hazo_auth 9.0.1 → 10.0.0

package/dist/lib/services/scope_service.js

@@ -2,11 +2,6 @@ import { createCrudService } from "hazo_connect/server";
 import { create_app_logger } from "../app_logger.js";
 import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
 // section: constants
-/**
- * Super admin scope ID - special UUID for system-level administrators
- * Users assigned to this scope have global access
- */
-export const SUPER_ADMIN_SCOPE_ID = "00000000-0000-0000-0000-000000000000";
 /**
  * Default system scope ID - for non-multi-tenancy mode
  * All users are assigned to this scope when multi-tenancy is disabled
@@ -52,12 +47,6 @@ export function extract_branding(scope) {
 export function has_branding(scope) {
     return !!(scope.logo_url || scope.primary_color || scope.secondary_color || scope.tagline);
 }
-/**
- * Checks if the given scope_id is the super admin scope
- */
-export function is_super_admin_scope(scope_id) {
-    return scope_id === SUPER_ADMIN_SCOPE_ID;
-}
 /**
  * Checks if the given scope_id is the default system scope
  */
@@ -65,10 +54,10 @@ export function is_default_system_scope(scope_id) {
     return scope_id === DEFAULT_SYSTEM_SCOPE_ID;
 }
 /**
- * Checks if the given scope_id is a system scope (super admin or default system)
+ * Checks if the given scope_id is a system scope (default system)
  */
 export function is_system_scope(scope_id) {
-    return is_super_admin_scope(scope_id) || is_default_system_scope(scope_id);
+    return is_default_system_scope(scope_id);
 }
 // section: crud operations
 /**
@@ -605,60 +594,6 @@ export async function get_scope_tree(adapter, root_scope_id) {
         };
     }
 }
-/**
- * Ensures the super admin scope exists
- */
-export async function ensure_super_admin_scope(adapter) {
-    try {
-        // Check if already exists
-        const existing = await get_scope_by_id(adapter, SUPER_ADMIN_SCOPE_ID);
-        if (existing.success && existing.scope) {
-            return existing;
-        }
-        // Create it
-        const scope_service = createCrudService(adapter, "hazo_scopes");
-        const now = new Date().toISOString();
-        const inserted = await scope_service.insert({
-            id: SUPER_ADMIN_SCOPE_ID,
-            name: "Super Admin",
-            level: "system",
-            parent_id: null,
-            logo_url: null,
-            primary_color: null,
-            secondary_color: null,
-            tagline: null,
-            created_at: now,
-            changed_at: now,
-        });
-        if (!Array.isArray(inserted) || inserted.length === 0) {
-            return {
-                success: false,
-                error: "Failed to create super admin scope",
-            };
-        }
-        return {
-            success: true,
-            scope: normalize_scope_record(inserted[0]),
-        };
-    }
-    catch (error) {
-        const logger = create_app_logger();
-        const error_message = sanitize_error_for_user(error, {
-            logToConsole: true,
-            logToLogger: true,
-            logger,
-            context: {
-                filename: "scope_service.ts",
-                line_number: 0,
-                operation: "ensure_super_admin_scope",
-            },
-        });
-        return {
-            success: false,
-            error: error_message,
-        };
-    }
-}
 /**
  * Ensures the default system scope exists
  */

package/dist/lib/services/user_scope_service.d.ts

@@ -20,7 +20,6 @@ export type ScopeAccessCheckResult = {
         scope_name?: string;
     };
     user_scopes?: UserScope[];
-    is_super_admin?: boolean;
 };
 export type AssignUserScopeData = {
     user_id: string;
@@ -52,10 +51,6 @@ export declare function update_user_scopes(adapter: HazoConnectAdapter, user_id:
     scope_id: string;
     role_id: string;
 }>): Promise<UserScopeResult>;
-/**
- * Checks if a user is a super admin (has super admin scope assigned)
- */
-export declare function is_user_super_admin(adapter: HazoConnectAdapter, user_id: string): Promise<boolean>;
 /**
  * Checks if a user has any scope assigned
  */
@@ -63,9 +58,11 @@ export declare function user_has_any_scope(adapter: HazoConnectAdapter, user_id:
 /**
  * Checks if a user has access to a specific scope
  * Access is granted if:
- * 1. User is a super admin (has super admin scope)
- * 2. User has the exact scope assigned
- * 3. User has access to an ancestor scope (inherited access)
+ * 1. User has the exact scope assigned
+ * 2. User has access to an ancestor scope (inherited access)
+ *
+ * Global admin access (hazo_org_global_admin permission) is handled upstream
+ * in hazo_get_auth before this function is called.
  *
  * @param adapter - HazoConnect adapter
  * @param user_id - User ID to check
@@ -85,8 +82,4 @@ export declare function get_user_direct_scopes(adapter: HazoConnectAdapter, user
     }>;
     error?: string;
 }>;
-/**
- * Assigns super admin scope to a user
- */
-export declare function assign_super_admin_scope(adapter: HazoConnectAdapter, user_id: string, role_id: string): Promise<UserScopeResult>;
 //# sourceMappingURL=user_scope_service.d.ts.map

package/dist/lib/services/user_scope_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user_scope_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/user_scope_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAyBvD,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,MAAM,CAAC,EAAE,SAAS,EAAE,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAIF;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,eAAe,CAAC,CA2E1B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA2E1B;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,GACvD,OAAO,CAAC,eAAe,CAAC,CAwD1B;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAalB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,sBAAsB,CAAC,CAqFjC;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,KAAK,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC,CA4CD;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,eAAe,CAAC,CAO1B"}
+{"version":3,"file":"user_scope_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/user_scope_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAuBvD,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,MAAM,CAAC,EAAE,SAAS,EAAE,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAIF;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,eAAe,CAAC,CA2E1B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA2E1B;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,GACvD,OAAO,CAAC,eAAe,CAAC,CAwD1B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,sBAAsB,CAAC,CAoEjC;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,KAAK,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC,CA4CD"}

package/dist/lib/services/user_scope_service.js

@@ -1,7 +1,7 @@
 import { createCrudService } from "hazo_connect/server";
 import { create_app_logger } from "../app_logger.js";
 import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
-import { get_scope_by_id, get_scope_ancestors, get_root_scope_id, SUPER_ADMIN_SCOPE_ID, is_super_admin_scope, } from "./scope_service.js";
+import { get_scope_by_id, get_scope_ancestors, get_root_scope_id, } from "./scope_service.js";
 // section: constants
 /**
  * CRUD service options for hazo_user_scopes table
@@ -274,21 +274,6 @@ export async function update_user_scopes(adapter, user_id, new_scopes) {
         };
     }
 }
-/**
- * Checks if a user is a super admin (has super admin scope assigned)
- */
-export async function is_user_super_admin(adapter, user_id) {
-    try {
-        const user_scopes_result = await get_user_scopes(adapter, user_id);
-        if (!user_scopes_result.success || !user_scopes_result.scopes) {
-            return false;
-        }
-        return user_scopes_result.scopes.some((scope) => is_super_admin_scope(scope.scope_id));
-    }
-    catch (_a) {
-        return false;
-    }
-}
 /**
  * Checks if a user has any scope assigned
  */
@@ -306,9 +291,11 @@ export async function user_has_any_scope(adapter, user_id) {
 /**
  * Checks if a user has access to a specific scope
  * Access is granted if:
- * 1. User is a super admin (has super admin scope)
- * 2. User has the exact scope assigned
- * 3. User has access to an ancestor scope (inherited access)
+ * 1. User has the exact scope assigned
+ * 2. User has access to an ancestor scope (inherited access)
+ *
+ * Global admin access (hazo_org_global_admin permission) is handled upstream
+ * in hazo_get_auth before this function is called.
  *
  * @param adapter - HazoConnect adapter
  * @param user_id - User ID to check
@@ -323,20 +310,7 @@ export async function check_user_scope_access(adapter, user_id, target_scope_id)
             return { has_access: false };
         }
         const user_scopes = user_scopes_result.scopes;
-        // Check 1: Is user a super admin?
-        const has_super_admin = user_scopes.some((scope) => is_super_admin_scope(scope.scope_id));
-        if (has_super_admin) {
-            return {
-                has_access: true,
-                access_via: {
-                    scope_id: SUPER_ADMIN_SCOPE_ID,
-                    scope_name: "Super Admin",
-                },
-                user_scopes,
-                is_super_admin: true,
-            };
-        }
-        // Check 2: Does user have exact scope assigned?
+        // Check 1: Does user have exact scope assigned?
         for (const user_scope of user_scopes) {
             if (user_scope.scope_id === target_scope_id) {
                 const scope_result = await get_scope_by_id(adapter, target_scope_id);
@@ -352,7 +326,7 @@ export async function check_user_scope_access(adapter, user_id, target_scope_id)
                 };
             }
         }
-        // Check 3: Does user have access via an ancestor scope?
+        // Check 2: Does user have access via an ancestor scope?
         const ancestors_result = await get_scope_ancestors(adapter, target_scope_id);
         if (ancestors_result.success && ancestors_result.scopes) {
             for (const ancestor of ancestors_result.scopes) {
@@ -436,14 +410,3 @@ export async function get_user_direct_scopes(adapter, user_id) {
         };
     }
 }
-/**
- * Assigns super admin scope to a user
- */
-export async function assign_super_admin_scope(adapter, user_id, role_id) {
-    return assign_user_scope(adapter, {
-        user_id,
-        scope_id: SUPER_ADMIN_SCOPE_ID,
-        root_scope_id: SUPER_ADMIN_SCOPE_ID,
-        role_id,
-    });
-}

package/dist/server/routes/invitations.d.ts

@@ -5,7 +5,7 @@ export declare const dynamic = "force-dynamic";
  * Query params:
  *   - scope_id: Filter by scope (optional, required for non-super-admins)
  *   - status: Filter by status (optional: PENDING, ACCEPTED, EXPIRED, REVOKED)
- * Super admins can see all invitations, others can only see invitations for their scopes
+ * Global admins can see all invitations, others can only see invitations for their scopes
  */
 export declare function GET(request: NextRequest): Promise<NextResponse<{
     error: string;

package/dist/server/routes/invitations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"invitations.d.ts","sourceRoot":"","sources":["../../../src/server/routes/invitations.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAmBxD,eAAO,MAAM,OAAO,kBAAkB,CAAC;AAGvC;;;;;;GAMG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;;;;IAqH7C;AAED;;;GAGG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IAoG9C;AAED;;;GAGG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,WAAW;;;;;IAkG/C;AAED;;;GAGG;AACH,wBAAsB,MAAM,CAAC,OAAO,EAAE,WAAW;;;;IA2FhD"}
+{"version":3,"file":"invitations.d.ts","sourceRoot":"","sources":["../../../src/server/routes/invitations.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAiBxD,eAAO,MAAM,OAAO,kBAAkB,CAAC;AAGvC;;;;;;GAMG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;;;;IAqH7C;AAED;;;GAGG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IAoG9C;AAED;;;GAGG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,WAAW;;;;;IAkG/C;AAED;;;GAGG;AACH,wBAAsB,MAAM,CAAC,OAAO,EAAE,WAAW;;;;IA2FhD"}

package/dist/server/routes/invitations.js

@@ -6,7 +6,8 @@ import { create_app_logger } from "../../lib/app_logger.js";
 import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
 import { hazo_get_auth } from "../../lib/auth/hazo_get_auth.server.js";
 import { create_invitation, list_invitations_by_scope, list_all_invitations, revoke_invitation, get_invitation_by_id, } from "../../lib/services/invitation_service.js";
-import { is_user_super_admin, get_user_scopes, } from "../../lib/services/user_scope_service.js";
+import { get_user_scopes } from "../../lib/services/user_scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../../lib/constants.js";
 // section: route_config
 export const dynamic = "force-dynamic";
 // section: api_handler
@@ -15,7 +16,7 @@ export const dynamic = "force-dynamic";
  * Query params:
  *   - scope_id: Filter by scope (optional, required for non-super-admins)
  *   - status: Filter by status (optional: PENDING, ACCEPTED, EXPIRED, REVOKED)
- * Super admins can see all invitations, others can only see invitations for their scopes
+ * Global admins can see all invitations, others can only see invitations for their scopes
  */
 export async function GET(request) {
     var _a, _b;
@@ -34,11 +35,11 @@ export async function GET(request) {
         const status_param = searchParams.get("status");
         const status = status_param;
         const hazoConnect = get_hazo_connect_instance();
-        // Check if user is super admin
-        const is_super = await is_user_super_admin(hazoConnect, auth.user.id);
+        // Check if user is a global admin
+        const is_super = auth.permissions.includes(GLOBAL_ADMIN_PERMISSION);
         let result;
         if (is_super) {
-            // Super admin can see all invitations
+            // Global admin can see all invitations
             if (scope_id) {
                 result = await list_invitations_by_scope(hazoConnect, scope_id, status);
             }
@@ -124,8 +125,8 @@ export async function POST(request) {
             return NextResponse.json({ error: "Invalid email address format" }, { status: 400 });
         }
         const hazoConnect = get_hazo_connect_instance();
-        // Check if user is super admin or has access to the scope
-        const is_super = await is_user_super_admin(hazoConnect, auth.user.id);
+        // Check if user is a global admin or has access to the scope
+        const is_super = auth.permissions.includes(GLOBAL_ADMIN_PERMISSION);
         if (!is_super) {
             const user_scopes = await get_user_scopes(hazoConnect, auth.user.id);
             const has_scope_access = (_a = user_scopes.scopes) === null || _a === void 0 ? void 0 : _a.some((s) => s.scope_id === scope_id);
@@ -196,8 +197,8 @@ export async function PATCH(request) {
         if (!invitation_result.success || !invitation_result.invitation) {
             return NextResponse.json({ error: "Invitation not found" }, { status: 404 });
         }
-        // Check if user is super admin or has access to the invitation's scope
-        const is_super = await is_user_super_admin(hazoConnect, auth.user.id);
+        // Check if user is a global admin or has access to the invitation's scope
+        const is_super = auth.permissions.includes(GLOBAL_ADMIN_PERMISSION);
         if (!is_super) {
             const user_scopes = await get_user_scopes(hazoConnect, auth.user.id);
             const has_scope_access = (_a = user_scopes.scopes) === null || _a === void 0 ? void 0 : _a.some((s) => { var _a; return s.scope_id === ((_a = invitation_result.invitation) === null || _a === void 0 ? void 0 : _a.scope_id); });
@@ -257,8 +258,8 @@ export async function DELETE(request) {
         if (!invitation_result.success || !invitation_result.invitation) {
             return NextResponse.json({ error: "Invitation not found" }, { status: 404 });
         }
-        // Check if user is super admin or has access to the invitation's scope
-        const is_super = await is_user_super_admin(hazoConnect, auth.user.id);
+        // Check if user is a global admin or has access to the invitation's scope
+        const is_super = auth.permissions.includes(GLOBAL_ADMIN_PERMISSION);
         if (!is_super) {
             const user_scopes = await get_user_scopes(hazoConnect, auth.user.id);
             const has_scope_access = (_a = user_scopes.scopes) === null || _a === void 0 ? void 0 : _a.some((s) => { var _a; return s.scope_id === ((_a = invitation_result.invitation) === null || _a === void 0 ? void 0 : _a.scope_id); });

package/dist/server/routes/user_management_users.d.ts

@@ -26,7 +26,7 @@ export declare function GET(request: NextRequest): Promise<NextResponse<{
         profile_source: {} | null;
         user_type: string | null;
         app_user_data: Record<string, unknown> | null;
-        legal_acceptance_status: "current" | "none" | "outdated";
+        legal_acceptance_status: "none" | "current" | "outdated";
     }[];
 }>>;
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "9.0.1",
+  "version": "10.0.0",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",
@@ -252,13 +252,13 @@
     "@radix-ui/react-switch": "^1.2.0",
     "@radix-ui/react-tabs": "^1.1.0",
     "@radix-ui/react-tooltip": "^1.2.0",
-    "hazo_api": "^2.1.0",
-    "hazo_config": "^2.1.5",
-    "hazo_connect": "^3.0.0",
-    "hazo_core": "^1.0.0",
-    "hazo_logs": "^2.0.0",
-    "hazo_notify": "^6.0.0",
-    "hazo_ui": "^3.1.0",
+    "hazo_api": "^2.3.1",
+    "hazo_config": "^2.1.10",
+    "hazo_connect": "^3.4.1",
+    "hazo_core": "^1.1.0",
+    "hazo_logs": "^2.0.3",
+    "hazo_notify": "^6.1.3",
+    "hazo_ui": "^3.2.1",
     "input-otp": "^1.4.0",
     "lucide-react": "^0.553.0",
     "next": "^14.0.0",
@@ -388,13 +388,13 @@
     "eslint": "^9.39.1",
     "eslint-config-next": "^16.0.4",
     "eslint-plugin-storybook": "^10.0.6",
-    "hazo_api": "^2.1.0",
-    "hazo_config": "^2.1.6",
-    "hazo_connect": "^3.0.0",
-    "hazo_core": "^1.0.0",
-    "hazo_logs": "^2.0.1",
-    "hazo_notify": "^6.0.0",
-    "hazo_ui": "^3.1.0",
+    "hazo_api": "^2.3.1",
+    "hazo_config": "^2.1.10",
+    "hazo_connect": "^3.4.1",
+    "hazo_core": "^1.1.0",
+    "hazo_logs": "^2.0.3",
+    "hazo_notify": "^6.1.3",
+    "hazo_ui": "^3.2.1",
     "input-otp": "^1.4.0",
     "jest": "^30.2.0",
     "jest-environment-jsdom": "^30.0.0",