hazo_auth 5.1.10 → 5.1.12

package/cli-src/lib/auth/hazo_get_auth.server.ts

@@ -10,6 +10,7 @@ import type {
   HazoAuthUser,
   HazoAuthOptions,
   ScopeAccessInfo,
+  ScopeDetails,
 } from "./auth_types";
 import { PermissionError, ScopeAccessError } from "./auth_types.js";
 import { get_auth_cache } from "./auth_cache.js";
@@ -72,11 +73,6 @@ function get_client_ip(request: NextRequest): string {
   return "unknown";
 }
 
-/**
- * Fetches user data and permissions from database
- * @param user_id - User ID
- * @returns Object with user, permissions, and role_ids
- */
 /**
  * CRUD service options for hazo_user_scopes table
  * This table uses a composite primary key (user_id, scope_id) and no 'id' column
@@ -86,10 +82,63 @@ const USER_SCOPES_CRUD_OPTIONS = {
   autoId: false as const,
 };
 
+/**
+ * Fetches full scope details for user's scope assignments
+ * Joins hazo_user_scopes with hazo_scopes to get name, slug, branding
+ * @param user_id - User ID
+ * @returns Array of scope details with branding information
+ */
+async function fetch_user_scope_details(user_id: string): Promise<ScopeDetails[]> {
+  const hazoConnect = get_hazo_connect_instance();
+  const user_scopes_service = createCrudService(
+    hazoConnect,
+    "hazo_user_scopes",
+    USER_SCOPES_CRUD_OPTIONS,
+  );
+  const scopes_service = createCrudService(hazoConnect, "hazo_scopes");
+
+  const user_scope_assignments = await user_scopes_service.findBy({ user_id });
+  if (!Array.isArray(user_scope_assignments) || user_scope_assignments.length === 0) {
+    return [];
+  }
+
+  const scope_details: ScopeDetails[] = [];
+  for (const assignment of user_scope_assignments) {
+    const scope_id = assignment.scope_id as string;
+    const role_id = assignment.role_id as string;
+
+    const scopes = await scopes_service.findBy({ id: scope_id });
+    if (Array.isArray(scopes) && scopes.length > 0) {
+      const scope = scopes[0];
+      scope_details.push({
+        id: scope_id,
+        name: scope.name as string,
+        slug: (scope.slug as string) || null,
+        level: scope.level as string,
+        parent_id: scope.parent_id as string | null,
+        role_id,
+        logo_url: (scope.logo_url as string) || null,
+        primary_color: (scope.primary_color as string) || null,
+        secondary_color: (scope.secondary_color as string) || null,
+        tagline: (scope.tagline as string) || null,
+      });
+    }
+  }
+
+  return scope_details;
+}
+
+/**
+ * Fetches user data and permissions from database
+ * @param user_id - User ID
+ * @returns Object with user, permissions, role_ids, and scopes
+ */
+
 async function fetch_user_data_from_db(user_id: string): Promise<{
   user: HazoAuthUser;
   permissions: string[];
   role_ids: string[];
+  scopes: ScopeDetails[];
 }> {
   const hazoConnect = get_hazo_connect_instance();
   const users_service = createCrudService(hazoConnect, "hazo_users");
@@ -186,7 +235,10 @@ async function fetch_user_data_from_db(user_id: string): Promise<{
 
   const permissions = Array.from(permissions_set);
 
-  return { user, permissions, role_ids };
+  // v5.2: Fetch full scope details for caching
+  const scopes = await fetch_user_scope_details(user_id);
+
+  return { user, permissions, role_ids, scopes };
 }
 
 /**
@@ -430,8 +482,8 @@ export async function hazo_get_auth(
       permissions = user_data.permissions;
       role_ids = user_data.role_ids;
 
-      // Update cache
-      cache.set(user_id, user, permissions, role_ids);
+      // Update cache (v5.2: includes scope details for tenant auth)
+      cache.set(user_id, user, permissions, role_ids, user_data.scopes);
     } catch (error) {
       const error_message =
         error instanceof Error ? error.message : "Unknown error";

package/cli-src/lib/auth/hazo_get_tenant_auth.server.ts

@@ -0,0 +1,265 @@
+// file_description: tenant-aware authentication function that extracts scope from request headers/cookies
+// section: imports
+import { NextRequest } from "next/server";
+import { hazo_get_auth } from "./hazo_get_auth.server.js";
+import { get_auth_cache } from "./auth_cache.js";
+import { get_scope_by_id } from "../services/scope_service.js";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
+import { get_cookie_name } from "../cookies_config.server.js";
+import { get_auth_utility_config } from "../auth_utility_config.server.js";
+import type {
+  TenantAuthOptions,
+  TenantAuthResult,
+  RequiredTenantAuthResult,
+  TenantOrganization,
+  ScopeDetails,
+} from "./auth_types";
+import {
+  AuthenticationRequiredError,
+  TenantRequiredError,
+  TenantAccessDeniedError,
+} from "./auth_types.js";
+
+// section: constants
+
+/**
+ * Default header name for scope ID
+ */
+const DEFAULT_SCOPE_HEADER = "X-Hazo-Scope-Id";
+
+/**
+ * Base cookie name for scope ID (will have prefix applied)
+ */
+const BASE_SCOPE_COOKIE = "hazo_auth_scope_id";
+
+// section: helpers
+
+/**
+ * Extracts scope ID from request headers or cookies
+ * Priority: Header > Cookie
+ * @param request - NextRequest object
+ * @param options - TenantAuthOptions for customization
+ * @returns Scope ID if found, undefined otherwise
+ */
+export function extract_scope_id_from_request(
+  request: NextRequest,
+  options: TenantAuthOptions,
+): string | undefined {
+  // Check header first
+  const header_name = options.scope_header_name || DEFAULT_SCOPE_HEADER;
+  const header_value = request.headers.get(header_name);
+  if (header_value) {
+    return header_value;
+  }
+
+  // Check cookie (with prefix)
+  const cookie_name = options.scope_cookie_name || get_cookie_name(BASE_SCOPE_COOKIE);
+  const cookie_value = request.cookies.get(cookie_name)?.value;
+  return cookie_value;
+}
+
+/**
+ * Builds TenantOrganization from scope details and access info
+ * @param scope_details - Full scope details from cache
+ * @param is_super_admin - Whether user is accessing as super admin
+ * @returns TenantOrganization object
+ */
+function build_tenant_organization(
+  scope_details: ScopeDetails,
+  is_super_admin: boolean,
+): TenantOrganization {
+  return {
+    id: scope_details.id,
+    name: scope_details.name,
+    slug: scope_details.slug,
+    level: scope_details.level,
+    role_id: scope_details.role_id,
+    is_super_admin,
+    branding:
+      scope_details.logo_url || scope_details.primary_color
+        ? {
+            logo_url: scope_details.logo_url,
+            primary_color: scope_details.primary_color,
+            secondary_color: scope_details.secondary_color,
+            tagline: scope_details.tagline,
+          }
+        : undefined,
+  };
+}
+
+// section: main_functions
+
+/**
+ * Tenant-aware authentication function
+ *
+ * Extracts tenant/scope context from request headers or cookies,
+ * validates access, and returns enriched result with organization info.
+ *
+ * Header priority: X-Hazo-Scope-Id > Cookie
+ *
+ * @param request - NextRequest object
+ * @param options - TenantAuthOptions for customization
+ * @returns TenantAuthResult with user, permissions, organization, and user_scopes
+ *
+ * @example
+ * ```typescript
+ * const auth = await hazo_get_tenant_auth(request);
+ * if (auth.authenticated && auth.organization) {
+ *   // Access tenant-specific data
+ *   const data = await getData(auth.organization.id);
+ * }
+ * ```
+ */
+export async function hazo_get_tenant_auth(
+  request: NextRequest,
+  options: TenantAuthOptions = {},
+): Promise<TenantAuthResult> {
+  // Extract scope_id from request
+  const scope_id = extract_scope_id_from_request(request, options);
+
+  // Build hazo_get_auth options, passing through scope_id if present
+  const auth_options = {
+    ...options,
+    scope_id: scope_id || options.scope_id, // Allow explicit override via options
+  };
+
+  // Call base hazo_get_auth
+  const auth_result = await hazo_get_auth(request, auth_options);
+
+  // Handle unauthenticated case
+  if (!auth_result.authenticated) {
+    return {
+      authenticated: false,
+      user: null,
+      permissions: [],
+      permission_ok: false,
+      organization: null,
+      user_scopes: [],
+      scope_ok: false,
+    };
+  }
+
+  // Get user's scopes from cache (already populated by hazo_get_auth)
+  const config = get_auth_utility_config();
+  const cache = get_auth_cache(
+    config.cache_max_users,
+    config.cache_ttl_minutes,
+    config.cache_max_age_minutes,
+  );
+  const cached = cache.get(auth_result.user.id);
+
+  // User scopes from cache or empty array
+  const user_scopes: ScopeDetails[] = cached?.scopes || [];
+
+  // Build organization info if scope access was successful
+  let organization: TenantOrganization | null = null;
+
+  if (scope_id && auth_result.scope_ok && auth_result.scope_access_via) {
+    // Find the scope in user's scopes that matches the access_via scope
+    const access_scope = user_scopes.find(
+      (s) => s.id === auth_result.scope_access_via?.scope_id,
+    );
+
+    if (access_scope) {
+      organization = build_tenant_organization(
+        access_scope,
+        auth_result.scope_access_via.is_super_admin || false,
+      );
+    } else if (auth_result.scope_access_via.is_super_admin) {
+      // Super admin accessing scope they're not assigned to - fetch scope details
+      const hazoConnect = get_hazo_connect_instance();
+      const scope_result = await get_scope_by_id(hazoConnect, scope_id);
+      if (scope_result.success && scope_result.scope) {
+        organization = {
+          id: scope_result.scope.id,
+          name: scope_result.scope.name,
+          slug: null, // Could fetch from scope if slug column exists
+          level: scope_result.scope.level,
+          role_id: "", // Super admin doesn't have a role in the scope
+          is_super_admin: true,
+          branding: scope_result.scope.logo_url
+            ? {
+                logo_url: scope_result.scope.logo_url,
+                primary_color: scope_result.scope.primary_color,
+                secondary_color: scope_result.scope.secondary_color,
+                tagline: scope_result.scope.tagline,
+              }
+            : undefined,
+        };
+      }
+    }
+  }
+
+  return {
+    authenticated: true,
+    user: auth_result.user,
+    permissions: auth_result.permissions,
+    permission_ok: auth_result.permission_ok,
+    missing_permissions: auth_result.missing_permissions,
+    organization,
+    user_scopes,
+    scope_ok: auth_result.scope_ok,
+    scope_access_via: auth_result.scope_access_via,
+  };
+}
+
+/**
+ * Strict tenant authentication helper
+ *
+ * Wraps hazo_get_tenant_auth and throws appropriate errors:
+ * - AuthenticationRequiredError (401) if not authenticated
+ * - TenantRequiredError (403) if no tenant context in request
+ * - TenantAccessDeniedError (403) if user lacks access to requested tenant
+ *
+ * @param request - NextRequest object
+ * @param options - TenantAuthOptions for customization
+ * @returns RequiredTenantAuthResult with guaranteed non-null organization
+ * @throws AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedError
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   const auth = await require_tenant_auth(request);
+ *   // auth.organization is guaranteed non-null here
+ *   const data = await getData(auth.organization.id);
+ * } catch (error) {
+ *   if (error instanceof HazoAuthError) {
+ *     return NextResponse.json(
+ *       { error: error.message, code: error.code },
+ *       { status: error.status_code }
+ *     );
+ *   }
+ *   throw error;
+ * }
+ * ```
+ */
+export async function require_tenant_auth(
+  request: NextRequest,
+  options: TenantAuthOptions = {},
+): Promise<RequiredTenantAuthResult> {
+  const result = await hazo_get_tenant_auth(request, options);
+
+  // Check authentication
+  if (!result.authenticated) {
+    throw new AuthenticationRequiredError();
+  }
+
+  // Extract scope_id from request for error messages
+  const scope_id = extract_scope_id_from_request(request, options);
+
+  // Check if scope was requested but access denied
+  if (scope_id && !result.scope_ok) {
+    throw new TenantAccessDeniedError(scope_id, result.user_scopes);
+  }
+
+  // Check if organization context is required but missing
+  if (!result.organization) {
+    throw new TenantRequiredError(
+      "No organization context provided. Include X-Hazo-Scope-Id header or scope cookie.",
+      result.user_scopes,
+    );
+  }
+
+  // Type assertion: at this point we know organization is non-null
+  return result as RequiredTenantAuthResult;
+}

package/cli-src/lib/auth/index.ts

@@ -11,6 +11,26 @@ export {
 } from "./auth_utils.server.js";
 export type { AuthResult, AuthUser } from "./auth_utils.server";
 
+// section: tenant_auth_exports
+export {
+  hazo_get_tenant_auth,
+  require_tenant_auth,
+  extract_scope_id_from_request,
+} from "./hazo_get_tenant_auth.server.js";
+export type {
+  ScopeDetails,
+  TenantOrganization,
+  TenantAuthOptions,
+  TenantAuthResult,
+  RequiredTenantAuthResult,
+} from "./auth_types";
+export {
+  HazoAuthError,
+  AuthenticationRequiredError,
+  TenantRequiredError,
+  TenantAccessDeniedError,
+} from "./auth_types.js";
+
 // section: client_exports
 export { get_server_auth_user } from "./server_auth.js";
 export type { ServerAuthResult } from "./server_auth";

package/cli-src/lib/cookies_config.server.ts

@@ -25,6 +25,7 @@ export const BASE_COOKIE_NAMES = {
   USER_EMAIL: "hazo_auth_user_email",
   SESSION: "hazo_auth_session",
   DEV_LOCK: "hazo_auth_dev_lock",
+  SCOPE_ID: "hazo_auth_scope_id", // v5.2: Tenant context cookie for multi-tenancy
 } as const;
 
 // section: main_function

package/dist/components/layouts/user_management/components/user_scopes_tab.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user_scopes_tab.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/user_management/components/user_scopes_tab.tsx"],"names":[],"mappings":"AAqDA,MAAM,MAAM,kBAAkB,GAAG;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AA4DF;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,EAAE,SAAS,EAAE,EAAE,kBAAkB,2CAqf9D"}
+{"version":3,"file":"user_scopes_tab.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/user_management/components/user_scopes_tab.tsx"],"names":[],"mappings":"AA4DA,MAAM,MAAM,kBAAkB,GAAG;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAkEF;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,EAAE,SAAS,EAAE,EAAE,kBAAkB,2CA0jB9D"}

package/dist/components/layouts/user_management/components/user_scopes_tab.js

@@ -11,6 +11,7 @@ import { Dialog, DialogContent, DialogDescription, DialogFooter, DialogHeader, D
 import { AlertDialog, AlertDialogAction, AlertDialogCancel, AlertDialogContent, AlertDialogDescription, AlertDialogFooter, AlertDialogHeader, AlertDialogTitle, } from "../../../ui/alert-dialog.js";
 import { Input } from "../../../ui/input.js";
 import { Label } from "../../../ui/label.js";
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue, } from "../../../ui/select.js";
 import { Avatar, AvatarFallback, AvatarImage } from "../../../ui/avatar.js";
 import { TreeView } from "../../../ui/tree-view.js";
 import { Loader2, Plus, Trash2, Search, CircleCheck, CircleX, ChevronRight, Building2, FolderTree, } from "lucide-react";
@@ -56,6 +57,10 @@ export function UserScopesTab({ className }) {
     const [treeLoading, setTreeLoading] = useState(false);
     const [selectedTreeItem, setSelectedTreeItem] = useState();
     const [actionLoading, setActionLoading] = useState(false);
+    // Roles state
+    const [roles, setRoles] = useState([]);
+    const [rolesLoading, setRolesLoading] = useState(false);
+    const [selectedRoleId, setSelectedRoleId] = useState("");
     // Delete scope dialog state
     const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
     const [scopeToDelete, setScopeToDelete] = useState(null);
@@ -136,11 +141,37 @@ export function UserScopesTab({ className }) {
             setTreeLoading(false);
         }
     }, [apiBasePath]);
+    // Load roles for add dialog
+    const loadRoles = useCallback(async () => {
+        var _a;
+        setRolesLoading(true);
+        try {
+            const response = await fetch(`${apiBasePath}/user_management/roles`);
+            const data = await response.json();
+            if (data.success) {
+                setRoles(data.roles || []);
+                // Auto-select first role if available and none selected
+                if (!selectedRoleId && ((_a = data.roles) === null || _a === void 0 ? void 0 : _a.length) > 0) {
+                    setSelectedRoleId(data.roles[0].id);
+                }
+            }
+            else {
+                setRoles([]);
+            }
+        }
+        catch (error) {
+            setRoles([]);
+        }
+        finally {
+            setRolesLoading(false);
+        }
+    }, [apiBasePath, selectedRoleId]);
     useEffect(() => {
         if (addDialogOpen) {
             void loadScopeTree();
+            void loadRoles();
         }
-    }, [addDialogOpen, loadScopeTree]);
+    }, [addDialogOpen, loadScopeTree, loadRoles]);
     // Filter users by search
     const filteredUsers = users.filter((user) => {
         var _a;
@@ -174,6 +205,10 @@ export function UserScopesTab({ className }) {
             toast.error("Please select a scope from the tree");
             return;
         }
+        if (!selectedRoleId) {
+            toast.error("Please select a role");
+            return;
+        }
         const scope = selectedTreeItem.scopeData;
         setActionLoading(true);
         try {
@@ -183,6 +218,7 @@ export function UserScopesTab({ className }) {
                 body: JSON.stringify({
                     user_id: selectedUser.id,
                     scope_id: scope.id,
+                    role_id: selectedRoleId,
                 }),
             });
             const data = await response.json();
@@ -190,6 +226,7 @@ export function UserScopesTab({ className }) {
                 toast.success("Scope assigned successfully");
                 setAddDialogOpen(false);
                 setSelectedTreeItem(undefined);
+                setSelectedRoleId("");
                 await loadUserScopes();
             }
             else {
@@ -245,7 +282,7 @@ export function UserScopesTab({ className }) {
                                     }, variant: "outline", size: "sm", children: [_jsx(Plus, { className: "h-4 w-4 mr-2" }), "Assign First Scope"] })] })) : (_jsxs(Table, { className: "w-full", children: [_jsx(TableHeader, { children: _jsxs(TableRow, { children: [_jsx(TableHead, { children: "Scope Name" }), _jsx(TableHead, { children: "Level" }), _jsx(TableHead, { children: "Scope ID" }), _jsx(TableHead, { children: "Assigned" }), _jsx(TableHead, { className: "text-right w-[80px]", children: "Actions" })] }) }), _jsx(TableBody, { children: userScopes.map((scope) => (_jsxs(TableRow, { children: [_jsx(TableCell, { className: "font-medium", children: scope.scope_name || "Unknown" }), _jsx(TableCell, { className: "text-sm", children: scope.level || "-" }), _jsxs(TableCell, { className: "font-mono text-xs text-muted-foreground", children: [scope.scope_id.substring(0, 8), "..."] }), _jsx(TableCell, { className: "text-sm text-muted-foreground", children: new Date(scope.created_at).toLocaleDateString() }), _jsx(TableCell, { className: "text-right", children: _jsx(Button, { onClick: () => {
                                                         setScopeToDelete(scope);
                                                         setDeleteDialogOpen(true);
-                                                    }, variant: "outline", size: "sm", className: "text-destructive", children: _jsx(Trash2, { className: "h-4 w-4" }) }) })] }, scope.scope_id))) })] })) })] }), _jsx(Dialog, { open: addDialogOpen, onOpenChange: setAddDialogOpen, children: _jsxs(DialogContent, { className: "cls_user_scopes_add_dialog sm:max-w-[500px]", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "Add Scope Assignment" }), _jsxs(DialogDescription, { children: ["Select a scope from the tree to assign to", " ", (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.name) || (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address), "."] })] }), _jsxs("div", { className: "flex flex-col gap-4 py-4", children: [_jsxs("div", { className: "flex flex-col gap-2", children: [_jsx(Label, { children: "Select Scope" }), treeLoading ? (_jsx("div", { className: "flex items-center justify-center p-8 border rounded-lg", children: _jsx(Loader2, { className: "h-6 w-6 animate-spin text-slate-400" }) })) : scopeTree.length === 0 ? (_jsxs("div", { className: "flex flex-col items-center justify-center p-6 border rounded-lg border-dashed", children: [_jsx(FolderTree, { className: "h-8 w-8 text-muted-foreground mb-2" }), _jsx("p", { className: "text-sm text-muted-foreground text-center", children: "No scopes available. Create scopes in the Scope Hierarchy tab first." })] })) : (_jsx("div", { className: "border rounded-lg max-h-[300px] overflow-auto", children: _jsx(TreeView, { data: treeData, expandAll: true, defaultNodeIcon: Building2, defaultLeafIcon: Building2, onSelectChange: handleTreeSelectChange, initialSelectedItemId: selectedTreeItem === null || selectedTreeItem === void 0 ? void 0 : selectedTreeItem.id, className: "w-full" }) }))] }), (selectedTreeItem === null || selectedTreeItem === void 0 ? void 0 : selectedTreeItem.scopeData) && (_jsxs("div", { className: "p-3 border rounded-lg bg-muted/50", children: [_jsxs("p", { className: "text-sm", children: [_jsx("span", { className: "font-medium", children: "Selected:" }), " ", selectedTreeItem.scopeData.name] }), _jsxs("p", { className: "text-xs text-muted-foreground", children: [selectedTreeItem.scopeData.level, " - ID: ", selectedTreeItem.scopeData.id.substring(0, 8), "..."] })] }))] }), _jsxs(DialogFooter, { children: [_jsx(Button, { onClick: handleAddScope, disabled: actionLoading || !(selectedTreeItem === null || selectedTreeItem === void 0 ? void 0 : selectedTreeItem.scopeData), variant: "default", children: actionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Assigning..."] })) : (_jsxs(_Fragment, { children: [_jsx(CircleCheck, { className: "h-4 w-4 mr-2" }), "Assign Scope"] })) }), _jsxs(Button, { onClick: () => setAddDialogOpen(false), variant: "outline", children: [_jsx(CircleX, { className: "h-4 w-4 mr-2" }), "Cancel"] })] })] }) }), _jsx(AlertDialog, { open: deleteDialogOpen, onOpenChange: setDeleteDialogOpen, children: _jsxs(AlertDialogContent, { children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Remove Scope Assignment" }), _jsxs(AlertDialogDescription, { children: ["Are you sure you want to remove the scope \"", (scopeToDelete === null || scopeToDelete === void 0 ? void 0 : scopeToDelete.scope_name) || (scopeToDelete === null || scopeToDelete === void 0 ? void 0 : scopeToDelete.scope_id.substring(0, 8)), "\" from", " ", (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.name) || (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address), "? This will also revoke access to any child scopes."] })] }), _jsxs(AlertDialogFooter, { children: [_jsx(AlertDialogAction, { onClick: handleRemoveScope, disabled: actionLoading, children: actionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Removing..."] })) : ("Remove") }), _jsx(AlertDialogCancel, { onClick: () => {
+                                                    }, variant: "outline", size: "sm", className: "text-destructive", children: _jsx(Trash2, { className: "h-4 w-4" }) }) })] }, scope.scope_id))) })] })) })] }), _jsx(Dialog, { open: addDialogOpen, onOpenChange: setAddDialogOpen, children: _jsxs(DialogContent, { className: "cls_user_scopes_add_dialog sm:max-w-[500px]", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "Add Scope Assignment" }), _jsxs(DialogDescription, { children: ["Select a scope from the tree to assign to", " ", (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.name) || (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address), "."] })] }), _jsxs("div", { className: "flex flex-col gap-4 py-4", children: [_jsxs("div", { className: "flex flex-col gap-2", children: [_jsx(Label, { children: "Select Scope" }), treeLoading ? (_jsx("div", { className: "flex items-center justify-center p-8 border rounded-lg", children: _jsx(Loader2, { className: "h-6 w-6 animate-spin text-slate-400" }) })) : scopeTree.length === 0 ? (_jsxs("div", { className: "flex flex-col items-center justify-center p-6 border rounded-lg border-dashed", children: [_jsx(FolderTree, { className: "h-8 w-8 text-muted-foreground mb-2" }), _jsx("p", { className: "text-sm text-muted-foreground text-center", children: "No scopes available. Create scopes in the Scope Hierarchy tab first." })] })) : (_jsx("div", { className: "border rounded-lg max-h-[300px] overflow-auto", children: _jsx(TreeView, { data: treeData, expandAll: true, defaultNodeIcon: Building2, defaultLeafIcon: Building2, onSelectChange: handleTreeSelectChange, initialSelectedItemId: selectedTreeItem === null || selectedTreeItem === void 0 ? void 0 : selectedTreeItem.id, className: "w-full" }) }))] }), (selectedTreeItem === null || selectedTreeItem === void 0 ? void 0 : selectedTreeItem.scopeData) && (_jsxs("div", { className: "p-3 border rounded-lg bg-muted/50", children: [_jsxs("p", { className: "text-sm", children: [_jsx("span", { className: "font-medium", children: "Selected:" }), " ", selectedTreeItem.scopeData.name] }), _jsxs("p", { className: "text-xs text-muted-foreground", children: [selectedTreeItem.scopeData.level, " - ID: ", selectedTreeItem.scopeData.id.substring(0, 8), "..."] })] })), _jsxs("div", { className: "flex flex-col gap-2", children: [_jsx(Label, { children: "Assign Role" }), rolesLoading ? (_jsxs("div", { className: "flex items-center gap-2 p-2 text-sm text-muted-foreground", children: [_jsx(Loader2, { className: "h-4 w-4 animate-spin" }), "Loading roles..."] })) : roles.length === 0 ? (_jsx("p", { className: "text-sm text-muted-foreground", children: "No roles available. Create roles in the Roles tab first." })) : (_jsxs(Select, { value: selectedRoleId, onValueChange: setSelectedRoleId, children: [_jsx(SelectTrigger, { className: "w-full", children: _jsx(SelectValue, { placeholder: "Select a role" }) }), _jsx(SelectContent, { children: roles.map((role) => (_jsxs(SelectItem, { value: role.id, children: [role.name, role.description && (_jsxs("span", { className: "text-muted-foreground ml-2", children: ["- ", role.description] }))] }, role.id))) })] }))] })] }), _jsxs(DialogFooter, { children: [_jsx(Button, { onClick: handleAddScope, disabled: actionLoading || !(selectedTreeItem === null || selectedTreeItem === void 0 ? void 0 : selectedTreeItem.scopeData) || !selectedRoleId, variant: "default", children: actionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Assigning..."] })) : (_jsxs(_Fragment, { children: [_jsx(CircleCheck, { className: "h-4 w-4 mr-2" }), "Assign Scope"] })) }), _jsxs(Button, { onClick: () => setAddDialogOpen(false), variant: "outline", children: [_jsx(CircleX, { className: "h-4 w-4 mr-2" }), "Cancel"] })] })] }) }), _jsx(AlertDialog, { open: deleteDialogOpen, onOpenChange: setDeleteDialogOpen, children: _jsxs(AlertDialogContent, { children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Remove Scope Assignment" }), _jsxs(AlertDialogDescription, { children: ["Are you sure you want to remove the scope \"", (scopeToDelete === null || scopeToDelete === void 0 ? void 0 : scopeToDelete.scope_name) || (scopeToDelete === null || scopeToDelete === void 0 ? void 0 : scopeToDelete.scope_id.substring(0, 8)), "\" from", " ", (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.name) || (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address), "? This will also revoke access to any child scopes."] })] }), _jsxs(AlertDialogFooter, { children: [_jsx(AlertDialogAction, { onClick: handleRemoveScope, disabled: actionLoading, children: actionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Removing..."] })) : ("Remove") }), _jsx(AlertDialogCancel, { onClick: () => {
                                         setDeleteDialogOpen(false);
                                         setScopeToDelete(null);
                                     }, children: "Cancel" })] })] }) })] }));

package/dist/lib/auth/auth_cache.d.ts

@@ -1,12 +1,14 @@
-import type { HazoAuthUser } from "./auth_types";
+import type { HazoAuthUser, ScopeDetails } from "./auth_types";
 /**
  * Cache entry structure
  * v5.x: role_ids are now string UUIDs (from hazo_user_scopes)
+ * v5.2: Added scopes with full details for multi-tenancy support
  */
 type CacheEntry = {
     user: HazoAuthUser;
     permissions: string[];
     role_ids: string[];
+    scopes: ScopeDetails[];
     timestamp: number;
     cache_version: number;
 };
@@ -35,8 +37,9 @@ declare class AuthCache {
      * @param user - User data
      * @param permissions - User permissions
      * @param role_ids - User role IDs (v5.x: string UUIDs)
+     * @param scopes - User scope details with full information (v5.2+)
      */
-    set(user_id: string, user: HazoAuthUser, permissions: string[], role_ids: string[]): void;
+    set(user_id: string, user: HazoAuthUser, permissions: string[], role_ids: string[], scopes?: ScopeDetails[]): void;
     /**
      * Invalidates cache for a specific user
      * @param user_id - User ID to invalidate
@@ -52,6 +55,12 @@ declare class AuthCache {
      * Invalidates all cache entries
      */
     invalidate_all(): void;
+    /**
+     * Invalidates cache entries for users who have access to specific scopes
+     * Used when scope details change (name, branding, etc.)
+     * @param scope_ids - Array of scope IDs to invalidate
+     */
+    invalidate_by_scope_ids(scope_ids: string[]): void;
     /**
      * Gets the maximum cache version for a set of roles
      * Used to determine if cache entry is stale

package/dist/lib/auth/auth_cache.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth_cache.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_cache.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAIjD;;;GAGG;AACH,KAAK,UAAU,GAAG;IAChB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF;;;GAGG;AACH,cAAM,SAAS;IACb,OAAO,CAAC,KAAK,CAA0B;IACvC,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,gBAAgB,CAAsB;gBAG5C,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM;IASzB;;;;;OAKG;IACH,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IA+B5C;;;;;;;OAOG;IACH,GAAG,CACD,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,YAAY,EAClB,WAAW,EAAE,MAAM,EAAE,EACrB,QAAQ,EAAE,MAAM,EAAE,GACjB,IAAI;IAyBP;;;OAGG;IACH,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAItC;;;;OAIG;IACH,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI;IAqB7C;;OAEG;IACH,cAAc,IAAI,IAAI;IAItB;;;;;OAKG;IACH,OAAO,CAAC,oBAAoB;IAc5B;;;OAGG;IACH,SAAS,IAAI;QACX,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB;CAMF;AAMD;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,GAAE,MAAc,EACxB,WAAW,GAAE,MAAW,EACxB,eAAe,GAAE,MAAW,GAC3B,SAAS,CAKX;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC"}
+{"version":3,"file":"auth_cache.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_cache.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAI/D;;;;GAIG;AACH,KAAK,UAAU,GAAG;IAChB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE,YAAY,EAAE,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF;;;GAGG;AACH,cAAM,SAAS;IACb,OAAO,CAAC,KAAK,CAA0B;IACvC,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,gBAAgB,CAAsB;gBAG5C,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM;IASzB;;;;;OAKG;IACH,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IA+B5C;;;;;;;;OAQG;IACH,GAAG,CACD,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,YAAY,EAClB,WAAW,EAAE,MAAM,EAAE,EACrB,QAAQ,EAAE,MAAM,EAAE,EAClB,MAAM,GAAE,YAAY,EAAO,GAC1B,IAAI;IA0BP;;;OAGG;IACH,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAItC;;;;OAIG;IACH,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI;IAqB7C;;OAEG;IACH,cAAc,IAAI,IAAI;IAItB;;;;OAIG;IACH,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAalD;;;;;OAKG;IACH,OAAO,CAAC,oBAAoB;IAc5B;;;OAGG;IACH,SAAS,IAAI;QACX,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB;CAMF;AAMD;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,GAAE,MAAc,EACxB,WAAW,GAAE,MAAW,EACxB,eAAe,GAAE,MAAW,GAC3B,SAAS,CAKX;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC"}

package/dist/lib/auth/auth_cache.js

@@ -47,8 +47,9 @@ class AuthCache {
      * @param user - User data
      * @param permissions - User permissions
      * @param role_ids - User role IDs (v5.x: string UUIDs)
+     * @param scopes - User scope details with full information (v5.2+)
      */
-    set(user_id, user, permissions, role_ids) {
+    set(user_id, user, permissions, role_ids, scopes = []) {
         // Evict LRU entries if cache is full
         while (this.cache.size >= this.max_size) {
             const first_key = this.cache.keys().next().value;
@@ -65,6 +66,7 @@ class AuthCache {
             user,
             permissions,
             role_ids,
+            scopes,
             timestamp: Date.now(),
             cache_version,
         };
@@ -106,6 +108,23 @@ class AuthCache {
     invalidate_all() {
         this.cache.clear();
     }
+    /**
+     * Invalidates cache entries for users who have access to specific scopes
+     * Used when scope details change (name, branding, etc.)
+     * @param scope_ids - Array of scope IDs to invalidate
+     */
+    invalidate_by_scope_ids(scope_ids) {
+        const entries_to_remove = [];
+        for (const [user_id, entry] of this.cache.entries()) {
+            const has_scope = entry.scopes.some((s) => scope_ids.includes(s.id));
+            if (has_scope) {
+                entries_to_remove.push(user_id);
+            }
+        }
+        for (const user_id of entries_to_remove) {
+            this.cache.delete(user_id);
+        }
+    }
     /**
      * Gets the maximum cache version for a set of roles
      * Used to determine if cache entry is stale