hazo_auth 9.0.1 → 10.0.0

package/cli-src/lib/hazo_connect_setup.server.ts

@@ -22,6 +22,7 @@ import { read_config_section } from "./config/config_loader.server.js";
 function get_hazo_connect_config(): {
   type: "sqlite" | "postgrest";
   sqlitePath?: string;
+  sqliteDriver?: "sql.js" | "better-sqlite3";
   enableAdminUi: boolean;
   readOnly?: boolean;
   postgrestUrl?: string;
@@ -89,9 +90,19 @@ function get_hazo_connect_config(): {
       });
     }
 
+    // SQLite driver: 'sql.js' (default, WAL-unaware WASM) or 'better-sqlite3' (native, WAL-aware).
+    // Forwarded to hazo_connect's factory as sqlite.driver. Defaults to undefined so hazo_connect
+    // keeps its own default ('sql.js') when unset — no behavior change.
+    const sqlite_driver_raw =
+      hazo_connect_section?.sqlite_driver || process.env.HAZO_CONNECT_SQLITE_DRIVER;
+    const sqliteDriver: "sql.js" | "better-sqlite3" | undefined =
+      sqlite_driver_raw === "better-sqlite3" || sqlite_driver_raw === "sql.js"
+        ? sqlite_driver_raw
+        : undefined;
+
     // Validate config keys for typos
     if (hazo_connect_section) {
-      const known_keys = ["type", "sqlite_path", "enable_admin_ui", "read_only", "postgrest_url"];
+      const known_keys = ["type", "sqlite_path", "sqlite_driver", "enable_admin_ui", "read_only", "postgrest_url"];
       for (const key of Object.keys(hazo_connect_section)) {
         if (!known_keys.includes(key)) {
           // Simple similarity check for common typos
@@ -117,6 +128,7 @@ function get_hazo_connect_config(): {
     return {
       type: "sqlite",
       sqlitePath: sqlite_path,
+      sqliteDriver,
       enableAdminUi,
       readOnly,
     };
@@ -169,8 +181,12 @@ export function create_sqlite_hazo_connect_server() {
   if (config.type === "sqlite") {
     return createHazoConnect({
       type: "sqlite",
-      database: config.sqlitePath!,
       enable_admin_ui: config.enableAdminUi,
+      sqlite: {
+        database_path: config.sqlitePath!,
+        read_only: config.readOnly,
+        driver: config.sqliteDriver,
+      },
     });
   }
 
@@ -196,6 +212,7 @@ export function create_sqlite_hazo_connect_server() {
 export function get_hazo_connect_config_options(): {
   type?: "sqlite" | "postgrest";
   sqlitePath?: string;
+  sqliteDriver?: "sql.js" | "better-sqlite3";
   enableAdminUi?: boolean;
   readOnly?: boolean;
   baseUrl?: string;
@@ -207,6 +224,7 @@ export function get_hazo_connect_config_options(): {
     return {
       type: "sqlite",
       sqlitePath: config.sqlitePath,
+      sqliteDriver: config.sqliteDriver,
       enableAdminUi: config.enableAdminUi,
       readOnly: config.readOnly,
     };

package/cli-src/lib/profile_pic_menu_config.server.ts

@@ -8,13 +8,14 @@ import { get_config_value, get_config_boolean, get_config_array } from "./config
 // section: types
 // Note: These types are also used in client components, but TypeScript types are erased at runtime
 // so importing from a server file is safe for type-only imports
-export type MenuItemType = "info" | "link" | "separator";
+export type MenuItemType = "info" | "link" | "separator" | "action";
 
 export type ProfilePicMenuMenuItem = {
   type: MenuItemType;
-  label?: string; // For info and link types
+  label?: string; // For info, link, and action types
   value?: string; // For info type (e.g., user name, email)
   href?: string; // For link type
+  onSelect?: () => void; // For action type (client-side callback, not serialisable via INI config)
   order: number; // Ordering within type group
   id: string; // Unique identifier for the item
 };
@@ -50,7 +51,7 @@ function parse_custom_menu_items(items_string: string[]): ProfilePicMenuMenuItem
     
     const type = parts[0] as MenuItemType;
     if (type !== "info" && type !== "link" && type !== "separator") {
-      return; // Invalid type, skip
+      return; // Invalid type or action (action items carry callbacks, not expressible in INI)
     }
     
     if (type === "separator") {

package/cli-src/lib/schema/sqlite_schema.ts

@@ -97,10 +97,6 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_parent ON hazo_scopes(parent_id);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
--- Super admin scope
-INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', datetime('now'), datetime('now'));
-
 -- Default system scope (for non-multi-tenancy mode)
 INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', datetime('now'), datetime('now'));

package/cli-src/lib/scope_hierarchy_config.server.ts

@@ -8,7 +8,7 @@ import {
   get_config_number,
   get_config_boolean,
 } from "./config/config_loader.server.js";
-import { SUPER_ADMIN_SCOPE_ID, DEFAULT_SYSTEM_SCOPE_ID } from "./services/scope_service.js";
+import { DEFAULT_SYSTEM_SCOPE_ID } from "./services/scope_service.js";
 
 // section: types
 
@@ -23,8 +23,6 @@ export type ScopeHierarchyConfig = {
   scope_cache_ttl_minutes: number;
   /** Maximum entries in scope cache (default: 5000) */
   scope_cache_max_entries: number;
-  /** Super admin scope ID */
-  super_admin_scope_id: string;
   /** Default system scope ID (for non-multi-tenancy mode) */
   default_system_scope_id: string;
 };
@@ -57,11 +55,6 @@ export function get_scope_hierarchy_config(): ScopeHierarchyConfig {
   );
 
   // Scope IDs (with defaults)
-  const super_admin_scope_id = get_config_value(
-    SECTION_NAME,
-    "super_admin_scope_id",
-    SUPER_ADMIN_SCOPE_ID,
-  );
   const default_system_scope_id = get_config_value(
     SECTION_NAME,
     "default_system_scope_id",
@@ -72,7 +65,6 @@ export function get_scope_hierarchy_config(): ScopeHierarchyConfig {
     enable_hrbac,
     scope_cache_ttl_minutes,
     scope_cache_max_entries,
-    super_admin_scope_id,
     default_system_scope_id,
   };
 }

package/cli-src/lib/services/invitation_service.ts

@@ -478,7 +478,7 @@ export async function list_invitations_by_scope(
 }
 
 /**
- * Lists all invitations (for super admin)
+ * Lists all invitations (for global admins)
  */
 export async function list_all_invitations(
   adapter: HazoConnectAdapter,

package/cli-src/lib/services/scope_service.ts

@@ -7,12 +7,6 @@ import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
 
 // section: constants
 
-/**
- * Super admin scope ID - special UUID for system-level administrators
- * Users assigned to this scope have global access
- */
-export const SUPER_ADMIN_SCOPE_ID = "00000000-0000-0000-0000-000000000000";
-
 /**
  * Default system scope ID - for non-multi-tenancy mode
  * All users are assigned to this scope when multi-tenancy is disabled
@@ -119,13 +113,6 @@ export function has_branding(scope: ScopeRecord): boolean {
   return !!(scope.logo_url || scope.primary_color || scope.secondary_color || scope.tagline);
 }
 
-/**
- * Checks if the given scope_id is the super admin scope
- */
-export function is_super_admin_scope(scope_id: string): boolean {
-  return scope_id === SUPER_ADMIN_SCOPE_ID;
-}
-
 /**
  * Checks if the given scope_id is the default system scope
  */
@@ -134,10 +121,10 @@ export function is_default_system_scope(scope_id: string): boolean {
 }
 
 /**
- * Checks if the given scope_id is a system scope (super admin or default system)
+ * Checks if the given scope_id is a system scope (default system)
  */
 export function is_system_scope(scope_id: string): boolean {
-  return is_super_admin_scope(scope_id) || is_default_system_scope(scope_id);
+  return is_default_system_scope(scope_id);
 }
 
 // section: crud operations
@@ -781,67 +768,6 @@ export async function get_scope_tree(
   }
 }
 
-/**
- * Ensures the super admin scope exists
- */
-export async function ensure_super_admin_scope(
-  adapter: HazoConnectAdapter,
-): Promise<ScopeServiceResult> {
-  try {
-    // Check if already exists
-    const existing = await get_scope_by_id(adapter, SUPER_ADMIN_SCOPE_ID);
-    if (existing.success && existing.scope) {
-      return existing;
-    }
-
-    // Create it
-    const scope_service = createCrudService(adapter, "hazo_scopes");
-    const now = new Date().toISOString();
-
-    const inserted = await scope_service.insert({
-      id: SUPER_ADMIN_SCOPE_ID,
-      name: "Super Admin",
-      level: "system",
-      parent_id: null,
-      logo_url: null,
-      primary_color: null,
-      secondary_color: null,
-      tagline: null,
-      created_at: now,
-      changed_at: now,
-    });
-
-    if (!Array.isArray(inserted) || inserted.length === 0) {
-      return {
-        success: false,
-        error: "Failed to create super admin scope",
-      };
-    }
-
-    return {
-      success: true,
-      scope: normalize_scope_record(inserted[0] as Record<string, unknown>),
-    };
-  } catch (error) {
-    const logger = create_app_logger();
-    const error_message = sanitize_error_for_user(error, {
-      logToConsole: true,
-      logToLogger: true,
-      logger,
-      context: {
-        filename: "scope_service.ts",
-        line_number: 0,
-        operation: "ensure_super_admin_scope",
-      },
-    });
-
-    return {
-      success: false,
-      error: error_message,
-    };
-  }
-}
-
 /**
  * Ensures the default system scope exists
  */

package/cli-src/lib/services/user_scope_service.ts

@@ -8,8 +8,6 @@ import {
   get_scope_by_id,
   get_scope_ancestors,
   get_root_scope_id,
-  SUPER_ADMIN_SCOPE_ID,
-  is_super_admin_scope,
 } from "./scope_service.js";
 
 // section: constants
@@ -48,7 +46,6 @@ export type ScopeAccessCheckResult = {
     scope_name?: string;
   };
   user_scopes?: UserScope[];
-  is_super_admin?: boolean;
 };
 
 export type AssignUserScopeData = {
@@ -365,27 +362,6 @@ export async function update_user_scopes(
   }
 }
 
-/**
- * Checks if a user is a super admin (has super admin scope assigned)
- */
-export async function is_user_super_admin(
-  adapter: HazoConnectAdapter,
-  user_id: string,
-): Promise<boolean> {
-  try {
-    const user_scopes_result = await get_user_scopes(adapter, user_id);
-    if (!user_scopes_result.success || !user_scopes_result.scopes) {
-      return false;
-    }
-
-    return user_scopes_result.scopes.some((scope) =>
-      is_super_admin_scope(scope.scope_id),
-    );
-  } catch {
-    return false;
-  }
-}
-
 /**
  * Checks if a user has any scope assigned
  */
@@ -408,9 +384,11 @@ export async function user_has_any_scope(
 /**
  * Checks if a user has access to a specific scope
  * Access is granted if:
- * 1. User is a super admin (has super admin scope)
- * 2. User has the exact scope assigned
- * 3. User has access to an ancestor scope (inherited access)
+ * 1. User has the exact scope assigned
+ * 2. User has access to an ancestor scope (inherited access)
+ *
+ * Global admin access (hazo_org_global_admin permission) is handled upstream
+ * in hazo_get_auth before this function is called.
  *
  * @param adapter - HazoConnect adapter
  * @param user_id - User ID to check
@@ -430,24 +408,7 @@ export async function check_user_scope_access(
 
     const user_scopes = user_scopes_result.scopes;
 
-    // Check 1: Is user a super admin?
-    const has_super_admin = user_scopes.some((scope) =>
-      is_super_admin_scope(scope.scope_id),
-    );
-
-    if (has_super_admin) {
-      return {
-        has_access: true,
-        access_via: {
-          scope_id: SUPER_ADMIN_SCOPE_ID,
-          scope_name: "Super Admin",
-        },
-        user_scopes,
-        is_super_admin: true,
-      };
-    }
-
-    // Check 2: Does user have exact scope assigned?
+    // Check 1: Does user have exact scope assigned?
     for (const user_scope of user_scopes) {
       if (user_scope.scope_id === target_scope_id) {
         const scope_result = await get_scope_by_id(adapter, target_scope_id);
@@ -464,7 +425,7 @@ export async function check_user_scope_access(
       }
     }
 
-    // Check 3: Does user have access via an ancestor scope?
+    // Check 2: Does user have access via an ancestor scope?
     const ancestors_result = await get_scope_ancestors(
       adapter,
       target_scope_id,
@@ -568,18 +529,3 @@ export async function get_user_direct_scopes(
   }
 }
 
-/**
- * Assigns super admin scope to a user
- */
-export async function assign_super_admin_scope(
-  adapter: HazoConnectAdapter,
-  user_id: string,
-  role_id: string,
-): Promise<UserScopeResult> {
-  return assign_user_scope(adapter, {
-    user_id,
-    scope_id: SUPER_ADMIN_SCOPE_ID,
-    root_scope_id: SUPER_ADMIN_SCOPE_ID,
-    role_id,
-  });
-}

package/config/hazo_auth_config.example.ini

@@ -732,6 +732,8 @@ company_name = My Company
 ; ── Log level overrides (per hazo_logs D-015) ────────────────────────────────
 ; Uncomment to tune log verbosity for specific namespaces.
 ; Format: namespace = TRACE | DEBUG | INFO | WARN | ERROR
-[log.overrides]
+; NOTE: use [log_overrides] not [log.overrides] — the ini library parses dots as
+; nesting separators and would create a nested object that hazo_config cannot flatten.
+[log_overrides]
 ; hazo_auth = DEBUG
 

package/dist/cli/init_users.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init_users.d.ts","sourceRoot":"","sources":["../../src/cli/init_users.ts"],"names":[],"mappings":"AAuGA,MAAM,MAAM,gBAAgB,GAAG;IAC7B,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC,CAsRrF;AAGD;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAkC3C"}
+{"version":3,"file":"init_users.d.ts","sourceRoot":"","sources":["../../src/cli/init_users.ts"],"names":[],"mappings":"AA0FA,MAAM,MAAM,gBAAgB,GAAG;IAC7B,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC,CA0RrF;AAGD;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAmC3C"}

package/dist/cli/init_users.js

@@ -5,7 +5,8 @@ import { createCrudService } from "hazo_connect/server";
 import { get_user_management_config } from "../lib/user_management_config.server.js";
 import { get_config_value } from "../lib/config/config_loader.server.js";
 import { create_app_logger } from "../lib/app_logger.js";
-import { SUPER_ADMIN_SCOPE_ID } from "../lib/services/scope_service.js";
+import { DEFAULT_SYSTEM_SCOPE_ID } from "../lib/services/scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../lib/constants.js";
 // section: helpers
 /**
  * Prints a summary of what was inserted vs what already existed
@@ -45,22 +46,13 @@ function print_summary(summary) {
     }
     console.log();
     // v5.x: User-Role assignments are now handled via User-Scope assignments (see below)
-    // Super admin scope summary
-    console.log("Super Admin Scope:");
-    if (summary.super_admin_scope.inserted) {
-        console.log(`  ✓ Inserted: Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-    }
-    if (summary.super_admin_scope.existing) {
-        console.log(`  ⊙ Already existed: Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-    }
-    console.log();
     // User scope summary
     console.log("User-Scope Assignment:");
     if (summary.user_scope.inserted) {
-        console.log(`  ✓ Inserted: User assigned to Super Admin scope`);
+        console.log(`  ✓ Inserted: User assigned to default system scope`);
     }
     if (summary.user_scope.existing) {
-        console.log(`  ⊙ Already existed: User already in Super Admin scope`);
+        console.log(`  ⊙ Already existed: User already in default system scope`);
     }
     console.log();
     console.log("=".repeat(60));
@@ -91,10 +83,6 @@ export async function handle_init_users(options = {}) {
             existing: 0,
         },
         // v5.x: Removed user_role - roles are now assigned via hazo_user_scopes
-        super_admin_scope: {
-            inserted: false,
-            existing: false,
-        },
         user_scope: {
             inserted: false,
             existing: false,
@@ -113,7 +101,6 @@ export async function handle_init_users(options = {}) {
         });
         const users_service = createCrudService(hazoConnect, "hazo_users");
         // v5.x: Removed hazo_user_roles - roles are now assigned via hazo_user_scopes
-        const scopes_service = createCrudService(hazoConnect, "hazo_scopes");
         // hazo_user_scopes uses composite primary key (user_id, scope_id), no 'id' column
         const user_scopes_service = createCrudService(hazoConnect, "hazo_user_scopes", {
             primaryKeys: ["user_id", "scope_id"],
@@ -247,49 +234,61 @@ export async function handle_init_users(options = {}) {
         const user_id = user.id;
         console.log(`✓ Found user: ${super_user_email} (ID: ${user_id})`);
         console.log();
-        // v5.x: Step 7 removed - role assignment now happens via hazo_user_scopes (see step 9)
-        // 8. Ensure super admin scope exists
-        const existing_scopes = await scopes_service.findBy({ id: SUPER_ADMIN_SCOPE_ID });
-        if (Array.isArray(existing_scopes) && existing_scopes.length > 0) {
-            summary.super_admin_scope.existing = true;
-            console.log(`✓ Super Admin scope already exists (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-        }
-        else {
-            await scopes_service.insert({
-                id: SUPER_ADMIN_SCOPE_ID,
-                parent_id: null,
-                name: "Super Admin",
-                level: "system",
+        // 7. Ensure hazo_org_global_admin is in the permission catalog
+        const global_admin_perms = await permissions_service.findBy({
+            permission_name: GLOBAL_ADMIN_PERMISSION,
+        });
+        if (!Array.isArray(global_admin_perms) || global_admin_perms.length === 0) {
+            await permissions_service.insert({
+                permission_name: GLOBAL_ADMIN_PERMISSION,
+                description: "Global admin — access to all scopes and operations",
                 created_at: now,
                 changed_at: now,
             });
-            summary.super_admin_scope.inserted = true;
-            console.log(`✓ Created Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
+            console.log(`✓ Created permission: ${GLOBAL_ADMIN_PERMISSION}`);
+        }
+        else {
+            console.log(`✓ Permission already exists: ${GLOBAL_ADMIN_PERMISSION}`);
+        }
+        console.log();
+        // 9. Ensure hazo_org_global_admin is assigned to the super user role
+        // (The role already has all configured permissions; this ensures the global admin perm is included)
+        const perm_row = await permissions_service.findBy({ permission_name: GLOBAL_ADMIN_PERMISSION });
+        const perm_id = Array.isArray(perm_row) && perm_row.length > 0 ? perm_row[0].id : null;
+        if (perm_id && role_id) {
+            const existing_rp = await role_permissions_service.findBy({ role_id, permission_id: perm_id });
+            if (!Array.isArray(existing_rp) || existing_rp.length === 0) {
+                await role_permissions_service.insert({ role_id, permission_id: perm_id });
+                console.log(`✓ Assigned ${GLOBAL_ADMIN_PERMISSION} to super user role`);
+            }
+            else {
+                console.log(`✓ Super user role already has ${GLOBAL_ADMIN_PERMISSION}`);
+            }
         }
         console.log();
-        // 9. Assign user to super admin scope
+        // 10. Assign user to DEFAULT_SYSTEM_SCOPE_ID (global access comes from the permission, not the scope)
         const existing_user_scopes = await user_scopes_service.findBy({
             user_id,
-            scope_id: SUPER_ADMIN_SCOPE_ID,
+            scope_id: DEFAULT_SYSTEM_SCOPE_ID,
         });
         if (Array.isArray(existing_user_scopes) && existing_user_scopes.length > 0) {
             summary.user_scope.existing = true;
-            console.log(`✓ User already assigned to Super Admin scope`);
+            console.log(`✓ User already assigned to default system scope`);
         }
         else {
             await user_scopes_service.insert({
                 user_id,
-                scope_id: SUPER_ADMIN_SCOPE_ID,
-                root_scope_id: SUPER_ADMIN_SCOPE_ID,
+                scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+                root_scope_id: DEFAULT_SYSTEM_SCOPE_ID,
                 role_id,
                 created_at: now,
                 changed_at: now,
             });
             summary.user_scope.inserted = true;
-            console.log(`✓ Assigned user to Super Admin scope`);
+            console.log(`✓ Assigned user to default system scope`);
         }
         console.log();
-        // 10. Print summary
+        // 11. Print summary
         print_summary(summary);
         logger.info("init_users_completed", {
             filename: "init_users.ts",
@@ -323,15 +322,16 @@ export function show_init_users_help() {
     console.log(`
 hazo_auth init-users
 
-Initialize users, roles, permissions, and super admin scope from configuration.
+Initialize users, roles, and permissions from configuration.
 
 This command reads from hazo_auth_config.ini and:
   1. Creates permissions from [hazo_auth__user_management] application_permission_list_defaults
   2. Creates a 'default_super_user_role' role
   3. Assigns all permissions to the super user role
   4. Finds user by email (from --email parameter or config)
-  5. Creates the Super Admin scope (${SUPER_ADMIN_SCOPE_ID})
-  6. Assigns the user to the Super Admin scope with the super user role
+  5. Ensures the '${GLOBAL_ADMIN_PERMISSION}' permission exists and is assigned to the super user role
+  6. Assigns the user to the default system scope (${DEFAULT_SYSTEM_SCOPE_ID})
+     Global admin access is granted via the '${GLOBAL_ADMIN_PERMISSION}' permission, not by scope
      (v5.x: Roles are assigned per-scope via hazo_user_scopes table)
 
 Options:

package/dist/client.d.ts

@@ -7,6 +7,6 @@ export { use_hazo_auth, trigger_hazo_auth_refresh } from "./components/layouts/s
 export type { UseHazoAuthOptions, UseHazoAuthResult } from "./components/layouts/shared/hooks/use_hazo_auth";
 export { use_firm_branding, use_current_user_branding } from "./components/layouts/shared/hooks/use_firm_branding.js";
 export type { FirmBranding, UseFirmBrandingOptions, UseFirmBrandingResult } from "./components/layouts/shared/hooks/use_firm_branding";
-export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS } from "./lib/constants.js";
+export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION } from "./lib/constants.js";
 export * from "./components/layouts/shared/utils/validation.js";
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAInI,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAI/E,cAAc,8CAA8C,CAAC"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAInI,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAIxG,cAAc,8CAA8C,CAAC"}

package/dist/client.js

@@ -25,7 +25,7 @@ export { use_auth_status, trigger_auth_status_refresh } from "./components/layou
 export { use_hazo_auth, trigger_hazo_auth_refresh } from "./components/layouts/shared/hooks/use_hazo_auth.js";
 export { use_firm_branding, use_current_user_branding } from "./components/layouts/shared/hooks/use_firm_branding.js";
 // section: constant_exports
-export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS } from "./lib/constants.js";
+export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION } from "./lib/constants.js";
 // section: validation_exports
 // Client-side validation utilities
 export * from "./components/layouts/shared/utils/validation.js";

package/dist/components/layouts/shared/components/profile_pic_menu.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"profile_pic_menu.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/shared/components/profile_pic_menu.tsx"],"names":[],"mappings":"AAqCA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AAI7F,MAAM,MAAM,mBAAmB,GAAG;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,EAC7B,kBAA0B,EAC1B,aAAyB,EACzB,aAAyB,EACzB,aAAqC,EACrC,UAA+B,EAC/B,aAAwC,EACxC,WAAW,EACX,iBAAsB,EACtB,SAAS,EACT,WAAuB,EACvB,OAAoB,EACpB,mBAA+B,GAChC,EAAE,mBAAmB,2CAsfrB"}
+{"version":3,"file":"profile_pic_menu.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/shared/components/profile_pic_menu.tsx"],"names":[],"mappings":"AAqCA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AAI7F,MAAM,MAAM,mBAAmB,GAAG;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,EAC7B,kBAA0B,EAC1B,aAAyB,EACzB,aAAyB,EACzB,aAAqC,EACrC,UAA+B,EAC/B,aAAwC,EACxC,WAAW,EACX,iBAAsB,EACtB,SAAS,EACT,WAAuB,EACvB,OAAoB,EACpB,mBAA+B,GAChC,EAAE,mBAAmB,2CA8gBrB"}

package/dist/components/layouts/shared/components/profile_pic_menu.js

@@ -141,7 +141,7 @@ export function ProfilePicMenu({ show_single_button = false, sign_up_label = "Si
         // Order: info items first, then separators, then links
         items.sort((a, b) => {
             // Define type priority: info = 0, separator = 1, link = 2
-            const typePriority = { info: 0, separator: 1, link: 2 };
+            const typePriority = { info: 0, separator: 1, link: 2, action: 2 };
             const aPriority = typePriority[a.type];
             const bPriority = typePriority[b.type];
             if (aPriority !== bPriority) {
@@ -195,6 +195,9 @@ export function ProfilePicMenu({ show_single_button = false, sign_up_label = "Si
                                                     // Generic link handling
                                                     return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_link cursor-pointer", children: _jsx(Link, { href: item.href || "#", children: item.label }) }, item.id));
                                                 }
+                                                if (item.type === "action") {
+                                                    return (_jsx(DropdownMenuItem, { onClick: item.onSelect, className: "cls_profile_pic_menu_action cursor-pointer", children: item.label }, item.id));
+                                                }
                                                 return null;
                                             }), shiftKeyHeld && (_jsxs(_Fragment, { children: [_jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }), _jsxs(DropdownMenuItem, { onClick: () => setShowPermissionsDialog(true), className: "cls_profile_pic_menu_permissions cursor-pointer", children: [_jsx(Shield, { className: "mr-2 h-4 w-4" }), "My Permissions"] })] }))] })] }), _jsx(Dialog, { open: showPermissionsDialog, onOpenChange: setShowPermissionsDialog, children: _jsxs(DialogContent, { className: "cls_profile_pic_menu_permissions_dialog max-w-2xl max-h-[80vh] flex flex-col", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "My Permissions" }), _jsx(DialogDescription, { children: "Your assigned roles and their permissions" })] }), _jsx("div", { className: "flex-1 overflow-y-auto", children: _jsx(RolesMatrix, { user_id: authStatus.user_id, add_button_enabled: false, role_name_selection_enabled: false, permissions_read_only: true, show_save_cancel: false }) })] }) })] }) })] }));
     }
@@ -219,6 +222,9 @@ export function ProfilePicMenu({ show_single_button = false, sign_up_label = "Si
                                     // Generic link handling
                                     return (_jsx(DropdownMenuItem, { asChild: true, className: "cls_profile_pic_menu_link cursor-pointer", children: _jsx(Link, { href: item.href || "#", children: item.label }) }, item.id));
                                 }
+                                if (item.type === "action") {
+                                    return (_jsx(DropdownMenuItem, { onClick: item.onSelect, className: "cls_profile_pic_menu_action cursor-pointer", children: item.label }, item.id));
+                                }
                                 return null;
                             }), shiftKeyHeld && (_jsxs(_Fragment, { children: [_jsx(DropdownMenuSeparator, { className: "cls_profile_pic_menu_separator" }), _jsxs(DropdownMenuItem, { onClick: () => setShowPermissionsDialog(true), className: "cls_profile_pic_menu_permissions cursor-pointer", children: [_jsx(Shield, { className: "mr-2 h-4 w-4" }), "My Permissions"] })] }))] })] }), _jsx(Dialog, { open: showPermissionsDialog, onOpenChange: setShowPermissionsDialog, children: _jsxs(DialogContent, { className: "cls_profile_pic_menu_permissions_dialog max-w-2xl max-h-[80vh] flex flex-col", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "My Permissions" }), _jsx(DialogDescription, { children: "Your assigned roles and their permissions" })] }), _jsx("div", { className: "flex-1 overflow-y-auto", children: _jsx(RolesMatrix, { user_id: authStatus.user_id, add_button_enabled: false, role_name_selection_enabled: false, permissions_read_only: true, show_save_cancel: false }) })] }) })] }));
 }

package/dist/components/ui/input-otp.d.ts

@@ -1,5 +1,5 @@
 import * as React from "react";
-declare const InputOTP: React.ForwardRefExoticComponent<(Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "value" | "onChange" | "maxLength" | "textAlign" | "onComplete" | "pushPasswordManagerStrategy" | "pasteTransformer" | "containerClassName" | "noScriptCSSFallback"> & {
+declare const InputOTP: React.ForwardRefExoticComponent<(Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "onChange" | "value" | "maxLength" | "textAlign" | "onComplete" | "pushPasswordManagerStrategy" | "pasteTransformer" | "containerClassName" | "noScriptCSSFallback"> & {
     value?: string;
     onChange?: (newValue: string) => unknown;
     maxLength: number;
@@ -12,7 +12,7 @@ declare const InputOTP: React.ForwardRefExoticComponent<(Omit<Omit<React.InputHT
 } & {
     render: (props: import("input-otp").RenderProps) => React.ReactNode;
     children?: never;
-} & React.RefAttributes<HTMLInputElement>, "ref"> | Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "value" | "onChange" | "maxLength" | "textAlign" | "onComplete" | "pushPasswordManagerStrategy" | "pasteTransformer" | "containerClassName" | "noScriptCSSFallback"> & {
+} & React.RefAttributes<HTMLInputElement>, "ref"> | Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "onChange" | "value" | "maxLength" | "textAlign" | "onComplete" | "pushPasswordManagerStrategy" | "pasteTransformer" | "containerClassName" | "noScriptCSSFallback"> & {
     value?: string;
     onChange?: (newValue: string) => unknown;
     maxLength: number;

package/dist/index.d.ts

@@ -5,5 +5,5 @@ export type { HazoAuthUser, HazoAuthResult, HazoAuthError, HazoAuthOptions, Scop
 export { AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedError, } from "./lib/auth/auth_types.js";
 export type { LegalDoc, LegalAcceptanceRecord, LegalAcceptanceMap } from './lib/legal/legal_docs_types';
 export { cn, merge_class_names } from "./lib/utils.js";
-export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS } from "./lib/constants.js";
+export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION } from "./lib/constants.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAQA,cAAc,+BAA+B,CAAC;AAC9C,cAAc,6BAA6B,CAAC;AAG5C,cAAc,oBAAoB,CAAC;AAGnC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,aAAa,EACb,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAG/B,YAAY,EAAE,QAAQ,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGxG,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAQA,cAAc,+BAA+B,CAAC;AAC9C,cAAc,6BAA6B,CAAC;AAG5C,cAAc,oBAAoB,CAAC;AAGnC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,aAAa,EACb,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAG/B,YAAY,EAAE,QAAQ,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGxG,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -13,4 +13,4 @@ export { AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedErr
 // section: utility_exports (client-safe)
 export { cn, merge_class_names } from "./lib/utils.js";
 // section: constant_exports
-export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS } from "./lib/constants.js";
+export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION } from "./lib/constants.js";