hazo_auth 9.0.1 → 10.0.0

package/README.md

@@ -2,6 +2,17 @@
 
 A reusable authentication UI component package powered by Next.js, TailwindCSS, and shadcn. It integrates `hazo_config` for configuration management and `hazo_connect` for data access, enabling future components to stay aligned with platform conventions.
 
+### What's New in v9.1.1 🔧
+
+**Dev-server noise fixes for Next.js 16 + Turbopack**
+
+- `next.config.mjs`: `hazo_core` and `hazo_config` added to `serverExternalPackages`. Turbopack was bundling hazo_config and breaking `ini.parse()` CJS interop, causing every config-section read to throw and producing `config_loader_read_section_failed` ×9 + `me_endpoint_error` per request.
+- `config/hazo_auth_config.ini`: renamed `[log.overrides]` → `[log_overrides]`. The `ini` v4 library parses dots in section names as nesting separators, creating null-prototype objects that hazo_config cannot stringify. Dotted section names must be avoided.
+- `src/lib/config/config_loader.server.ts`: `HazoConfig` instances are now memoized per resolved file path — one INI parse per server process instead of one per getter call.
+- Companion fixes in hazo_core@1.0.3 (registerSingleton moved to module level, hazo_debug probe → lazy import) and hazo_config@2.1.9 (hazo_core/errors probe → lazy import, graceful skip of null-prototype nested objects in refresh()).
+
+> **Action required if you use `[log.overrides]` in your app's config:** rename it to `[log_overrides]` (or any non-dotted name). This applies to any hazo_config-backed INI file, not just hazo_auth.
+
 ### What's New in v8.0.1 🔧
 
 **Auto-test and middleware bug fixes**
@@ -207,7 +218,7 @@ See [CHANGE_LOG.md](./CHANGE_LOG.md) for detailed migration guide, rationale, an
 
 ```bash
 # Install hazo_auth and required peer dependencies
-npm install hazo_auth hazo_config hazo_connect hazo_logs next react react-dom next-auth
+npm install hazo_auth hazo_core hazo_config hazo_connect hazo_logs next react react-dom next-auth
 
 # UI peer dependencies (required if using hazo_auth UI components)
 npm install hazo_ui lucide-react sonner next-themes @radix-ui/react-accordion @radix-ui/react-alert-dialog @radix-ui/react-avatar @radix-ui/react-checkbox @radix-ui/react-dialog @radix-ui/react-dropdown-menu @radix-ui/react-hover-card @radix-ui/react-label @radix-ui/react-select @radix-ui/react-separator @radix-ui/react-slot @radix-ui/react-switch @radix-ui/react-tabs @radix-ui/react-tooltip
@@ -231,7 +242,7 @@ The fastest way to get started is using the CLI commands:
 
 ```bash
 # 1. Install the package and peer dependencies
-npm install hazo_auth hazo_config hazo_connect hazo_logs next react react-dom next-auth
+npm install hazo_auth hazo_core hazo_config hazo_connect hazo_logs next react react-dom next-auth
 
 # 2. Initialize your project (directories, config, database, images)
 npx hazo_auth init
@@ -425,7 +436,7 @@ import { hazo_get_auth } from "hazo_auth/lib/auth/hazo_get_auth.server";
 
 **Peer Dependencies (Required):**
 ```bash
-npm install hazo_config hazo_connect hazo_logs
+npm install hazo_core hazo_config hazo_connect hazo_logs
 ```
 
 **UI Components:** All shadcn/ui components are bundled with hazo_auth. You do NOT need to install them separately.
@@ -731,9 +742,7 @@ CREATE INDEX idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- 7a. Reserved system scopes
-INSERT INTO hazo_scopes (id, parent_id, name, level)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system')
-ON CONFLICT (id) DO NOTHING;
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT INTO hazo_scopes (id, parent_id, name, level)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default')
 ON CONFLICT (id) DO NOTHING;
@@ -889,8 +898,7 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- Reserved system scopes
-INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', datetime('now'), datetime('now'));
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', datetime('now'), datetime('now'));
 
@@ -1732,7 +1740,6 @@ type TenantOrganization = {
   slug: string | null;          // URL-friendly identifier
   level: string;                // "Company", "Division", etc.
   role_id: string;              // User's role in this scope
-  is_super_admin: boolean;
   branding?: {
     logo_url: string | null;
     primary_color: string | null;
@@ -2489,6 +2496,28 @@ import { ProfilePicMenu } from "hazo_auth/components/layouts/shared";
 />
 ```
 
+#### Menu item types
+
+`custom_menu_items` accepts four `type` values:
+
+| Type | Renders as | Fields used |
+|------|------------|-------------|
+| `info` | Read-only label/value row | `label`, `value` |
+| `link` | Navigation link | `label`, `href` |
+| `separator` | Divider | — |
+| `action` | Clickable item that fires a client-side callback | `label`, `onSelect` |
+
+```typescript
+<ProfilePicMenu
+  variant="dropdown"
+  custom_menu_items={[
+    { type: "action", label: "Switch workspace", onSelect: () => openSwitcher(), order: 1, id: "switch" }
+  ]}
+/>
+```
+
+> **`action` items are React-only.** Because `onSelect` is a function, action items cannot be expressed via the INI `custom_menu_items` config (which only supports the serialisable `info` / `link` / `separator` types) — pass them through the `custom_menu_items` prop instead.
+
 ### Configuration
 
 ```ini
@@ -2879,8 +2908,7 @@ Retrieves basic profile information for multiple users in a single batch call.
 **Location:** `src/lib/services/user_profiles_service.ts`
 
 ```typescript
-import { hazo_get_user_profiles } from "hazo_auth/lib/services/user_profiles_service";
-import { get_hazo_connect_instance } from "hazo_auth/server/hazo_connect_instance.server";
+import { hazo_get_user_profiles, get_hazo_connect_instance } from "hazo_auth/server-lib";
 
 export async function GET(request: NextRequest) {
   const adapter = get_hazo_connect_instance();

package/SETUP_CHECKLIST.md

@@ -2,6 +2,35 @@
 
 This checklist provides step-by-step instructions for setting up the `hazo_auth` package in your Next.js project. AI assistants can follow this guide to ensure complete and correct setup.
 
+## v9.1.1 — Next.js 16 / Turbopack setup (new installs and migrations)
+
+### Add to `serverExternalPackages`
+
+hazo_core and hazo_config use CJS dependencies (`ini`, optional peer probes) that Turbopack cannot bundle cleanly. Add them to the external packages list in `next.config.mjs` / `next.config.js`:
+
+```js
+const nextConfig = {
+  serverExternalPackages: [
+    "hazo_notify", "argon2",
+    "hazo_core", "hazo_config",  // required for Next 16 + Turbopack
+  ],
+};
+```
+
+### Avoid dotted section names in INI config files
+
+`ini` v4 parses dots in section headers as nesting separators (`[log.overrides]` becomes `parsed.log.overrides`). hazo_config uses flat sections — use underscores instead:
+
+```ini
+# Bad: creates a nested null-prototype object that hazo_config cannot stringify
+[log.overrides]
+
+# Good:
+[log_overrides]
+```
+
+---
+
 ## v8.0.0 Migration (from v7.x)
 
 ### Breaking changes
@@ -515,9 +544,7 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- Reserved system scopes
-INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', datetime('now'), datetime('now'));
-
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', datetime('now'), datetime('now'));
 
@@ -704,10 +731,7 @@ CREATE INDEX idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- 7a. Reserved system scopes
-INSERT INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', NOW(), NOW())
-ON CONFLICT (id) DO NOTHING;
-
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', NOW(), NOW())
 ON CONFLICT (id) DO NOTHING;
@@ -868,8 +892,8 @@ GRANT USAGE ON TYPE hazo_enum_invitation_status TO anon, authenticated;
   - [ ] `hazo_invitations`
   - [ ] `hazo_user_relationships` (managed sub-profile parent/child links)
 - [ ] Reserved system scopes inserted:
-  - [ ] `00000000-0000-0000-0000-000000000000` (Super Admin)
   - [ ] `00000000-0000-0000-0000-000000000001` (System / non-multi-tenancy default)
+- [ ] Migration 020 run: Super Admin scope retired, `hazo_org_global_admin` permission granted to affected roles
 - [ ] `firm_admin` role inserted into `hazo_roles`
 
 ---
@@ -1739,10 +1763,7 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- 3. Create system scopes
-INSERT INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', NOW(), NOW())
-ON CONFLICT (id) DO NOTHING;
-
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', NOW(), NOW())
 ON CONFLICT (id) DO NOTHING;
@@ -1832,9 +1853,7 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- 3. Create system scopes
-INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', datetime('now'), datetime('now'));
-
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', datetime('now'), datetime('now'));
 
@@ -1930,8 +1949,8 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
   - [ ] `hazo_user_scopes` (user-scope-role assignments)
   - [ ] `hazo_invitations` (user invitation flow)
 - [ ] System scopes exist:
-  - [ ] Super Admin scope (00000000-0000-0000-0000-000000000000)
   - [ ] Default System scope (00000000-0000-0000-0000-000000000001)
+- [ ] Migration 020 run: Super Admin scope retired, `hazo_org_global_admin` permission granted
 - [ ] Grants applied (PostgreSQL)
 - [ ] HRBAC tabs visible in User Management
 - [ ] Scope test page works

package/cli-src/cli/init_users.ts

@@ -5,7 +5,8 @@ import { createCrudService } from "hazo_connect/server";
 import { get_user_management_config } from "../lib/user_management_config.server.js";
 import { get_config_value } from "../lib/config/config_loader.server.js";
 import { create_app_logger } from "../lib/app_logger.js";
-import { SUPER_ADMIN_SCOPE_ID } from "../lib/services/scope_service.js";
+import { DEFAULT_SYSTEM_SCOPE_ID } from "../lib/services/scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../lib/constants.js";
 
 // section: types
 type InitSummary = {
@@ -23,10 +24,6 @@ type InitSummary = {
     existing: number;
   };
   // v5.x: Removed user_role - roles are now assigned via hazo_user_scopes
-  super_admin_scope: {
-    inserted: boolean;
-    existing: boolean;
-  };
   user_scope: {
     inserted: boolean;
     existing: boolean;
@@ -77,23 +74,13 @@ function print_summary(summary: InitSummary): void {
 
   // v5.x: User-Role assignments are now handled via User-Scope assignments (see below)
 
-  // Super admin scope summary
-  console.log("Super Admin Scope:");
-  if (summary.super_admin_scope.inserted) {
-    console.log(`  ✓ Inserted: Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-  }
-  if (summary.super_admin_scope.existing) {
-    console.log(`  ⊙ Already existed: Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-  }
-  console.log();
-
   // User scope summary
   console.log("User-Scope Assignment:");
   if (summary.user_scope.inserted) {
-    console.log(`  ✓ Inserted: User assigned to Super Admin scope`);
+    console.log(`  ✓ Inserted: User assigned to default system scope`);
   }
   if (summary.user_scope.existing) {
-    console.log(`  ⊙ Already existed: User already in Super Admin scope`);
+    console.log(`  ⊙ Already existed: User already in default system scope`);
   }
   console.log();
 
@@ -131,10 +118,6 @@ export async function handle_init_users(options: InitUsersOptions = {}): Promise
       existing: 0,
     },
     // v5.x: Removed user_role - roles are now assigned via hazo_user_scopes
-    super_admin_scope: {
-      inserted: false,
-      existing: false,
-    },
     user_scope: {
       inserted: false,
       existing: false,
@@ -155,7 +138,6 @@ export async function handle_init_users(options: InitUsersOptions = {}): Promise
     });
     const users_service = createCrudService(hazoConnect, "hazo_users");
     // v5.x: Removed hazo_user_roles - roles are now assigned via hazo_user_scopes
-    const scopes_service = createCrudService(hazoConnect, "hazo_scopes");
     // hazo_user_scopes uses composite primary key (user_id, scope_id), no 'id' column
     const user_scopes_service = createCrudService(hazoConnect, "hazo_user_scopes", {
       primaryKeys: ["user_id", "scope_id"],
@@ -317,54 +299,63 @@ export async function handle_init_users(options: InitUsersOptions = {}): Promise
     console.log(`✓ Found user: ${super_user_email} (ID: ${user_id})`);
     console.log();
 
-    // v5.x: Step 7 removed - role assignment now happens via hazo_user_scopes (see step 9)
-
-    // 8. Ensure super admin scope exists
-    const existing_scopes = await scopes_service.findBy({ id: SUPER_ADMIN_SCOPE_ID });
-
-    if (Array.isArray(existing_scopes) && existing_scopes.length > 0) {
-      summary.super_admin_scope.existing = true;
-      console.log(`✓ Super Admin scope already exists (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-    } else {
-      await scopes_service.insert({
-        id: SUPER_ADMIN_SCOPE_ID,
-        parent_id: null,
-        name: "Super Admin",
-        level: "system",
+    // 7. Ensure hazo_org_global_admin is in the permission catalog
+    const global_admin_perms = await permissions_service.findBy({
+      permission_name: GLOBAL_ADMIN_PERMISSION,
+    });
+    if (!Array.isArray(global_admin_perms) || global_admin_perms.length === 0) {
+      await permissions_service.insert({
+        permission_name: GLOBAL_ADMIN_PERMISSION,
+        description: "Global admin — access to all scopes and operations",
         created_at: now,
         changed_at: now,
       });
-      summary.super_admin_scope.inserted = true;
-      console.log(`✓ Created Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
+      console.log(`✓ Created permission: ${GLOBAL_ADMIN_PERMISSION}`);
+    } else {
+      console.log(`✓ Permission already exists: ${GLOBAL_ADMIN_PERMISSION}`);
     }
+    console.log();
 
+    // 9. Ensure hazo_org_global_admin is assigned to the super user role
+    // (The role already has all configured permissions; this ensures the global admin perm is included)
+    const perm_row = await permissions_service.findBy({ permission_name: GLOBAL_ADMIN_PERMISSION });
+    const perm_id = Array.isArray(perm_row) && perm_row.length > 0 ? (perm_row[0].id as string) : null;
+    if (perm_id && role_id) {
+      const existing_rp = await role_permissions_service.findBy({ role_id, permission_id: perm_id });
+      if (!Array.isArray(existing_rp) || existing_rp.length === 0) {
+        await role_permissions_service.insert({ role_id, permission_id: perm_id });
+        console.log(`✓ Assigned ${GLOBAL_ADMIN_PERMISSION} to super user role`);
+      } else {
+        console.log(`✓ Super user role already has ${GLOBAL_ADMIN_PERMISSION}`);
+      }
+    }
     console.log();
 
-    // 9. Assign user to super admin scope
+    // 10. Assign user to DEFAULT_SYSTEM_SCOPE_ID (global access comes from the permission, not the scope)
     const existing_user_scopes = await user_scopes_service.findBy({
       user_id,
-      scope_id: SUPER_ADMIN_SCOPE_ID,
+      scope_id: DEFAULT_SYSTEM_SCOPE_ID,
     });
 
     if (Array.isArray(existing_user_scopes) && existing_user_scopes.length > 0) {
       summary.user_scope.existing = true;
-      console.log(`✓ User already assigned to Super Admin scope`);
+      console.log(`✓ User already assigned to default system scope`);
     } else {
       await user_scopes_service.insert({
         user_id,
-        scope_id: SUPER_ADMIN_SCOPE_ID,
-        root_scope_id: SUPER_ADMIN_SCOPE_ID,
+        scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+        root_scope_id: DEFAULT_SYSTEM_SCOPE_ID,
         role_id,
         created_at: now,
         changed_at: now,
       });
       summary.user_scope.inserted = true;
-      console.log(`✓ Assigned user to Super Admin scope`);
+      console.log(`✓ Assigned user to default system scope`);
     }
 
     console.log();
 
-    // 10. Print summary
+    // 11. Print summary
     print_summary(summary);
 
     logger.info("init_users_completed", {
@@ -402,15 +393,16 @@ export function show_init_users_help(): void {
   console.log(`
 hazo_auth init-users
 
-Initialize users, roles, permissions, and super admin scope from configuration.
+Initialize users, roles, and permissions from configuration.
 
 This command reads from hazo_auth_config.ini and:
   1. Creates permissions from [hazo_auth__user_management] application_permission_list_defaults
   2. Creates a 'default_super_user_role' role
   3. Assigns all permissions to the super user role
   4. Finds user by email (from --email parameter or config)
-  5. Creates the Super Admin scope (${SUPER_ADMIN_SCOPE_ID})
-  6. Assigns the user to the Super Admin scope with the super user role
+  5. Ensures the '${GLOBAL_ADMIN_PERMISSION}' permission exists and is assigned to the super user role
+  6. Assigns the user to the default system scope (${DEFAULT_SYSTEM_SCOPE_ID})
+     Global admin access is granted via the '${GLOBAL_ADMIN_PERMISSION}' permission, not by scope
      (v5.x: Roles are assigned per-scope via hazo_user_scopes table)
 
 Options:

package/cli-src/lib/auth/auth_types.ts

@@ -24,7 +24,6 @@ export type HazoAuthUser = {
 export type ScopeAccessInfo = {
   scope_id: string;
   scope_name?: string;
-  is_super_admin?: boolean;
 };
 
 /**
@@ -135,7 +134,6 @@ export type TenantOrganization = {
   slug: string | null;
   level: string;
   role_id: string;
-  is_super_admin: boolean;
   branding?: {
     logo_url: string | null;
     primary_color: string | null;

package/cli-src/lib/auth/hazo_get_auth.server.ts

@@ -30,6 +30,7 @@ import {
 } from "../services/user_scope_service.js";
 import { get_cookie_name, BASE_COOKIE_NAMES } from "../cookies_config.server.js";
 import { get_app_permission_descriptions } from "../app_permissions_config.server.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
 
 // section: helpers
 
@@ -383,7 +384,6 @@ async function check_scope_access_internal(
       scope_access_via: {
         scope_id: result.access_via.scope_id,
         scope_name: result.access_via.scope_name,
-        is_super_admin: result.is_super_admin,
       },
       user_scopes,
     };
@@ -587,31 +587,37 @@ export async function hazo_get_auth(
   const hrbac_enabled = is_hrbac_enabled();
 
   if (hrbac_enabled && options?.scope_id) {
-    const scope_result = await check_scope_access_internal(
-      user.id,
-      options.scope_id,
-    );
-
-    scope_ok = scope_result.scope_ok;
-    scope_access_via = scope_result.scope_access_via;
-
-    // Log scope denial if permission logging is enabled
-    if (!scope_ok && config.log_permission_denials) {
-      const client_ip = get_client_ip(request);
-      logger.warn("auth_utility_scope_access_denied", {
-        filename: get_filename(),
-        line_number: get_line_number(),
-        user_id: user.id,
-        scope_id: options.scope_id,
-        user_scopes: scope_result.user_scopes,
-        ip: client_ip,
-        correlation_id: getCorrelationId(),
-      });
-    }
+    // Global admin permission grants access to all scopes
+    const has_global_admin = permissions.includes(GLOBAL_ADMIN_PERMISSION);
+    if (has_global_admin) {
+      scope_ok = true;
+      scope_access_via = { scope_id: options.scope_id };
+    } else {
+      const scope_result = await check_scope_access_internal(
+        user.id,
+        options.scope_id,
+      );
+      scope_ok = scope_result.scope_ok;
+      scope_access_via = scope_result.scope_access_via;
+
+      // Log scope denial if permission logging is enabled
+      if (!scope_ok && config.log_permission_denials) {
+        const client_ip = get_client_ip(request);
+        logger.warn("auth_utility_scope_access_denied", {
+          filename: get_filename(),
+          line_number: get_line_number(),
+          user_id: user.id,
+          scope_id: options.scope_id,
+          user_scopes: scope_result.user_scopes,
+          ip: client_ip,
+          correlation_id: getCorrelationId(),
+        });
+      }
 
-    // Throw error if strict mode and scope access denied
-    if (!scope_ok && options.strict) {
-      throw new ScopeAccessError(options.scope_id, scope_result.user_scopes);
+      // Throw error if strict mode and scope access denied
+      if (!scope_ok && options.strict) {
+        throw new ScopeAccessError(options.scope_id, scope_result.user_scopes);
+      }
     }
   }
 

package/cli-src/lib/auth/hazo_get_tenant_auth.server.ts

@@ -7,6 +7,7 @@ import { NextRequest } from "next/server";
 import { hazo_get_auth } from "./hazo_get_auth.server.js";
 import { get_auth_cache } from "./auth_cache.js";
 import { get_scope_by_id } from "../services/scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { get_cookie_name } from "../cookies_config.server.js";
 import { get_auth_utility_config } from "../auth_utility_config.server.js";
@@ -62,14 +63,12 @@ export function extract_scope_id_from_request(
 }
 
 /**
- * Builds TenantOrganization from scope details and access info
+ * Builds TenantOrganization from scope details
  * @param scope_details - Full scope details from cache
- * @param is_super_admin - Whether user is accessing as super admin
  * @returns TenantOrganization object
  */
 function build_tenant_organization(
   scope_details: ScopeDetails,
-  is_super_admin: boolean,
 ): TenantOrganization {
   return {
     id: scope_details.id,
@@ -77,7 +76,6 @@ function build_tenant_organization(
     slug: scope_details.slug,
     level: scope_details.level,
     role_id: scope_details.role_id,
-    is_super_admin,
     branding:
       scope_details.logo_url || scope_details.primary_color
         ? {
@@ -159,18 +157,17 @@ export async function hazo_get_tenant_auth(
   let organization: TenantOrganization | null = null;
 
   if (scope_id && auth_result.scope_ok && auth_result.scope_access_via) {
-    // Find the scope in user's scopes that matches the access_via scope
+    // Try to find the scope in user's cached scope assignments first.
+    // For global admins the scope may not be in their cache (they can access any scope),
+    // in which case we fall through to the permission-based fetch below.
     const access_scope = user_scopes.find(
       (s) => s.id === auth_result.scope_access_via?.scope_id,
     );
 
     if (access_scope) {
-      organization = build_tenant_organization(
-        access_scope,
-        auth_result.scope_access_via.is_super_admin || false,
-      );
-    } else if (auth_result.scope_access_via.is_super_admin) {
-      // Super admin accessing scope they're not assigned to - fetch scope details
+      organization = build_tenant_organization(access_scope);
+    } else if (auth_result.permissions.includes(GLOBAL_ADMIN_PERMISSION)) {
+      // Global admin accessing a scope they aren't directly assigned to — fetch scope details
       const hazoConnect = get_hazo_connect_instance();
       const scope_result = await get_scope_by_id(hazoConnect, scope_id);
       if (scope_result.success && scope_result.scope) {
@@ -179,8 +176,7 @@ export async function hazo_get_tenant_auth(
           name: scope_result.scope.name,
           slug: null, // Could fetch from scope if slug column exists
           level: scope_result.scope.level,
-          role_id: "", // Super admin doesn't have a role in the scope
-          is_super_admin: true,
+          role_id: "", // Global admin doesn't have a role assignment in the scope
           branding: scope_result.scope.logo_url
             ? {
                 logo_url: scope_result.scope.logo_url,

package/cli-src/lib/config/config_loader.server.ts

@@ -11,6 +11,15 @@ import { create_app_logger } from "../app_logger.js";
 // section: constants
 const DEFAULT_CONFIG_FILE = "config/hazo_auth_config.ini";
 
+// section: config_instance_cache
+// Cache HazoConfig instances by resolved file path so we never construct (and re-parse)
+// more than one instance per config file per server process. This prevents repeated
+// warnings when multiple getters read the same file in a single request, and eliminates
+// redundant synchronous file I/O.
+const _config_instance_cache = new Map<string, HazoConfig>();
+// Track paths that failed to construct so we don't retry and warn repeatedly.
+const _config_failed_paths = new Set<string>();
+
 // section: helpers
 /**
  * Gets the default config file path
@@ -24,6 +33,35 @@ function get_config_file_path(custom_path?: string): string {
   return path.resolve(process.cwd(), DEFAULT_CONFIG_FILE);
 }
 
+/**
+ * Returns a cached HazoConfig instance for the given path, constructing one if needed.
+ * Returns null if construction fails (logs the error once on first failure).
+ */
+function get_config_instance(
+  config_path: string,
+  logger: ReturnType<typeof create_app_logger>,
+): HazoConfig | null {
+  const cached = _config_instance_cache.get(config_path);
+  if (cached) return cached;
+  if (_config_failed_paths.has(config_path)) return null;
+
+  try {
+    const instance = new HazoConfig({ filePath: config_path });
+    _config_instance_cache.set(config_path, instance);
+    return instance;
+  } catch (error) {
+    _config_failed_paths.add(config_path);
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    logger.warn("config_loader_construct_failed", {
+      filename: "config_loader.server.ts",
+      line_number: 0,
+      config_path,
+      error: error_message,
+    });
+    return null;
+  }
+}
+
 /**
  * Reads a section from the config file
  * @param section_name - Name of the section to read (e.g., "hazo_auth__register_layout")
@@ -41,10 +79,10 @@ export function read_config_section(
     return undefined;
   }
 
+  const hazo_config = get_config_instance(config_path, logger);
+  if (!hazo_config) return undefined;
+
   try {
-    const hazo_config = new HazoConfig({
-      filePath: config_path,
-    });
     return hazo_config.getSection(section_name);
   } catch (error) {
     const error_message = error instanceof Error ? error.message : "Unknown error";

package/cli-src/lib/config/hazo_auth_core_config.ts

@@ -1,5 +1,5 @@
 // file_description: Zod-validated config loader for hazo_auth core settings.
-// Covers server-critical sections ([hazo_auth__tokens], [hazo_auth__cookies], [hazo_auth__rate_limit], [log.overrides]).
+// Covers server-critical sections ([hazo_auth__tokens], [hazo_auth__cookies], [hazo_auth__rate_limit], [log_overrides]).
 // UI sections (login_layout, register_layout, etc.) are still handled by config_loader.server.ts.
 import { z } from 'zod';
 import { loadConfig } from 'hazo_core';

package/cli-src/lib/constants.ts

@@ -13,3 +13,5 @@ export const HAZO_AUTH_PERMISSIONS = {
 } as const;
 
 export const ALL_ADMIN_PERMISSIONS: string[] = Object.values(HAZO_AUTH_PERMISSIONS);
+
+export const GLOBAL_ADMIN_PERMISSION = "hazo_org_global_admin";