npm - hazo_auth - Versions diffs - 7.0.2 → 9.0.0 - Mend

hazo_auth 7.0.2 → 9.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (145) hide show

package/README.md +34 -0
package/SETUP_CHECKLIST.md +31 -0
package/cli-src/lib/AGENTS.md +26 -0
package/cli-src/lib/app_logger.ts +3 -7
package/cli-src/lib/auth/auth_types.ts +3 -0
package/cli-src/lib/auth/auth_utils.server.ts +2 -1
package/cli-src/lib/auth/ensure_anon_id.server.ts +2 -1
package/cli-src/lib/auth/hazo_get_auth.server.ts +30 -4
package/cli-src/lib/config/hazo_auth_core_config.ts +44 -0
package/cli-src/lib/cookies_config.server.ts +13 -10
package/cli-src/lib/hazo_connect_setup.server.ts +19 -11
package/cli-src/lib/legal/legal_docs_config.server.ts +61 -0
package/cli-src/lib/legal/legal_docs_reader.server.ts +36 -0
package/cli-src/lib/legal/legal_docs_service.ts +197 -0
package/cli-src/lib/legal/legal_docs_types.ts +31 -0
package/cli-src/lib/services/email_service.ts +22 -11
package/cli-src/lib/services/firm_service.ts +2 -1
package/cli-src/lib/services/otp_service.ts +3 -2
package/cli-src/lib/services/profile_picture_service.ts +2 -1
package/cli-src/lib/services/registration_service.ts +16 -1
package/cli-src/lib/services/relationship_service.ts +5 -4
package/cli-src/lib/services/session_token_service.ts +3 -2
package/cli-src/lib/utils/api_route_helpers.ts +4 -59
package/cli-src/lib/utils/get_origin_url.ts +5 -61
package/cli-src/lib/utils.ts +4 -10
package/config/hazo_auth_config.example.ini +6 -0
package/dist/client.d.ts +1 -0
package/dist/client.d.ts.map +1 -1
package/dist/client.js +3 -0
package/dist/components/layouts/index.d.ts +1 -0
package/dist/components/layouts/index.d.ts.map +1 -1
package/dist/components/layouts/index.js +2 -0
package/dist/components/layouts/legal/index.d.ts +5 -0
package/dist/components/layouts/legal/index.d.ts.map +1 -0
package/dist/components/layouts/legal/index.js +4 -0
package/dist/components/layouts/legal/legal_acceptance_gate.d.ts +7 -0
package/dist/components/layouts/legal/legal_acceptance_gate.d.ts.map +1 -0
package/dist/components/layouts/legal/legal_acceptance_gate.js +84 -0
package/dist/components/layouts/legal/legal_doc_checkbox_list.d.ts +9 -0
package/dist/components/layouts/legal/legal_doc_checkbox_list.d.ts.map +1 -0
package/dist/components/layouts/legal/legal_doc_checkbox_list.js +11 -0
package/dist/components/layouts/legal/legal_doc_combined_view.d.ts +9 -0
package/dist/components/layouts/legal/legal_doc_combined_view.d.ts.map +1 -0
package/dist/components/layouts/legal/legal_doc_combined_view.js +11 -0
package/dist/components/layouts/legal/legal_doc_drawer.d.ts +8 -0
package/dist/components/layouts/legal/legal_doc_drawer.d.ts.map +1 -0
package/dist/components/layouts/legal/legal_doc_drawer.js +55 -0
package/dist/components/layouts/register/hooks/use_register_form.d.ts +5 -1
package/dist/components/layouts/register/hooks/use_register_form.d.ts.map +1 -1
package/dist/components/layouts/register/hooks/use_register_form.js +25 -10
package/dist/components/layouts/register/index.d.ts.map +1 -1
package/dist/components/layouts/register/index.js +21 -1
package/dist/components/layouts/user_management/index.d.ts.map +1 -1
package/dist/components/layouts/user_management/index.js +45 -7
package/dist/components/ui/input-otp.d.ts +2 -2
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/lib/app_logger.d.ts +2 -3
package/dist/lib/app_logger.d.ts.map +1 -1
package/dist/lib/app_logger.js +3 -5
package/dist/lib/auth/auth_types.d.ts +2 -0
package/dist/lib/auth/auth_types.d.ts.map +1 -1
package/dist/lib/auth/auth_types.js +0 -2
package/dist/lib/auth/auth_utils.server.d.ts.map +1 -1
package/dist/lib/auth/auth_utils.server.js +2 -1
package/dist/lib/auth/ensure_anon_id.server.d.ts.map +1 -1
package/dist/lib/auth/ensure_anon_id.server.js +2 -1
package/dist/lib/auth/hazo_get_auth.server.d.ts.map +1 -1
package/dist/lib/auth/hazo_get_auth.server.js +30 -4
package/dist/lib/config/hazo_auth_core_config.d.ts +44 -0
package/dist/lib/config/hazo_auth_core_config.d.ts.map +1 -0
package/dist/lib/config/hazo_auth_core_config.js +40 -0
package/dist/lib/cookies_config.server.d.ts.map +1 -1
package/dist/lib/cookies_config.server.js +12 -7
package/dist/lib/hazo_connect_setup.server.d.ts.map +1 -1
package/dist/lib/hazo_connect_setup.server.js +18 -5
package/dist/lib/legal/legal_docs_config.server.d.ts +22 -0
package/dist/lib/legal/legal_docs_config.server.d.ts.map +1 -0
package/dist/lib/legal/legal_docs_config.server.js +52 -0
package/dist/lib/legal/legal_docs_reader.server.d.ts +15 -0
package/dist/lib/legal/legal_docs_reader.server.d.ts.map +1 -0
package/dist/lib/legal/legal_docs_reader.server.js +24 -0
package/dist/lib/legal/legal_docs_service.d.ts +49 -0
package/dist/lib/legal/legal_docs_service.d.ts.map +1 -0
package/dist/lib/legal/legal_docs_service.js +141 -0
package/dist/lib/legal/legal_docs_types.d.ts +25 -0
package/dist/lib/legal/legal_docs_types.d.ts.map +1 -0
package/dist/lib/legal/legal_docs_types.js +2 -0
package/dist/lib/services/email_service.d.ts +1 -1
package/dist/lib/services/email_service.d.ts.map +1 -1
package/dist/lib/services/email_service.js +21 -9
package/dist/lib/services/firm_service.d.ts.map +1 -1
package/dist/lib/services/firm_service.js +2 -1
package/dist/lib/services/otp_service.d.ts.map +1 -1
package/dist/lib/services/otp_service.js +3 -2
package/dist/lib/services/profile_picture_service.d.ts.map +1 -1
package/dist/lib/services/profile_picture_service.js +2 -1
package/dist/lib/services/registration_service.d.ts +5 -0
package/dist/lib/services/registration_service.d.ts.map +1 -1
package/dist/lib/services/registration_service.js +6 -0
package/dist/lib/services/relationship_service.d.ts.map +1 -1
package/dist/lib/services/relationship_service.js +5 -4
package/dist/lib/services/session_token_service.d.ts.map +1 -1
package/dist/lib/services/session_token_service.js +3 -2
package/dist/lib/utils/api_route_helpers.d.ts +1 -12
package/dist/lib/utils/api_route_helpers.d.ts.map +1 -1
package/dist/lib/utils/api_route_helpers.js +4 -57
package/dist/lib/utils/get_origin_url.d.ts +1 -22
package/dist/lib/utils/get_origin_url.d.ts.map +1 -1
package/dist/lib/utils/get_origin_url.js +5 -57
package/dist/lib/utils.d.ts +2 -3
package/dist/lib/utils.d.ts.map +1 -1
package/dist/lib/utils.js +4 -9
package/dist/page_components/index.d.ts +0 -5
package/dist/page_components/index.d.ts.map +1 -1
package/dist/page_components/index.js +0 -5
package/dist/server/config/config_loader.js +2 -2
package/dist/server/index.js +1 -1
package/dist/server/routes/index.d.ts +3 -0
package/dist/server/routes/index.d.ts.map +1 -1
package/dist/server/routes/index.js +4 -0
package/dist/server/routes/legal_docs_accept.d.ts +3 -0
package/dist/server/routes/legal_docs_accept.d.ts.map +1 -0
package/dist/server/routes/legal_docs_accept.js +43 -0
package/dist/server/routes/legal_docs_get.d.ts +3 -0
package/dist/server/routes/legal_docs_get.d.ts.map +1 -0
package/dist/server/routes/legal_docs_get.js +49 -0
package/dist/server/routes/legal_docs_publish.d.ts +3 -0
package/dist/server/routes/legal_docs_publish.d.ts.map +1 -0
package/dist/server/routes/legal_docs_publish.js +35 -0
package/dist/server/routes/register.d.ts.map +1 -1
package/dist/server/routes/register.js +26 -0
package/dist/server/routes/remove_profile_picture.d.ts.map +1 -1
package/dist/server/routes/remove_profile_picture.js +6 -1
package/dist/server/routes/upload_profile_picture.d.ts.map +1 -1
package/dist/server/routes/upload_profile_picture.js +6 -1
package/dist/server/routes/user_management_users.d.ts +2 -2
package/dist/server/routes/user_management_users.d.ts.map +1 -1
package/dist/server/routes/user_management_users.js +46 -2
package/dist/server/server.d.ts.map +1 -1
package/dist/server/server.js +7 -0
package/dist/strings.d.ts +2 -0
package/dist/strings.d.ts.map +1 -0
package/dist/strings.js +3 -0
package/package.json +33 -35

package/cli-src/lib/legal/legal_docs_service.ts ADDED Viewed

@@ -0,0 +1,197 @@
+// file_description: service functions for the legal document acceptance system
+// section: imports
+import { createCrudService } from 'hazo_connect/server';
+import { generateRequestId } from 'hazo_core';
+import type { LegalAcceptanceMap } from './legal_docs_types';
+// section: helpers
+function generate_id(): string {
+  return generateRequestId().slice(4);
+}
+// section: exports
+/**
+ * Write legal acceptance records. Call from:
+ * - registration_service (bundled with register POST, pre-session)
+ * - legal_docs_accept route (authenticated, post-login)
+ *
+ * Inserts one row per doc into hazo_legal_acceptances (audit history) and
+ * merges the result into the denormalised hazo_users.legal_acceptance JSONB
+ * column for fast "has this user accepted the current version?" queries.
+ */
+export async function write_legal_acceptance(
+  adapter: any,
+  user_id: string,
+  accepted: Record<string, { hash: string }>,
+  ip: string | null,
+  user_agent: string | null,
+): Promise<void> {
+  const now = new Date().toISOString();
+  // 1. Insert one history row per doc
+  const history_service = createCrudService(adapter, 'hazo_legal_acceptances');
+  for (const [doc_key, { hash }] of Object.entries(accepted)) {
+    await history_service.insert({
+      id: generate_id(),
+      user_id,
+      doc_key,
+      doc_hash: hash,
+      accepted_at: now,
+      ip,
+      user_agent,
+    });
+  }
+  // 2. Merge into denormalized JSONB on hazo_users
+  const users_service = createCrudService(adapter, 'hazo_users');
+  const rows = await users_service.findBy({ id: user_id });
+  const existing_raw = rows[0]?.legal_acceptance;
+  let existing: LegalAcceptanceMap = {};
+  if (existing_raw) {
+    try {
+      existing = typeof existing_raw === 'string'
+        ? JSON.parse(existing_raw)
+        : (existing_raw as LegalAcceptanceMap);
+    } catch { /* corrupt — start fresh */ }
+  }
+  const updated: LegalAcceptanceMap = { ...existing };
+  for (const [doc_key, { hash }] of Object.entries(accepted)) {
+    updated[doc_key] = { hash, accepted_at: now, ip, user_agent };
+  }
+  await users_service.updateById(user_id, {
+    legal_acceptance: JSON.stringify(updated),
+    changed_at: now,
+  });
+}
+/**
+ * Publish a doc version as the new required version (admin action).
+ * Upserts hazo_legal_doc_versions keyed on doc_key.
+ */
+export async function publish_doc_version(
+  adapter: any,
+  doc_key: string,
+  required_hash: string,
+  published_by_user_id: string,
+): Promise<{ published_at: string }> {
+  const now = new Date().toISOString();
+  // createCrudService with doc_key as primary key so updateById works correctly
+  const versions_service = createCrudService(adapter, 'hazo_legal_doc_versions', {
+    primaryKeys: ['doc_key'],
+    autoId: false,
+  });
+  const existing = await versions_service.findBy({ doc_key });
+  if (existing.length > 0) {
+    await versions_service.updateById(doc_key, {
+      required_hash,
+      published_at: now,
+      published_by_user_id,
+    });
+  } else {
+    await versions_service.insert({
+      doc_key,
+      required_hash,
+      published_at: now,
+      published_by_user_id,
+    });
+  }
+  return { published_at: now };
+}
+/**
+ * Return required version info keyed by doc_key.
+ */
+export async function get_required_versions(
+  adapter: any,
+  doc_keys: string[],
+): Promise<Record<string, { required_hash: string; published_at: string }>> {
+  if (doc_keys.length === 0) return {};
+  const versions_service = createCrudService(adapter, 'hazo_legal_doc_versions', {
+    primaryKeys: ['doc_key'],
+    autoId: false,
+  });
+  const rows = await versions_service.list((qb) =>
+    qb.whereIn('doc_key', doc_keys).select(['doc_key', 'required_hash', 'published_at'])
+  );
+  const result: Record<string, { required_hash: string; published_at: string }> = {};
+  for (const row of rows) {
+    result[String(row.doc_key)] = {
+      required_hash: String(row.required_hash),
+      published_at: String(row.published_at),
+    };
+  }
+  return result;
+}
+/**
+ * Return acceptance history for a user across all doc keys, newest first.
+ */
+export async function get_user_acceptance_history(
+  adapter: any,
+  user_id: string,
+): Promise<Array<{
+  doc_key: string;
+  doc_hash: string;
+  accepted_at: string;
+  ip: string | null;
+  user_agent: string | null;
+}>> {
+  const history_service = createCrudService(adapter, 'hazo_legal_acceptances');
+  return history_service.list((qb) =>
+    qb
+      .where('user_id', 'eq', user_id)
+      .select(['doc_key', 'doc_hash', 'accepted_at', 'ip', 'user_agent'])
+      .order('accepted_at', 'desc')
+  ) as Promise<Array<{
+    doc_key: string;
+    doc_hash: string;
+    accepted_at: string;
+    ip: string | null;
+    user_agent: string | null;
+  }>>;
+}
+/**
+ * Count how many users have accepted the current required hash for a doc key.
+ * Returns { current, total } where current is users on the required_hash and
+ * total is all users in the system (including those with no legal_acceptance data).
+ *
+ * Note: This performs an in-process scan over all users.  For large user bases
+ * consider a dedicated SQL query in a future optimisation.
+ */
+export async function get_compliance_count(
+  adapter: any,
+  doc_key: string,
+  required_hash: string,
+): Promise<{ current: number; total: number }> {
+  const users_service = createCrudService(adapter, 'hazo_users');
+  const all_users = await users_service.list((qb) =>
+    qb.select(['id', 'legal_acceptance'])
+  );
+  let current = 0;
+  for (const user of all_users) {
+    let map: LegalAcceptanceMap = {};
+    try {
+      map = typeof user.legal_acceptance === 'string'
+        ? JSON.parse(user.legal_acceptance as string)
+        : ((user.legal_acceptance ?? {}) as LegalAcceptanceMap);
+    } catch { /* ignore corrupt rows */ }
+    if (map[doc_key]?.hash === required_hash) current++;
+  }
+  return { current, total: all_users.length };
+}

package/cli-src/lib/legal/legal_docs_types.ts ADDED Viewed

@@ -0,0 +1,31 @@
+// file_description: shared types for the legal document acceptance system
+export interface LegalDocConfig {
+  key: string;
+  title: string;
+  path: string;
+}
+export interface LegalDocsConfig {
+  docs: LegalDocConfig[];
+  display_mode: 'separate' | 'combined';
+}
+export interface LegalDoc {
+  key: string;
+  title: string;
+  content: string;
+  hash: string;
+  required_hash: string | null;
+  required_published_at: string | null;
+}
+export interface LegalAcceptanceRecord {
+  hash: string;
+  accepted_at: string;
+  ip: string | null;
+  user_agent: string | null;
+}
+// Shape of hazo_users.legal_acceptance JSONB
+export type LegalAcceptanceMap = Record<string, LegalAcceptanceRecord>;

package/cli-src/lib/services/email_service.ts CHANGED Viewed

@@ -1,8 +1,9 @@
 // file_description: service for sending emails with template support
 // section: imports
 import { create_app_logger } from "../app_logger.js";
+import { HazoConfigError, optional_import } from "hazo_core";
 import { read_config_section } from "../config/config_loader.server.js";
-import type { EmailerConfig, SendEmailOptions } from "hazo_notify";
+import type { EmailerConfig, SendEmailOptions } from "hazo_notify/adapters/email";
 import type { HazoConnectInstance } from "hazo_notify/template_manager";
 // section: types
@@ -76,8 +77,11 @@ async function get_hazo_notify_instance(): Promise<EmailerConfig> {
     });
     try {
       // Dynamic import to avoid build-time issues with hazo_notify
-      const hazo_notify_module = await import("hazo_notify");
-      const { load_emailer_config } = hazo_notify_module;
+      const hazo_notify_email_module = await optional_import<typeof import("hazo_notify/adapters/email")>('hazo_notify/adapters/email');
+      if (!hazo_notify_email_module) {
+        throw new Error("hazo_notify is not installed");
+      }
+      const { load_emailer_config } = hazo_notify_email_module;
       hazo_notify_config = load_emailer_config();
     } catch (error) {
       const error_message = error instanceof Error ? error.message : "Unknown error";
@@ -86,7 +90,7 @@ async function get_hazo_notify_instance(): Promise<EmailerConfig> {
         line_number: 0,
         error: error_message,
       });
-      throw new Error(`Failed to load hazo_notify config: ${error_message}`);
+      throw new HazoConfigError({ code: 'HAZO_AUTH_CONFIG', pkg: 'hazo_auth', message: `Failed to load hazo_notify config: ${error_message}` });
     }
   }
   return hazo_notify_config;
@@ -263,8 +267,12 @@ export async function send_email(options: EmailOptions): Promise<{ success: bool
     const notify_config = await get_hazo_notify_instance();
     // Dynamic import to avoid build-time issues with hazo_notify
-    const hazo_notify_module = await import("hazo_notify");
-    const { send_email: hazo_notify_send_email } = hazo_notify_module;
+    const hazo_notify_email_module = await optional_import<typeof import("hazo_notify/adapters/email")>('hazo_notify/adapters/email');
+    if (!hazo_notify_email_module) {
+      throw new Error("hazo_notify is not installed");
+    }
+    const { get_email_provider } = hazo_notify_email_module;
+    const provider = get_email_provider(notify_config);
     // Get from email and from name (hazo_auth_config overrides hazo_notify_config)
     // Priority: 1. options.from (explicit parameter), 2. hazo_auth_config.from_email, 3. hazo_notify_config.from_email
@@ -285,7 +293,7 @@ export async function send_email(options: EmailOptions): Promise<{ success: bool
     };
     // Send email using hazo_notify
-    const result = await hazo_notify_send_email(hazo_notify_options, notify_config);
+    const result = await provider.send_email(hazo_notify_options, notify_config);
     if (result.success) {
       logger.info("email_sent", {
@@ -370,11 +378,14 @@ export async function send_template_email(
     }
     if (!hazo_notify_connect) {
-      throw new Error(
-        "hazo_notify connect not initialized. Call set_hazo_notify_connect() " +
+      throw new HazoConfigError({
+        code: 'HAZO_AUTH_CONFIG',
+        pkg: 'hazo_auth',
+        message:
+          "hazo_notify connect not initialized. Call set_hazo_notify_connect() " +
           "from instrumentation.ts with the same HazoConnectInstance you pass " +
-          "to init_template_manager({ hazo_connect_factory })."
-      );
+          "to init_template_manager({ hazo_connect_factory }).",
+      });
     }
     const notify_config = await get_hazo_notify_instance();

package/cli-src/lib/services/firm_service.ts CHANGED Viewed

@@ -2,6 +2,7 @@
 // section: imports
 import type { HazoConnectAdapter } from "hazo_connect";
 import { createCrudService } from "hazo_connect/server";
+import { generateRequestId } from "hazo_core";
 import { create_app_logger } from "../app_logger.js";
 import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
 import { create_scope, type ScopeRecord } from "./scope_service.js";
@@ -146,7 +147,7 @@ async function assign_owner_permissions(
       if (!Array.isArray(permissions) || permissions.length === 0) {
         // Create permission with generated UUID
-        const perm_id = crypto.randomUUID();
+        const perm_id = generateRequestId().slice(4);
         const inserted = await permission_service.insert({
           id: perm_id,
           permission_name: perm_name,

package/cli-src/lib/services/otp_service.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import "server-only";
 import crypto from "node:crypto";
+import { generateRequestId } from "hazo_core";
 import argon2 from "argon2";
 import { createCrudService } from "hazo_connect/server";
 import { get_otp_config, hazo_auth_otp_session_ttl_seconds } from "../otp_config.server.js";
@@ -133,7 +134,7 @@ export async function request_email_otp(args: {
   const code = generate_otp_code();
   const otp_hash = await hash_otp_code(code);
   const expires_at = new Date(Date.now() + cfg.code_ttl_seconds * 1000).toISOString();
-  const row_id = crypto.randomUUID();
+  const row_id = generateRequestId().slice(4);
   await otp_table.insert({
     id: row_id,
@@ -244,7 +245,7 @@ export async function verify_email_otp(args: {
     }
   } else if (cfg.auto_register) {
     // Create user + bind scope/role
-    const new_user_id = crypto.randomUUID();
+    const new_user_id = generateRequestId().slice(4);
     await users_table.insert({
       id: new_user_id,
       email_address: email,

package/cli-src/lib/services/profile_picture_service.ts CHANGED Viewed

@@ -3,6 +3,7 @@
 import type { HazoConnectAdapter } from "hazo_connect";
 import { createCrudService } from "hazo_connect/server";
 import gravatarUrl from "gravatar-url";
+import { fetchWithRequestId } from "hazo_core";
 import { get_profile_picture_config } from "../profile_picture_config.server.js";
 import { get_ui_sizes_config } from "../ui_sizes_config.server.js";
 import { get_file_types_config } from "../file_types_config.server.js";
@@ -304,7 +305,7 @@ async function check_gravatar_exists(email: string): Promise<boolean> {
     const gravatar_url = get_gravatar_url(email, uiSizes.gravatar_size);
     // Make HEAD request to check if image exists without downloading it
-    const response = await fetch(gravatar_url, {
+    const response = await fetchWithRequestId(gravatar_url, {
       method: 'HEAD',
       // Add timeout to prevent hanging
       signal: AbortSignal.timeout(5000) // 5 second timeout

package/cli-src/lib/services/registration_service.ts CHANGED Viewed

@@ -16,6 +16,7 @@ import {
   is_user_types_enabled,
   get_default_user_type,
 } from "../user_types_config.server.js";
+import { write_legal_acceptance } from "../legal/legal_docs_service.js";
 // section: types
 export type RegistrationData = {
@@ -23,6 +24,9 @@ export type RegistrationData = {
   password: string;
   name?: string;
   url_on_logon?: string;
+  legal_accepted?: Record<string, { hash: string }>;
+  ip?: string | null;
+  user_agent?: string | null;
 };
 export type RegistrationResult = {
@@ -156,7 +160,7 @@ export async function register_user(
         user_email: email,
         user_name: name,
       });
       if (!email_result.success) {
         const logger = create_app_logger();
         logger.error("registration_service_email_send_failed", {
@@ -170,6 +174,17 @@ export async function register_user(
       }
     }
+    // Write legal acceptance records if provided
+    if (data.legal_accepted && Object.keys(data.legal_accepted).length > 0) {
+      await write_legal_acceptance(
+        adapter,
+        user_id,
+        data.legal_accepted,
+        data.ip ?? null,
+        data.user_agent ?? null,
+      );
+    }
     return {
       success: true,
       user_id,

package/cli-src/lib/services/relationship_service.ts CHANGED Viewed

@@ -2,6 +2,7 @@
 // section: imports
 import type { HazoConnectAdapter } from "hazo_connect";
 import { createCrudService } from "hazo_connect/server";
+import { generateRequestId } from "hazo_core";
 import argon2 from "argon2";
 import { create_app_logger } from "../app_logger.js";
 import { get_relationships_config, get_allowed_relationship_types } from "../relationships_config.server.js";
@@ -66,7 +67,7 @@ export function get_display_email(email: string | null | undefined): string | nu
 }
 function generate_sentinel_email(): string {
-  return `${SENTINEL_PREFIX}${crypto.randomUUID()}${SENTINEL_DOMAIN}`;
+  return `${SENTINEL_PREFIX}${generateRequestId().slice(4)}${SENTINEL_DOMAIN}`;
 }
 // section: helpers
@@ -129,8 +130,8 @@ export async function create_managed_child(
     }
     // Generate IDs
-    const child_user_id = crypto.randomUUID();
-    const relationship_id = crypto.randomUUID();
+    const child_user_id = generateRequestId().slice(4);
+    const relationship_id = generateRequestId().slice(4);
     const now = new Date().toISOString();
     // Insert managed child user
@@ -375,7 +376,7 @@ export async function create_self_relationship(
     }
     const config = get_relationships_config();
-    const relationship_id = crypto.randomUUID();
+    const relationship_id = generateRequestId().slice(4);
     const now = new Date().toISOString();
     await relationships_service.insert({

package/cli-src/lib/services/session_token_service.ts CHANGED Viewed

@@ -2,6 +2,7 @@
 // Uses jose library for Edge-compatible JWT operations
 // section: imports
 import { SignJWT, jwtVerify } from "jose";
+import { HazoConfigError, HazoAuthError } from "hazo_core";
 import { create_app_logger } from "../app_logger.js";
 import { get_filename, get_line_number } from "../utils/api_route_helpers.js";
@@ -37,7 +38,7 @@ function get_jwt_secret(): Uint8Array {
       line_number: get_line_number(),
       error: "JWT_SECRET environment variable is required",
     });
-    throw new Error("JWT_SECRET environment variable is required");
+    throw new HazoConfigError({ code: 'HAZO_AUTH_CONFIG', pkg: 'hazo_auth', message: 'JWT_SECRET environment variable is required' });
   }
   // Convert string secret to Uint8Array for jose
@@ -112,7 +113,7 @@ export async function create_session_token(
       error_stack,
     });
-    throw new Error("Failed to create session token");
+    throw new HazoAuthError({ code: 'HAZO_AUTH_INVALID_TOKEN', pkg: 'hazo_auth', message: 'Failed to create session token' });
   }
 }

package/cli-src/lib/utils/api_route_helpers.ts CHANGED Viewed

@@ -1,60 +1,5 @@
 // file_description: shared helper functions for API routes to get filename and line number
-// section: helpers
-/**
- * Gets the filename from the call stack
- * This is a simplified version that extracts the filename from the error stack
- * @returns Filename or "route.ts" as default
- */
-export function get_filename(): string {
-  try {
-    const stack = new Error().stack;
-    if (!stack) {
-      return "route.ts";
-    }
-    // Parse stack trace to find the caller's file
-    const lines = stack.split("\n");
-    // Skip Error line and get_filename line, get the actual caller
-    for (let i = 2; i < lines.length; i++) {
-      const line = lines[i];
-      // Match file paths in stack trace (e.g., "at /path/to/file.ts:123:45")
-      const match = line.match(/([^/\\]+\.tsx?):(\d+):(\d+)/);
-      if (match) {
-        return match[1];
-      }
-    }
-    return "route.ts";
-  } catch {
-    return "route.ts";
-  }
-}
-/**
- * Gets the line number from the call stack
- * This is a simplified version that extracts the line number from the error stack
- * @returns Line number or 0
- */
-export function get_line_number(): number {
-  try {
-    const stack = new Error().stack;
-    if (!stack) {
-      return 0;
-    }
-    // Parse stack trace to find the caller's line number
-    const lines = stack.split("\n");
-    // Skip Error line and get_line_number line, get the actual caller
-    for (let i = 2; i < lines.length; i++) {
-      const line = lines[i];
-      // Match line numbers in stack trace (e.g., "at /path/to/file.ts:123:45")
-      const match = line.match(/([^/\\]+\.tsx?):(\d+):(\d+)/);
-      if (match) {
-        return parseInt(match[2], 10) || 0;
-      }
-    }
-    return 0;
-  } catch {
-    return 0;
-  }
-}
+// Canonical location moved to hazo_logs/src/lib/utils/caller_info.ts.
+// This re-export maintains backward compatibility for hazo_auth consumers.
+// Will be removed in hazo_auth v9 — import from 'hazo_logs' directly.
+export { get_filename, get_line_number } from 'hazo_logs';

package/cli-src/lib/utils/get_origin_url.ts CHANGED Viewed

@@ -1,61 +1,5 @@
-// file_description: Resolves the public-facing origin URL for constructing redirects
-// When running behind a reverse proxy (Cloudflare, nginx), request.url resolves to
-// the internal address (e.g. http://localhost:3000). This utility returns the correct
-// public origin using NEXTAUTH_URL, falling back to request.url.
-/**
- * Gets the public-facing origin URL for redirect construction.
- *
- * Behind reverse proxies (Cloudflare, nginx, etc.), `request.url` contains the
- * internal address (e.g. `http://localhost:3000`), not the public domain.
- * This function returns the correct origin from environment variables.
- *
- * Priority: NEXTAUTH_URL > APP_DOMAIN_NAME > NEXT_PUBLIC_APP_URL > APP_URL > request.url
- *
- * @param request_url - The request.url to use as fallback
- * @returns The origin URL (e.g. "https://gotimer.org")
- */
-export function get_origin_url(request_url: string): string {
-  // NEXTAUTH_URL is the standard for NextAuth.js apps
-  const nextauth_url = process.env.NEXTAUTH_URL;
-  if (nextauth_url) {
-    return nextauth_url.replace(/\/$/, "");
-  }
-  // APP_DOMAIN_NAME (with protocol handling)
-  const app_domain = process.env.APP_DOMAIN_NAME;
-  if (app_domain) {
-    const domain = app_domain.trim();
-    if (domain.startsWith("http://") || domain.startsWith("https://")) {
-      return domain.replace(/\/$/, "");
-    }
-    return `https://${domain}`;
-  }
-  // Other common env vars
-  const env_url = process.env.NEXT_PUBLIC_APP_URL || process.env.APP_URL;
-  if (env_url) {
-    return env_url.replace(/\/$/, "");
-  }
-  // Fallback to request.url (works in development without a proxy)
-  try {
-    const url = new URL(request_url);
-    return url.origin;
-  } catch {
-    return request_url;
-  }
-}
-/**
- * Creates a URL using the public-facing origin instead of request.url.
- * Drop-in replacement for `new URL(path, request.url)` in route handlers.
- *
- * @param path - The path or relative URL (e.g. "/hazo_auth/login")
- * @param request_url - The request.url (used as fallback only)
- * @returns A URL object with the correct public origin
- */
-export function create_redirect_url(path: string, request_url: string): URL {
-  const origin = get_origin_url(request_url);
-  return new URL(path, origin);
-}
+// file_description: Re-exports get_origin_url and create_redirect_url from hazo_core.
+// Canonical location moved to hazo_core/http in hazo_core v1.
+// This re-export maintains backward compatibility for hazo_auth consumers.
+// Will be removed in hazo_auth v9 — import from 'hazo_core' directly.
+export { get_origin_url, create_redirect_url } from 'hazo_core';

package/cli-src/lib/utils.ts CHANGED Viewed

@@ -1,11 +1,5 @@
-// file_description: provide shared utility helpers for the hazo_auth project
-import { clsx, type ClassValue } from "clsx";
-import { twMerge } from "tailwind-merge";
+// file_description: re-exports cn and merge_class_names from hazo_ui (canonical source)
+export { cn } from "hazo_ui";
-// section: tailwind_merge_helper
-export function merge_class_names(...inputs: ClassValue[]) {
-  return twMerge(clsx(inputs));
-}
-// section: shadcn_compatibility_helper
-export const cn = (...inputs: ClassValue[]) => merge_class_names(...inputs);
+// merge_class_names alias — kept for backward compatibility
+export { cn as merge_class_names } from "hazo_ui";

package/config/hazo_auth_config.example.ini CHANGED Viewed

@@ -729,3 +729,9 @@ company_name = My Company
 #   [hazo_auth__login_layout]
 #   image_src = /your-custom-image.jpg
+; ── Log level overrides (per hazo_logs D-015) ────────────────────────────────
+; Uncomment to tune log verbosity for specific namespaces.
+; Format: namespace = TRACE | DEBUG | INFO | WARN | ERROR
+[log.overrides]
+; hazo_auth = DEBUG

package/dist/client.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 export * from "./components/index.js";
+export { LegalAcceptanceGate, LegalDocDrawer, LegalDocCheckboxList, LegalDocCombinedView } from "./components/layouts/legal/index.js";
 export { cn, merge_class_names } from "./lib/utils.js";
 export * from "./lib/auth/auth_types.js";
 export { use_auth_status, trigger_auth_status_refresh } from "./components/layouts/shared/hooks/use_auth_status.js";

package/dist/client.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAI/E,cAAc,8CAA8C,CAAC"}
1	+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAInI,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAI/E,cAAc,8CAA8C,CAAC"}

package/dist/client.js CHANGED Viewed

@@ -10,6 +10,9 @@
 // section: component_exports
 // All UI and layout components are client-safe
 export * from "./components/index.js";
+// section: legal_exports
+// Legal acceptance gate and primitives
+export { LegalAcceptanceGate, LegalDocDrawer, LegalDocCheckboxList, LegalDocCombinedView } from "./components/layouts/legal/index.js";
 // section: utility_exports
 // CSS utility functions
 export { cn, merge_class_names } from "./lib/utils.js";

package/dist/components/layouts/index.d.ts CHANGED Viewed

@@ -14,5 +14,6 @@ export { UserManagementLayout } from "./user_management/index.js";
 export type { UserManagementLayoutProps } from "./user_management/index";
 export { default as DevLockLayout } from "./dev_lock/index.js";
 export type { DevLockLayoutProps } from "./dev_lock/index";
+export { LegalDocDrawer, LegalDocCheckboxList, LegalDocCombinedView, LegalAcceptanceGate } from "./legal/index.js";
 export * from "./shared/index.js";
 //# sourceMappingURL=index.d.ts.map