-        // Extract session cookie
-        const session_cookie = (_a = request.cookies.get("hazo_auth_session")) === null || _a === void 0 ? void 0 : _a.value;
+        // Extract session cookie (with configurable prefix from env var)
+        const session_cookie = (_a = request.cookies.get(get_cookie_name_edge(BASE_COOKIE_NAMES.SESSION))) === null || _a === void 0 ? void 0 : _a.value;
         if (!session_cookie) {
             return { valid: false };
         }

package/dist/lib/cookies_config.edge.d.ts

@@ -0,0 +1,33 @@
+export declare const BASE_COOKIE_NAMES: {
+    readonly USER_ID: "hazo_auth_user_id";
+    readonly USER_EMAIL: "hazo_auth_user_email";
+    readonly SESSION: "hazo_auth_session";
+    readonly DEV_LOCK: "hazo_auth_dev_lock";
+};
+/**
+ * Gets the cookie prefix from environment variable
+ * For Edge runtime, use HAZO_AUTH_COOKIE_PREFIX env var
+ * @returns Cookie prefix string (empty string if not set)
+ */
+export declare function get_cookie_prefix_edge(): string;
+/**
+ * Gets the cookie domain from environment variable
+ * For Edge runtime, use HAZO_AUTH_COOKIE_DOMAIN env var
+ * @returns Cookie domain string (empty string if not set)
+ */
+export declare function get_cookie_domain_edge(): string;
+/**
+ * Gets the full cookie name with prefix applied (Edge-compatible)
+ * @param base_name - Base cookie name from BASE_COOKIE_NAMES
+ * @returns Full cookie name with prefix
+ */
+export declare function get_cookie_name_edge(base_name: string): string;
+/**
+ * Gets cookie options with domain if configured (Edge-compatible)
+ * @param options - Base cookie options
+ * @returns Cookie options with domain added if configured
+ */
+export declare function get_cookie_options_edge<T extends Record<string, unknown>>(options: T): T & {
+    domain?: string;
+};
+//# sourceMappingURL=cookies_config.edge.d.ts.map

package/dist/lib/cookies_config.edge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies_config.edge.d.ts","sourceRoot":"","sources":["../../src/lib/cookies_config.edge.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,iBAAiB;;;;;CAKpB,CAAC;AAGX;;;;GAIG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAE/C;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAE/C;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,GAAG;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAQ9G"}

package/dist/lib/cookies_config.edge.js

@@ -0,0 +1,48 @@
+// file_description: Edge-compatible cookie configuration helper
+// Uses environment variables since Edge runtime can't read config files
+// section: constants
+// Base cookie names (without prefix)
+export const BASE_COOKIE_NAMES = {
+    USER_ID: "hazo_auth_user_id",
+    USER_EMAIL: "hazo_auth_user_email",
+    SESSION: "hazo_auth_session",
+    DEV_LOCK: "hazo_auth_dev_lock",
+};
+// section: main_functions
+/**
+ * Gets the cookie prefix from environment variable
+ * For Edge runtime, use HAZO_AUTH_COOKIE_PREFIX env var
+ * @returns Cookie prefix string (empty string if not set)
+ */
+export function get_cookie_prefix_edge() {
+    return process.env.HAZO_AUTH_COOKIE_PREFIX || "";
+}
+/**
+ * Gets the cookie domain from environment variable
+ * For Edge runtime, use HAZO_AUTH_COOKIE_DOMAIN env var
+ * @returns Cookie domain string (empty string if not set)
+ */
+export function get_cookie_domain_edge() {
+    return process.env.HAZO_AUTH_COOKIE_DOMAIN || "";
+}
+/**
+ * Gets the full cookie name with prefix applied (Edge-compatible)
+ * @param base_name - Base cookie name from BASE_COOKIE_NAMES
+ * @returns Full cookie name with prefix
+ */
+export function get_cookie_name_edge(base_name) {
+    const prefix = get_cookie_prefix_edge();
+    return `${prefix}${base_name}`;
+}
+/**
+ * Gets cookie options with domain if configured (Edge-compatible)
+ * @param options - Base cookie options
+ * @returns Cookie options with domain added if configured
+ */
+export function get_cookie_options_edge(options) {
+    const domain = get_cookie_domain_edge();
+    if (domain) {
+        return Object.assign(Object.assign({}, options), { domain });
+    }
+    return options;
+}

package/dist/lib/cookies_config.server.d.ts

@@ -0,0 +1,42 @@
+export type CookiesConfig = {
+    /** Prefix for all hazo_auth cookies (e.g., "myapp_" results in "myapp_hazo_auth_session") */
+    cookie_prefix: string;
+    /** Optional domain for cookies (e.g., ".example.com" for cross-subdomain) */
+    cookie_domain: string;
+};
+export declare const BASE_COOKIE_NAMES: {
+    readonly USER_ID: "hazo_auth_user_id";
+    readonly USER_EMAIL: "hazo_auth_user_email";
+    readonly SESSION: "hazo_auth_session";
+    readonly DEV_LOCK: "hazo_auth_dev_lock";
+};
+/**
+ * Reads cookie configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns CookiesConfig object with all cookie settings
+ */
+export declare function get_cookies_config(): CookiesConfig;
+/**
+ * Gets the full cookie name with prefix applied
+ * @param base_name - Base cookie name from BASE_COOKIE_NAMES
+ * @returns Full cookie name with prefix
+ */
+export declare function get_cookie_name(base_name: string): string;
+/**
+ * Gets cookie options with domain if configured
+ * @param options - Base cookie options
+ * @returns Cookie options with domain added if configured
+ */
+export declare function get_cookie_options<T extends Record<string, unknown>>(options: T): T & {
+    domain?: string;
+};
+/**
+ * Gets cached cookie configuration for performance-critical paths
+ * @returns CookiesConfig object
+ */
+export declare function get_cached_cookies_config(): CookiesConfig;
+/**
+ * Clears the cached config (useful for testing)
+ */
+export declare function clear_cookies_config_cache(): void;
+//# sourceMappingURL=cookies_config.server.d.ts.map

package/dist/lib/cookies_config.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/cookies_config.server.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,aAAa,GAAG;IAC1B,6FAA6F;IAC7F,aAAa,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAYF,eAAO,MAAM,iBAAiB;;;;;CAKpB,CAAC;AAGX;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,aAAa,CAWlD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAGzD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,GAAG;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAQzG;AAKD;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,aAAa,CAKzD;AAED;;GAEG;AACH,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD"}

package/dist/lib/cookies_config.server.js

@@ -0,0 +1,71 @@
+// file_description: server-only helper to read cookie configuration from hazo_auth_config.ini
+import { read_config_section } from "./config/config_loader.server";
+// section: defaults
+const DEFAULT_CONFIG = {
+    cookie_prefix: "",
+    cookie_domain: "",
+};
+// section: constants
+const SECTION_NAME = "hazo_auth__cookies";
+// Base cookie names (without prefix)
+export const BASE_COOKIE_NAMES = {
+    USER_ID: "hazo_auth_user_id",
+    USER_EMAIL: "hazo_auth_user_email",
+    SESSION: "hazo_auth_session",
+    DEV_LOCK: "hazo_auth_dev_lock",
+};
+// section: main_function
+/**
+ * Reads cookie configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns CookiesConfig object with all cookie settings
+ */
+export function get_cookies_config() {
+    const section = read_config_section(SECTION_NAME);
+    if (!section) {
+        return DEFAULT_CONFIG;
+    }
+    return {
+        cookie_prefix: section.cookie_prefix || DEFAULT_CONFIG.cookie_prefix,
+        cookie_domain: section.cookie_domain || DEFAULT_CONFIG.cookie_domain,
+    };
+}
+/**
+ * Gets the full cookie name with prefix applied
+ * @param base_name - Base cookie name from BASE_COOKIE_NAMES
+ * @returns Full cookie name with prefix
+ */
+export function get_cookie_name(base_name) {
+    const config = get_cookies_config();
+    return `${config.cookie_prefix}${base_name}`;
+}
+/**
+ * Gets cookie options with domain if configured
+ * @param options - Base cookie options
+ * @returns Cookie options with domain added if configured
+ */
+export function get_cookie_options(options) {
+    const config = get_cookies_config();
+    if (config.cookie_domain) {
+        return Object.assign(Object.assign({}, options), { domain: config.cookie_domain });
+    }
+    return options;
+}
+// Cached config for performance (module-level cache)
+let cached_config = null;
+/**
+ * Gets cached cookie configuration for performance-critical paths
+ * @returns CookiesConfig object
+ */
+export function get_cached_cookies_config() {
+    if (!cached_config) {
+        cached_config = get_cookies_config();
+    }
+    return cached_config;
+}
+/**
+ * Clears the cached config (useful for testing)
+ */
+export function clear_cookies_config_cache() {
+    cached_config = null;
+}

package/hazo_auth_config.example.ini

@@ -3,6 +3,21 @@
 # Copy this file to your project root as hazo_auth_config.ini and customize the values
 # Commented values indicate defaults that are being used
 
+[hazo_auth__cookies]
+# Cookie configuration for hazo_auth
+# Use these settings to avoid conflicts when running multiple apps with hazo_auth
+
+# Cookie prefix (default: empty)
+# Add a unique prefix for each app to avoid cookie conflicts
+# Example: "myapp_" results in cookies named "myapp_hazo_auth_session", etc.
+# IMPORTANT: For Edge runtime (middleware), also set HAZO_AUTH_COOKIE_PREFIX env var
+# cookie_prefix =
+
+# Cookie domain (default: empty, uses current domain)
+# Set to share cookies across subdomains (e.g., ".example.com")
+# IMPORTANT: For Edge runtime (middleware), also set HAZO_AUTH_COOKIE_DOMAIN env var
+# cookie_domain =
+
 [hazo_connect]
 # Database type: sqlite, postgrest, supabase, or file
 type = sqlite

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "4.5.7",
+  "version": "4.6.0",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, multi-tenancy, and hierarchical scopes",
   "keywords": [
     "authentication",