hazo_auth 6.1.1 → 7.0.2

package/README.md

@@ -2,154 +2,6 @@
 
 A reusable authentication UI component package powered by Next.js, TailwindCSS, and shadcn. It integrates `hazo_config` for configuration management and `hazo_connect` for data access, enabling future components to stay aligned with platform conventions.
 
-## What's New in v6.1.0
-
-**Email-OTP sign-in** — a passwordless, OAuth-free way to sign in via a 6-digit code emailed to the user. Targeted at single-operator deployments that don't want to wire Google OAuth or manage passwords.
-
-### Highlights
-
-- **New routes** — `POST /api/hazo_auth/otp/request` and `POST /api/hazo_auth/otp/verify`
-- **New components** — `<OTPRequestForm/>` and `<OTPVerifyForm/>` exported from `hazo_auth/client`
-- **New page** — `/hazo_auth/otp` (zero-config) via `hazo_auth/pages/otp`
-- **Sliding 7-day session** — OTP sessions auto-extend on `/me` when within 24h of expiry. OAuth/password sessions keep their existing 30-day fixed behaviour.
-- **Auto-register (opt-in)** — set `otp_auto_register = true` to let unknown emails sign in on first successful /verify
-- **Rate limited** — 3 requests/email/15min, 20 requests/IP/hour; per-code attempts capped at 5
-
-### Consumer example
-
-Mount the routes:
-
-```ts
-// app/api/hazo_auth/otp/request/route.ts
-export { otpRequestPOST as POST } from "hazo_auth/server/routes";
-
-// app/api/hazo_auth/otp/verify/route.ts
-export { otpVerifyPOST as POST } from "hazo_auth/server/routes";
-```
-
-Render the zero-config page:
-
-```tsx
-// app/hazo_auth/otp/page.tsx
-export { default } from "hazo_auth/pages/otp";
-```
-
-Or compose components yourself:
-
-```tsx
-"use client";
-import { OTPRequestForm, OTPVerifyForm } from "hazo_auth/client";
-import { useState } from "react";
-
-export default function CustomOtp() {
-  const [sent_to, set_sent_to] = useState<string | null>(null);
-  return sent_to
-    ? <OTPVerifyForm email={sent_to} redirect_url="/" />
-    : <OTPRequestForm on_sent={set_sent_to} />;
-}
-```
-
-### Required setup
-
-1. Apply migration: `npm run migrate migrations/015_email_otp.sql`
-2. Add `[hazo_auth__otp]` section to `config/hazo_auth_config.ini` (template in `hazo_auth_config.example.ini`)
-3. `hazo_notify ^3.0.0` (existing peer dep) must be configured to deliver email
-4. New peer dep: `input-otp` (optional; required only if you render `<OTPVerifyForm/>`)
-5. **Add OTP routes to your middleware/proxy `public_routes`** — unauthenticated users land on the OTP page, so the page route and its API routes must bypass auth guards:
-
-```typescript
-// middleware.ts / proxy.ts  (in your consuming app)
-const public_routes = [
-  // ... existing entries ...
-  "/hazo_auth/otp",        // OTP sign-in page (public — users arrive unauthenticated)
-  "/api/hazo_auth/otp",    // OTP request + verify API routes
-];
-```
-
-Without this your middleware redirects unauthenticated users away from the sign-in page before they can authenticate.
-
-See `MIGRATION.md` "v6.0.x → v6.1" for the full upgrade walkthrough.
-
----
-
-### What's New in v6.0.0 🚨 BREAKING CHANGE
-
-**`TenantAuthResult.organization` / `.organization_id` renamed to `.selected_scope` / `.selected_scope_id`.**
-
-The multi-tenancy model has been scope-based for several releases — `auth.user_scopes`, `auth.scope_access_via`, `auth.scope_ok`, the `hazo_auth_scope_id` cookie, the `X-Hazo-Scope-Id` header. The only holdouts using the legacy "organization" name were two fields on `TenantAuthResult` that were always just *"the currently selected scope"* under the hood. This release eliminates the inconsistency.
-
-> 📖 **Full migration guide:** [MIGRATION.md → v5.x → v6.0](./MIGRATION.md#v5x--v60-organization--selected_scope)
-
-**No behavioral change.** `selected_scope_id` is derived from the same scope-selection cookie/header that `organization_id` was. Wire-format auth responses change field names, but the underlying scope lookup is identical.
-
-**No deprecation shim.** A clean find-replace is the upgrade path. If you absolutely need a transitional period, pin to `hazo_auth@^5.3` until you can do the rename in one shot.
-
-**What to replace (find ↔ replace, all in your app code):**
-
-| Find                                              | Replace with                                       |
-| ------------------------------------------------- | -------------------------------------------------- |
-| `auth.organization`                               | `auth.selected_scope`                              |
-| `auth.organization_id`                            | `auth.selected_scope_id`                           |
-| `import type { TenantOrganization }`              | `import type { SelectedScope }`                    |
-| `: TenantOrganization`                            | `: SelectedScope`                                  |
-| `AuthenticatedTenantAuthWithOrg`                  | `AuthenticatedTenantAuthWithSelectedScope`         |
-
-**Before / after example:**
-
-```typescript
-// BEFORE (v5.x)
-import { hazo_get_tenant_auth } from "hazo_auth/server-lib";
-import type { TenantOrganization } from "hazo_auth";
-
-export async function GET(request: NextRequest) {
-  const auth = await hazo_get_tenant_auth(request);
-  if (!auth.authenticated || !auth.organization) {
-    return NextResponse.json({ error: "no tenant" }, { status: 403 });
-  }
-  const data = await getData(auth.organization_id);  // or auth.organization.id
-  return NextResponse.json({ org: auth.organization, data });
-}
-
-// AFTER (v6.0)
-import { hazo_get_tenant_auth } from "hazo_auth/server-lib";
-import type { SelectedScope } from "hazo_auth";
-
-export async function GET(request: NextRequest) {
-  const auth = await hazo_get_tenant_auth(request);
-  if (!auth.authenticated || !auth.selected_scope) {
-    return NextResponse.json({ error: "no tenant scope" }, { status: 403 });
-  }
-  const data = await getData(auth.selected_scope_id);  // or auth.selected_scope.id
-  return NextResponse.json({ selected_scope: auth.selected_scope, data });
-}
-```
-
-**What did NOT change** (same names, same behavior, same wire format):
-- `auth.user_scopes` — array of all scopes the user has access to
-- `auth.scope_ok`, `auth.scope_access_via` — scope-access fields
-- `hazo_auth_scope_id` cookie name and `X-Hazo-Scope-Id` request header
-- All `Tenant*` type and class names: `TenantAuthResult`, `TenantAuthOptions`, `RequiredTenantAuthResult`, `TenantRequiredError`, `TenantAccessDeniedError`, `hazo_get_tenant_auth`, `require_tenant_auth`, `withAuth`'s `require_tenant` option
-- The error response `{ code: "TENANT_REQUIRED" }` shape — only the human-readable `error` string was rephrased ("Organization context required" → "Tenant scope context required")
-
-**One-liner upgrade for typical consumers:**
-
-```bash
-# Run from your app repo (NOT inside hazo_auth itself).
-# Update the path glob to match your code layout.
-git grep -l "organization\b\|TenantOrganization\|AuthenticatedTenantAuthWithOrg" -- 'src/**' 'app/**' 'lib/**' \
-  | xargs sed -i.bak '
-    s/auth\.organization_id\b/auth.selected_scope_id/g;
-    s/auth\.organization\b/auth.selected_scope/g;
-    s/\bTenantOrganization\b/SelectedScope/g;
-    s/\bAuthenticatedTenantAuthWithOrg\b/AuthenticatedTenantAuthWithSelectedScope/g;
-  '
-# Then: review the diff carefully — sed is blunt. Remove .bak files when satisfied.
-```
-
-> ⚠️ The sed line is a starting point, not a blanket "trust me." It only catches `auth.organization*` and the type names. If you destructure (`const { organization } = auth`), aliased imports (`TenantOrganization as Org`), or reference `organization` for unrelated reasons (HTML autocomplete attribute, your own variables), the script either misses or wrongly rewrites them. **Always diff before committing.**
-
----
-
 ### What's New in v5.3.1 🔧
 
 **`get_client_ip(request)` exported from `hazo_auth/server-lib`** — extracts the client IP from `x-forwarded-for` (first element), falling back to `x-real-ip`, then `"unknown"`. Previously private to `hazo_get_auth.server.ts`. Useful for consumers that need consistent IP extraction across handlers (e.g., `hazo_feedback` audit logging).
@@ -1792,7 +1644,7 @@ export async function proxy(request: NextRequest) {
 
 #### `hazo_get_tenant_auth` (Recommended for Multi-Tenant Apps)
 
-**New:** Tenant-aware authentication function that extracts scope context from request headers or cookies and returns enriched result including the currently selected scope.
+**New:** Tenant-aware authentication function that extracts scope context from request headers or cookies and returns enriched result with organization information.
 
 **Location:** `src/lib/auth/hazo_get_tenant_auth.server.ts`
 
@@ -1826,9 +1678,8 @@ type TenantAuthResult =
       permissions: string[];
       permission_ok: boolean;
       missing_permissions?: string[];
-      selected_scope: SelectedScope | null;     // Currently selected tenant/scope
-      selected_scope_id: string | null;         // Shorthand for selected_scope?.id
-      user_scopes: ScopeDetails[];              // All user's scopes for switching
+      organization: TenantOrganization | null;  // NEW: Tenant context
+      user_scopes: ScopeDetails[];              // NEW: All user's scopes for switching
       scope_ok: boolean;
     }
   | {
@@ -1836,13 +1687,12 @@ type TenantAuthResult =
       user: null;
       permissions: [];
       permission_ok: false;
-      selected_scope: null;
-      selected_scope_id: null;
+      organization: null;
       user_scopes: [];
       scope_ok: false;
     };
 
-type SelectedScope = {
+type TenantOrganization = {
   id: string;
   name: string;
   slug: string | null;          // URL-friendly identifier
@@ -1884,10 +1734,10 @@ export async function GET(request: NextRequest) {
     return NextResponse.json({ error: "Authentication required" }, { status: 401 });
   }
 
-  if (!auth.selected_scope) {
+  if (!auth.organization) {
     return NextResponse.json(
       {
-        error: "No tenant scope context",
+        error: "No organization context",
         available_scopes: auth.user_scopes.map(s => ({ id: s.id, name: s.name }))
       },
       { status: 403 }
@@ -1895,10 +1745,10 @@ export async function GET(request: NextRequest) {
   }
 
   // Access tenant-specific data
-  const data = await getTenantData(auth.selected_scope.id);
+  const data = await getTenantData(auth.organization.id);
 
   return NextResponse.json({
-    selected_scope: auth.selected_scope,
+    organization: auth.organization,
     data,
     // Include available scopes for UI scope switcher
     available_scopes: auth.user_scopes,
@@ -1916,8 +1766,8 @@ export async function GET(request: NextRequest) {
       required_permissions: ["view_reports"],
     });
 
-    // auth.selected_scope is guaranteed non-null here
-    const reports = await getReports(auth.selected_scope.id);
+    // auth.organization is guaranteed non-null here
+    const reports = await getReports(auth.organization.id);
     return NextResponse.json({ reports });
   } catch (error) {
     if (error instanceof HazoAuthError) {
@@ -1967,16 +1817,16 @@ Helper function that wraps `hazo_get_tenant_auth` and throws typed errors for co
 - `TenantRequiredError` (403) - No tenant context in request
 - `TenantAccessDeniedError` (403) - User lacks access to requested tenant
 
-**Returns:** `RequiredTenantAuthResult` with guaranteed non-null `selected_scope`
+**Returns:** `RequiredTenantAuthResult` with guaranteed non-null `organization`
 
 **Example:**
 ```typescript
 export async function GET(request: NextRequest) {
   try {
-    // selected_scope is guaranteed to exist
-    const { selected_scope, user, permissions } = await require_tenant_auth(request);
+    // organization is guaranteed to exist
+    const { organization, user, permissions } = await require_tenant_auth(request);
 
-    const data = await getData(selected_scope.id);
+    const data = await getData(organization.id);
     return NextResponse.json(data);
   } catch (error) {
     if (error instanceof HazoAuthError) {
@@ -2029,10 +1879,10 @@ export const DELETE = withAuth<{ id: string }>(
   { required_permissions: ["admin_system"] }
 );
 
-// With tenant requirement (auth.selected_scope guaranteed non-null)
+// With tenant requirement (auth.organization guaranteed non-null)
 export const GET = withAuth<{ id: string }>(
   async (request, auth, { id }) => {
-    const data = await getData(auth.selected_scope.id, id);
+    const data = await getData(auth.organization.id, id);
     return NextResponse.json(data);
   },
   { require_tenant: true }
@@ -3128,3 +2978,51 @@ The `package.json` exports field defines the public API:
 - Use `npx shadcn@latest add <component>` to scaffold new UI primitives.
 - Centralize configurable values through `hazo_config`.
 - Access backend resources exclusively via `hazo_connect`.
+
+## Email OTP sign-in
+
+```tsx
+// app/(auth)/otp/page.tsx
+import { OTPPage } from "hazo_auth/pages/otp";
+export default function Page(props) { return <OTPPage {...props} />; }
+```
+
+Enable in config: `[hazo_auth__otp] enable_email_otp = true`. Run `npx hazo_auth migrate migrations/015_email_otp.sql`.
+
+## Theming
+
+```tsx
+import { HazoAuthThemeProvider, createTheme } from "hazo_auth/theme";
+
+const my_theme = createTheme({
+  colors: { primary: "#1D4ED8" },
+  layout: "split",
+  brandPanel: { logoSrc: "/logo.svg", tagline: "Welcome." },
+});
+
+<HazoAuthThemeProvider theme={my_theme}>
+  <LoginPage />
+</HazoAuthThemeProvider>
+```
+
+Theme is auth-page scoped. Does not affect `:root`.
+
+## Cookie Consent
+
+```tsx
+import { CookieConsentBanner } from "hazo_auth/consent";
+// Place in your root layout:
+<CookieConsentBanner />
+```
+
+Server-side consent check: `GET /api/hazo_auth/consent/me` returns `ConsentState`.
+
+## String overrides
+
+```tsx
+import { HazoAuthStringsProvider } from "hazo_auth/strings";
+
+<HazoAuthStringsProvider strings={{ login: { title: "Welcome back" } }}>
+  <LoginPage />
+</HazoAuthStringsProvider>
+```

package/SETUP_CHECKLIST.md

@@ -958,7 +958,27 @@ CREATE UNIQUE INDEX IF NOT EXISTS idx_hazo_users_google_id_unique ON hazo_users(
 CREATE INDEX IF NOT EXISTS idx_hazo_users_google_id ON hazo_users(google_id);
 ```
 
-### Step 3.2.4: Configure OAuth in hazo_auth_config.ini
+### Step 3.2.4 (Optional): Run Email OTP Migration
+
+Required only if you plan to enable `enable_email_otp = true` in `[hazo_auth__otp]`.
+
+```bash
+npx hazo_auth migrate migrations/015_email_otp.sql
+```
+
+Creates `hazo_email_otps` table for OTP codes and rate limiting.
+
+### Step 3.2.4b (Optional): Run Facebook OAuth Migration
+
+Required only if `enable_facebook_oauth = true` in `[hazo_auth__oauth]`.
+
+```bash
+npx hazo_auth migrate migrations/016_add_facebook_id_to_hazo_users.sql
+```
+
+Adds `facebook_id` column to `hazo_users`.
+
+### Step 3.2.5: Configure OAuth in hazo_auth_config.ini
 
 Add (or modify) the OAuth section:
 
@@ -1443,98 +1463,6 @@ export { POST } from "hazo_auth/server/routes/pin_login";
 
 ---
 
-## Phase 5.3: Email-OTP Sign-in Setup (Optional)
-
-Email-OTP sign-in lets users authenticate with a 6-digit code sent to their email — no password or Google OAuth required. Skip this phase if your app uses only password or OAuth authentication.
-
-### Step 5.3.1: Apply the OTP migration
-
-```bash
-npm run migrate migrations/015_email_otp.sql
-```
-
-This creates the `hazo_email_otps` table (stores hashed codes with expiry).
-
-**Verify the table exists:**
-```bash
-sqlite3 data/hazo_auth.sqlite ".tables" | tr ' ' '\n' | grep hazo_email_otps
-# Expected: hazo_email_otps
-```
-
-### Step 5.3.2: Add OTP config section
-
-Add to `config/hazo_auth_config.ini`:
-
-```ini
-[hazo_auth__otp]
-# Whether OTP sign-in is enabled
-enabled = true
-
-# Auto-register unknown emails on first successful verify (default: false)
-otp_auto_register = false
-
-# Code expiry in minutes (default: 10)
-code_expiry_minutes = 10
-```
-
-### Step 5.3.3: Create OTP API routes
-
-```bash
-npx hazo_auth generate-routes
-```
-
-Or manually:
-
-`app/api/hazo_auth/otp/request/route.ts`:
-```typescript
-export { otpRequestPOST as POST } from "hazo_auth/server/routes";
-```
-
-`app/api/hazo_auth/otp/verify/route.ts`:
-```typescript
-export { otpVerifyPOST as POST } from "hazo_auth/server/routes";
-```
-
-### Step 5.3.4: Create the OTP sign-in page
-
-`app/hazo_auth/otp/page.tsx`:
-```typescript
-export { default } from "hazo_auth/pages/otp";
-```
-
-### Step 5.3.5: Add OTP routes to middleware/proxy public_routes (REQUIRED)
-
-**This step is critical.** Unauthenticated users arrive at the OTP sign-in page before they have auth cookies. If the OTP routes are not in `public_routes`, your middleware will redirect them to `/login` in a loop.
-
-Edit your `middleware.ts` or `proxy.ts`:
-
-```typescript
-const public_routes = [
-  // ... existing entries ...
-  "/hazo_auth/otp",        // OTP sign-in page (public — users arrive unauthenticated)
-  "/api/hazo_auth/otp",    // OTP request + verify API routes
-];
-```
-
-### Step 5.3.6: Install optional peer dep (if using OTPVerifyForm)
-
-If you render `<OTPVerifyForm/>` directly (rather than using the zero-config page), install:
-
-```bash
-npm install input-otp
-```
-
-**OTP Setup Checklist:**
-- [ ] `hazo_email_otps` table created (`npm run migrate migrations/015_email_otp.sql`)
-- [ ] `[hazo_auth__otp]` section added to `hazo_auth_config.ini`
-- [ ] OTP API routes created (`/api/hazo_auth/otp/request` and `/api/hazo_auth/otp/verify`)
-- [ ] OTP page created (`/hazo_auth/otp`)
-- [ ] `/hazo_auth/otp` and `/api/hazo_auth/otp` added to middleware `public_routes`
-- [ ] `input-otp` installed (only if using `<OTPVerifyForm/>` directly)
-- [ ] Email delivery configured (`hazo_notify` + valid `ZEPTOMAIL_API_KEY`)
-
----
-
 ## Phase 6: Verification Tests
 
 Run these tests to verify your setup is working correctly.
@@ -2016,10 +1944,10 @@ import { hazo_get_tenant_auth } from "hazo_auth/server-lib";
 export async function GET(request: NextRequest) {
   const auth = await hazo_get_tenant_auth(request);
 
-  if (auth.authenticated && auth.selected_scope) {
-    // auth.selected_scope contains the currently selected tenant/scope
+  if (auth.authenticated && auth.organization) {
+    // auth.organization contains tenant details
     // auth.user_scopes contains all scopes user can access (for UI switcher)
-    const data = await getTenantData(auth.selected_scope.id);
+    const data = await getTenantData(auth.organization.id);
   }
 }
 ```
@@ -2031,8 +1959,8 @@ import { require_tenant_auth, HazoAuthError } from "hazo_auth/server-lib";
 export async function GET(request: NextRequest) {
   try {
     const auth = await require_tenant_auth(request);
-    // auth.selected_scope is guaranteed non-null
-    return NextResponse.json(await getData(auth.selected_scope.id));
+    // auth.organization is guaranteed non-null
+    return NextResponse.json(await getData(auth.organization.id));
   } catch (error) {
     if (error instanceof HazoAuthError) {
       return NextResponse.json(
@@ -2052,7 +1980,7 @@ import { withAuth } from "hazo_auth/server-lib";
 // Auth + params + error handling all automatic
 export const GET = withAuth<{ id: string }>(
   async (request, auth, { id }) => {
-    const data = await getData(auth.selected_scope.id, id);
+    const data = await getData(auth.organization.id, id);
     return NextResponse.json(data);
   },
   { require_tenant: true }
@@ -2101,7 +2029,7 @@ const auth = await hazo_get_tenant_auth(request);
 
 // Return available scopes to frontend
 return NextResponse.json({
-  current_scope: auth.selected_scope,
+  current_scope: auth.organization,
   available_scopes: auth.user_scopes.map(s => ({
     id: s.id,
     name: s.name,

package/cli-src/cli/generate.ts

@@ -127,20 +127,11 @@ ${exports}
 }
 
 function generate_page_content(page: PageDefinition): string {
-  // Next 16 requires page default exports to satisfy `PageProps` (i.e. accept
-  // `{ params?, searchParams? }` and nothing else). Re-exporting the named
-  // component directly fails that check because the component carries custom
-  // props (image_src, layout, …). The wrapper below is a parameter-less
-  // function that returns the component — Next sees a `() => JSX` signature
-  // which trivially satisfies PageProps. Direct JSX consumers still use the
-  // named export from `hazo_auth/pages` and get the full custom-prop API.
   return `// Generated by hazo_auth - do not edit manually
 // Page: /${page.path}
 import { ${page.component_name} } from "hazo_auth/pages";
 
-export default function Page() {
-  return <${page.component_name} />;
-}
+export default ${page.component_name};
 `;
 }
 

package/cli-src/cli/validate.ts

@@ -64,9 +64,6 @@ const REQUIRED_API_ROUTES = [
   { path: "api/hazo_auth/user_management/users/roles", method: "GET" },
   { path: "api/hazo_auth/user_management/users/roles", method: "POST" },
   { path: "api/hazo_auth/user_management/users/roles", method: "PUT" },
-  // OTP routes
-  { path: "api/hazo_auth/otp/request", method: "POST" },
-  { path: "api/hazo_auth/otp/verify", method: "POST" },
 ];
 
 // section: helpers
@@ -537,7 +534,6 @@ const REQUIRED_TABLES = [
   "hazo_role_permissions",
   "hazo_invitations",
   "hazo_refresh_tokens",
-  "hazo_email_otps",
 ];
 
 const TEXT_ID_TABLES = [

package/cli-src/lib/auth/auth_types.ts

@@ -1,12 +1,4 @@
 // file_description: Type definitions and error classes for hazo_get_auth utility
-//
-// Naming note (v6.0.0): the field previously called `organization` (and
-// `organization_id`) on `TenantAuthResult` was renamed to `selected_scope`
-// (and `selected_scope_id`), and the type `TenantOrganization` was renamed
-// to `SelectedScope`. The multi-tenancy model is scopes throughout; the
-// old name was a legacy synonym for "the currently selected scope" derived
-// from the scope-selection cookie/header. No deprecation shim is provided.
-//
 // section: types
 
 /**
@@ -131,11 +123,10 @@ export type ScopeDetails = {
 };
 
 /**
- * Currently selected scope information returned in tenant auth results.
- * Simplified view of the scope chosen via the scope-selection cookie or
- * `X-Hazo-Scope-Id` header.
+ * Tenant/organization information returned in tenant auth results
+ * Simplified view of scope for API responses
  */
-export type SelectedScope = {
+export type TenantOrganization = {
   id: string;
   name: string;
   slug: string | null;
@@ -176,9 +167,9 @@ export type TenantAuthResult =
       permissions: string[];
       permission_ok: boolean;
       missing_permissions?: string[];
-      selected_scope: SelectedScope | null;
-      /** Shorthand for selected_scope?.id - commonly used for DB query filters. */
-      selected_scope_id: string | null;
+      organization: TenantOrganization | null;
+      /** Shorthand for organization?.id - commonly used for DB query filters */
+      organization_id: string | null;
       user_scopes: ScopeDetails[];
       scope_ok?: boolean;
       scope_access_via?: ScopeAccessInfo;
@@ -188,20 +179,20 @@ export type TenantAuthResult =
       user: null;
       permissions: [];
       permission_ok: false;
-      selected_scope: null;
-      /** Shorthand for selected_scope?.id - commonly used for DB query filters. */
-      selected_scope_id: null;
+      organization: null;
+      /** Shorthand for organization?.id - commonly used for DB query filters */
+      organization_id: null;
       user_scopes: [];
       scope_ok?: false;
     };
 
 /**
- * Guaranteed authenticated result with non-null selected_scope.
- * Returned by require_tenant_auth when validation passes.
+ * Guaranteed authenticated result with non-null organization
+ * Returned by require_tenant_auth when validation passes
  */
 export type RequiredTenantAuthResult = TenantAuthResult & {
   authenticated: true;
-  selected_scope: SelectedScope;
+  organization: TenantOrganization;
 };
 
 // section: tenant_error_classes