hazo_auth 9.1.1 → 10.0.0

package/README.md

@@ -742,9 +742,7 @@ CREATE INDEX idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- 7a. Reserved system scopes
-INSERT INTO hazo_scopes (id, parent_id, name, level)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system')
-ON CONFLICT (id) DO NOTHING;
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT INTO hazo_scopes (id, parent_id, name, level)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default')
 ON CONFLICT (id) DO NOTHING;
@@ -900,8 +898,7 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- Reserved system scopes
-INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', datetime('now'), datetime('now'));
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', datetime('now'), datetime('now'));
 
@@ -1743,7 +1740,6 @@ type TenantOrganization = {
   slug: string | null;          // URL-friendly identifier
   level: string;                // "Company", "Division", etc.
   role_id: string;              // User's role in this scope
-  is_super_admin: boolean;
   branding?: {
     logo_url: string | null;
     primary_color: string | null;
@@ -2500,6 +2496,28 @@ import { ProfilePicMenu } from "hazo_auth/components/layouts/shared";
 />
 ```
 
+#### Menu item types
+
+`custom_menu_items` accepts four `type` values:
+
+| Type | Renders as | Fields used |
+|------|------------|-------------|
+| `info` | Read-only label/value row | `label`, `value` |
+| `link` | Navigation link | `label`, `href` |
+| `separator` | Divider | — |
+| `action` | Clickable item that fires a client-side callback | `label`, `onSelect` |
+
+```typescript
+<ProfilePicMenu
+  variant="dropdown"
+  custom_menu_items={[
+    { type: "action", label: "Switch workspace", onSelect: () => openSwitcher(), order: 1, id: "switch" }
+  ]}
+/>
+```
+
+> **`action` items are React-only.** Because `onSelect` is a function, action items cannot be expressed via the INI `custom_menu_items` config (which only supports the serialisable `info` / `link` / `separator` types) — pass them through the `custom_menu_items` prop instead.
+
 ### Configuration
 
 ```ini

package/SETUP_CHECKLIST.md

@@ -544,9 +544,7 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- Reserved system scopes
-INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', datetime('now'), datetime('now'));
-
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', datetime('now'), datetime('now'));
 
@@ -733,10 +731,7 @@ CREATE INDEX idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- 7a. Reserved system scopes
-INSERT INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', NOW(), NOW())
-ON CONFLICT (id) DO NOTHING;
-
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', NOW(), NOW())
 ON CONFLICT (id) DO NOTHING;
@@ -897,8 +892,8 @@ GRANT USAGE ON TYPE hazo_enum_invitation_status TO anon, authenticated;
   - [ ] `hazo_invitations`
   - [ ] `hazo_user_relationships` (managed sub-profile parent/child links)
 - [ ] Reserved system scopes inserted:
-  - [ ] `00000000-0000-0000-0000-000000000000` (Super Admin)
   - [ ] `00000000-0000-0000-0000-000000000001` (System / non-multi-tenancy default)
+- [ ] Migration 020 run: Super Admin scope retired, `hazo_org_global_admin` permission granted to affected roles
 - [ ] `firm_admin` role inserted into `hazo_roles`
 
 ---
@@ -1768,10 +1763,7 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- 3. Create system scopes
-INSERT INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', NOW(), NOW())
-ON CONFLICT (id) DO NOTHING;
-
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', NOW(), NOW())
 ON CONFLICT (id) DO NOTHING;
@@ -1861,9 +1853,7 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
 -- 3. Create system scopes
-INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', datetime('now'), datetime('now'));
-
+-- Note: Super Admin scope retired in v10; use hazo_org_global_admin permission instead (see migration 020)
 INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', datetime('now'), datetime('now'));
 
@@ -1959,8 +1949,8 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
   - [ ] `hazo_user_scopes` (user-scope-role assignments)
   - [ ] `hazo_invitations` (user invitation flow)
 - [ ] System scopes exist:
-  - [ ] Super Admin scope (00000000-0000-0000-0000-000000000000)
   - [ ] Default System scope (00000000-0000-0000-0000-000000000001)
+- [ ] Migration 020 run: Super Admin scope retired, `hazo_org_global_admin` permission granted
 - [ ] Grants applied (PostgreSQL)
 - [ ] HRBAC tabs visible in User Management
 - [ ] Scope test page works

package/cli-src/cli/init_users.ts

@@ -5,7 +5,8 @@ import { createCrudService } from "hazo_connect/server";
 import { get_user_management_config } from "../lib/user_management_config.server.js";
 import { get_config_value } from "../lib/config/config_loader.server.js";
 import { create_app_logger } from "../lib/app_logger.js";
-import { SUPER_ADMIN_SCOPE_ID } from "../lib/services/scope_service.js";
+import { DEFAULT_SYSTEM_SCOPE_ID } from "../lib/services/scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../lib/constants.js";
 
 // section: types
 type InitSummary = {
@@ -23,10 +24,6 @@ type InitSummary = {
     existing: number;
   };
   // v5.x: Removed user_role - roles are now assigned via hazo_user_scopes
-  super_admin_scope: {
-    inserted: boolean;
-    existing: boolean;
-  };
   user_scope: {
     inserted: boolean;
     existing: boolean;
@@ -77,23 +74,13 @@ function print_summary(summary: InitSummary): void {
 
   // v5.x: User-Role assignments are now handled via User-Scope assignments (see below)
 
-  // Super admin scope summary
-  console.log("Super Admin Scope:");
-  if (summary.super_admin_scope.inserted) {
-    console.log(`  ✓ Inserted: Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-  }
-  if (summary.super_admin_scope.existing) {
-    console.log(`  ⊙ Already existed: Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-  }
-  console.log();
-
   // User scope summary
   console.log("User-Scope Assignment:");
   if (summary.user_scope.inserted) {
-    console.log(`  ✓ Inserted: User assigned to Super Admin scope`);
+    console.log(`  ✓ Inserted: User assigned to default system scope`);
   }
   if (summary.user_scope.existing) {
-    console.log(`  ⊙ Already existed: User already in Super Admin scope`);
+    console.log(`  ⊙ Already existed: User already in default system scope`);
   }
   console.log();
 
@@ -131,10 +118,6 @@ export async function handle_init_users(options: InitUsersOptions = {}): Promise
       existing: 0,
     },
     // v5.x: Removed user_role - roles are now assigned via hazo_user_scopes
-    super_admin_scope: {
-      inserted: false,
-      existing: false,
-    },
     user_scope: {
       inserted: false,
       existing: false,
@@ -155,7 +138,6 @@ export async function handle_init_users(options: InitUsersOptions = {}): Promise
     });
     const users_service = createCrudService(hazoConnect, "hazo_users");
     // v5.x: Removed hazo_user_roles - roles are now assigned via hazo_user_scopes
-    const scopes_service = createCrudService(hazoConnect, "hazo_scopes");
     // hazo_user_scopes uses composite primary key (user_id, scope_id), no 'id' column
     const user_scopes_service = createCrudService(hazoConnect, "hazo_user_scopes", {
       primaryKeys: ["user_id", "scope_id"],
@@ -317,54 +299,63 @@ export async function handle_init_users(options: InitUsersOptions = {}): Promise
     console.log(`✓ Found user: ${super_user_email} (ID: ${user_id})`);
     console.log();
 
-    // v5.x: Step 7 removed - role assignment now happens via hazo_user_scopes (see step 9)
-
-    // 8. Ensure super admin scope exists
-    const existing_scopes = await scopes_service.findBy({ id: SUPER_ADMIN_SCOPE_ID });
-
-    if (Array.isArray(existing_scopes) && existing_scopes.length > 0) {
-      summary.super_admin_scope.existing = true;
-      console.log(`✓ Super Admin scope already exists (ID: ${SUPER_ADMIN_SCOPE_ID})`);
-    } else {
-      await scopes_service.insert({
-        id: SUPER_ADMIN_SCOPE_ID,
-        parent_id: null,
-        name: "Super Admin",
-        level: "system",
+    // 7. Ensure hazo_org_global_admin is in the permission catalog
+    const global_admin_perms = await permissions_service.findBy({
+      permission_name: GLOBAL_ADMIN_PERMISSION,
+    });
+    if (!Array.isArray(global_admin_perms) || global_admin_perms.length === 0) {
+      await permissions_service.insert({
+        permission_name: GLOBAL_ADMIN_PERMISSION,
+        description: "Global admin — access to all scopes and operations",
         created_at: now,
         changed_at: now,
       });
-      summary.super_admin_scope.inserted = true;
-      console.log(`✓ Created Super Admin scope (ID: ${SUPER_ADMIN_SCOPE_ID})`);
+      console.log(`✓ Created permission: ${GLOBAL_ADMIN_PERMISSION}`);
+    } else {
+      console.log(`✓ Permission already exists: ${GLOBAL_ADMIN_PERMISSION}`);
     }
+    console.log();
 
+    // 9. Ensure hazo_org_global_admin is assigned to the super user role
+    // (The role already has all configured permissions; this ensures the global admin perm is included)
+    const perm_row = await permissions_service.findBy({ permission_name: GLOBAL_ADMIN_PERMISSION });
+    const perm_id = Array.isArray(perm_row) && perm_row.length > 0 ? (perm_row[0].id as string) : null;
+    if (perm_id && role_id) {
+      const existing_rp = await role_permissions_service.findBy({ role_id, permission_id: perm_id });
+      if (!Array.isArray(existing_rp) || existing_rp.length === 0) {
+        await role_permissions_service.insert({ role_id, permission_id: perm_id });
+        console.log(`✓ Assigned ${GLOBAL_ADMIN_PERMISSION} to super user role`);
+      } else {
+        console.log(`✓ Super user role already has ${GLOBAL_ADMIN_PERMISSION}`);
+      }
+    }
     console.log();
 
-    // 9. Assign user to super admin scope
+    // 10. Assign user to DEFAULT_SYSTEM_SCOPE_ID (global access comes from the permission, not the scope)
     const existing_user_scopes = await user_scopes_service.findBy({
       user_id,
-      scope_id: SUPER_ADMIN_SCOPE_ID,
+      scope_id: DEFAULT_SYSTEM_SCOPE_ID,
     });
 
     if (Array.isArray(existing_user_scopes) && existing_user_scopes.length > 0) {
       summary.user_scope.existing = true;
-      console.log(`✓ User already assigned to Super Admin scope`);
+      console.log(`✓ User already assigned to default system scope`);
     } else {
       await user_scopes_service.insert({
         user_id,
-        scope_id: SUPER_ADMIN_SCOPE_ID,
-        root_scope_id: SUPER_ADMIN_SCOPE_ID,
+        scope_id: DEFAULT_SYSTEM_SCOPE_ID,
+        root_scope_id: DEFAULT_SYSTEM_SCOPE_ID,
         role_id,
         created_at: now,
         changed_at: now,
       });
       summary.user_scope.inserted = true;
-      console.log(`✓ Assigned user to Super Admin scope`);
+      console.log(`✓ Assigned user to default system scope`);
     }
 
     console.log();
 
-    // 10. Print summary
+    // 11. Print summary
     print_summary(summary);
 
     logger.info("init_users_completed", {
@@ -402,15 +393,16 @@ export function show_init_users_help(): void {
   console.log(`
 hazo_auth init-users
 
-Initialize users, roles, permissions, and super admin scope from configuration.
+Initialize users, roles, and permissions from configuration.
 
 This command reads from hazo_auth_config.ini and:
   1. Creates permissions from [hazo_auth__user_management] application_permission_list_defaults
   2. Creates a 'default_super_user_role' role
   3. Assigns all permissions to the super user role
   4. Finds user by email (from --email parameter or config)
-  5. Creates the Super Admin scope (${SUPER_ADMIN_SCOPE_ID})
-  6. Assigns the user to the Super Admin scope with the super user role
+  5. Ensures the '${GLOBAL_ADMIN_PERMISSION}' permission exists and is assigned to the super user role
+  6. Assigns the user to the default system scope (${DEFAULT_SYSTEM_SCOPE_ID})
+     Global admin access is granted via the '${GLOBAL_ADMIN_PERMISSION}' permission, not by scope
      (v5.x: Roles are assigned per-scope via hazo_user_scopes table)
 
 Options:

package/cli-src/lib/auth/auth_types.ts

@@ -24,7 +24,6 @@ export type HazoAuthUser = {
 export type ScopeAccessInfo = {
   scope_id: string;
   scope_name?: string;
-  is_super_admin?: boolean;
 };
 
 /**
@@ -135,7 +134,6 @@ export type TenantOrganization = {
   slug: string | null;
   level: string;
   role_id: string;
-  is_super_admin: boolean;
   branding?: {
     logo_url: string | null;
     primary_color: string | null;

package/cli-src/lib/auth/hazo_get_auth.server.ts

@@ -30,6 +30,7 @@ import {
 } from "../services/user_scope_service.js";
 import { get_cookie_name, BASE_COOKIE_NAMES } from "../cookies_config.server.js";
 import { get_app_permission_descriptions } from "../app_permissions_config.server.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
 
 // section: helpers
 
@@ -383,7 +384,6 @@ async function check_scope_access_internal(
       scope_access_via: {
         scope_id: result.access_via.scope_id,
         scope_name: result.access_via.scope_name,
-        is_super_admin: result.is_super_admin,
       },
       user_scopes,
     };
@@ -587,31 +587,37 @@ export async function hazo_get_auth(
   const hrbac_enabled = is_hrbac_enabled();
 
   if (hrbac_enabled && options?.scope_id) {
-    const scope_result = await check_scope_access_internal(
-      user.id,
-      options.scope_id,
-    );
-
-    scope_ok = scope_result.scope_ok;
-    scope_access_via = scope_result.scope_access_via;
-
-    // Log scope denial if permission logging is enabled
-    if (!scope_ok && config.log_permission_denials) {
-      const client_ip = get_client_ip(request);
-      logger.warn("auth_utility_scope_access_denied", {
-        filename: get_filename(),
-        line_number: get_line_number(),
-        user_id: user.id,
-        scope_id: options.scope_id,
-        user_scopes: scope_result.user_scopes,
-        ip: client_ip,
-        correlation_id: getCorrelationId(),
-      });
-    }
+    // Global admin permission grants access to all scopes
+    const has_global_admin = permissions.includes(GLOBAL_ADMIN_PERMISSION);
+    if (has_global_admin) {
+      scope_ok = true;
+      scope_access_via = { scope_id: options.scope_id };
+    } else {
+      const scope_result = await check_scope_access_internal(
+        user.id,
+        options.scope_id,
+      );
+      scope_ok = scope_result.scope_ok;
+      scope_access_via = scope_result.scope_access_via;
+
+      // Log scope denial if permission logging is enabled
+      if (!scope_ok && config.log_permission_denials) {
+        const client_ip = get_client_ip(request);
+        logger.warn("auth_utility_scope_access_denied", {
+          filename: get_filename(),
+          line_number: get_line_number(),
+          user_id: user.id,
+          scope_id: options.scope_id,
+          user_scopes: scope_result.user_scopes,
+          ip: client_ip,
+          correlation_id: getCorrelationId(),
+        });
+      }
 
-    // Throw error if strict mode and scope access denied
-    if (!scope_ok && options.strict) {
-      throw new ScopeAccessError(options.scope_id, scope_result.user_scopes);
+      // Throw error if strict mode and scope access denied
+      if (!scope_ok && options.strict) {
+        throw new ScopeAccessError(options.scope_id, scope_result.user_scopes);
+      }
     }
   }
 

package/cli-src/lib/auth/hazo_get_tenant_auth.server.ts

@@ -7,6 +7,7 @@ import { NextRequest } from "next/server";
 import { hazo_get_auth } from "./hazo_get_auth.server.js";
 import { get_auth_cache } from "./auth_cache.js";
 import { get_scope_by_id } from "../services/scope_service.js";
+import { GLOBAL_ADMIN_PERMISSION } from "../constants.js";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { get_cookie_name } from "../cookies_config.server.js";
 import { get_auth_utility_config } from "../auth_utility_config.server.js";
@@ -62,14 +63,12 @@ export function extract_scope_id_from_request(
 }
 
 /**
- * Builds TenantOrganization from scope details and access info
+ * Builds TenantOrganization from scope details
  * @param scope_details - Full scope details from cache
- * @param is_super_admin - Whether user is accessing as super admin
  * @returns TenantOrganization object
  */
 function build_tenant_organization(
   scope_details: ScopeDetails,
-  is_super_admin: boolean,
 ): TenantOrganization {
   return {
     id: scope_details.id,
@@ -77,7 +76,6 @@ function build_tenant_organization(
     slug: scope_details.slug,
     level: scope_details.level,
     role_id: scope_details.role_id,
-    is_super_admin,
     branding:
       scope_details.logo_url || scope_details.primary_color
         ? {
@@ -159,18 +157,17 @@ export async function hazo_get_tenant_auth(
   let organization: TenantOrganization | null = null;
 
   if (scope_id && auth_result.scope_ok && auth_result.scope_access_via) {
-    // Find the scope in user's scopes that matches the access_via scope
+    // Try to find the scope in user's cached scope assignments first.
+    // For global admins the scope may not be in their cache (they can access any scope),
+    // in which case we fall through to the permission-based fetch below.
     const access_scope = user_scopes.find(
       (s) => s.id === auth_result.scope_access_via?.scope_id,
     );
 
     if (access_scope) {
-      organization = build_tenant_organization(
-        access_scope,
-        auth_result.scope_access_via.is_super_admin || false,
-      );
-    } else if (auth_result.scope_access_via.is_super_admin) {
-      // Super admin accessing scope they're not assigned to - fetch scope details
+      organization = build_tenant_organization(access_scope);
+    } else if (auth_result.permissions.includes(GLOBAL_ADMIN_PERMISSION)) {
+      // Global admin accessing a scope they aren't directly assigned to — fetch scope details
       const hazoConnect = get_hazo_connect_instance();
       const scope_result = await get_scope_by_id(hazoConnect, scope_id);
       if (scope_result.success && scope_result.scope) {
@@ -179,8 +176,7 @@ export async function hazo_get_tenant_auth(
           name: scope_result.scope.name,
           slug: null, // Could fetch from scope if slug column exists
           level: scope_result.scope.level,
-          role_id: "", // Super admin doesn't have a role in the scope
-          is_super_admin: true,
+          role_id: "", // Global admin doesn't have a role assignment in the scope
           branding: scope_result.scope.logo_url
             ? {
                 logo_url: scope_result.scope.logo_url,

package/cli-src/lib/constants.ts

@@ -13,3 +13,5 @@ export const HAZO_AUTH_PERMISSIONS = {
 } as const;
 
 export const ALL_ADMIN_PERMISSIONS: string[] = Object.values(HAZO_AUTH_PERMISSIONS);
+
+export const GLOBAL_ADMIN_PERMISSION = "hazo_org_global_admin";

package/cli-src/lib/profile_pic_menu_config.server.ts

@@ -8,13 +8,14 @@ import { get_config_value, get_config_boolean, get_config_array } from "./config
 // section: types
 // Note: These types are also used in client components, but TypeScript types are erased at runtime
 // so importing from a server file is safe for type-only imports
-export type MenuItemType = "info" | "link" | "separator";
+export type MenuItemType = "info" | "link" | "separator" | "action";
 
 export type ProfilePicMenuMenuItem = {
   type: MenuItemType;
-  label?: string; // For info and link types
+  label?: string; // For info, link, and action types
   value?: string; // For info type (e.g., user name, email)
   href?: string; // For link type
+  onSelect?: () => void; // For action type (client-side callback, not serialisable via INI config)
   order: number; // Ordering within type group
   id: string; // Unique identifier for the item
 };
@@ -50,7 +51,7 @@ function parse_custom_menu_items(items_string: string[]): ProfilePicMenuMenuItem
     
     const type = parts[0] as MenuItemType;
     if (type !== "info" && type !== "link" && type !== "separator") {
-      return; // Invalid type, skip
+      return; // Invalid type or action (action items carry callbacks, not expressible in INI)
     }
     
     if (type === "separator") {

package/cli-src/lib/schema/sqlite_schema.ts

@@ -97,10 +97,6 @@ CREATE INDEX IF NOT EXISTS idx_hazo_scopes_parent ON hazo_scopes(parent_id);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_level ON hazo_scopes(level);
 CREATE INDEX IF NOT EXISTS idx_hazo_scopes_slug ON hazo_scopes(slug);
 
--- Super admin scope
-INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
-VALUES ('00000000-0000-0000-0000-000000000000', NULL, 'Super Admin', 'system', datetime('now'), datetime('now'));
-
 -- Default system scope (for non-multi-tenancy mode)
 INSERT OR IGNORE INTO hazo_scopes (id, parent_id, name, level, created_at, changed_at)
 VALUES ('00000000-0000-0000-0000-000000000001', NULL, 'System', 'default', datetime('now'), datetime('now'));

package/cli-src/lib/scope_hierarchy_config.server.ts

@@ -8,7 +8,7 @@ import {
   get_config_number,
   get_config_boolean,
 } from "./config/config_loader.server.js";
-import { SUPER_ADMIN_SCOPE_ID, DEFAULT_SYSTEM_SCOPE_ID } from "./services/scope_service.js";
+import { DEFAULT_SYSTEM_SCOPE_ID } from "./services/scope_service.js";
 
 // section: types
 
@@ -23,8 +23,6 @@ export type ScopeHierarchyConfig = {
   scope_cache_ttl_minutes: number;
   /** Maximum entries in scope cache (default: 5000) */
   scope_cache_max_entries: number;
-  /** Super admin scope ID */
-  super_admin_scope_id: string;
   /** Default system scope ID (for non-multi-tenancy mode) */
   default_system_scope_id: string;
 };
@@ -57,11 +55,6 @@ export function get_scope_hierarchy_config(): ScopeHierarchyConfig {
   );
 
   // Scope IDs (with defaults)
-  const super_admin_scope_id = get_config_value(
-    SECTION_NAME,
-    "super_admin_scope_id",
-    SUPER_ADMIN_SCOPE_ID,
-  );
   const default_system_scope_id = get_config_value(
     SECTION_NAME,
     "default_system_scope_id",
@@ -72,7 +65,6 @@ export function get_scope_hierarchy_config(): ScopeHierarchyConfig {
     enable_hrbac,
     scope_cache_ttl_minutes,
     scope_cache_max_entries,
-    super_admin_scope_id,
     default_system_scope_id,
   };
 }

package/cli-src/lib/services/invitation_service.ts

@@ -478,7 +478,7 @@ export async function list_invitations_by_scope(
 }
 
 /**
- * Lists all invitations (for super admin)
+ * Lists all invitations (for global admins)
  */
 export async function list_all_invitations(
   adapter: HazoConnectAdapter,

package/cli-src/lib/services/scope_service.ts

@@ -7,12 +7,6 @@ import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
 
 // section: constants
 
-/**
- * Super admin scope ID - special UUID for system-level administrators
- * Users assigned to this scope have global access
- */
-export const SUPER_ADMIN_SCOPE_ID = "00000000-0000-0000-0000-000000000000";
-
 /**
  * Default system scope ID - for non-multi-tenancy mode
  * All users are assigned to this scope when multi-tenancy is disabled
@@ -119,13 +113,6 @@ export function has_branding(scope: ScopeRecord): boolean {
   return !!(scope.logo_url || scope.primary_color || scope.secondary_color || scope.tagline);
 }
 
-/**
- * Checks if the given scope_id is the super admin scope
- */
-export function is_super_admin_scope(scope_id: string): boolean {
-  return scope_id === SUPER_ADMIN_SCOPE_ID;
-}
-
 /**
  * Checks if the given scope_id is the default system scope
  */
@@ -134,10 +121,10 @@ export function is_default_system_scope(scope_id: string): boolean {
 }
 
 /**
- * Checks if the given scope_id is a system scope (super admin or default system)
+ * Checks if the given scope_id is a system scope (default system)
  */
 export function is_system_scope(scope_id: string): boolean {
-  return is_super_admin_scope(scope_id) || is_default_system_scope(scope_id);
+  return is_default_system_scope(scope_id);
 }
 
 // section: crud operations
@@ -781,67 +768,6 @@ export async function get_scope_tree(
   }
 }
 
-/**
- * Ensures the super admin scope exists
- */
-export async function ensure_super_admin_scope(
-  adapter: HazoConnectAdapter,
-): Promise<ScopeServiceResult> {
-  try {
-    // Check if already exists
-    const existing = await get_scope_by_id(adapter, SUPER_ADMIN_SCOPE_ID);
-    if (existing.success && existing.scope) {
-      return existing;
-    }
-
-    // Create it
-    const scope_service = createCrudService(adapter, "hazo_scopes");
-    const now = new Date().toISOString();
-
-    const inserted = await scope_service.insert({
-      id: SUPER_ADMIN_SCOPE_ID,
-      name: "Super Admin",
-      level: "system",
-      parent_id: null,
-      logo_url: null,
-      primary_color: null,
-      secondary_color: null,
-      tagline: null,
-      created_at: now,
-      changed_at: now,
-    });
-
-    if (!Array.isArray(inserted) || inserted.length === 0) {
-      return {
-        success: false,
-        error: "Failed to create super admin scope",
-      };
-    }
-
-    return {
-      success: true,
-      scope: normalize_scope_record(inserted[0] as Record<string, unknown>),
-    };
-  } catch (error) {
-    const logger = create_app_logger();
-    const error_message = sanitize_error_for_user(error, {
-      logToConsole: true,
-      logToLogger: true,
-      logger,
-      context: {
-        filename: "scope_service.ts",
-        line_number: 0,
-        operation: "ensure_super_admin_scope",
-      },
-    });
-
-    return {
-      success: false,
-      error: error_message,
-    };
-  }
-}
-
 /**
  * Ensures the default system scope exists
  */