hazo_auth 5.1.8 → 5.1.9

package/cli-src/cli/init.ts

@@ -23,11 +23,12 @@ const REQUIRED_DIRECTORIES = [
   "public/profile_pictures/library",
   "public/profile_pictures/uploads",
   "data",
+  "config",
 ];
 
 const CONFIG_FILES = [
-  { source: "hazo_auth_config.example.ini", target: "hazo_auth_config.ini" },
-  { source: "hazo_notify_config.example.ini", target: "hazo_notify_config.ini" },
+  { source: "config/hazo_auth_config.example.ini", target: "config/hazo_auth_config.ini" },
+  { source: "config/hazo_notify_config.example.ini", target: "config/hazo_notify_config.ini" },
 ];
 
 // section: helpers
@@ -246,7 +247,7 @@ export function handle_init(): void {
   
   console.log("\n\x1b[32m🦊 Initialization complete!\x1b[0m");
   console.log("\nNext steps:");
-  console.log("  1. Edit \x1b[36mhazo_auth_config.ini\x1b[0m with your settings");
+  console.log("  1. Edit \x1b[36mconfig/hazo_auth_config.ini\x1b[0m with your settings");
   console.log("  2. Copy \x1b[36m.env.local.example\x1b[0m to \x1b[36m.env.local\x1b[0m and add your API keys");
   console.log("  3. Run \x1b[36mnpx hazo_auth generate-routes --pages\x1b[0m to generate routes and pages");
   console.log("  4. Run \x1b[36mnpx hazo_auth validate\x1b[0m to check your setup");

package/cli-src/cli/validate.ts

@@ -22,8 +22,8 @@ export type ValidationSummary = {
 
 // section: constants
 const REQUIRED_CONFIG_FILES = [
-  "hazo_auth_config.ini",
-  "hazo_notify_config.ini",
+  "config/hazo_auth_config.ini",
+  "config/hazo_notify_config.ini",
 ];
 
 const REQUIRED_ENV_VARS = [
@@ -141,7 +141,7 @@ function check_config_files(project_root: string): CheckResult[] {
     results.push({
       name: `Config file: ${config_file}`,
       status: exists ? "pass" : "fail",
-      message: exists ? "" : `File not found. Run: cp node_modules/hazo_auth/${config_file.replace(".ini", ".example.ini")} ./${config_file}`,
+      message: exists ? "" : `File not found. Run: npx hazo_auth init`,
     });
   }
 
@@ -150,8 +150,8 @@ function check_config_files(project_root: string): CheckResult[] {
 
 function check_config_values(project_root: string): CheckResult[] {
   const results: CheckResult[] = [];
-  
-  const hazo_config_path = path.join(project_root, "hazo_auth_config.ini");
+
+  const hazo_config_path = path.join(project_root, "config", "hazo_auth_config.ini");
   const hazo_config = read_ini_file(hazo_config_path);
 
   if (hazo_config) {
@@ -224,7 +224,7 @@ function check_config_values(project_root: string): CheckResult[] {
     }
   }
 
-  const notify_config_path = path.join(project_root, "hazo_notify_config.ini");
+  const notify_config_path = path.join(project_root, "config", "hazo_notify_config.ini");
   const notify_config = read_ini_file(notify_config_path);
 
   if (notify_config) {
@@ -414,15 +414,15 @@ function check_profile_pictures(project_root: string): CheckResult[] {
 
 function check_database(project_root: string): CheckResult[] {
   const results: CheckResult[] = [];
-  
-  const hazo_config_path = path.join(project_root, "hazo_auth_config.ini");
+
+  const hazo_config_path = path.join(project_root, "config", "hazo_auth_config.ini");
   const hazo_config = read_ini_file(hazo_config_path);
 
   if (!hazo_config) {
     results.push({
       name: "Database check",
       status: "fail",
-      message: "Could not read hazo_auth_config.ini",
+      message: "Could not read config/hazo_auth_config.ini",
     });
     return results;
   }

package/cli-src/lib/config/config_loader.server.ts

@@ -6,7 +6,7 @@ import fs from "fs";
 import { create_app_logger } from "../app_logger.js";
 
 // section: constants
-const DEFAULT_CONFIG_FILE = "hazo_auth_config.ini";
+const DEFAULT_CONFIG_FILE = "config/hazo_auth_config.ini";
 
 // section: helpers
 /**

package/cli-src/lib/services/invitation_service.ts

@@ -261,7 +261,7 @@ export async function accept_invitation(
     if (invitation.status !== "PENDING") {
       return {
         success: false,
-        error: `Invitation is ${invitation.status.toLowerCase()}, not pending`,
+        error: `Invitation is ${invitation.status}, not PENDING`,
       };
     }
 
@@ -361,7 +361,7 @@ export async function revoke_invitation(
     if (invitation_result.invitation.status !== "PENDING") {
       return {
         success: false,
-        error: `Cannot revoke invitation with status ${invitation_result.invitation.status.toLowerCase()}`,
+        error: `Cannot revoke invitation with status ${invitation_result.invitation.status}`,
       };
     }
 

package/config/hazo_auth_config.ini

@@ -0,0 +1,768 @@
+# file_description: configuration file for hazo_auth test application
+# This file contains all configurable parameters for the application
+# Commented values indicate defaults that are being used
+
+[hazo_connect]
+# Database type: sqlite, postgrest, supabase, or file
+type = sqlite
+; type = postgrest
+
+# SQLite database configuration
+# Path to SQLite database file (relative to process.cwd() or absolute)
+sqlite_path = __tests__/fixtures/hazo_auth.sqlite
+
+# Enable SQLite admin UI (true/false)
+enable_admin_ui = true
+
+# SQLite read-only mode (true/false)
+# read_only = false
+
+# PostgREST configuration (uncomment if using postgrest type)
+postgrest_url = http://209.38.26.241:4402
+# postgrest_api_key =
+
+[hazo_auth__ui_shell]
+# Available options: test_sidebar (default) or standalone
+layout_mode = test_sidebar
+standalone_heading = Welcome to hazo auth
+standalone_description = Reuse the packaged authentication flows while inheriting your existing app shell styles.
+standalone_wrapper_class = cls_standalone_shell flex min-h-screen w-full items-center justify-center bg-background px-4 py-10
+standalone_content_class = cls_standalone_shell_content w-full max-w-5xl shadow-xl rounded-2xl border bg-card
+# Show/hide heading and description (true/false, default: true)
+standalone_show_heading = false
+standalone_show_description = false
+
+# Enable vertical centering of auth content (default: true)
+# When enabled, auth forms are vertically centered in the viewport
+# vertical_center = true
+
+[hazo_auth__navbar]
+# Navbar Configuration for Auth Pages
+# The navbar appears on all auth pages (login, register, forgot_password, etc.)
+# when using standalone layout mode. It provides branding and a home link.
+#
+# Note: The navbar is automatically disabled for dev_lock pages.
+
+# Enable/disable navbar on auth pages (default: true)
+# enable_navbar = true
+
+# Logo Configuration
+# Path to logo image relative to public folder (default: /logo.png)
+# logo_path = /logo.png
+
+# Logo dimensions in pixels (default: 32x32)
+# logo_width = 32
+# logo_height = 32
+
+# Company/Application Branding
+# Company name displayed next to the logo (default: empty)
+# Leave empty to show only the logo
+# company_name = My Company
+
+# Home Link Configuration
+# Path for the home link and logo click (default: /)
+# home_path = /
+
+# Label for the home link (default: Home)
+# home_label = Home
+
+# Show/hide the home link on the right side (default: true)
+# show_home_link = true
+
+# Styling Options
+# Background color for the navbar (default: empty = uses theme background)
+# Leave empty to inherit from your theme's background color
+# background_color = #ffffff
+
+# Text color for the navbar (default: empty = uses theme foreground)
+# Leave empty to inherit from your theme's text color
+# text_color = #000000
+
+# Navbar height in pixels (default: 64)
+# height = 64
+
+[hazo_auth__register_layout]
+# Image configuration
+# If image_src is commented out or empty, the default image from package assets will be used
+# Default: src/assets/images/register_default.jpg
+; image_src = /auth_images/city_scape.jpg
+# image_alt = Modern building representing user registration
+# image_background_color = #e2e8f0
+
+# Labels
+# heading = Create your hazo account
+# sub_heading = Secure your access with editable fields powered by shadcn components.
+# submit_button = Register
+# cancel_button = Cancel
+
+# Field labels (defaults shown, uncomment to override)
+# name_label = Full name
+# name_placeholder = Enter your full name
+# email_label = Email address
+# email_placeholder = Enter your email address
+# password_label = Password
+# password_placeholder = Enter your password
+# confirm_password_label = Re-enter password
+# confirm_password_placeholder = Re-enter your password
+
+# Button colors
+# submit_background = #0f172a
+# submit_text = #ffffff
+# cancel_border = #cbd5f5
+# cancel_text = #0f172a
+
+# Show name field (true/false)
+# Note: This is now deprecated, use hazo_auth__user_fields section instead
+show_name_field = false
+
+[hazo_auth__user_fields]
+# Shared user fields configuration used by register and my_settings layouts
+# Show name field (true/false, default: true)
+# show_name_field = true
+
+# Show email field (true/false, default: true)
+# show_email_field = true
+
+# Show password field (true/false, default: true)
+# show_password_field = true
+
+[hazo_auth__password_requirements]
+# Shared password requirements used by register and reset password layouts
+minimum_length = 3
+# require_uppercase = false
+# require_lowercase = false
+# require_number = false
+# require_special = false
+
+[hazo_auth__oauth]
+# OAuth Provider Configuration
+# These settings control which authentication methods are available on the login page
+
+# Enable Google OAuth login (requires HAZO_AUTH_GOOGLE_CLIENT_ID and HAZO_AUTH_GOOGLE_CLIENT_SECRET env vars)
+# Default: true
+enable_google = true
+
+# Enable traditional email/password login
+# Default: true
+enable_email_password = true
+
+# Auto-link accounts: When user logs in with OAuth using an email that matches
+# an existing unverified email/password account, automatically link and verify the account
+# Default: true
+auto_link_unverified_accounts = true
+
+# UI Labels for OAuth section
+# Text displayed on the Google sign-in button
+# google_button_text = Continue with Google
+
+# Text displayed on the divider between OAuth and email/password form
+# oauth_divider_text = or continue with email
+
+[hazo_auth__login_layout]
+# Image configuration
+# If image_src is commented out or empty, the default image from package assets will be used
+# Default: src/assets/images/login_default.jpg
+# image_src = /auth_images/your_login_image.jpg
+# image_alt = Secure login illustration
+# image_background_color = #f1f5f9
+
+# Labels
+# heading = Sign in to your account
+# sub_heading = Enter your credentials to access your secure workspace.
+# submit_button = Login
+# cancel_button = Cancel
+
+# Field labels (defaults shown, uncomment to override)
+# email_label = Email address
+# email_placeholder = Enter your email address
+# password_label = Password
+# password_placeholder = Enter your password
+
+# Button colors
+# submit_background = #0f172a
+# submit_text = #ffffff
+# cancel_border = #cbd5f5
+# cancel_text = #0f172a
+
+# Redirect on successful login (leave empty to show success message instead)
+redirect_route_on_successful_login = /
+
+# Links shown beneath the login form
+forgot_password_path = /hazo_auth/forgot_password
+forgot_password_label = Forgot password?
+create_account_path = /hazo_auth/register
+create_account_label = Create account
+
+# Success message (shown when no redirect route is provided)
+# success_message = Successfully logged in
+
+[hazo_auth__forgot_password_layout]
+# Image configuration
+# If image_src is commented out or empty, the default image from package assets will be used
+# Default: src/assets/images/forgot_password_default.jpg
+# image_src = /auth_images/your_forgot_password_image.jpg
+# image_alt = Password recovery illustration
+# image_background_color = #f1f5f9
+
+# Labels
+# heading = Forgot your password?
+# sub_heading = Enter your email address and we'll send you a link to reset your password.
+# submit_button = Send reset link
+# cancel_button = Cancel
+
+[hazo_auth__reset_password_layout]
+# Image configuration
+# If image_src is commented out or empty, the default image from package assets will be used
+# Default: src/assets/images/reset_password_default.jpg
+# image_src = /auth_images/your_reset_password_image.jpg
+# image_alt = Reset password illustration
+# image_background_color = #f1f5f9
+
+# Labels
+# heading = Reset your password
+# sub_heading = Enter your new password below.
+# submit_button = Reset password
+# cancel_button = Cancel
+
+# Field labels (defaults shown, uncomment to override)
+# password_label = New password
+# password_placeholder = Enter your new password
+# confirm_password_label = Confirm new password
+# confirm_password_placeholder = Re-enter your new password
+
+# Button colors
+# submit_background = #0f172a
+# submit_text = #ffffff
+# cancel_border = #cbd5f5
+# cancel_text = #0f172a
+
+# Error message (shown when token is invalid or missing)
+# error_message = Reset password link invalid or has expired. Please go to Reset Password page to get a new link.
+
+# Success message (shown after successful password reset)
+# success_message = Password reset successfully. Redirecting to login...
+
+# Login path (redirect target after successful reset)
+# login_path = /login
+
+# Forgot password path (link shown in error state)
+# forgot_password_path = /forgot_password
+
+# Button colors
+# submit_background = #0f172a
+# submit_text = #ffffff
+# cancel_border = #cbd5f5
+# cancel_text = #0f172a
+
+[hazo_auth__email_verification_layout]
+# Image configuration
+# If image_src is commented out or empty, the default image from package assets will be used
+# Default: src/assets/images/verify_email_default.jpg
+# image_src = /auth_images/your_verify_email_image.jpg
+# image_alt = Email verification illustration
+# image_background_color = #f1f5f9
+
+# Labels (verifying state)
+# heading = Email verification
+# sub_heading = Verifying your email address...
+# submit_button = Resend verification email
+# cancel_button = Cancel
+
+# Success labels
+# success_heading = Email verified successfully
+# success_message = Your email address has been verified. You can now log in to your account.
+# success_redirect_message = Redirecting to login page in
+# success_go_to_login_button = Go to login
+
+# Error labels
+# error_heading = Verification failed
+# error_message = The verification link is invalid or has expired.
+# error_resend_form_heading = Resend verification email
+
+# Field labels (defaults shown, uncomment to override)
+# email_label = Email address
+# email_placeholder = Enter your email address
+
+# Button colors
+# submit_background = #0f172a
+# submit_text = #ffffff
+# cancel_border = #cbd5f5
+# cancel_text = #0f172a
+
+# Redirect delay in seconds (default: 5)
+# redirect_delay = 5
+
+# Login path for redirect (default: /login)
+# login_path = /login
+
+[hazo_auth__already_logged_in]
+# Message shown when user is already logged in (used across all auth pages)
+# message = You're already logged in.
+
+# Show logout button (true/false)
+# show_logout_button = true
+
+# Show return home button (true/false)
+# show_return_home_button = false
+
+# Return home button label
+# return_home_button_label = Return home
+
+# Return home path
+# return_home_path = /
+
+[hazo_auth__my_settings_layout]
+# My Settings layout configuration
+
+# Note: This layout uses shared configuration from:
+# - [hazo_auth__user_fields] for field visibility (show_name_field, show_email_field, show_password_field)
+# - [hazo_auth__password_requirements] for password validation rules
+# - [hazo_auth__profile_picture] for profile picture settings and prioritization
+
+# Heading
+# heading = Account Settings
+
+# Sub heading
+# sub_heading = Manage your profile, password, and email preferences.
+
+# Profile Photo section
+# profile_photo_label = Profile Photo
+# profile_photo_recommendation = Recommended size: 200x200px. JPG, PNG.
+# Note: profile_photo_recommendation is currently not displayed in the UI (removed per user request)
+# upload_photo_button_label = Upload New Photo
+# remove_photo_button_label = Remove
+
+# Profile Information section
+# profile_information_label = Profile Information
+# Note: Field visibility is controlled by [hazo_auth__user_fields] section:
+#   - show_name_field (controls Full Name field visibility)
+#   - show_email_field (controls Email Address field visibility)
+# Note: Name and email field labels are currently hardcoded in the component
+
+# Password section
+# password_label = Password
+# current_password_label = Current Password
+# new_password_label = New Password
+# confirm_password_label = Confirm Password
+# save_password_button_label = Save Password
+# Note: Field visibility is controlled by [hazo_auth__user_fields] show_password_field
+# Note: Password requirements are controlled by [hazo_auth__password_requirements]
+
+# Unauthorized message (shown when user is not logged in)
+# unauthorized_message = You must be logged in to access this page.
+
+# Login button label (shown in unauthorized message)
+# login_button_label = Go to login
+
+# Login path (redirect target in unauthorized message)
+# login_path = /login
+
+[hazo_auth__profile_picture]
+# Profile picture configuration
+# This configuration is used by:
+# - Registration service (for default photo assignment)
+# - My Settings layout (for profile picture management)
+
+# Allow photo upload (true/false, default: false)
+# When enabled, users can upload their own profile pictures
+allow_photo_upload = true
+
+# Upload photo path (required if allow_photo_upload is true)
+# Path should be outside the component package (e.g., ./uploads/profile_pictures/)
+# Can be relative to process.cwd() or absolute path
+upload_photo_path = ./uploads/profile_pictures
+
+# Maximum photo size in bytes (default: 51200 = 50kb)
+# Photos larger than this will be compressed automatically
+# max_photo_size = 51200
+
+# Enable default photo assignment on user creation (true/false, default: true)
+# When enabled, new users will automatically get a profile picture based on priority settings
+# user_photo_default = true
+
+# Default photo priority 1 (gravatar or library, default: gravatar)
+# This is the first source tried when assigning a default profile picture
+# Options: "gravatar" or "library"
+# user_photo_default_priority1 = gravatar
+
+# Default photo priority 2 (library or gravatar, optional)
+# This is the fallback source if priority 1 fails or is not available
+# Options: "library" or "gravatar"
+# Leave commented to disable fallback (only priority 1 will be tried)
+# user_photo_default_priority2 = library
+
+# Library photo path relative to public directory (default: /profile_pictures/library)
+# Photos should be organized in category subdirectories (e.g., /profile_pictures/library/Cars/)
+# library_photo_path = /profile_pictures/library
+
+[hazo_auth__tokens]
+# Token expiry configuration (in hours)
+# Default expiry times:
+# - refresh: 720 hours (30 days)
+# - password_reset: 0.167 hours (10 minutes)
+# - email_verification: 48 hours
+
+# Refresh token expiry (hours)
+# refresh_expiry_hours = 720
+
+# Password reset token expiry (hours, default: 10 minutes = 0.167 hours)
+# password_reset_expiry_hours = 0.167
+
+# Email verification token expiry (hours)
+# email_verification_expiry_hours = 48
+
+[hazo_auth__messages]
+# User-facing messages used across the application
+# Photo upload disabled message
+# photo_upload_disabled_message = Photo upload is not enabled. Please contact your administrator.
+
+# Gravatar messages
+# gravatar_setup_message = To set up your Gravatar:
+# gravatar_no_account_message = You don't have a Gravatar account set up for this email address.
+
+# Library tooltip message
+# library_tooltip_message = Select another tab image style to remove this image
+
+[hazo_auth__ui_sizes]
+# UI size configuration (in pixels)
+# Gravatar image size (default: 200)
+# gravatar_size = 200
+
+# Profile picture size (default: 200)
+# profile_picture_size = 200
+
+# Tooltip icon sizes
+# tooltip_icon_size_default = 16
+# tooltip_icon_size_small = 14
+
+# Library photo grid configuration
+# library_photo_grid_columns = 4
+# library_photo_preview_size = 200
+
+# Image compression max width/height (default: 200)
+# image_compression_max_dimension = 200
+
+# Upload file hard limit in bytes (default: 10485760 = 10MB)
+# upload_file_hard_limit_bytes = 10485760
+
+[hazo_auth__file_types]
+# Allowed file extensions and MIME types
+# Allowed image extensions (comma-separated, default: jpg,jpeg,png)
+# allowed_image_extensions = jpg,jpeg,png
+
+# Allowed image MIME types (comma-separated, default: image/jpeg,image/jpg,image/png)
+# allowed_image_mime_types = image/jpeg,image/jpg,image/png
+
+[hazo_auth__email]
+# Email configuration for verification, password reset, and password changed notification emails
+# Emails are sent using hazo_notify (configured in hazo_notify_config.ini)
+
+# Email from address (optional: overrides hazo_notify_config.ini from_email setting)
+# Priority: 1. hazo_auth__email.from_email, 2. hazo_notify_config.ini from_email
+# If not set, uses hazo_notify_config.ini from_email setting
+from_email = noreply3@bookmemento.com 
+from_name = Book Memento2
+
+# Base URL for email links (default: empty, uses relative URLs)
+# If provided, this will be used to construct absolute URLs for verification and password reset links
+# Priority: 1. hazo_auth__email.base_url, 2. APP_DOMAIN_NAME env var, 3. NEXT_PUBLIC_APP_URL/APP_URL env vars
+# Example: https://example.com
+# base_url = https://example.com
+
+# Email template main directory (default: ./email_templates)
+# This directory should contain email template files (HTML and text)
+# Template files should be named: <template_type>.html and <template_type>.txt
+# Example: email_verification.html, email_verification.txt, forgot_password.html, forgot_password.txt
+# email_template_main_directory = ./email_templates
+
+### Email Template: Email Verification ###
+# Email template configuration for email verification
+# This config key enables custom templates for email verification emails
+# If set, the service will look for email_verification.html and email_verification.txt in the template directory
+# email_template__email_verification = email_verification
+
+# Email subject for email verification (default: "Verify Your Email Address")
+# email_template__email_verification__subject = Verify Your Email Address
+
+# Template variables available in email_verification template:
+# - {{token}} - The verification token
+# - {{verification_url}} - Full URL for email verification
+# - {{user_email}} - User's email address
+# - {{user_name}} - User's name (if available)
+
+### Email Template: Forgot Password ###
+# Email template configuration for forgot password
+# This config key enables custom templates for forgot password emails
+# If set, the service will look for forgot_password.html and forgot_password.txt in the template directory
+# email_template__forgot_password = forgot_password
+
+# Email subject for forgot password (default: "Reset Your Password")
+# email_template__forgot_password__subject = Reset Your Password
+
+# Template variables available in forgot_password template:
+# - {{token}} - The password reset token
+# - {{reset_url}} - Full URL for password reset
+# - {{user_email}} - User's email address
+# - {{user_name}} - User's name (if available)
+
+### Email Template: Password Changed ###
+# Email template configuration for password changed notification
+# This config key enables custom templates for password changed notification emails
+# If set, the service will look for password_changed.html and password_changed.txt in the template directory
+# email_template__password_changed = password_changed
+
+# Email subject for password changed notification (default: "Password Changed Successfully")
+# email_template__password_changed__subject = Password Changed Successfully
+
+# Template variables available in password_changed template:
+# - {{user_email}} - User's email address
+# - {{user_name}} - User's name (if available)
+
+[hazo_auth__user_management]
+# User Management configuration
+# Application permission list defaults (comma-separated)
+# These permissions will be shown in the Permissions tab and can be migrated to the database
+# Note: Added HRBAC permissions for scope hierarchy management and user scope assignment
+application_permission_list_defaults = admin_user_management,admin_role_management,admin_permission_management,admin_scope_hierarchy_management,admin_user_scope_assignment,admin_test_access,admin_system
+
+[hazo_auth__app_permissions]
+# App Permission Declaration
+# Consuming applications can declare their required permissions with descriptions here.
+# This helps with debugging when permission checks fail - descriptions are included in error messages.
+#
+# Format: app_permission_X = permission_name:Description for debugging
+#
+# Example:
+# app_permission_1 = view_reports:Access to view all reports
+# app_permission_2 = edit_settings:Ability to modify application settings
+# app_permission_3 = manage_users:Permission to manage other users
+#
+# API Endpoint: GET /api/hazo_auth/permissions/app
+# Returns all registered app permissions with their descriptions.
+
+[hazo_auth__scope_hierarchy]
+# Hierarchical Role-Based Access Control (HRBAC) configuration
+# HRBAC uses a unified hazo_scopes table with parent_id for hierarchy
+#
+# Scopes are membership-based: users are assigned to scopes via hazo_user_scopes
+# Super admins (scope_id = super_admin_scope_id) have global access
+
+# Enable/disable HRBAC (true/false, default: false)
+# When disabled, all scope-related options in hazo_get_auth are ignored
+# and no HRBAC tabs appear in User Management
+enable_hrbac = true
+
+# Cache settings for scope lookups
+# TTL in minutes (default: 15)
+scope_cache_ttl_minutes = 15
+
+# Maximum entries in scope cache (default: 5000)
+scope_cache_max_entries = 5000
+
+# Super admin scope ID (special UUID for global access)
+# Users assigned to this scope have access to all scopes
+super_admin_scope_id = 00000000-0000-0000-0000-000000000000
+
+# Default system scope ID (for non-multi-tenancy mode)
+# Used when a single default scope is needed
+default_system_scope_id = 00000000-0000-0000-0000-000000000001
+
+# Default role for firm creators
+# When a user creates a firm, they are assigned this role
+default_firm_creator_role = firm_admin
+
+[hazo_auth__invitations]
+# Invitation system configuration
+# Invitations allow existing users to invite new users to their scope
+
+# Default invitation expiry in hours (default: 48)
+default_expiry_hours = 48
+
+# Maximum pending invitations per email address (default: 5)
+max_pending_per_email = 5
+
+[hazo_auth__create_firm]
+# Create Firm page configuration
+# Shown to new users who verify their email but have no scope/invitation
+
+# Image source for the create firm page (default: /hazo_auth/images/new_firm_default.jpg)
+image_src = /hazo_auth/images/new_firm_default.jpg
+
+# Page heading
+heading = Create Your Firm
+
+# Page sub-heading
+sub_heading = Set up your organisation to get started
+
+# Form field labels
+firm_name_label = Firm Name
+org_structure_label = Organisation Structure
+
+# Default value for organisation structure field
+org_structure_default = Headquarters
+
+# Submit button label
+submit_button_label = Create Firm
+
+[hazo_auth__initial_setup]
+# Initial setup configuration for initializing users, roles, and permissions
+# Email address of the super user to assign the default_super_user_role
+# This user will receive all permissions from application_permission_list_defaults
+default_super_user_email = pubudu79@gmail.com
+
+[hazo_auth__auth_utility]
+# Authentication utility configuration
+
+# Cache settings
+# Maximum number of users to cache (LRU eviction, default: 10000)
+cache_max_users = 10000
+
+# Cache TTL in minutes (default: 15)
+cache_ttl_minutes = 15
+
+# Force cache refresh if older than this many minutes (default: 30)
+cache_max_age_minutes = 30
+
+# Rate limiting for /api/auth/get_auth endpoint
+# Per-user rate limit (requests per minute, default: 100)
+rate_limit_per_user = 100
+
+# Per-IP rate limit for unauthenticated requests (default: 200)
+rate_limit_per_ip = 200
+
+# Permission check behavior
+# Log all permission denials for security audit (default: true)
+log_permission_denials = true
+
+# User-friendly error messages
+# Enable mapping of technical permissions to user-friendly messages (default: true)
+enable_friendly_error_messages = true
+
+# Permission message mappings (optional, comma-separated: permission_name:user_message)
+# Example: admin_user_management:You don't have access to user management,admin_role_management:You don't have access to role management
+# permission_error_messages = 
+
+# Debug endpoint
+# Enable debug auth endpoint /api/hazo_auth/debug_auth (default: false)
+# When enabled, provides detailed authentication debug information including user details, roles, permissions, and cookies
+# WARNING: Only enable this in development/staging environments, not in production
+enable_debug_auth_route = true
+
+[hazo_auth__dev_lock]
+# Development Lock Screen Configuration
+# This feature locks the entire application behind a password during development/testing
+# When enabled, all routes (pages and APIs) require the dev lock to be unlocked first
+#
+# IMPORTANT: Requires environment variables:
+# - HAZO_AUTH_DEV_LOCK_ENABLED=true   (enables the lock in middleware)
+# - HAZO_AUTH_DEV_LOCK_PASSWORD=xxx   (the password users must enter)
+#
+# If HAZO_AUTH_DEV_LOCK_ENABLED=true but HAZO_AUTH_DEV_LOCK_PASSWORD is not set,
+# the application will fail to start with a descriptive error message.
+
+# Enable the dev lock screen (default: false)
+# Note: Also requires HAZO_AUTH_DEV_LOCK_ENABLED=true env var for actual enforcement
+# enable = false
+
+# Session duration in days (default: 7)
+# Once a user enters the correct password, they won't be prompted again for this duration
+# session_duration_days = 7
+
+# UI Customization
+
+# Background color (default: #000000 - black)
+# background_color = #000000
+
+# Logo image path (default: /logo.png in public folder)
+# logo_path = /logo.png
+
+# Logo dimensions in pixels
+# logo_width = 120
+# logo_height = 120
+
+# Application name displayed below the logo (default: empty)
+# application_name = My Application
+
+# Limited access text displayed with lock icon (default: "Limited Access")
+# limited_access_text = Limited Access
+
+# Password input placeholder (default: "Enter access password")
+# password_placeholder = Enter access password
+
+# Submit button text (default: "Unlock")
+# submit_button_text = Unlock
+
+# Error message for incorrect password (default: "Incorrect password")
+# error_message = Incorrect password
+
+# Text color for labels (default: #ffffff - white)
+# text_color = #ffffff
+
+# Accent color for button (default: #3b82f6 - blue)
+# accent_color = #3b82f6
+
+application_name = My App
+background_color =rgb(18, 15, 15)
+logo_path = /logo.png
+
+[hazo_auth__user_types]
+# User Types Feature Configuration
+# This feature allows you to categorize users with customizable types
+# (e.g., "Client", "Tax Agent", "Support Staff") with visual badge indicators.
+#
+# User types are defined in this config file and displayed as badges in the
+# User Management interface. Types can be assigned to users via the UI.
+
+# Enable user types feature (default: false)
+# When enabled, a "User Type" column appears in the users table and
+# a dropdown selector appears in the user detail dialog.
+# enable_user_types = false
+
+# Default user type for new users (optional, default: empty)
+# When set, new registrations will automatically be assigned this type.
+# The value must match one of the user_type_X key values below.
+# Leave empty for no default (users start with no type assigned).
+# default_user_type = standard
+
+# User type definitions
+# Format: user_type_X = key:label:badge_color
+# - key: Unique identifier stored in database (lowercase, no spaces)
+# - label: Display name shown in the UI
+# - badge_color: Preset name (blue, green, red, yellow, purple, gray, orange, pink)
+#                or custom hex value (e.g., #4CAF50)
+#
+# Examples:
+# user_type_1 = admin:Administrator:red
+# user_type_2 = standard:Standard User:blue
+# user_type_3 = premium:Premium User:purple
+# user_type_4 = client:Client:green
+# user_type_5 = agent:Tax Agent:orange
+# user_type_6 = support:Support Staff:yellow
+# user_type_7 = guest:Guest:gray
+# user_type_8 = vip:VIP Customer:#FFD700
+
+[hazo_auth__app_user_data]
+# App User Data Schema Configuration
+# Enables schema-based editing of app_user_data in User Management
+#
+# When enabled with a valid schema, the User Management dialog will show
+# a form-based editor instead of the raw JSON tree view.
+
+# Enable schema-based editing (default: false)
+# When disabled, shows raw JSON view (read-only)
+enable_schema = true
+
+# JSON Schema defining the structure of app_user_data
+# Only supports a subset of JSON Schema: type (object, string, number, boolean), properties
+# The schema must be a single line of valid JSON
+#
+# Example schema with nested objects:
+schema = {"type":"object","properties":{"electronic_funds_transfer":{"type":"object","properties":{"eft_bsb_number":{"type":"string"},"eft_account_number":{"type":"string"},"eft_account_name":{"type":"string"}}},"contact_details":{"type":"object","properties":{"daytime_phone_number":{"type":"string"},"mobile_phone_number":{"type":"string"},"email_address":{"type":"string"}}},"postal_address":{"type":"object","properties":{"postal_address_line_1":{"type":"string"},"postal_suburb_town_locality":{"type":"string"},"postal_state_territory":{"type":"string"},"postal_postcode":{"type":"string"},"postal_country_if_not_australia":{"type":"string"}}}}}
+
+# Custom labels for top-level sections (optional)
+# Format: label_<key> = Display Label
+# If not provided, the key is converted from snake_case to Title Case
+#
+# Example:
+# label_contact_details = Contact Information
+# label_preferences = User Preferences

package/config/hazo_logs_config.ini

@@ -0,0 +1,32 @@
+[hazo_logs]
+# Directory for log files (relative to process.cwd() or absolute)
+log_directory = ./logs
+
+# Minimum log level (error, warn, info, debug)
+log_level = info
+
+# Enable console output with colors
+enable_console = true
+
+# Enable file output with daily rotation
+enable_file = true
+
+# Maximum size per log file before rotation (k, m, g)
+max_file_size = 20m
+
+# Maximum retention for log files (number of files or age)
+max_files = 14d
+
+# Date pattern for log file names
+date_pattern = YYYY-MM-DD
+
+# --- Log Viewer UI Settings ---
+
+# Enable the log viewer UI feature
+enable_log_viewer = true
+
+# Number of log entries per page in the viewer
+log_viewer_page_size = 50
+
+# Maximum number of log entries to load for filtering/sorting
+log_viewer_max_results = 1000

package/config/hazo_notify_config.ini

@@ -0,0 +1,158 @@
+# file_description: configuration file for hazo_notify email service
+# This file contains all configurable parameters for the hazo_notify email service
+# Commented values indicate defaults that are being used
+
+[emailer]
+# Emailer module: zeptoemail_api, smtp, pop3
+# Required: Yes
+# Default: zeptoemail_api
+# Description: Select the emailer module to use
+emailer_module=zeptoemail_api
+
+# Zeptomail API Provider Configuration
+# Required when emailer_module=zeptoemail_api
+# Description: API endpoint for Zeptomail email service
+zeptomail_api_endpoint=https://api.zeptomail.com.au/v1.1/email
+
+# Required when emailer_module=zeptoemail_api
+# Description: Zeptomail API key for authentication
+# SECURITY: Store this in .env.local file as ZEPTOMAIL_API_KEY (recommended)
+# Get this from your Zeptomail account dashboard
+# If not set in .env.local, you can set it here (not recommended for production)
+# zeptomail_api_key=your_zeptomail_api_key
+
+# Required: Yes
+# Description: Default sender email address
+# This email must be verified in your Zeptomail account
+from_email=noreply1@bookmemento.com
+
+# Required: Yes
+# Description: Default sender name displayed in email clients
+from_name=Book Memento1
+
+# Optional: Reply-to email address
+# Description: Email address to use for replies (if different from from_email)
+# Default: Uses from_email if not specified
+# reply_to_email=support@example.com
+
+# Optional: Bounce handling email
+# Description: Email address to receive bounce notifications
+# bounce_email=bounce@example.com
+
+# Optional: Return path email
+# Description: Email address to use for return path
+# return_path_email=returns@example.com
+
+# SMTP Provider Configuration (placeholder - not yet implemented)
+# Required when emailer_module=smtp
+# Description: SMTP server hostname
+# smtp_host=smtp.example.com
+
+# Required when emailer_module=smtp
+# Description: SMTP server port (typically 587 for TLS, 465 for SSL, 25 for non-secure)
+# smtp_port=587
+
+# Required when emailer_module=smtp
+# Description: Use secure connection (true for SSL/TLS, false for non-secure)
+# smtp_secure=false
+
+# Required when emailer_module=smtp
+# Description: SMTP authentication username (usually your email address)
+# smtp_auth_user=your_email@example.com
+
+# Required when emailer_module=smtp
+# Description: SMTP authentication password or app-specific password
+# smtp_auth_pass=your_password
+
+# Optional: SMTP connection timeout in milliseconds
+# Description: Timeout for SMTP connection attempts
+# Default: 5000
+# smtp_timeout=5000
+
+# Optional: SMTP pool configuration
+# Description: Enable connection pooling for better performance
+# Default: false
+# smtp_pool=false
+
+# POP3 Provider Configuration (placeholder - not yet implemented)
+# Required when emailer_module=pop3
+# Description: POP3 server hostname
+# pop3_host=pop3.example.com
+
+# Required when emailer_module=pop3
+# Description: POP3 server port (typically 995 for SSL, 110 for non-secure)
+# pop3_port=995
+
+# Required when emailer_module=pop3
+# Description: Use secure connection (true for SSL, false for non-secure)
+# pop3_secure=true
+
+# Required when emailer_module=pop3
+# Description: POP3 authentication username (usually your email address)
+# pop3_auth_user=your_email@example.com
+
+# Required when emailer_module=pop3
+# Description: POP3 authentication password
+# pop3_auth_pass=your_password
+
+# Optional: POP3 connection timeout in milliseconds
+# Description: Timeout for POP3 connection attempts
+# Default: 5000
+# pop3_timeout=5000
+
+# Rate Limiting Configuration
+# Optional: Rate limit requests per minute
+# Description: Maximum number of requests allowed per minute per IP address
+# Default: 10
+# Recommended: 10-60 for production
+rate_limit_requests=10
+
+# Optional: Rate limit window in seconds
+# Description: Time window for rate limiting
+# Default: 60 (1 minute)
+rate_limit_window=60
+
+# Attachment Limits
+# Optional: Maximum attachment size in bytes
+# Description: Maximum size allowed per attachment (in bytes)
+# Default: 10485760 (10MB)
+# Recommended: 10MB for most use cases
+max_attachment_size=10485760
+
+# Optional: Maximum number of attachments
+# Description: Maximum number of attachments allowed per email
+# Default: 10
+max_attachments=10
+
+# Request Timeout
+# Optional: Request timeout in milliseconds
+# Description: Timeout for API requests to email providers
+# Default: 30000 (30 seconds)
+request_timeout=30000
+
+# Input Length Limits
+# Optional: Maximum subject length in characters
+# Description: Maximum length for email subject line
+# Default: 255 (RFC 5322 standard)
+max_subject_length=255
+
+# Optional: Maximum body length in bytes
+# Description: Maximum size for email body content (text or HTML)
+# Default: 1048576 (1MB)
+max_body_length=1048576
+
+# CORS Configuration
+# Optional: CORS allowed origins
+# Description: Comma-separated list of allowed origins for CORS
+# Default: empty (same-origin only)
+# Use "*" to allow all origins (not recommended for production)
+# cors_allowed_origins=
+
+[ui]
+# Enable UI component and all routes (e.g., /hazo_notify/emailer_test)
+# Required: No
+# Default: false
+# Description: Enable the entire UI component and all routes for testing services
+# Set to true to enable the UI, false to disable it
+enable_ui=false
+

package/dist/cli/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":"AA2IA,wBAAgB,WAAW,IAAI,IAAI,CAkHlC"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":"AA4IA,wBAAgB,WAAW,IAAI,IAAI,CAkHlC"}

package/dist/cli/init.js

@@ -12,10 +12,11 @@ const REQUIRED_DIRECTORIES = [
     "public/profile_pictures/library",
     "public/profile_pictures/uploads",
     "data",
+    "config",
 ];
 const CONFIG_FILES = [
-    { source: "hazo_auth_config.example.ini", target: "hazo_auth_config.ini" },
-    { source: "hazo_notify_config.example.ini", target: "hazo_notify_config.ini" },
+    { source: "config/hazo_auth_config.example.ini", target: "config/hazo_auth_config.ini" },
+    { source: "config/hazo_notify_config.example.ini", target: "config/hazo_notify_config.ini" },
 ];
 // section: helpers
 function get_project_root() {
@@ -198,7 +199,7 @@ export function handle_init() {
     }
     console.log("\n\x1b[32m🦊 Initialization complete!\x1b[0m");
     console.log("\nNext steps:");
-    console.log("  1. Edit \x1b[36mhazo_auth_config.ini\x1b[0m with your settings");
+    console.log("  1. Edit \x1b[36mconfig/hazo_auth_config.ini\x1b[0m with your settings");
     console.log("  2. Copy \x1b[36m.env.local.example\x1b[0m to \x1b[36m.env.local\x1b[0m and add your API keys");
     console.log("  3. Run \x1b[36mnpx hazo_auth generate-routes --pages\x1b[0m to generate routes and pages");
     console.log("  4. Run \x1b[36mnpx hazo_auth validate\x1b[0m to check your setup");

package/dist/cli/validate.js

@@ -4,8 +4,8 @@ import * as fs from "fs";
 import * as path from "path";
 // section: constants
 const REQUIRED_CONFIG_FILES = [
-    "hazo_auth_config.ini",
-    "hazo_notify_config.ini",
+    "config/hazo_auth_config.ini",
+    "config/hazo_notify_config.ini",
 ];
 const REQUIRED_ENV_VARS = [
     { name: "JWT_SECRET", required: true, description: "JWT signing secret" },
@@ -110,7 +110,7 @@ function check_config_files(project_root) {
         results.push({
             name: `Config file: ${config_file}`,
             status: exists ? "pass" : "fail",
-            message: exists ? "" : `File not found. Run: cp node_modules/hazo_auth/${config_file.replace(".ini", ".example.ini")} ./${config_file}`,
+            message: exists ? "" : `File not found. Run: npx hazo_auth init`,
         });
     }
     return results;
@@ -118,7 +118,7 @@ function check_config_files(project_root) {
 function check_config_values(project_root) {
     var _a, _b, _c, _d, _e, _f;
     const results = [];
-    const hazo_config_path = path.join(project_root, "hazo_auth_config.ini");
+    const hazo_config_path = path.join(project_root, "config", "hazo_auth_config.ini");
     const hazo_config = read_ini_file(hazo_config_path);
     if (hazo_config) {
         const db_type = (_a = hazo_config["hazo_connect"]) === null || _a === void 0 ? void 0 : _a["type"];
@@ -193,7 +193,7 @@ function check_config_values(project_root) {
             });
         }
     }
-    const notify_config_path = path.join(project_root, "hazo_notify_config.ini");
+    const notify_config_path = path.join(project_root, "config", "hazo_notify_config.ini");
     const notify_config = read_ini_file(notify_config_path);
     if (notify_config) {
         const from_email = (_e = notify_config["emailer"]) === null || _e === void 0 ? void 0 : _e["from_email"];
@@ -368,13 +368,13 @@ function check_profile_pictures(project_root) {
 function check_database(project_root) {
     var _a, _b, _c;
     const results = [];
-    const hazo_config_path = path.join(project_root, "hazo_auth_config.ini");
+    const hazo_config_path = path.join(project_root, "config", "hazo_auth_config.ini");
     const hazo_config = read_ini_file(hazo_config_path);
     if (!hazo_config) {
         results.push({
             name: "Database check",
             status: "fail",
-            message: "Could not read hazo_auth_config.ini",
+            message: "Could not read config/hazo_auth_config.ini",
         });
         return results;
     }

package/dist/lib/config/config_loader.server.js

@@ -5,7 +5,7 @@ import path from "path";
 import fs from "fs";
 import { create_app_logger } from "../app_logger.js";
 // section: constants
-const DEFAULT_CONFIG_FILE = "hazo_auth_config.ini";
+const DEFAULT_CONFIG_FILE = "config/hazo_auth_config.ini";
 // section: helpers
 /**
  * Gets the default config file path

package/dist/lib/services/invitation_service.js

@@ -183,7 +183,7 @@ export async function accept_invitation(adapter, invitation_id, user_id) {
         if (invitation.status !== "PENDING") {
             return {
                 success: false,
-                error: `Invitation is ${invitation.status.toLowerCase()}, not pending`,
+                error: `Invitation is ${invitation.status}, not PENDING`,
             };
         }
         // Check expiration
@@ -266,7 +266,7 @@ export async function revoke_invitation(adapter, invitation_id) {
         if (invitation_result.invitation.status !== "PENDING") {
             return {
                 success: false,
-                error: `Cannot revoke invitation with status ${invitation_result.invitation.status.toLowerCase()}`,
+                error: `Cannot revoke invitation with status ${invitation_result.invitation.status}`,
             };
         }
         // Mark as revoked

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "5.1.8",
+  "version": "5.1.9",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",
@@ -172,8 +172,7 @@
     "cli-src/**/*",
     "public/profile_pictures/library/**/*",
     "public/hazo_auth/images/**/*",
-    "hazo_auth_config.example.ini",
-    "hazo_notify_config.example.ini",
+    "config/**/*",
     "README.md",
     "SETUP_CHECKLIST.md",
     "LICENSE"