hazo_auth 6.0.0 → 7.0.1

package/README.md

@@ -2,6 +2,98 @@
 
 A reusable authentication UI component package powered by Next.js, TailwindCSS, and shadcn. It integrates `hazo_config` for configuration management and `hazo_connect` for data access, enabling future components to stay aligned with platform conventions.
 
+## What's New in v7.0.0
+
+**Themes, cookie consent, text overrides, and Facebook OAuth.**
+
+### Highlights
+
+- **Pluggable theme system** — `createTheme` + `<HazoAuthThemeProvider>` (zero FOUC, compiles to shadcn CSS variables). Use a preset or build from scratch.
+- **Facebook OAuth** — `<FacebookSignInButton>` and `handle_facebook_oauth_login` service. Strict linking by default (verified accounts only).
+- **Cookie consent banner** — `<CookieConsentBanner>` from `hazo_auth/consent`. GTM optional, 4 categories, theme-driven.
+- **Text override system** — `<HazoAuthStringsProvider>` and per-page `title`/`subtitle`/`ctaText`/`legalText` props. INI text keys removed.
+- **Preset themes** — `preset_neutral` (default look, no config needed) and `preset_indigo_sunset` from `hazo_auth/themes`.
+
+### Breaking Changes Summary
+
+- Per-page `imageSrc`/`imageAlt`/`imageBackgroundColor` props removed — use `theme.brandPanel`.
+- INI text keys (`title`, `subtitle`, `cta_text`, `legal_text`) removed from layout sections — use `HazoAuthStringsProvider` or per-page props.
+- Facebook OAuth requires new env vars (`HAZO_AUTH_FACEBOOK_APP_ID`, `HAZO_AUTH_FACEBOOK_APP_SECRET`).
+
+> Full upgrade guide: [MIGRATION.md](./MIGRATION.md)
+
+---
+
+## What's New in v6.1.0
+
+**Email-OTP sign-in** — a passwordless, OAuth-free way to sign in via a 6-digit code emailed to the user. Targeted at single-operator deployments that don't want to wire Google OAuth or manage passwords.
+
+### Highlights
+
+- **New routes** — `POST /api/hazo_auth/otp/request` and `POST /api/hazo_auth/otp/verify`
+- **New components** — `<OTPRequestForm/>` and `<OTPVerifyForm/>` exported from `hazo_auth/client`
+- **New page** — `/hazo_auth/otp` (zero-config) via `hazo_auth/pages/otp`
+- **Sliding 7-day session** — OTP sessions auto-extend on `/me` when within 24h of expiry. OAuth/password sessions keep their existing 30-day fixed behaviour.
+- **Auto-register (opt-in)** — set `otp_auto_register = true` to let unknown emails sign in on first successful /verify
+- **Rate limited** — 3 requests/email/15min, 20 requests/IP/hour; per-code attempts capped at 5
+
+### Consumer example
+
+Mount the routes:
+
+```ts
+// app/api/hazo_auth/otp/request/route.ts
+export { otpRequestPOST as POST } from "hazo_auth/server/routes";
+
+// app/api/hazo_auth/otp/verify/route.ts
+export { otpVerifyPOST as POST } from "hazo_auth/server/routes";
+```
+
+Render the zero-config page:
+
+```tsx
+// app/hazo_auth/otp/page.tsx
+export { default } from "hazo_auth/pages/otp";
+```
+
+Or compose components yourself:
+
+```tsx
+"use client";
+import { OTPRequestForm, OTPVerifyForm } from "hazo_auth/client";
+import { useState } from "react";
+
+export default function CustomOtp() {
+  const [sent_to, set_sent_to] = useState<string | null>(null);
+  return sent_to
+    ? <OTPVerifyForm email={sent_to} redirect_url="/" />
+    : <OTPRequestForm on_sent={set_sent_to} />;
+}
+```
+
+### Required setup
+
+1. Apply migration: `npm run migrate migrations/015_email_otp.sql`
+2. Add `[hazo_auth__otp]` section to `config/hazo_auth_config.ini` (template in `hazo_auth_config.example.ini`)
+3. `hazo_notify ^3.0.0` (existing peer dep) must be configured to deliver email
+4. New peer dep: `input-otp` (optional; required only if you render `<OTPVerifyForm/>`)
+5. **Add OTP routes to your middleware/proxy `public_routes`** — unauthenticated users land on the OTP page, so the page route and its API routes must bypass auth guards:
+
+```typescript
+// middleware.ts / proxy.ts  (in your consuming app)
+const public_routes = [
+  // ... existing entries ...
+  "/hazo_auth/otp",        // OTP sign-in page (public — users arrive unauthenticated)
+  "/api/hazo_auth/otp",    // OTP request + verify API routes
+];
+```
+
+Without this your middleware redirects unauthenticated users away from the sign-in page before they can authenticate.
+
+See `MIGRATION.md` "v6.0.x → v6.1" for the full upgrade walkthrough.
+
+---
+
 ### What's New in v6.0.0 🚨 BREAKING CHANGE
 
 **`TenantAuthResult.organization` / `.organization_id` renamed to `.selected_scope` / `.selected_scope_id`.**
@@ -380,23 +472,30 @@ export default function Page() {
 }
 ```
 
-**Customizing Visual Appearance (Optional):**
+**Customizing Visual Appearance (v7.0+):**
 
-```typescript
-// All pages accept optional visual props
+Use `HazoAuthThemeProvider` instead of per-page image props (which were removed in v7.0):
+
+```tsx
+import { createTheme, HazoAuthThemeProvider } from "hazo_auth/theme";
 import { LoginPage } from "hazo_auth/pages/login";
 
+const theme = createTheme({
+  layout: "split",
+  brandPanel: { logoSrc: "/logo.svg", tagline: "Welcome.", backgroundGradient: "linear-gradient(135deg, #3730A3, #F59E0B)" },
+});
+
 export default function Page() {
   return (
-    <LoginPage
-      image_src="/custom-login-image.jpg"
-      image_alt="My company logo"
-      image_background_color="#f0f0f0"
-    />
+    <HazoAuthThemeProvider theme={theme}>
+      <LoginPage theme={theme} />
+    </HazoAuthThemeProvider>
   );
 }
 ```
 
+See the [Theming](#theming-v700) section for all options.
+
 **Embedding MySettings in Your Dashboard:**
 
 ```typescript
@@ -586,6 +685,132 @@ The dark class is typically added by next-themes or similar theme providers.
 
 ---
 
+## Theming (v7.0.0+)
+
+hazo_auth v7 ships a pluggable theme system. `<HazoAuthThemeProvider>` is a Server Component that injects CSS variables at `:root` with zero FOUC.
+
+### Option 1: Use a preset directly
+
+```tsx
+import { HazoAuthThemeProvider } from "hazo_auth/theme";
+import { preset_indigo_sunset } from "hazo_auth/themes";
+
+// app/layout.tsx
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <body>
+        <HazoAuthThemeProvider theme={preset_indigo_sunset}>
+          {children}
+        </HazoAuthThemeProvider>
+      </body>
+    </html>
+  );
+}
+```
+
+`preset_neutral` is the default look (slate-700 palette, centered layout). Auth pages render acceptably with no theme configuration at all.
+
+### Option 2: Customize a preset
+
+```tsx
+import { createTheme, HazoAuthThemeProvider } from "hazo_auth/theme";
+import { preset_indigo_sunset } from "hazo_auth/themes";
+
+const theme = createTheme({
+  ...preset_indigo_sunset,
+  brandPanel: { logoSrc: "/logo.svg", tagline: "Welcome." },
+});
+
+<HazoAuthThemeProvider theme={theme}>{children}</HazoAuthThemeProvider>
+```
+
+### Option 3: Build from scratch
+
+```tsx
+import { createTheme, HazoAuthThemeProvider } from "hazo_auth/theme";
+
+const theme = createTheme({
+  colors: { primary: "#2563EB", primaryForeground: "#ffffff" },
+  layout: "split",
+  brandPanel: {
+    logoSrc: "/logo.svg",
+    tagline: "Welcome to MyApp.",
+    backgroundGradient: "linear-gradient(135deg, #2563EB, #7C3AED)",
+  },
+});
+
+<HazoAuthThemeProvider theme={theme}>{children}</HazoAuthThemeProvider>
+```
+
+**Note:** `preset_indigo_sunset` uses `var(--font-display)` and `var(--font-body)`. Wire these in `app/layout.tsx` using `next/font`. See [MIGRATION.md §3](./MIGRATION.md).
+
+---
+
+## Cookie Consent (v7.0.0+)
+
+```tsx
+import { CookieConsentBanner } from "hazo_auth/consent";
+
+// In your root layout or a page:
+<CookieConsentBanner />
+
+// With GTM:
+<CookieConsentBanner enableGTM gtmContainerId="GTM-XXXX" />
+```
+
+Read consent server-side:
+
+```tsx
+import { read_consent } from "hazo_auth/consent";
+
+export async function GET(request: NextRequest) {
+  const consent = read_consent(request.headers);
+  if (consent.analytics) {
+    // Track event
+  }
+}
+```
+
+Use the `useConsent` hook client-side:
+
+```tsx
+"use client";
+import { useConsent } from "hazo_auth/consent";
+
+export function MyComponent() {
+  const { analytics, marketing } = useConsent();
+  // Syncs across tabs via custom event
+}
+```
+
+---
+
+## Strings & Text Overrides (v7.0.0+)
+
+INI text keys (`title`, `subtitle`, `cta_text`, `legal_text`) are removed in v7. Use `<HazoAuthStringsProvider>` or per-page props instead.
+
+### Global overrides (app/layout.tsx)
+
+```tsx
+import { HazoAuthStringsProvider } from "hazo_auth/strings";
+
+<HazoAuthStringsProvider strings={{ login: { title: "Sign in to MyApp" } }}>
+  {children}
+</HazoAuthStringsProvider>
+```
+
+### Per-page overrides
+
+```tsx
+<LoginPage title="Sign in to MyApp" subtitle="Access your workspace" />
+<RegisterPage title="Create your account" ctaText="Get started" />
+```
+
+`DEFAULT_STRINGS` is exported from `hazo_auth/strings` for reference.
+
+---
+
 ## Configuration Setup
 
 After installing the package, you need to set up configuration files in your project root:

package/SETUP_CHECKLIST.md

@@ -1443,6 +1443,246 @@ export { POST } from "hazo_auth/server/routes/pin_login";
 
 ---
 
+## Phase 5.3: Email-OTP Sign-in Setup (Optional)
+
+Email-OTP sign-in lets users authenticate with a 6-digit code sent to their email — no password or Google OAuth required. Skip this phase if your app uses only password or OAuth authentication.
+
+### Step 5.3.1: Apply the OTP migration
+
+```bash
+npm run migrate migrations/015_email_otp.sql
+```
+
+This creates the `hazo_email_otps` table (stores hashed codes with expiry).
+
+**Verify the table exists:**
+```bash
+sqlite3 data/hazo_auth.sqlite ".tables" | tr ' ' '\n' | grep hazo_email_otps
+# Expected: hazo_email_otps
+```
+
+### Step 5.3.2: Add OTP config section
+
+Add to `config/hazo_auth_config.ini`:
+
+```ini
+[hazo_auth__otp]
+# Whether OTP sign-in is enabled
+enabled = true
+
+# Auto-register unknown emails on first successful verify (default: false)
+otp_auto_register = false
+
+# Code expiry in minutes (default: 10)
+code_expiry_minutes = 10
+```
+
+### Step 5.3.3: Create OTP API routes
+
+```bash
+npx hazo_auth generate-routes
+```
+
+Or manually:
+
+`app/api/hazo_auth/otp/request/route.ts`:
+```typescript
+export { otpRequestPOST as POST } from "hazo_auth/server/routes";
+```
+
+`app/api/hazo_auth/otp/verify/route.ts`:
+```typescript
+export { otpVerifyPOST as POST } from "hazo_auth/server/routes";
+```
+
+### Step 5.3.4: Create the OTP sign-in page
+
+`app/hazo_auth/otp/page.tsx`:
+```typescript
+export { default } from "hazo_auth/pages/otp";
+```
+
+### Step 5.3.5: Add OTP routes to middleware/proxy public_routes (REQUIRED)
+
+**This step is critical.** Unauthenticated users arrive at the OTP sign-in page before they have auth cookies. If the OTP routes are not in `public_routes`, your middleware will redirect them to `/login` in a loop.
+
+Edit your `middleware.ts` or `proxy.ts`:
+
+```typescript
+const public_routes = [
+  // ... existing entries ...
+  "/hazo_auth/otp",        // OTP sign-in page (public — users arrive unauthenticated)
+  "/api/hazo_auth/otp",    // OTP request + verify API routes
+];
+```
+
+### Step 5.3.6: Install optional peer dep (if using OTPVerifyForm)
+
+If you render `<OTPVerifyForm/>` directly (rather than using the zero-config page), install:
+
+```bash
+npm install input-otp
+```
+
+**OTP Setup Checklist:**
+- [ ] `hazo_email_otps` table created (`npm run migrate migrations/015_email_otp.sql`)
+- [ ] `[hazo_auth__otp]` section added to `hazo_auth_config.ini`
+- [ ] OTP API routes created (`/api/hazo_auth/otp/request` and `/api/hazo_auth/otp/verify`)
+- [ ] OTP page created (`/hazo_auth/otp`)
+- [ ] `/hazo_auth/otp` and `/api/hazo_auth/otp` added to middleware `public_routes`
+- [ ] `input-otp` installed (only if using `<OTPVerifyForm/>` directly)
+- [ ] Email delivery configured (`hazo_notify` + valid `ZEPTOMAIL_API_KEY`)
+
+---
+
+## Phase 5.4: Theme Setup (v7.0.0+)
+
+### Step 5.4.1: Mount HazoAuthThemeProvider (Required for themed auth pages)
+
+Mount `<HazoAuthThemeProvider>` in `app/layout.tsx`. Use `preset_neutral` for the default look, or configure a custom theme.
+
+**Option A: Default look (no config needed)**
+```tsx
+import { HazoAuthThemeProvider } from "hazo_auth/theme";
+import { preset_neutral } from "hazo_auth/themes";
+
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <body>
+        <HazoAuthThemeProvider theme={preset_neutral}>
+          {children}
+        </HazoAuthThemeProvider>
+      </body>
+    </html>
+  );
+}
+```
+
+**Option B: Custom theme**
+```tsx
+import { createTheme, HazoAuthThemeProvider } from "hazo_auth/theme";
+
+const theme = createTheme({
+  colors: { primary: "#2563EB" },
+  layout: "split",
+  brandPanel: { logoSrc: "/logo.svg", tagline: "Welcome." },
+});
+
+<HazoAuthThemeProvider theme={theme}>{children}</HazoAuthThemeProvider>
+```
+
+**If using `preset_indigo_sunset` (custom fonts required):**
+
+Wire `next/font` in `app/layout.tsx` to expose `--font-display` and `--font-body` CSS variables. See [MIGRATION.md §3](./MIGRATION.md).
+
+```tsx
+import { Crimson_Pro, DM_Sans } from "next/font/google";
+const display = Crimson_Pro({ subsets: ["latin"], variable: "--font-display" });
+const body = DM_Sans({ subsets: ["latin"], variable: "--font-body" });
+
+export default function Layout({ children }) {
+  return <html className={`${display.variable} ${body.variable}`}>{children}</html>;
+}
+```
+
+**Checklist:**
+- [ ] `<HazoAuthThemeProvider>` mounted in `app/layout.tsx`
+- [ ] Preset or custom theme configured
+- [ ] If using `preset_indigo_sunset`: `next/font` wired for `--font-display` and `--font-body`
+
+---
+
+## Phase 5.5: Facebook OAuth Setup (Optional, v7.0.0+)
+
+### Step 5.5.1: Get Facebook App credentials
+
+1. Go to [Meta Developers](https://developers.facebook.com/)
+2. Create or select an app
+3. Add the **Facebook Login** product
+4. Set authorized redirect URIs: `http://localhost:3000/api/auth/callback/facebook` (dev) and your production URL
+5. Copy **App ID** and **App Secret**
+
+### Step 5.5.2: Add Facebook OAuth environment variables
+
+Add to your `.env.local`:
+```env
+HAZO_AUTH_FACEBOOK_APP_ID=your_app_id
+HAZO_AUTH_FACEBOOK_APP_SECRET=your_app_secret
+```
+
+The Facebook sign-in button is hidden when these vars are not set.
+
+### Step 5.5.3: Enable Facebook in config
+
+Add to `config/hazo_auth_config.ini`:
+```ini
+[hazo_auth__oauth]
+enable_facebook = true
+
+; Facebook: default false — stricter security posture
+; Set true only if you want to auto-link to unverified email accounts
+auto_link_unverified_accounts_facebook = false
+```
+
+### Step 5.5.4: Apply Facebook migration
+
+```bash
+npm run migrate migrations/016_facebook_oauth.sql
+```
+
+### Step 5.5.5: Create Facebook OAuth callback route
+
+```typescript
+// app/api/hazo_auth/oauth/facebook/callback/route.ts
+export { GET } from "hazo_auth/server/routes/oauth_facebook_callback";
+```
+
+**Facebook OAuth Checklist:**
+- [ ] Facebook App credentials obtained
+- [ ] `HAZO_AUTH_FACEBOOK_APP_ID` and `HAZO_AUTH_FACEBOOK_APP_SECRET` set in `.env.local`
+- [ ] `enable_facebook = true` in `[hazo_auth__oauth]`
+- [ ] Migration `016_facebook_oauth.sql` applied
+- [ ] Facebook callback route created
+
+---
+
+## Phase 5.6: Cookie Consent Setup (Optional, v7.0.0+)
+
+### Step 5.6.1: Mount CookieConsentBanner
+
+Mount `<CookieConsentBanner>` in your root layout:
+
+```tsx
+import { CookieConsentBanner } from "hazo_auth/consent";
+
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <body>
+        <HazoAuthThemeProvider theme={preset_neutral}>
+          {children}
+          <CookieConsentBanner />
+        </HazoAuthThemeProvider>
+      </body>
+    </html>
+  );
+}
+```
+
+**With GTM (optional):**
+```tsx
+<CookieConsentBanner enableGTM gtmContainerId="GTM-XXXX" />
+```
+
+See the README [Cookie Consent](#cookie-consent-v700) section for server-side `read_consent` usage.
+
+**Checklist:**
+- [ ] `<CookieConsentBanner>` mounted in root layout
+- [ ] GTM container ID configured (if using GTM)
+
+---
+
 ## Phase 6: Verification Tests
 
 Run these tests to verify your setup is working correctly.

package/cli-src/cli/validate.ts

@@ -64,6 +64,9 @@ const REQUIRED_API_ROUTES = [
   { path: "api/hazo_auth/user_management/users/roles", method: "GET" },
   { path: "api/hazo_auth/user_management/users/roles", method: "POST" },
   { path: "api/hazo_auth/user_management/users/roles", method: "PUT" },
+  // OTP routes
+  { path: "api/hazo_auth/otp/request", method: "POST" },
+  { path: "api/hazo_auth/otp/verify", method: "POST" },
 ];
 
 // section: helpers
@@ -534,6 +537,7 @@ const REQUIRED_TABLES = [
   "hazo_role_permissions",
   "hazo_invitations",
   "hazo_refresh_tokens",
+  "hazo_email_otps",
 ];
 
 const TEXT_ID_TABLES = [

package/cli-src/lib/auth/nextauth_config.ts

@@ -5,8 +5,10 @@ import type { JWT } from "next-auth/jwt";
 // ESM/CJS interop: next-auth providers are CommonJS, handle both export scenarios
 import GoogleProviderImport from "next-auth/providers/google";
 const GoogleProvider = (GoogleProviderImport as any).default || GoogleProviderImport;
+import FacebookProviderImport from "next-auth/providers/facebook";
+const FacebookProvider = (FacebookProviderImport as any).default || FacebookProviderImport;
 import { get_oauth_config } from "../oauth_config.server.js";
-import { handle_google_oauth_login } from "../services/oauth_service.js";
+import { handle_google_oauth_login, handle_facebook_oauth_login } from "../services/oauth_service.js";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
 
@@ -35,6 +37,13 @@ export type NextAuthCallbackProfile = {
   email_verified?: boolean;
 };
 
+export type FacebookCallbackProfile = {
+  id?: string;
+  name?: string;
+  email?: string;
+  picture?: { data?: { url: string } } | string;
+};
+
 // section: config
 /**
  * Gets NextAuth.js configuration with enabled OAuth providers
@@ -67,6 +76,21 @@ export function get_nextauth_config(): AuthOptions {
     }
   }
 
+  // Add Facebook provider if enabled and credentials are present
+  if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
+    providers.push(
+      FacebookProvider({
+        clientId: oauth_config.facebook_client_id,
+        clientSecret: oauth_config.facebook_client_secret,
+        authorization: {
+          params: {
+            scope: "email,public_profile",
+          },
+        },
+      })
+    );
+  }
+
   return {
     providers,
     pages: {
@@ -88,6 +112,9 @@ export function get_nextauth_config(): AuthOptions {
         if (url.includes("/api/hazo_auth/oauth/google/callback")) {
           return url;
         }
+        if (url.includes("/api/hazo_auth/oauth/facebook/callback")) {
+          return url;
+        }
 
         // If URL is relative or same origin, allow it
         if (url.startsWith("/")) {
@@ -162,6 +189,75 @@ export function get_nextauth_config(): AuthOptions {
             return false;
           }
         }
+
+        if (account?.provider === "facebook" && profile) {
+          try {
+            const fbProfile = profile as FacebookCallbackProfile;
+            const hazoConnect = get_hazo_connect_instance();
+            const current_oauth_config = get_oauth_config();
+
+            // Resolve profile picture URL from Facebook's nested structure
+            let fb_picture_url: string | undefined;
+            if (fbProfile.picture) {
+              if (typeof fbProfile.picture === "string") {
+                fb_picture_url = fbProfile.picture;
+              } else if (fbProfile.picture?.data?.url) {
+                fb_picture_url = fbProfile.picture.data.url;
+              }
+            }
+            if (!fb_picture_url && user.image) {
+              fb_picture_url = user.image ?? undefined;
+            }
+
+            logger.info("nextauth_facebook_signin_attempt", {
+              email: user.email,
+              facebook_id: fbProfile.id,
+              name: user.name,
+            });
+
+            const result = await handle_facebook_oauth_login(
+              hazoConnect,
+              {
+                facebook_id: fbProfile.id || account.providerAccountId,
+                email: user.email ?? fbProfile.email ?? null,
+                name: user.name || fbProfile.name || undefined,
+                profile_picture_url: fb_picture_url,
+              },
+              { auto_link_unverified: current_oauth_config.auto_link_unverified_accounts_facebook }
+            );
+
+            if (!result.success) {
+              logger.error("nextauth_facebook_signin_failed", {
+                email: user.email,
+                error: result.error,
+              });
+              if (result.error === "link_blocked_unverified") {
+                return `/hazo_auth/login?error=link_blocked_unverified`;
+              }
+              return false;
+            }
+
+            logger.info("nextauth_facebook_signin_success", {
+              user_id: result.user_id,
+              email: result.email,
+              is_new_user: result.is_new_user,
+              was_linked: result.was_linked,
+            });
+
+            // Store user_id in account for the JWT callback to pick up
+            (account as Record<string, unknown>).hazo_user_id = result.user_id;
+
+            return true;
+          } catch (error) {
+            const errorMessage = error instanceof Error ? error.message : "Unknown error";
+            logger.error("nextauth_facebook_signin_exception", {
+              email: user.email,
+              error: errorMessage,
+            });
+            return false;
+          }
+        }
+
         return true;
       },
       /**
@@ -225,5 +321,9 @@ export function has_oauth_providers(): boolean {
     if (has_google_credentials) return true;
   }
 
+  if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
+    return true;
+  }
+
   return false;
 }

package/cli-src/lib/cookies_config.server.ts

@@ -27,6 +27,7 @@ export const BASE_COOKIE_NAMES = {
   USER_ID: "hazo_auth_user_id",
   USER_EMAIL: "hazo_auth_user_email",
   SESSION: "hazo_auth_session",
+  SESSION_KIND: "hazo_auth_session_kind", // v6.1: marks OTP-issued sessions so /me can apply sliding expiry
   DEV_LOCK: "hazo_auth_dev_lock",
   SCOPE_ID: "hazo_auth_scope_id", // v5.2: Tenant context cookie for multi-tenancy
   ANON_ID: "hazo_auth_anon_id", // v5.2: Stable opaque per-visitor ID for anonymous flows (e.g. hazo_feedback)