hazo_auth 7.0.2 → 8.0.1

package/README.md

@@ -2,6 +2,40 @@
 
 A reusable authentication UI component package powered by Next.js, TailwindCSS, and shadcn. It integrates `hazo_config` for configuration management and `hazo_connect` for data access, enabling future components to stay aligned with platform conventions.
 
+### What's New in v8.0.1 🔧
+
+**Auto-test and middleware bug fixes**
+
+- Fixed 307 redirects blocking OTP, strings, consent, and legal_docs API routes when hit without auth cookies — all four are now in `middleware.ts` `public_routes`.
+- Auto-test runner register calls now include `legal_accepted` hashes when legal docs are configured, fixing 24 test failures that cascaded from the initial registration step.
+
+### What's New in v8.0.0 ⚠️ BREAKING CHANGE
+
+**Legal Document Acceptance** — opt-in, INI-configured. Add `[hazo_auth__legal_docs]` to `hazo_auth_config.ini` to require users to accept terms before registering. Each doc is a markdown file; hazo_auth hashes it, tracks acceptance history, and blocks register until all current hashes are accepted.
+
+**Breaking:** Deprecated page-component wrappers removed (`LoginPage`, `RegisterPage`, `ForgotPasswordPage`, `ResetPasswordPage`, `VerifyEmailPage` from `hazo_auth/page_components/*`). Use `*Layout` components directly in a server component instead.
+
+Run these migrations (in order) to upgrade an existing database:
+- `017_legal_acceptance_column.sql`
+- `018_hazo_legal_acceptances.sql`
+- `019_hazo_legal_doc_versions.sql`
+
+**New exports** — `LegalAcceptanceGate`, `LegalDocDrawer`, `LegalDocCheckboxList`, `LegalDocCombinedView` from `hazo_auth/client`; `legalDocsGET`, `legalDocsAcceptPOST`, `legalDocsPublishPOST` from `hazo_auth/server/routes`; `LegalDoc`, `LegalAcceptanceRecord`, `LegalAcceptanceMap` types from `hazo_auth`.
+
+**New dependency** — `react-markdown` (markdown rendering for legal doc drawers).
+
+```ini
+# config/hazo_auth_config.ini
+[hazo_auth__legal_docs]
+display_mode = separate    # separate | combined
+doc_1_key    = tos
+doc_1_title  = Terms of Service
+doc_1_path   = legal/tos.md
+doc_2_key    = privacy
+doc_2_title  = Privacy Policy
+doc_2_path   = legal/privacy.md
+```
+
 ### What's New in v5.3.1 🔧
 
 **`get_client_ip(request)` exported from `hazo_auth/server-lib`** — extracts the client IP from `x-forwarded-for` (first element), falling back to `x-real-ip`, then `"unknown"`. Previously private to `hazo_get_auth.server.ts`. Useful for consumers that need consistent IP extraction across handlers (e.g., `hazo_feedback` audit logging).

package/SETUP_CHECKLIST.md

@@ -2,6 +2,37 @@
 
 This checklist provides step-by-step instructions for setting up the `hazo_auth` package in your Next.js project. AI assistants can follow this guide to ensure complete and correct setup.
 
+## v8.0.0 Migration (from v7.x)
+
+### Breaking changes
+
+Remove the deprecated page-component imports if you used them:
+
+```diff
+- import LoginPage from 'hazo_auth/page_components/login';
+- import RegisterPage from 'hazo_auth/page_components/register';
++ // Use the Layout components directly in a server component instead
++ import LoginLayout from 'hazo_auth/components/layouts/login';
++ import RegisterLayout from 'hazo_auth/components/layouts/register';
+```
+
+### New migrations (run in order)
+
+```bash
+npm run migrate migrations/017_legal_acceptance_column.sql
+npm run migrate migrations/018_hazo_legal_acceptances.sql
+npm run migrate migrations/019_hazo_legal_doc_versions.sql
+```
+
+### Legal docs setup (optional)
+
+1. Add `[hazo_auth__legal_docs]` to `config/hazo_auth_config.ini` (see commented sample at the bottom of that file)
+2. Create markdown files at the configured paths (e.g. `legal/tos.md`, `legal/privacy.md`)
+3. Wrap your app layout with `<LegalAcceptanceGate>` from `hazo_auth/client`
+4. Go to User Management → Legal Docs tab, click "Publish current version" per doc to activate gating for existing users
+
+---
+
 ## v5.3.0 Migration (from v5.2.x)
 
 If you are already on hazo_auth `5.2.x`, the only mandatory work is wiring up hazo_notify's template manager at boot. Apps that don't use the templated email path (only the plain `send_email`) keep working unchanged after bumping the peer dep.

package/cli-src/lib/auth/auth_types.ts

@@ -1,5 +1,6 @@
 // file_description: Type definitions and error classes for hazo_get_auth utility
 // section: types
+import type { LegalAcceptanceMap } from '../legal/legal_docs_types';
 
 /**
  * User data structure returned by hazo_get_auth
@@ -13,6 +14,8 @@ export type HazoAuthUser = {
   managed_by_user_id?: string | null;
   // App-specific user data (JSON object stored as TEXT in database)
   app_user_data: Record<string, unknown> | null;
+  // Legal document acceptance map (JSON object stored in database)
+  legal_acceptance: LegalAcceptanceMap | null;
 };
 
 /**

package/cli-src/lib/auth/hazo_get_auth.server.ts

@@ -59,6 +59,24 @@ function parse_app_user_data(
   }
 }
 
+/**
+ * Parse raw legal_acceptance field from DB to LegalAcceptanceMap
+ * @param raw - Raw value from database (string or object)
+ * @returns Parsed LegalAcceptanceMap or null
+ */
+function parse_legal_acceptance(
+  raw: unknown,
+): import('../legal/legal_docs_types').LegalAcceptanceMap | null {
+  if (!raw) return null;
+  try {
+    const parsed = typeof raw === 'string' ? JSON.parse(raw) : raw;
+    if (typeof parsed !== 'object' || Array.isArray(parsed)) return null;
+    return parsed as import('../legal/legal_docs_types').LegalAcceptanceMap;
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Gets client IP address from request
  * @param request - NextRequest object
@@ -185,6 +203,7 @@ async function fetch_user_data_from_db(user_id: string): Promise<{
       (user_db.profile_picture_url as string | null) || null,
     managed_by_user_id: (user_db.managed_by_user_id as string | undefined) || null,
     app_user_data: parse_app_user_data(user_db.app_user_data),
+    legal_acceptance: parse_legal_acceptance(user_db.legal_acceptance),
   };
 
   // v5.x: Fetch user's roles from hazo_user_scopes (scope-based role assignments)

package/cli-src/lib/legal/legal_docs_config.server.ts

@@ -0,0 +1,61 @@
+// file_description: server-only helper to read legal docs configuration from hazo_auth_config.ini
+// section: server-only-guard
+import 'server-only';
+
+// section: imports
+import { read_config_section } from '../config/config_loader.server.js';
+import type { LegalDocConfig, LegalDocsConfig } from './legal_docs_types';
+
+// section: constants
+const SECTION_NAME = 'hazo_auth__legal_docs';
+
+// section: cache
+// Cached after first load — INI changes require server restart anyway
+let _cached: LegalDocsConfig | null = null;
+
+// section: exports
+
+/**
+ * Reads legal docs configuration from hazo_auth_config.ini.
+ * Returns an empty docs array if the section is absent (legal docs disabled).
+ *
+ * Expected INI shape:
+ *   [hazo_auth__legal_docs]
+ *   display_mode = separate   ; or: combined
+ *   doc_1_key   = terms
+ *   doc_1_title = Terms of Service
+ *   doc_1_path  = legal/terms.md
+ *   doc_2_key   = privacy
+ *   doc_2_title = Privacy Policy
+ *   doc_2_path  = legal/privacy.md
+ */
+export function get_legal_docs_config(): LegalDocsConfig {
+  if (_cached) return _cached;
+
+  const section = read_config_section(SECTION_NAME) ?? {};
+
+  const docs: LegalDocConfig[] = [];
+  let i = 1;
+  while (section[`doc_${i}_key`]) {
+    docs.push({
+      key: section[`doc_${i}_key`],
+      title: section[`doc_${i}_title`] ?? section[`doc_${i}_key`],
+      path: section[`doc_${i}_path`],
+    });
+    i++;
+  }
+
+  _cached = {
+    docs,
+    display_mode: section['display_mode'] === 'combined' ? 'combined' : 'separate',
+  };
+
+  return _cached;
+}
+
+/**
+ * Call this in tests to clear the cache between runs.
+ */
+export function _reset_legal_docs_config_cache(): void {
+  _cached = null;
+}

package/cli-src/lib/legal/legal_docs_reader.server.ts

@@ -0,0 +1,36 @@
+// file_description: server-only utility that reads a legal document from disk and returns its content + SHA-256 hash
+// section: server-only-guard
+import 'server-only';
+
+// section: imports
+import * as fs from 'fs';
+import * as path from 'path';
+import { createHash } from 'crypto';
+
+// section: types
+
+export interface ReadDocResult {
+  content: string;
+  hash: string; // "sha256:<hex>"
+}
+
+// section: exports
+
+/**
+ * Reads a legal document from the filesystem and returns its text content
+ * together with a deterministic SHA-256 hash of that content.
+ *
+ * @param doc_path - Absolute path, or a path relative to process.cwd().
+ * @returns { content, hash } where hash is formatted as "sha256:<hex>".
+ * @throws If the file cannot be read.
+ */
+export function read_legal_doc(doc_path: string): ReadDocResult {
+  const abs_path = path.isAbsolute(doc_path)
+    ? doc_path
+    : path.join(process.cwd(), doc_path);
+
+  const content = fs.readFileSync(abs_path, 'utf-8');
+  const hex = createHash('sha256').update(content).digest('hex');
+
+  return { content, hash: `sha256:${hex}` };
+}

package/cli-src/lib/legal/legal_docs_service.ts

@@ -0,0 +1,196 @@
+// file_description: service functions for the legal document acceptance system
+// section: imports
+import { createCrudService } from 'hazo_connect/server';
+import type { LegalAcceptanceMap } from './legal_docs_types';
+
+// section: helpers
+
+function generate_id(): string {
+  return crypto.randomUUID();
+}
+
+// section: exports
+
+/**
+ * Write legal acceptance records. Call from:
+ * - registration_service (bundled with register POST, pre-session)
+ * - legal_docs_accept route (authenticated, post-login)
+ *
+ * Inserts one row per doc into hazo_legal_acceptances (audit history) and
+ * merges the result into the denormalised hazo_users.legal_acceptance JSONB
+ * column for fast "has this user accepted the current version?" queries.
+ */
+export async function write_legal_acceptance(
+  adapter: any,
+  user_id: string,
+  accepted: Record<string, { hash: string }>,
+  ip: string | null,
+  user_agent: string | null,
+): Promise<void> {
+  const now = new Date().toISOString();
+
+  // 1. Insert one history row per doc
+  const history_service = createCrudService(adapter, 'hazo_legal_acceptances');
+  for (const [doc_key, { hash }] of Object.entries(accepted)) {
+    await history_service.insert({
+      id: generate_id(),
+      user_id,
+      doc_key,
+      doc_hash: hash,
+      accepted_at: now,
+      ip,
+      user_agent,
+    });
+  }
+
+  // 2. Merge into denormalized JSONB on hazo_users
+  const users_service = createCrudService(adapter, 'hazo_users');
+  const rows = await users_service.findBy({ id: user_id });
+
+  const existing_raw = rows[0]?.legal_acceptance;
+  let existing: LegalAcceptanceMap = {};
+  if (existing_raw) {
+    try {
+      existing = typeof existing_raw === 'string'
+        ? JSON.parse(existing_raw)
+        : (existing_raw as LegalAcceptanceMap);
+    } catch { /* corrupt — start fresh */ }
+  }
+
+  const updated: LegalAcceptanceMap = { ...existing };
+  for (const [doc_key, { hash }] of Object.entries(accepted)) {
+    updated[doc_key] = { hash, accepted_at: now, ip, user_agent };
+  }
+
+  await users_service.updateById(user_id, {
+    legal_acceptance: JSON.stringify(updated),
+    changed_at: now,
+  });
+}
+
+/**
+ * Publish a doc version as the new required version (admin action).
+ * Upserts hazo_legal_doc_versions keyed on doc_key.
+ */
+export async function publish_doc_version(
+  adapter: any,
+  doc_key: string,
+  required_hash: string,
+  published_by_user_id: string,
+): Promise<{ published_at: string }> {
+  const now = new Date().toISOString();
+
+  // createCrudService with doc_key as primary key so updateById works correctly
+  const versions_service = createCrudService(adapter, 'hazo_legal_doc_versions', {
+    primaryKeys: ['doc_key'],
+    autoId: false,
+  });
+
+  const existing = await versions_service.findBy({ doc_key });
+
+  if (existing.length > 0) {
+    await versions_service.updateById(doc_key, {
+      required_hash,
+      published_at: now,
+      published_by_user_id,
+    });
+  } else {
+    await versions_service.insert({
+      doc_key,
+      required_hash,
+      published_at: now,
+      published_by_user_id,
+    });
+  }
+
+  return { published_at: now };
+}
+
+/**
+ * Return required version info keyed by doc_key.
+ */
+export async function get_required_versions(
+  adapter: any,
+  doc_keys: string[],
+): Promise<Record<string, { required_hash: string; published_at: string }>> {
+  if (doc_keys.length === 0) return {};
+
+  const versions_service = createCrudService(adapter, 'hazo_legal_doc_versions', {
+    primaryKeys: ['doc_key'],
+    autoId: false,
+  });
+
+  const rows = await versions_service.list((qb) =>
+    qb.whereIn('doc_key', doc_keys).select(['doc_key', 'required_hash', 'published_at'])
+  );
+
+  const result: Record<string, { required_hash: string; published_at: string }> = {};
+  for (const row of rows) {
+    result[String(row.doc_key)] = {
+      required_hash: String(row.required_hash),
+      published_at: String(row.published_at),
+    };
+  }
+  return result;
+}
+
+/**
+ * Return acceptance history for a user across all doc keys, newest first.
+ */
+export async function get_user_acceptance_history(
+  adapter: any,
+  user_id: string,
+): Promise<Array<{
+  doc_key: string;
+  doc_hash: string;
+  accepted_at: string;
+  ip: string | null;
+  user_agent: string | null;
+}>> {
+  const history_service = createCrudService(adapter, 'hazo_legal_acceptances');
+
+  return history_service.list((qb) =>
+    qb
+      .where('user_id', 'eq', user_id)
+      .select(['doc_key', 'doc_hash', 'accepted_at', 'ip', 'user_agent'])
+      .order('accepted_at', 'desc')
+  ) as Promise<Array<{
+    doc_key: string;
+    doc_hash: string;
+    accepted_at: string;
+    ip: string | null;
+    user_agent: string | null;
+  }>>;
+}
+
+/**
+ * Count how many users have accepted the current required hash for a doc key.
+ * Returns { current, total } where current is users on the required_hash and
+ * total is all users in the system (including those with no legal_acceptance data).
+ *
+ * Note: This performs an in-process scan over all users.  For large user bases
+ * consider a dedicated SQL query in a future optimisation.
+ */
+export async function get_compliance_count(
+  adapter: any,
+  doc_key: string,
+  required_hash: string,
+): Promise<{ current: number; total: number }> {
+  const users_service = createCrudService(adapter, 'hazo_users');
+  const all_users = await users_service.list((qb) =>
+    qb.select(['id', 'legal_acceptance'])
+  );
+
+  let current = 0;
+  for (const user of all_users) {
+    let map: LegalAcceptanceMap = {};
+    try {
+      map = typeof user.legal_acceptance === 'string'
+        ? JSON.parse(user.legal_acceptance as string)
+        : ((user.legal_acceptance ?? {}) as LegalAcceptanceMap);
+    } catch { /* ignore corrupt rows */ }
+    if (map[doc_key]?.hash === required_hash) current++;
+  }
+
+  return { current, total: all_users.length };
+}

package/cli-src/lib/legal/legal_docs_types.ts

@@ -0,0 +1,31 @@
+// file_description: shared types for the legal document acceptance system
+
+export interface LegalDocConfig {
+  key: string;
+  title: string;
+  path: string;
+}
+
+export interface LegalDocsConfig {
+  docs: LegalDocConfig[];
+  display_mode: 'separate' | 'combined';
+}
+
+export interface LegalDoc {
+  key: string;
+  title: string;
+  content: string;
+  hash: string;
+  required_hash: string | null;
+  required_published_at: string | null;
+}
+
+export interface LegalAcceptanceRecord {
+  hash: string;
+  accepted_at: string;
+  ip: string | null;
+  user_agent: string | null;
+}
+
+// Shape of hazo_users.legal_acceptance JSONB
+export type LegalAcceptanceMap = Record<string, LegalAcceptanceRecord>;

package/cli-src/lib/services/registration_service.ts

@@ -16,6 +16,7 @@ import {
   is_user_types_enabled,
   get_default_user_type,
 } from "../user_types_config.server.js";
+import { write_legal_acceptance } from "../legal/legal_docs_service.js";
 
 // section: types
 export type RegistrationData = {
@@ -23,6 +24,9 @@ export type RegistrationData = {
   password: string;
   name?: string;
   url_on_logon?: string;
+  legal_accepted?: Record<string, { hash: string }>;
+  ip?: string | null;
+  user_agent?: string | null;
 };
 
 export type RegistrationResult = {
@@ -156,7 +160,7 @@ export async function register_user(
         user_email: email,
         user_name: name,
       });
-      
+
       if (!email_result.success) {
         const logger = create_app_logger();
         logger.error("registration_service_email_send_failed", {
@@ -170,6 +174,17 @@ export async function register_user(
       }
     }
 
+    // Write legal acceptance records if provided
+    if (data.legal_accepted && Object.keys(data.legal_accepted).length > 0) {
+      await write_legal_acceptance(
+        adapter,
+        user_id,
+        data.legal_accepted,
+        data.ip ?? null,
+        data.user_agent ?? null,
+      );
+    }
+
     return {
       success: true,
       user_id,

package/dist/client.d.ts

@@ -1,4 +1,5 @@
 export * from "./components/index.js";
+export { LegalAcceptanceGate, LegalDocDrawer, LegalDocCheckboxList, LegalDocCombinedView } from "./components/layouts/legal/index.js";
 export { cn, merge_class_names } from "./lib/utils.js";
 export * from "./lib/auth/auth_types.js";
 export { use_auth_status, trigger_auth_status_refresh } from "./components/layouts/shared/hooks/use_auth_status.js";

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAI/E,cAAc,8CAA8C,CAAC"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAInI,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAI/E,cAAc,8CAA8C,CAAC"}

package/dist/client.js

@@ -10,6 +10,9 @@
 // section: component_exports
 // All UI and layout components are client-safe
 export * from "./components/index.js";
+// section: legal_exports
+// Legal acceptance gate and primitives
+export { LegalAcceptanceGate, LegalDocDrawer, LegalDocCheckboxList, LegalDocCombinedView } from "./components/layouts/legal/index.js";
 // section: utility_exports
 // CSS utility functions
 export { cn, merge_class_names } from "./lib/utils.js";

package/dist/components/layouts/index.d.ts

@@ -14,5 +14,6 @@ export { UserManagementLayout } from "./user_management/index.js";
 export type { UserManagementLayoutProps } from "./user_management/index";
 export { default as DevLockLayout } from "./dev_lock/index.js";
 export type { DevLockLayoutProps } from "./dev_lock/index";
+export { LegalDocDrawer, LegalDocCheckboxList, LegalDocCombinedView, LegalAcceptanceGate } from "./legal/index.js";
 export * from "./shared/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/components/layouts/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/components/layouts/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,eAAe,CAAC;AACvD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAEtD,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAC7D,YAAY,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAE5D,OAAO,EAAE,OAAO,IAAI,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC1E,YAAY,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AAEzE,OAAO,EAAE,OAAO,IAAI,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AACxE,YAAY,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AAEvE,OAAO,EAAE,OAAO,IAAI,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AAChF,YAAY,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAE/E,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAClE,YAAY,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAEjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,YAAY,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AAEzE,OAAO,EAAE,OAAO,IAAI,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAC5D,YAAY,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAG3D,cAAc,gBAAgB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/components/layouts/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,eAAe,CAAC;AACvD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAEtD,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAC7D,YAAY,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAE5D,OAAO,EAAE,OAAO,IAAI,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC1E,YAAY,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AAEzE,OAAO,EAAE,OAAO,IAAI,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AACxE,YAAY,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AAEvE,OAAO,EAAE,OAAO,IAAI,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AAChF,YAAY,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAE/E,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAClE,YAAY,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAEjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,YAAY,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AAEzE,OAAO,EAAE,OAAO,IAAI,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAC5D,YAAY,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAG3D,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAGhH,cAAc,gBAAgB,CAAC"}

package/dist/components/layouts/index.js

@@ -8,5 +8,7 @@ export { default as EmailVerificationLayout } from "./email_verification/index.j
 export { default as MySettingsLayout } from "./my_settings/index.js";
 export { UserManagementLayout } from "./user_management/index.js";
 export { default as DevLockLayout } from "./dev_lock/index.js";
+// section: legal_exports
+export { LegalDocDrawer, LegalDocCheckboxList, LegalDocCombinedView, LegalAcceptanceGate } from "./legal/index.js";
 // section: shared_exports
 export * from "./shared/index.js";

package/dist/components/layouts/legal/index.d.ts

@@ -0,0 +1,5 @@
+export { LegalDocDrawer } from './legal_doc_drawer.js';
+export { LegalDocCheckboxList } from './legal_doc_checkbox_list.js';
+export { LegalDocCombinedView } from './legal_doc_combined_view.js';
+export { LegalAcceptanceGate } from './legal_acceptance_gate.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/components/layouts/legal/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/legal/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/components/layouts/legal/index.js

@@ -0,0 +1,4 @@
+export { LegalDocDrawer } from './legal_doc_drawer.js';
+export { LegalDocCheckboxList } from './legal_doc_checkbox_list.js';
+export { LegalDocCombinedView } from './legal_doc_combined_view.js';
+export { LegalAcceptanceGate } from './legal_acceptance_gate.js';

package/dist/components/layouts/legal/legal_acceptance_gate.d.ts

@@ -0,0 +1,7 @@
+interface LegalAcceptanceGateProps {
+    children: React.ReactNode;
+    apiBasePath?: string;
+}
+export declare function LegalAcceptanceGate({ children, apiBasePath }: LegalAcceptanceGateProps): import("react/jsx-runtime").JSX.Element | null;
+export {};
+//# sourceMappingURL=legal_acceptance_gate.d.ts.map

package/dist/components/layouts/legal/legal_acceptance_gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"legal_acceptance_gate.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/legal/legal_acceptance_gate.tsx"],"names":[],"mappings":"AAQA,UAAU,wBAAwB;IAChC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAOD,wBAAgB,mBAAmB,CAAC,EAAE,QAAQ,EAAE,WAA8B,EAAE,EAAE,wBAAwB,kDAwHzG"}

package/dist/components/layouts/legal/legal_acceptance_gate.js

@@ -0,0 +1,84 @@
+'use client';
+import { Fragment as _Fragment, jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState, useEffect } from 'react';
+import { LegalDocCheckboxList } from './legal_doc_checkbox_list.js';
+import { LegalDocCombinedView } from './legal_doc_combined_view.js';
+import { Button } from '../../ui/button.js';
+export function LegalAcceptanceGate({ children, apiBasePath = '/api/hazo_auth' }) {
+    const [gate, set_gate] = useState({ status: 'loading' });
+    const [accepted, set_accepted] = useState({});
+    const [submitting, set_submitting] = useState(false);
+    const [error, set_error] = useState(null);
+    useEffect(() => {
+        check_gate();
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, []);
+    async function check_gate() {
+        var _a, _b;
+        try {
+            const [docs_res, me_res] = await Promise.all([
+                fetch(`${apiBasePath}/legal_docs`).then((r) => r.json()),
+                fetch(`${apiBasePath}/me`, { credentials: 'include' }).then((r) => r.json()),
+            ]);
+            if (!docs_res.ok || docs_res.data.docs.length === 0 || !me_res.ok || !((_a = me_res.data) === null || _a === void 0 ? void 0 : _a.user)) {
+                set_gate({ status: 'clear' });
+                return;
+            }
+            const docs = docs_res.data.docs;
+            const display_mode = docs_res.data.display_mode;
+            const user_acceptance = (_b = me_res.data.user.legal_acceptance) !== null && _b !== void 0 ? _b : {};
+            const gated = docs.filter((doc) => {
+                var _a;
+                if (!doc.required_hash)
+                    return false;
+                return ((_a = user_acceptance[doc.key]) === null || _a === void 0 ? void 0 : _a.hash) !== doc.required_hash;
+            });
+            if (gated.length === 0) {
+                set_gate({ status: 'clear' });
+            }
+            else {
+                set_gate({ status: 'required', docs: gated, display_mode });
+            }
+        }
+        catch (_c) {
+            set_gate({ status: 'clear' });
+        }
+    }
+    async function handle_submit() {
+        var _a;
+        if (gate.status !== 'required')
+            return;
+        set_submitting(true);
+        set_error(null);
+        try {
+            const accepted_payload = Object.fromEntries(gate.docs
+                .filter((doc) => accepted[doc.key])
+                .map((doc) => [doc.key, { hash: doc.hash }]));
+            const res = await fetch(`${apiBasePath}/legal_docs/accept`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                credentials: 'include',
+                body: JSON.stringify({ accepted: accepted_payload }),
+            });
+            const result = await res.json();
+            if (result.ok) {
+                set_gate({ status: 'clear' });
+            }
+            else {
+                set_error((_a = result.error) !== null && _a !== void 0 ? _a : 'Failed to record acceptance');
+            }
+        }
+        catch (_b) {
+            set_error('Network error — please try again');
+        }
+        finally {
+            set_submitting(false);
+        }
+    }
+    if (gate.status === 'loading')
+        return null;
+    if (gate.status === 'clear')
+        return _jsx(_Fragment, { children: children });
+    const all_accepted = gate.docs.every((doc) => accepted[doc.key]);
+    return (_jsx("div", { className: "min-h-screen flex items-center justify-center p-4", children: _jsxs("div", { className: "w-full max-w-lg space-y-6", children: [_jsxs("div", { children: [_jsx("h1", { className: "text-2xl font-bold", children: "Legal Documents" }), _jsx("p", { className: "text-muted-foreground mt-1", children: "Please review and accept the following documents to continue." })] }), gate.display_mode === 'combined' ? (_jsx(LegalDocCombinedView, { docs: gate.docs, accepted: gate.docs.length > 0 && gate.docs.every((d) => accepted[d.key]), onAcceptedChange: (value) => gate.docs.forEach((doc) => set_accepted((prev) => (Object.assign(Object.assign({}, prev), { [doc.key]: value })))) })) : (_jsx(LegalDocCheckboxList, { docs: gate.docs, accepted: accepted, onAcceptedChange: (key, value) => set_accepted((prev) => (Object.assign(Object.assign({}, prev), { [key]: value }))) })), error && _jsx("p", { className: "text-destructive text-sm", children: error }), _jsx(Button, { onClick: handle_submit, disabled: !all_accepted || submitting, className: "w-full", children: submitting ? 'Saving...' : 'Continue' })] }) }));
+}