hazo_auth 8.0.1 → 9.0.0

package/cli-src/lib/AGENTS.md

@@ -0,0 +1,26 @@
+# src/lib/ — AGENTS.md
+
+Server-side business logic, configuration loaders, and utilities.
+
+## Key subdirectories
+
+- `auth/` — Core auth logic: `hazo_get_auth.server.ts` (the main auth utility), session token validation, OAuth helpers, auth cache, scope cache, rate limiter.
+- `config/` — Config loaders: `config_loader.server.ts` (hazo_config-based, handles all 18+ INI sections), `hazo_auth_core_config.ts` (hazo_core loadConfig overlay for critical sections with Zod validation).
+- `services/` — Business logic: `login_service.ts`, `registration_service.ts`, `password_reset_service.ts`, `session_token_service.ts`, `scope_service.ts`, `invitation_service.ts`, `email_service.ts`, etc.
+- `auto_test/` — hazo_auth's internal test runner (server-side). This is the original test infrastructure that inspired `hazo_ui/test-harness`. Executes scenario definitions via API calls; the runner is invoked through `/api/hazo_auth/auto_test`.
+- `utils/` — Utilities: `api_route_helpers.ts` (re-exports `get_filename`/`get_line_number` from hazo_logs), `sanitize_error_for_user.ts`.
+- `legal/` — Legal docs management (acceptance tracking, versioned docs).
+- `schema/` — Zod schemas for request validation.
+
+## Error handling (Wave 2)
+
+Server-side `throw new Error(...)` replaced with `HazoError` subclasses from `hazo_core`:
+- `HazoAuthError(HAZO_AUTH_FORBIDDEN)` — authentication required or permission denied
+- `HazoAuthError(HAZO_AUTH_INVALID_TOKEN)` — invalid session token
+- `HazoNotFoundError(HAZO_AUTH_USER_NOT_FOUND)` — user not found
+- `HazoRateLimitError(HAZO_AUTH_RATE_LIMITED)` — rate limit exceeded
+- `HazoConfigError(HAZO_AUTH_CONFIG)` — missing/invalid config or env vars
+
+## Logging
+
+All logging via `create_app_logger()` from `app_logger.ts`, which returns `createLogger('hazo_auth')` from `hazo_core`. Log calls use structured format: `logger.info('event.name', { fields })`.

package/cli-src/lib/app_logger.ts

@@ -1,9 +1,6 @@
-// file_description: server-only wrapper for the main app logging service using hazo_logs
-// section: server-only-guard
-import "server-only";
-
+// file_description: server-only wrapper for the main app logging service using hazo_core
 // section: imports
-import { createLogger } from "hazo_logs";
+import { createLogger } from "hazo_core";
 
 // section: logger_instance
 // Create a singleton logger for the hazo_auth package
@@ -11,7 +8,6 @@ const logger = createLogger("hazo_auth");
 
 /**
  * Returns the hazo_auth logger instance
- * Uses hazo_logs for consistent logging across hazo packages
+ * Uses hazo_core for consistent logging across hazo packages
  */
 export const create_app_logger = () => logger;
-

package/cli-src/lib/auth/auth_utils.server.ts

@@ -4,6 +4,7 @@ import "server-only";
 
 // section: imports
 import { NextRequest, NextResponse } from "next/server";
+import { HazoAuthError } from "hazo_core";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
 import { map_db_source_to_ui } from "../services/profile_picture_source_mapper.js";
@@ -118,7 +119,7 @@ export async function require_auth(request: NextRequest): Promise<AuthUser> {
   const result = await get_authenticated_user(request);
   
   if (!result.authenticated) {
-    throw new Error("Authentication required");
+    throw new HazoAuthError({ code: 'HAZO_AUTH_FORBIDDEN', pkg: 'hazo_auth', message: 'Authentication required' });
   }
   
   return result;

package/cli-src/lib/auth/ensure_anon_id.server.ts

@@ -24,6 +24,7 @@ import "server-only";
 // section: imports
 import { NextRequest } from "next/server";
 import { cookies } from "next/headers";
+import { generateRequestId } from "hazo_core";
 import {
   BASE_COOKIE_NAMES,
   get_cookie_name,
@@ -71,7 +72,7 @@ export async function ensure_anon_id(request: NextRequest): Promise<string> {
   }
 
   // Issue a new id and queue the Set-Cookie via the next/headers cookie store.
-  const new_id = crypto.randomUUID();
+  const new_id = generateRequestId().slice(4);
   const cookie_options = get_cookie_options({
     httpOnly: true,
     secure: process.env.NODE_ENV === "production",

package/cli-src/lib/auth/hazo_get_auth.server.ts

@@ -4,6 +4,7 @@ import "server-only";
 
 // section: imports
 import { NextRequest } from "next/server";
+import { HazoNotFoundError, HazoAuthError, HazoRateLimitError, getCorrelationId } from "hazo_core";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
 import { create_app_logger } from "../app_logger.js";
@@ -183,14 +184,14 @@ async function fetch_user_data_from_db(user_id: string): Promise<{
   // Fetch user
   const users = await users_service.findBy({ id: user_id });
   if (!Array.isArray(users) || users.length === 0) {
-    throw new Error("User not found");
+    throw new HazoNotFoundError({ code: 'HAZO_AUTH_USER_NOT_FOUND', pkg: 'hazo_auth', message: 'User not found' });
   }
 
   const user_db = users[0];
 
   // Check if user is active (status must be 'ACTIVE')
   if (user_db.status !== "ACTIVE") {
-    throw new Error("User is inactive");
+    throw new HazoAuthError({ code: 'HAZO_AUTH_FORBIDDEN', pkg: 'hazo_auth', message: 'User account is inactive' });
   }
 
   // Build user object
@@ -441,6 +442,7 @@ export async function hazo_get_auth(
         line_number: get_line_number(),
         error: token_error_message,
         note: "Falling back to simple cookie check",
+        correlation_id: getCorrelationId(),
       });
     }
   }
@@ -464,8 +466,9 @@ export async function hazo_get_auth(
         filename: get_filename(),
         line_number: get_line_number(),
         ip: client_ip,
+        correlation_id: getCorrelationId(),
       });
-      throw new Error("Rate limit exceeded. Please try again later.");
+      throw new HazoRateLimitError({ code: 'HAZO_AUTH_RATE_LIMITED', pkg: 'hazo_auth', message: 'Rate limit exceeded. Please try again later.' });
     }
 
     return {
@@ -483,8 +486,9 @@ export async function hazo_get_auth(
       filename: get_filename(),
       line_number: get_line_number(),
       user_id,
+      correlation_id: getCorrelationId(),
     });
-    throw new Error("Rate limit exceeded. Please try again later.");
+    throw new HazoRateLimitError({ code: 'HAZO_AUTH_RATE_LIMITED', pkg: 'hazo_auth', message: 'Rate limit exceeded. Please try again later.' });
   }
 
   // Check cache
@@ -516,6 +520,7 @@ export async function hazo_get_auth(
         line_number: get_line_number(),
         user_id,
         error: error_message,
+        correlation_id: getCorrelationId(),
       });
 
       return {
@@ -550,6 +555,7 @@ export async function hazo_get_auth(
         missing_permissions,
         user_permissions: permissions,
         ip: client_ip,
+        correlation_id: getCorrelationId(),
       });
     }
 
@@ -599,6 +605,7 @@ export async function hazo_get_auth(
         scope_id: options.scope_id,
         user_scopes: scope_result.user_scopes,
         ip: client_ip,
+        correlation_id: getCorrelationId(),
       });
     }
 

package/cli-src/lib/config/hazo_auth_core_config.ts

@@ -0,0 +1,44 @@
+// file_description: Zod-validated config loader for hazo_auth core settings.
+// Covers server-critical sections ([hazo_auth__tokens], [hazo_auth__cookies], [hazo_auth__rate_limit], [log.overrides]).
+// UI sections (login_layout, register_layout, etc.) are still handled by config_loader.server.ts.
+import { z } from 'zod';
+import { loadConfig } from 'hazo_core';
+
+const HazoAuthCoreConfigSchema = z.object({
+  hazo_auth__tokens: z
+    .object({
+      access_token_ttl_seconds: z.string().optional().transform(v => v ? parseInt(v, 10) : 900),
+      refresh_token_ttl_seconds: z.string().optional().transform(v => v ? parseInt(v, 10) : 2592000),
+    })
+    .optional()
+    .transform(v => v ?? { access_token_ttl_seconds: 900, refresh_token_ttl_seconds: 2592000 }),
+  hazo_auth__cookies: z
+    .object({
+      cookie_prefix: z.string().optional().default(''),
+      cookie_domain: z.string().optional().default(''),
+    })
+    .optional()
+    .transform(v => v ?? { cookie_prefix: '', cookie_domain: '' }),
+  hazo_auth__rate_limit: z
+    .object({
+      max_attempts: z.string().optional().transform(v => v ? parseInt(v, 10) : 5),
+      window_minutes: z.string().optional().transform(v => v ? parseInt(v, 10) : 5),
+    })
+    .optional()
+    .transform(v => v ?? { max_attempts: 5, window_minutes: 5 }),
+  log: z
+    .object({
+      overrides: z.record(z.string(), z.string()).optional().default({}),
+    })
+    .optional()
+    .transform(v => v ?? { overrides: {} }),
+});
+
+export type HazoAuthCoreConfig = z.infer<typeof HazoAuthCoreConfigSchema>;
+
+export function getHazoAuthCoreConfig(): HazoAuthCoreConfig {
+  return loadConfig<HazoAuthCoreConfig>({
+    pkg: 'hazo_auth',
+    schema: HazoAuthCoreConfigSchema as never,
+  });
+}

package/cli-src/lib/cookies_config.server.ts

@@ -2,7 +2,7 @@
 // section: server-only-guard
 import "server-only";
 
-
+import { HazoConfigError } from "hazo_core";
 import { read_config_section } from "./config/config_loader.server.js";
 
 // section: types
@@ -44,15 +44,18 @@ export function get_cookies_config(): CookiesConfig {
   const cookie_prefix = section?.cookie_prefix || "";
 
   if (!cookie_prefix) {
-    throw new Error(
-      "[hazo_auth] cookie_prefix is required but not configured.\n" +
-      "Set cookie_prefix in [hazo_auth__cookies] section of config/hazo_auth_config.ini:\n\n" +
-      "  [hazo_auth__cookies]\n" +
-      "  cookie_prefix = myapp_\n\n" +
-      "Also set the matching environment variable for Edge runtime (middleware):\n" +
-      "  HAZO_AUTH_COOKIE_PREFIX=myapp_\n\n" +
-      "This prevents cookie conflicts between apps using hazo_auth."
-    );
+    throw new HazoConfigError({
+      code: 'HAZO_AUTH_CONFIG',
+      pkg: 'hazo_auth',
+      message:
+        "[hazo_auth] cookie_prefix is required but not configured.\n" +
+        "Set cookie_prefix in [hazo_auth__cookies] section of config/hazo_auth_config.ini:\n\n" +
+        "  [hazo_auth__cookies]\n" +
+        "  cookie_prefix = myapp_\n\n" +
+        "Also set the matching environment variable for Edge runtime (middleware):\n" +
+        "  HAZO_AUTH_COOKIE_PREFIX=myapp_\n\n" +
+        "This prevents cookie conflicts between apps using hazo_auth.",
+    });
   }
 
   return {

package/cli-src/lib/hazo_connect_setup.server.ts

@@ -7,6 +7,7 @@ import "server-only";
 // section: imports
 import { createHazoConnect } from "hazo_connect/server";
 import { HazoConfig } from "hazo_config/server";
+import { HazoConfigError } from "hazo_core";
 import path from "path";
 import fs from "fs";
 import { create_app_logger } from "./app_logger.js";
@@ -79,10 +80,13 @@ function get_hazo_connect_config(): {
       );
       sqlite_path = path.normalize(fallback_sqlite_path);
     } else {
-      throw new Error(
-        "[hazo_auth] sqlite_path not configured. Set sqlite_path in [hazo_connect] section of config/hazo_auth_config.ini, " +
-        "or set HAZO_CONNECT_SQLITE_PATH environment variable."
-      );
+      throw new HazoConfigError({
+        code: 'HAZO_AUTH_CONFIG',
+        pkg: 'hazo_auth',
+        message:
+          "[hazo_auth] sqlite_path not configured. Set sqlite_path in [hazo_connect] section of config/hazo_auth_config.ini, " +
+          "or set HAZO_CONNECT_SQLITE_PATH environment variable.",
+      });
     }
 
     // Validate config keys for typos
@@ -132,9 +136,11 @@ function get_hazo_connect_config(): {
       process.env.POSTGREST_API_KEY;
 
     if (!postgrest_url) {
-      throw new Error(
-        "PostgREST URL is required. Set postgrest_url in [hazo_connect] section of hazo_auth_config.ini or HAZO_CONNECT_POSTGREST_URL environment variable."
-      );
+      throw new HazoConfigError({
+        code: 'HAZO_AUTH_CONFIG',
+        pkg: 'hazo_auth',
+        message: 'PostgREST URL is required. Set postgrest_url in [hazo_connect] section of hazo_auth_config.ini or HAZO_CONNECT_POSTGREST_URL environment variable.',
+      });
     }
 
     return {
@@ -145,9 +151,11 @@ function get_hazo_connect_config(): {
     };
   }
 
-  throw new Error(
-    `Unsupported HAZO_CONNECT_TYPE: ${type}. Supported types: sqlite, postgrest`
-  );
+  throw new HazoConfigError({
+    code: 'HAZO_AUTH_CONFIG',
+    pkg: 'hazo_auth',
+    message: `Unsupported HAZO_CONNECT_TYPE: ${type}. Supported types: sqlite, postgrest`,
+  });
 }
 
 /**
@@ -177,7 +185,7 @@ export function create_sqlite_hazo_connect_server() {
     });
   }
 
-  throw new Error(`Unsupported database type: ${config.type}`);
+  throw new HazoConfigError({ code: 'HAZO_AUTH_CONFIG', pkg: 'hazo_auth', message: `Unsupported database type: ${config.type}` });
 }
 
 /**

package/cli-src/lib/legal/legal_docs_service.ts

@@ -1,12 +1,13 @@
 // file_description: service functions for the legal document acceptance system
 // section: imports
 import { createCrudService } from 'hazo_connect/server';
+import { generateRequestId } from 'hazo_core';
 import type { LegalAcceptanceMap } from './legal_docs_types';
 
 // section: helpers
 
 function generate_id(): string {
-  return crypto.randomUUID();
+  return generateRequestId().slice(4);
 }
 
 // section: exports

package/cli-src/lib/services/email_service.ts

@@ -1,8 +1,9 @@
 // file_description: service for sending emails with template support
 // section: imports
 import { create_app_logger } from "../app_logger.js";
+import { HazoConfigError, optional_import } from "hazo_core";
 import { read_config_section } from "../config/config_loader.server.js";
-import type { EmailerConfig, SendEmailOptions } from "hazo_notify";
+import type { EmailerConfig, SendEmailOptions } from "hazo_notify/adapters/email";
 import type { HazoConnectInstance } from "hazo_notify/template_manager";
 
 // section: types
@@ -76,8 +77,11 @@ async function get_hazo_notify_instance(): Promise<EmailerConfig> {
     });
     try {
       // Dynamic import to avoid build-time issues with hazo_notify
-      const hazo_notify_module = await import("hazo_notify");
-      const { load_emailer_config } = hazo_notify_module;
+      const hazo_notify_email_module = await optional_import<typeof import("hazo_notify/adapters/email")>('hazo_notify/adapters/email');
+      if (!hazo_notify_email_module) {
+        throw new Error("hazo_notify is not installed");
+      }
+      const { load_emailer_config } = hazo_notify_email_module;
       hazo_notify_config = load_emailer_config();
     } catch (error) {
       const error_message = error instanceof Error ? error.message : "Unknown error";
@@ -86,7 +90,7 @@ async function get_hazo_notify_instance(): Promise<EmailerConfig> {
         line_number: 0,
         error: error_message,
       });
-      throw new Error(`Failed to load hazo_notify config: ${error_message}`);
+      throw new HazoConfigError({ code: 'HAZO_AUTH_CONFIG', pkg: 'hazo_auth', message: `Failed to load hazo_notify config: ${error_message}` });
     }
   }
   return hazo_notify_config;
@@ -263,8 +267,12 @@ export async function send_email(options: EmailOptions): Promise<{ success: bool
     const notify_config = await get_hazo_notify_instance();
 
     // Dynamic import to avoid build-time issues with hazo_notify
-    const hazo_notify_module = await import("hazo_notify");
-    const { send_email: hazo_notify_send_email } = hazo_notify_module;
+    const hazo_notify_email_module = await optional_import<typeof import("hazo_notify/adapters/email")>('hazo_notify/adapters/email');
+    if (!hazo_notify_email_module) {
+      throw new Error("hazo_notify is not installed");
+    }
+    const { get_email_provider } = hazo_notify_email_module;
+    const provider = get_email_provider(notify_config);
 
     // Get from email and from name (hazo_auth_config overrides hazo_notify_config)
     // Priority: 1. options.from (explicit parameter), 2. hazo_auth_config.from_email, 3. hazo_notify_config.from_email
@@ -285,7 +293,7 @@ export async function send_email(options: EmailOptions): Promise<{ success: bool
     };
 
     // Send email using hazo_notify
-    const result = await hazo_notify_send_email(hazo_notify_options, notify_config);
+    const result = await provider.send_email(hazo_notify_options, notify_config);
 
     if (result.success) {
       logger.info("email_sent", {
@@ -370,11 +378,14 @@ export async function send_template_email(
     }
 
     if (!hazo_notify_connect) {
-      throw new Error(
-        "hazo_notify connect not initialized. Call set_hazo_notify_connect() " +
+      throw new HazoConfigError({
+        code: 'HAZO_AUTH_CONFIG',
+        pkg: 'hazo_auth',
+        message:
+          "hazo_notify connect not initialized. Call set_hazo_notify_connect() " +
           "from instrumentation.ts with the same HazoConnectInstance you pass " +
-          "to init_template_manager({ hazo_connect_factory })."
-      );
+          "to init_template_manager({ hazo_connect_factory }).",
+      });
     }
 
     const notify_config = await get_hazo_notify_instance();

package/cli-src/lib/services/firm_service.ts

@@ -2,6 +2,7 @@
 // section: imports
 import type { HazoConnectAdapter } from "hazo_connect";
 import { createCrudService } from "hazo_connect/server";
+import { generateRequestId } from "hazo_core";
 import { create_app_logger } from "../app_logger.js";
 import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
 import { create_scope, type ScopeRecord } from "./scope_service.js";
@@ -146,7 +147,7 @@ async function assign_owner_permissions(
 
       if (!Array.isArray(permissions) || permissions.length === 0) {
         // Create permission with generated UUID
-        const perm_id = crypto.randomUUID();
+        const perm_id = generateRequestId().slice(4);
         const inserted = await permission_service.insert({
           id: perm_id,
           permission_name: perm_name,

package/cli-src/lib/services/otp_service.ts

@@ -1,5 +1,6 @@
 import "server-only";
 import crypto from "node:crypto";
+import { generateRequestId } from "hazo_core";
 import argon2 from "argon2";
 import { createCrudService } from "hazo_connect/server";
 import { get_otp_config, hazo_auth_otp_session_ttl_seconds } from "../otp_config.server.js";
@@ -133,7 +134,7 @@ export async function request_email_otp(args: {
   const code = generate_otp_code();
   const otp_hash = await hash_otp_code(code);
   const expires_at = new Date(Date.now() + cfg.code_ttl_seconds * 1000).toISOString();
-  const row_id = crypto.randomUUID();
+  const row_id = generateRequestId().slice(4);
 
   await otp_table.insert({
     id: row_id,
@@ -244,7 +245,7 @@ export async function verify_email_otp(args: {
     }
   } else if (cfg.auto_register) {
     // Create user + bind scope/role
-    const new_user_id = crypto.randomUUID();
+    const new_user_id = generateRequestId().slice(4);
     await users_table.insert({
       id: new_user_id,
       email_address: email,

package/cli-src/lib/services/profile_picture_service.ts

@@ -3,6 +3,7 @@
 import type { HazoConnectAdapter } from "hazo_connect";
 import { createCrudService } from "hazo_connect/server";
 import gravatarUrl from "gravatar-url";
+import { fetchWithRequestId } from "hazo_core";
 import { get_profile_picture_config } from "../profile_picture_config.server.js";
 import { get_ui_sizes_config } from "../ui_sizes_config.server.js";
 import { get_file_types_config } from "../file_types_config.server.js";
@@ -304,7 +305,7 @@ async function check_gravatar_exists(email: string): Promise<boolean> {
     const gravatar_url = get_gravatar_url(email, uiSizes.gravatar_size);
 
     // Make HEAD request to check if image exists without downloading it
-    const response = await fetch(gravatar_url, {
+    const response = await fetchWithRequestId(gravatar_url, {
       method: 'HEAD',
       // Add timeout to prevent hanging
       signal: AbortSignal.timeout(5000) // 5 second timeout

package/cli-src/lib/services/relationship_service.ts

@@ -2,6 +2,7 @@
 // section: imports
 import type { HazoConnectAdapter } from "hazo_connect";
 import { createCrudService } from "hazo_connect/server";
+import { generateRequestId } from "hazo_core";
 import argon2 from "argon2";
 import { create_app_logger } from "../app_logger.js";
 import { get_relationships_config, get_allowed_relationship_types } from "../relationships_config.server.js";
@@ -66,7 +67,7 @@ export function get_display_email(email: string | null | undefined): string | nu
 }
 
 function generate_sentinel_email(): string {
-  return `${SENTINEL_PREFIX}${crypto.randomUUID()}${SENTINEL_DOMAIN}`;
+  return `${SENTINEL_PREFIX}${generateRequestId().slice(4)}${SENTINEL_DOMAIN}`;
 }
 
 // section: helpers
@@ -129,8 +130,8 @@ export async function create_managed_child(
     }
 
     // Generate IDs
-    const child_user_id = crypto.randomUUID();
-    const relationship_id = crypto.randomUUID();
+    const child_user_id = generateRequestId().slice(4);
+    const relationship_id = generateRequestId().slice(4);
     const now = new Date().toISOString();
 
     // Insert managed child user
@@ -375,7 +376,7 @@ export async function create_self_relationship(
     }
 
     const config = get_relationships_config();
-    const relationship_id = crypto.randomUUID();
+    const relationship_id = generateRequestId().slice(4);
     const now = new Date().toISOString();
 
     await relationships_service.insert({

package/cli-src/lib/services/session_token_service.ts

@@ -2,6 +2,7 @@
 // Uses jose library for Edge-compatible JWT operations
 // section: imports
 import { SignJWT, jwtVerify } from "jose";
+import { HazoConfigError, HazoAuthError } from "hazo_core";
 import { create_app_logger } from "../app_logger.js";
 import { get_filename, get_line_number } from "../utils/api_route_helpers.js";
 
@@ -37,7 +38,7 @@ function get_jwt_secret(): Uint8Array {
       line_number: get_line_number(),
       error: "JWT_SECRET environment variable is required",
     });
-    throw new Error("JWT_SECRET environment variable is required");
+    throw new HazoConfigError({ code: 'HAZO_AUTH_CONFIG', pkg: 'hazo_auth', message: 'JWT_SECRET environment variable is required' });
   }
   
   // Convert string secret to Uint8Array for jose
@@ -112,7 +113,7 @@ export async function create_session_token(
       error_stack,
     });
     
-    throw new Error("Failed to create session token");
+    throw new HazoAuthError({ code: 'HAZO_AUTH_INVALID_TOKEN', pkg: 'hazo_auth', message: 'Failed to create session token' });
   }
 }
 

package/cli-src/lib/utils/api_route_helpers.ts

@@ -1,60 +1,5 @@
 // file_description: shared helper functions for API routes to get filename and line number
-// section: helpers
-/**
- * Gets the filename from the call stack
- * This is a simplified version that extracts the filename from the error stack
- * @returns Filename or "route.ts" as default
- */
-export function get_filename(): string {
-  try {
-    const stack = new Error().stack;
-    if (!stack) {
-      return "route.ts";
-    }
-
-    // Parse stack trace to find the caller's file
-    const lines = stack.split("\n");
-    // Skip Error line and get_filename line, get the actual caller
-    for (let i = 2; i < lines.length; i++) {
-      const line = lines[i];
-      // Match file paths in stack trace (e.g., "at /path/to/file.ts:123:45")
-      const match = line.match(/([^/\\]+\.tsx?):(\d+):(\d+)/);
-      if (match) {
-        return match[1];
-      }
-    }
-    return "route.ts";
-  } catch {
-    return "route.ts";
-  }
-}
-
-/**
- * Gets the line number from the call stack
- * This is a simplified version that extracts the line number from the error stack
- * @returns Line number or 0
- */
-export function get_line_number(): number {
-  try {
-    const stack = new Error().stack;
-    if (!stack) {
-      return 0;
-    }
-
-    // Parse stack trace to find the caller's line number
-    const lines = stack.split("\n");
-    // Skip Error line and get_line_number line, get the actual caller
-    for (let i = 2; i < lines.length; i++) {
-      const line = lines[i];
-      // Match line numbers in stack trace (e.g., "at /path/to/file.ts:123:45")
-      const match = line.match(/([^/\\]+\.tsx?):(\d+):(\d+)/);
-      if (match) {
-        return parseInt(match[2], 10) || 0;
-      }
-    }
-    return 0;
-  } catch {
-    return 0;
-  }
-}
-
+// Canonical location moved to hazo_logs/src/lib/utils/caller_info.ts.
+// This re-export maintains backward compatibility for hazo_auth consumers.
+// Will be removed in hazo_auth v9 — import from 'hazo_logs' directly.
+export { get_filename, get_line_number } from 'hazo_logs';

package/cli-src/lib/utils/get_origin_url.ts

@@ -1,61 +1,5 @@
-// file_description: Resolves the public-facing origin URL for constructing redirects
-// When running behind a reverse proxy (Cloudflare, nginx), request.url resolves to
-// the internal address (e.g. http://localhost:3000). This utility returns the correct
-// public origin using NEXTAUTH_URL, falling back to request.url.
-
-/**
- * Gets the public-facing origin URL for redirect construction.
- *
- * Behind reverse proxies (Cloudflare, nginx, etc.), `request.url` contains the
- * internal address (e.g. `http://localhost:3000`), not the public domain.
- * This function returns the correct origin from environment variables.
- *
- * Priority: NEXTAUTH_URL > APP_DOMAIN_NAME > NEXT_PUBLIC_APP_URL > APP_URL > request.url
- *
- * @param request_url - The request.url to use as fallback
- * @returns The origin URL (e.g. "https://gotimer.org")
- */
-export function get_origin_url(request_url: string): string {
-  // NEXTAUTH_URL is the standard for NextAuth.js apps
-  const nextauth_url = process.env.NEXTAUTH_URL;
-  if (nextauth_url) {
-    return nextauth_url.replace(/\/$/, "");
-  }
-
-  // APP_DOMAIN_NAME (with protocol handling)
-  const app_domain = process.env.APP_DOMAIN_NAME;
-  if (app_domain) {
-    const domain = app_domain.trim();
-    if (domain.startsWith("http://") || domain.startsWith("https://")) {
-      return domain.replace(/\/$/, "");
-    }
-    return `https://${domain}`;
-  }
-
-  // Other common env vars
-  const env_url = process.env.NEXT_PUBLIC_APP_URL || process.env.APP_URL;
-  if (env_url) {
-    return env_url.replace(/\/$/, "");
-  }
-
-  // Fallback to request.url (works in development without a proxy)
-  try {
-    const url = new URL(request_url);
-    return url.origin;
-  } catch {
-    return request_url;
-  }
-}
-
-/**
- * Creates a URL using the public-facing origin instead of request.url.
- * Drop-in replacement for `new URL(path, request.url)` in route handlers.
- *
- * @param path - The path or relative URL (e.g. "/hazo_auth/login")
- * @param request_url - The request.url (used as fallback only)
- * @returns A URL object with the correct public origin
- */
-export function create_redirect_url(path: string, request_url: string): URL {
-  const origin = get_origin_url(request_url);
-  return new URL(path, origin);
-}
+// file_description: Re-exports get_origin_url and create_redirect_url from hazo_core.
+// Canonical location moved to hazo_core/http in hazo_core v1.
+// This re-export maintains backward compatibility for hazo_auth consumers.
+// Will be removed in hazo_auth v9 — import from 'hazo_core' directly.
+export { get_origin_url, create_redirect_url } from 'hazo_core';