hazo_auth 9.1.1 → 10.1.0

package/dist/lib/services/google_token_service.js

@@ -0,0 +1,319 @@
+// file_description: stores, retrieves, refreshes, and revokes Google OAuth tokens with encrypted persistence
+// section: imports
+import { createCrudService } from "hazo_connect/server";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
+import { create_app_logger } from "../app_logger.js";
+import { optional_import } from "hazo_core";
+import { randomUUID } from "crypto";
+// section: errors
+export class GoogleTokenStorageUnconfigured extends Error {
+    constructor() {
+        super("Google token storage is not configured. Set HAZO_AUTH_OAUTH_KEY_CURRENT and HAZO_AUTH_OAUTH_KEY_<ID> env vars.");
+        this.name = "GoogleTokenStorageUnconfigured";
+    }
+}
+// section: cache
+const access_token_cache = new Map();
+// section: helpers
+function makeKeyProvider(LookupKeyProvider) {
+    return new LookupKeyProvider((name) => {
+        if (name === "current")
+            return process.env.HAZO_AUTH_OAUTH_KEY_CURRENT;
+        if (name.startsWith("key_")) {
+            const keyId = name.slice(4).toUpperCase();
+            return process.env[`HAZO_AUTH_OAUTH_KEY_${keyId}`];
+        }
+        return undefined;
+    });
+}
+async function load_crypto_module() {
+    const cryptoModule = await optional_import("hazo_secure/crypto");
+    if (!cryptoModule)
+        throw new GoogleTokenStorageUnconfigured();
+    return cryptoModule;
+}
+// section: store
+/**
+ * Stores (inserts or updates) Google OAuth tokens for a user, encrypting sensitive fields.
+ * Throws GoogleTokenStorageUnconfigured if hazo_secure/crypto is unavailable or keys are missing.
+ */
+export async function store_google_oauth_token(params) {
+    var _a, _b;
+    const logger = create_app_logger();
+    const { encryptField, decryptField: _decryptField, aadFor, LookupKeyProvider } = await load_crypto_module();
+    const keys = makeKeyProvider(LookupKeyProvider);
+    // Force-fail early if no key is configured
+    try {
+        await keys.current();
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error("google_token_service_key_provider_failed", {
+            filename: "google_token_service.ts",
+            error: msg,
+        });
+        throw new GoogleTokenStorageUnconfigured();
+    }
+    const refresh_enc = await encryptField(params.refresh_token, {
+        keys,
+        aad: aadFor("hazo_google_oauth_tokens", params.user_id, "refresh_token"),
+    });
+    const refresh_token_enc = JSON.stringify(refresh_enc);
+    let access_token_enc = null;
+    if (params.access_token) {
+        const access_enc = await encryptField(params.access_token, {
+            keys,
+            aad: aadFor("hazo_google_oauth_tokens", params.user_id, "access_token"),
+        });
+        access_token_enc = JSON.stringify(access_enc);
+    }
+    const adapter = get_hazo_connect_instance();
+    const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+    const existing_rows = (await service.findBy({
+        user_id: params.user_id,
+        provider: "google",
+    }));
+    const now = new Date().toISOString();
+    if (existing_rows.length > 0) {
+        const existing = existing_rows[0];
+        await service.updateById(existing.id, {
+            refresh_token_enc,
+            access_token_enc,
+            scopes: params.scopes,
+            expires_at: (_a = params.expires_at) !== null && _a !== void 0 ? _a : null,
+            changed_at: now,
+        });
+        logger.info("google_token_service_token_updated", {
+            filename: "google_token_service.ts",
+            user_id: params.user_id,
+        });
+    }
+    else {
+        await service.insert({
+            id: randomUUID(),
+            user_id: params.user_id,
+            provider: "google",
+            refresh_token_enc,
+            access_token_enc,
+            scopes: params.scopes,
+            expires_at: (_b = params.expires_at) !== null && _b !== void 0 ? _b : null,
+            created_at: now,
+            changed_at: now,
+        });
+        logger.info("google_token_service_token_stored", {
+            filename: "google_token_service.ts",
+            user_id: params.user_id,
+        });
+    }
+}
+// section: get
+/**
+ * Returns a valid access token for the user, refreshing via Google if needed.
+ * Returns a typed error result instead of throwing for expected failure modes.
+ */
+export async function getGoogleToken(userId, opts) {
+    var _a, _b;
+    const logger = create_app_logger();
+    // Check in-memory cache first
+    const cached = access_token_cache.get(userId);
+    if (cached) {
+        const still_valid = new Date(cached.expires_at).getTime() - 60000 > Date.now();
+        if (still_valid) {
+            logger.info("google_token_service_cache_hit", {
+                filename: "google_token_service.ts",
+                user_id: userId,
+            });
+            // We need scopes from DB even on cache hit when scope check is requested
+            if (!((_a = opts === null || opts === void 0 ? void 0 : opts.scopes) === null || _a === void 0 ? void 0 : _a.length)) {
+                // No scope check needed — return cached token (scopes unknown from cache alone)
+                // Fall through to DB to get scopes for the result shape
+            }
+        }
+    }
+    const adapter = get_hazo_connect_instance();
+    const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+    const rows = (await service.findBy({ user_id: userId, provider: "google" }));
+    if (rows.length === 0) {
+        return { ok: false, error: "not_connected" };
+    }
+    const row = rows[0];
+    // Scope check
+    if ((_b = opts === null || opts === void 0 ? void 0 : opts.scopes) === null || _b === void 0 ? void 0 : _b.length) {
+        const stored_scopes = row.scopes.split(" ").filter(Boolean);
+        const missing = opts.scopes.some((s) => !stored_scopes.includes(s));
+        if (missing) {
+            return { ok: false, error: "reconsent_required" };
+        }
+    }
+    // Return cached token now that we have the row (scope check passed)
+    if (cached) {
+        const still_valid = new Date(cached.expires_at).getTime() - 60000 > Date.now();
+        if (still_valid) {
+            return { ok: true, access_token: cached.token, scopes: row.scopes };
+        }
+    }
+    // Need to refresh — load crypto
+    let cryptoModule;
+    try {
+        cryptoModule = await load_crypto_module();
+    }
+    catch (_c) {
+        return { ok: false, error: "unconfigured" };
+    }
+    const { decryptField, aadFor, LookupKeyProvider } = cryptoModule;
+    const keys = makeKeyProvider(LookupKeyProvider);
+    let decrypted_refresh;
+    try {
+        decrypted_refresh = await decryptField(JSON.parse(row.refresh_token_enc), {
+            keys,
+            aad: aadFor("hazo_google_oauth_tokens", userId, "refresh_token"),
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error("google_token_service_decrypt_failed", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            error: msg,
+        });
+        return { ok: false, error: "refresh_failed" };
+    }
+    // Call Google token refresh endpoint
+    let resp;
+    try {
+        resp = await fetch("https://oauth2.googleapis.com/token", {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+                grant_type: "refresh_token",
+                refresh_token: decrypted_refresh,
+                client_id: process.env.HAZO_AUTH_GOOGLE_CLIENT_ID,
+                client_secret: process.env.HAZO_AUTH_GOOGLE_CLIENT_SECRET,
+            }),
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error("google_token_service_refresh_fetch_failed", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            error: msg,
+        });
+        return { ok: false, error: "refresh_failed" };
+    }
+    if (!resp.ok) {
+        logger.warn("google_token_service_refresh_rejected", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            status: resp.status,
+        });
+        return { ok: false, error: "refresh_failed" };
+    }
+    const data = await resp.json();
+    // Persist new access token (encrypted)
+    const new_expires_at = new Date(Date.now() + data.expires_in * 1000).toISOString();
+    try {
+        const { encryptField } = cryptoModule;
+        const access_enc = await encryptField(data.access_token, {
+            keys,
+            aad: aadFor("hazo_google_oauth_tokens", userId, "access_token"),
+        });
+        const access_token_enc = JSON.stringify(access_enc);
+        await service.updateById(row.id, {
+            access_token_enc,
+            expires_at: new_expires_at,
+            changed_at: new Date().toISOString(),
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.warn("google_token_service_persist_access_token_failed", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            error: msg,
+            note: "Access token refreshed successfully but could not be persisted",
+        });
+    }
+    // Update in-memory cache
+    access_token_cache.set(userId, { token: data.access_token, expires_at: new_expires_at });
+    logger.info("google_token_service_token_refreshed", {
+        filename: "google_token_service.ts",
+        user_id: userId,
+    });
+    return { ok: true, access_token: data.access_token, scopes: row.scopes };
+}
+// section: revoke
+/**
+ * Revokes the user's Google OAuth tokens — best-effort remote revocation, then deletes DB row.
+ */
+export async function revoke_google_oauth_token(userId) {
+    const logger = create_app_logger();
+    const adapter = get_hazo_connect_instance();
+    const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+    const rows = (await service.findBy({ user_id: userId, provider: "google" }));
+    if (rows.length === 0) {
+        return { ok: false, error: "not_connected" };
+    }
+    const row = rows[0];
+    // Attempt remote revocation — best effort
+    try {
+        const { decryptField, aadFor, LookupKeyProvider } = await load_crypto_module();
+        const keys = makeKeyProvider(LookupKeyProvider);
+        const decrypted_refresh = await decryptField(JSON.parse(row.refresh_token_enc), {
+            keys,
+            aad: aadFor("hazo_google_oauth_tokens", userId, "refresh_token"),
+        });
+        const revoke_resp = await fetch(`https://oauth2.googleapis.com/revoke?token=${encodeURIComponent(decrypted_refresh)}`, { method: "POST" });
+        if (!revoke_resp.ok) {
+            logger.warn("google_token_service_revoke_remote_failed", {
+                filename: "google_token_service.ts",
+                user_id: userId,
+                status: revoke_resp.status,
+                note: "Google revocation returned non-OK status; proceeding to delete local record",
+            });
+        }
+        else {
+            logger.info("google_token_service_revoke_remote_ok", {
+                filename: "google_token_service.ts",
+                user_id: userId,
+            });
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.warn("google_token_service_revoke_remote_error", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            error: msg,
+            note: "Remote revocation failed; proceeding to delete local record",
+        });
+    }
+    // Always delete the local row
+    await service.deleteById(row.id);
+    access_token_cache.delete(userId);
+    logger.info("google_token_service_revoked", {
+        filename: "google_token_service.ts",
+        user_id: userId,
+    });
+    return { ok: true };
+}
+// section: status
+/**
+ * Returns connection status and scope information for a user's Google OAuth connection.
+ * Does not decrypt or refresh tokens.
+ */
+export async function get_google_token_status(userId) {
+    var _a;
+    const adapter = get_hazo_connect_instance();
+    const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+    const rows = (await service.findBy({ user_id: userId, provider: "google" }));
+    if (rows.length === 0) {
+        return { connected: false, scopes: "", expires_at: null };
+    }
+    const row = rows[0];
+    return {
+        connected: true,
+        scopes: row.scopes,
+        expires_at: (_a = row.expires_at) !== null && _a !== void 0 ? _a : null,
+    };
+}

package/dist/lib/services/index.d.ts

@@ -18,4 +18,5 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
+export * from "./google_token_service.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/lib/services/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,wBAAwB,CAAC"}

package/dist/lib/services/index.js

@@ -20,3 +20,4 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
+export * from "./google_token_service.js";

package/dist/lib/services/invitation_service.d.ts

@@ -53,7 +53,7 @@ export declare function revoke_invitation(adapter: HazoConnectAdapter, invitatio
  */
 export declare function list_invitations_by_scope(adapter: HazoConnectAdapter, scope_id: string, status?: InvitationStatus): Promise<InvitationServiceResult>;
 /**
- * Lists all invitations (for super admin)
+ * Lists all invitations (for global admins)
  */
 export declare function list_all_invitations(adapter: HazoConnectAdapter, status?: InvitationStatus): Promise<InvitationServiceResult>;
 /**

package/dist/lib/services/invitation_service.js

@@ -365,7 +365,7 @@ export async function list_invitations_by_scope(adapter, scope_id, status) {
     }
 }
 /**
- * Lists all invitations (for super admin)
+ * Lists all invitations (for global admins)
  */
 export async function list_all_invitations(adapter, status) {
     try {

package/dist/lib/services/scope_service.d.ts

@@ -1,9 +1,4 @@
 import type { HazoConnectAdapter } from "hazo_connect";
-/**
- * Super admin scope ID - special UUID for system-level administrators
- * Users assigned to this scope have global access
- */
-export declare const SUPER_ADMIN_SCOPE_ID = "00000000-0000-0000-0000-000000000000";
 /**
  * Default system scope ID - for non-multi-tenancy mode
  * All users are assigned to this scope when multi-tenancy is disabled
@@ -67,16 +62,12 @@ export declare function extract_branding(scope: ScopeRecord): FirmBranding | nul
  * Checks if a scope has any branding set
  */
 export declare function has_branding(scope: ScopeRecord): boolean;
-/**
- * Checks if the given scope_id is the super admin scope
- */
-export declare function is_super_admin_scope(scope_id: string): boolean;
 /**
  * Checks if the given scope_id is the default system scope
  */
 export declare function is_default_system_scope(scope_id: string): boolean;
 /**
- * Checks if the given scope_id is a system scope (super admin or default system)
+ * Checks if the given scope_id is a system scope (default system)
  */
 export declare function is_system_scope(scope_id: string): boolean;
 /**
@@ -133,10 +124,6 @@ export declare function get_scope_tree(adapter: HazoConnectAdapter, root_scope_i
     tree?: ScopeTreeNode[];
     error?: string;
 }>;
-/**
- * Ensures the super admin scope exists
- */
-export declare function ensure_super_admin_scope(adapter: HazoConnectAdapter): Promise<ScopeServiceResult>;
 /**
  * Ensures the default system scope exists
  */

package/dist/lib/services/scope_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scope_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/scope_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAOvD;;;GAGG;AACH,eAAO,MAAM,oBAAoB,yCAAyC,CAAC;AAE3E;;;GAGG;AACH,eAAO,MAAM,uBAAuB,yCAAyC,CAAC;AAI9E;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAEzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,MAAM,CAAC,EAAE,WAAW,EAAE,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG;IACxC,QAAQ,CAAC,EAAE,aAAa,EAAE,CAAC;CAC5B,CAAC;AAsBF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,WAAW,GAAG,YAAY,GAAG,IAAI,CAOxE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAExD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE9D;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEzD;AAID;;GAEG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,kBAAkB,EAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,OAAO,CAAC,kBAAkB,CAAC,CAyC7B;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAE7B;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CAmC7B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,kBAAkB,CAAC,CAmC7B;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,kBAAkB,CAAC,CA4D7B;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,kBAAkB,CAAC,CAiH7B;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CA2C7B;AAID;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CA8B7B;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CAgD7B;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CAyC7B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAuBxB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,kBAAkB,EAC3B,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,IAAI,CAAC,EAAE,aAAa,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoEvE;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAsD7B;AAED;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAsD7B"}
+{"version":3,"file":"scope_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/scope_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAOvD;;;GAGG;AACH,eAAO,MAAM,uBAAuB,yCAAyC,CAAC;AAI9E;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAEzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,MAAM,CAAC,EAAE,WAAW,EAAE,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG;IACxC,QAAQ,CAAC,EAAE,aAAa,EAAE,CAAC;CAC5B,CAAC;AAsBF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,WAAW,GAAG,YAAY,GAAG,IAAI,CAOxE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAExD;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEzD;AAID;;GAEG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,kBAAkB,EAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,OAAO,CAAC,kBAAkB,CAAC,CAyC7B;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAE7B;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CAmC7B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,kBAAkB,CAAC,CAmC7B;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,kBAAkB,CAAC,CA4D7B;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,kBAAkB,CAAC,CAiH7B;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CA2C7B;AAID;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CA8B7B;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CAgD7B;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CAyC7B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAuBxB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,kBAAkB,EAC3B,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,IAAI,CAAC,EAAE,aAAa,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoEvE;AAED;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAsD7B"}

package/dist/lib/services/scope_service.js

@@ -2,11 +2,6 @@ import { createCrudService } from "hazo_connect/server";
 import { create_app_logger } from "../app_logger.js";
 import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
 // section: constants
-/**
- * Super admin scope ID - special UUID for system-level administrators
- * Users assigned to this scope have global access
- */
-export const SUPER_ADMIN_SCOPE_ID = "00000000-0000-0000-0000-000000000000";
 /**
  * Default system scope ID - for non-multi-tenancy mode
  * All users are assigned to this scope when multi-tenancy is disabled
@@ -52,12 +47,6 @@ export function extract_branding(scope) {
 export function has_branding(scope) {
     return !!(scope.logo_url || scope.primary_color || scope.secondary_color || scope.tagline);
 }
-/**
- * Checks if the given scope_id is the super admin scope
- */
-export function is_super_admin_scope(scope_id) {
-    return scope_id === SUPER_ADMIN_SCOPE_ID;
-}
 /**
  * Checks if the given scope_id is the default system scope
  */
@@ -65,10 +54,10 @@ export function is_default_system_scope(scope_id) {
     return scope_id === DEFAULT_SYSTEM_SCOPE_ID;
 }
 /**
- * Checks if the given scope_id is a system scope (super admin or default system)
+ * Checks if the given scope_id is a system scope (default system)
  */
 export function is_system_scope(scope_id) {
-    return is_super_admin_scope(scope_id) || is_default_system_scope(scope_id);
+    return is_default_system_scope(scope_id);
 }
 // section: crud operations
 /**
@@ -605,60 +594,6 @@ export async function get_scope_tree(adapter, root_scope_id) {
         };
     }
 }
-/**
- * Ensures the super admin scope exists
- */
-export async function ensure_super_admin_scope(adapter) {
-    try {
-        // Check if already exists
-        const existing = await get_scope_by_id(adapter, SUPER_ADMIN_SCOPE_ID);
-        if (existing.success && existing.scope) {
-            return existing;
-        }
-        // Create it
-        const scope_service = createCrudService(adapter, "hazo_scopes");
-        const now = new Date().toISOString();
-        const inserted = await scope_service.insert({
-            id: SUPER_ADMIN_SCOPE_ID,
-            name: "Super Admin",
-            level: "system",
-            parent_id: null,
-            logo_url: null,
-            primary_color: null,
-            secondary_color: null,
-            tagline: null,
-            created_at: now,
-            changed_at: now,
-        });
-        if (!Array.isArray(inserted) || inserted.length === 0) {
-            return {
-                success: false,
-                error: "Failed to create super admin scope",
-            };
-        }
-        return {
-            success: true,
-            scope: normalize_scope_record(inserted[0]),
-        };
-    }
-    catch (error) {
-        const logger = create_app_logger();
-        const error_message = sanitize_error_for_user(error, {
-            logToConsole: true,
-            logToLogger: true,
-            logger,
-            context: {
-                filename: "scope_service.ts",
-                line_number: 0,
-                operation: "ensure_super_admin_scope",
-            },
-        });
-        return {
-            success: false,
-            error: error_message,
-        };
-    }
-}
 /**
  * Ensures the default system scope exists
  */

package/dist/lib/services/user_scope_service.d.ts

@@ -20,7 +20,6 @@ export type ScopeAccessCheckResult = {
         scope_name?: string;
     };
     user_scopes?: UserScope[];
-    is_super_admin?: boolean;
 };
 export type AssignUserScopeData = {
     user_id: string;
@@ -52,10 +51,6 @@ export declare function update_user_scopes(adapter: HazoConnectAdapter, user_id:
     scope_id: string;
     role_id: string;
 }>): Promise<UserScopeResult>;
-/**
- * Checks if a user is a super admin (has super admin scope assigned)
- */
-export declare function is_user_super_admin(adapter: HazoConnectAdapter, user_id: string): Promise<boolean>;
 /**
  * Checks if a user has any scope assigned
  */
@@ -63,9 +58,11 @@ export declare function user_has_any_scope(adapter: HazoConnectAdapter, user_id:
 /**
  * Checks if a user has access to a specific scope
  * Access is granted if:
- * 1. User is a super admin (has super admin scope)
- * 2. User has the exact scope assigned
- * 3. User has access to an ancestor scope (inherited access)
+ * 1. User has the exact scope assigned
+ * 2. User has access to an ancestor scope (inherited access)
+ *
+ * Global admin access (hazo_org_global_admin permission) is handled upstream
+ * in hazo_get_auth before this function is called.
  *
  * @param adapter - HazoConnect adapter
  * @param user_id - User ID to check
@@ -85,8 +82,4 @@ export declare function get_user_direct_scopes(adapter: HazoConnectAdapter, user
     }>;
     error?: string;
 }>;
-/**
- * Assigns super admin scope to a user
- */
-export declare function assign_super_admin_scope(adapter: HazoConnectAdapter, user_id: string, role_id: string): Promise<UserScopeResult>;
 //# sourceMappingURL=user_scope_service.d.ts.map

package/dist/lib/services/user_scope_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user_scope_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/user_scope_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAyBvD,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,MAAM,CAAC,EAAE,SAAS,EAAE,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAIF;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,eAAe,CAAC,CA2E1B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA2E1B;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,GACvD,OAAO,CAAC,eAAe,CAAC,CAwD1B;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAalB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,sBAAsB,CAAC,CAqFjC;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,KAAK,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC,CA4CD;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,eAAe,CAAC,CAO1B"}
+{"version":3,"file":"user_scope_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/user_scope_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAuBvD,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,MAAM,CAAC,EAAE,SAAS,EAAE,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAIF;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,eAAe,CAAC,CA2E1B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA2E1B;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,GACvD,OAAO,CAAC,eAAe,CAAC,CAwD1B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,sBAAsB,CAAC,CAoEjC;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,KAAK,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC,CA4CD"}

package/dist/lib/services/user_scope_service.js

@@ -1,7 +1,7 @@
 import { createCrudService } from "hazo_connect/server";
 import { create_app_logger } from "../app_logger.js";
 import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
-import { get_scope_by_id, get_scope_ancestors, get_root_scope_id, SUPER_ADMIN_SCOPE_ID, is_super_admin_scope, } from "./scope_service.js";
+import { get_scope_by_id, get_scope_ancestors, get_root_scope_id, } from "./scope_service.js";
 // section: constants
 /**
  * CRUD service options for hazo_user_scopes table
@@ -274,21 +274,6 @@ export async function update_user_scopes(adapter, user_id, new_scopes) {
         };
     }
 }
-/**
- * Checks if a user is a super admin (has super admin scope assigned)
- */
-export async function is_user_super_admin(adapter, user_id) {
-    try {
-        const user_scopes_result = await get_user_scopes(adapter, user_id);
-        if (!user_scopes_result.success || !user_scopes_result.scopes) {
-            return false;
-        }
-        return user_scopes_result.scopes.some((scope) => is_super_admin_scope(scope.scope_id));
-    }
-    catch (_a) {
-        return false;
-    }
-}
 /**
  * Checks if a user has any scope assigned
  */
@@ -306,9 +291,11 @@ export async function user_has_any_scope(adapter, user_id) {
 /**
  * Checks if a user has access to a specific scope
  * Access is granted if:
- * 1. User is a super admin (has super admin scope)
- * 2. User has the exact scope assigned
- * 3. User has access to an ancestor scope (inherited access)
+ * 1. User has the exact scope assigned
+ * 2. User has access to an ancestor scope (inherited access)
+ *
+ * Global admin access (hazo_org_global_admin permission) is handled upstream
+ * in hazo_get_auth before this function is called.
  *
  * @param adapter - HazoConnect adapter
  * @param user_id - User ID to check
@@ -323,20 +310,7 @@ export async function check_user_scope_access(adapter, user_id, target_scope_id)
             return { has_access: false };
         }
         const user_scopes = user_scopes_result.scopes;
-        // Check 1: Is user a super admin?
-        const has_super_admin = user_scopes.some((scope) => is_super_admin_scope(scope.scope_id));
-        if (has_super_admin) {
-            return {
-                has_access: true,
-                access_via: {
-                    scope_id: SUPER_ADMIN_SCOPE_ID,
-                    scope_name: "Super Admin",
-                },
-                user_scopes,
-                is_super_admin: true,
-            };
-        }
-        // Check 2: Does user have exact scope assigned?
+        // Check 1: Does user have exact scope assigned?
         for (const user_scope of user_scopes) {
             if (user_scope.scope_id === target_scope_id) {
                 const scope_result = await get_scope_by_id(adapter, target_scope_id);
@@ -352,7 +326,7 @@ export async function check_user_scope_access(adapter, user_id, target_scope_id)
                 };
             }
         }
-        // Check 3: Does user have access via an ancestor scope?
+        // Check 2: Does user have access via an ancestor scope?
         const ancestors_result = await get_scope_ancestors(adapter, target_scope_id);
         if (ancestors_result.success && ancestors_result.scopes) {
             for (const ancestor of ancestors_result.scopes) {
@@ -436,14 +410,3 @@ export async function get_user_direct_scopes(adapter, user_id) {
         };
     }
 }
-/**
- * Assigns super admin scope to a user
- */
-export async function assign_super_admin_scope(adapter, user_id, role_id) {
-    return assign_user_scope(adapter, {
-        user_id,
-        scope_id: SUPER_ADMIN_SCOPE_ID,
-        root_scope_id: SUPER_ADMIN_SCOPE_ID,
-        role_id,
-    });
-}

package/dist/server/routes/google_token.d.ts

@@ -0,0 +1,13 @@
+import type { NextRequest } from "next/server";
+/**
+ * GET /api/hazo_auth/google/token
+ * Returns the current Google OAuth token status for the authenticated user.
+ */
+export declare function GET(request: NextRequest): Promise<Response>;
+/**
+ * DELETE /api/hazo_auth/google/token
+ * Revokes the stored Google OAuth token for the authenticated user.
+ * Does NOT sign the user out.
+ */
+export declare function DELETE(request: NextRequest): Promise<Response>;
+//# sourceMappingURL=google_token.d.ts.map