fix auth

app/components/layout/AppTopBar.vue

@@ -11,6 +11,7 @@ const emit = defineEmits<{
 
 const route = useRoute()
 const router = useRouter()
+const { data: session, status, signOut } = useAuth()
 const isHome = computed(() => route.path === '/')
 const colorMode = useColorMode()
 const isDark = computed({
@@ -25,10 +26,25 @@ const isDark = computed({
 const userMenuOpen = ref(false)
 const userMenuRoot = ref<HTMLElement | null>(null)
 
+const user = computed(() => session.value?.user)
+const userEmail = computed(() => user.value?.email || 'user@example.com')
+const userName = computed(() => user.value?.name || 'User')
+const isAuthenticated = computed(() => status.value === 'authenticated')
+
 function closeUserMenu() {
   userMenuOpen.value = false
 }
 
+async function handleLogout() {
+  try {
+    userMenuOpen.value = false
+    await signOut({ callbackUrl: '/login', redirect: true })
+  } catch (error) {
+    console.error('Logout failed:', error)
+    await navigateTo('/login')
+  }
+}
+
 function onDocClick(e: MouseEvent) {
   const userEl = userMenuRoot.value
   if (userEl && userMenuOpen.value && !userEl.contains(e.target as Node)) {
@@ -119,6 +135,8 @@ onUnmounted(() => document.removeEventListener('click', onDocClick))
         </span>
       </NuxtLink>
 
+      <LayoutOrgSelector />
+
       <span class="mx-0.5 h-3 w-px" style="background: rgba(0,0,0,0.06);" />
 
       <!-- User / Account -->
@@ -146,6 +164,10 @@ onUnmounted(() => document.removeEventListener('click', onDocClick))
             v-show="userMenuOpen"
             class="absolute right-0 top-[calc(100%+8px)] z-50 w-56 overflow-hidden rounded-xl border border-[var(--sidebar-border)] bg-[var(--surface)] py-1 shadow-xl ring-1 ring-black/5"
           >
+            <div class="px-3 py-2 border-b border-[var(--sidebar-border)]">
+              <p class="text-sm font-medium text-[var(--text-primary)]">{{ userName }}</p>
+              <p class="text-xs text-[var(--text-muted)]">{{ userEmail }}</p>
+            </div>
             <NuxtLink
               to="/account"
               class="flex items-center gap-2 px-3 py-2.5 text-sm text-[var(--text-primary)] transition hover:bg-[var(--brand-faint)]"
@@ -163,17 +185,13 @@ onUnmounted(() => document.removeEventListener('click', onDocClick))
               Software settings
             </NuxtLink>
             <div class="my-1 border-t border-[var(--sidebar-border)]" />
-            <div class="px-3 py-1.5">
-              <p class="text-[12px] font-medium text-[var(--text-primary)]">Session (mock)</p>
-              <p class="text-[11px] text-[var(--text-muted)]">broker@demo.com</p>
-            </div>
             <button
               type="button"
-              class="flex w-full items-center gap-2 px-3 py-2 text-left text-sm text-[var(--text-muted)] opacity-50 cursor-not-allowed"
-              disabled
+              class="flex w-full items-center gap-2 px-3 py-2 text-left text-sm text-[var(--text-muted)] hover:bg-[var(--brand-faint)] hover:text-[var(--text-primary)] transition"
+              @click="handleLogout"
             >
               <UIcon name="i-heroicons-arrow-right-on-rectangle" class="h-4 w-4" />
-              Sign out (soon)
+              Sign out
             </button>
           </div>
         </Transition>

app/components/layout/OrgSelector.vue

@@ -0,0 +1,146 @@
+<script setup lang="ts">
+
+const { organizations, selectedOrg, selectOrg } = useOrganizationSelection()
+
+const dropdownOpen = ref(false)
+const dropdownRoot = ref<HTMLElement | null>(null)
+
+function toggleDropdown() {
+  dropdownOpen.value = !dropdownOpen.value
+}
+
+function closeDropdown() {
+  dropdownOpen.value = false
+}
+
+function onDocClick(e: MouseEvent) {
+  const el = dropdownRoot.value
+  if (el && dropdownOpen.value && !el.contains(e.target as Node)) {
+    dropdownOpen.value = false
+  }
+}
+
+onMounted(() => document.addEventListener('click', onDocClick))
+onUnmounted(() => document.removeEventListener('click', onDocClick))
+</script>
+
+<template>
+  <div v-if="organizations.length > 0" ref="dropdownRoot" class="org-selector-root">
+    <button
+      type="button"
+      class="org-selector-btn"
+      aria-label="Organization selector"
+      :aria-expanded="dropdownOpen"
+      @click.stop="toggleDropdown"
+    >
+      <UIcon name="i-heroicons-building-office" style="width: 13px; height: 13px; flex-shrink: 0;" />
+      <span class="org-selector-label">{{ selectedOrg?.orgSubDomain ?? 'Org' }}</span>
+      <UIcon name="i-heroicons-chevron-down" style="width: 8px; height: 8px; opacity: 0.4; flex-shrink: 0;" />
+    </button>
+    <div
+      v-show="dropdownOpen"
+      class="org-dropdown"
+    >
+      <button
+        v-for="org in organizations"
+        :key="org.orgId"
+        type="button"
+        class="org-option"
+        :class="{ 'org-option-active': org.orgId === selectedOrg?.orgId }"
+        @click="selectOrg(org.orgId); closeDropdown()"
+      >
+        <UIcon
+          name="i-heroicons-check"
+          class="shrink-0"
+          :class="org.orgId === selectedOrg?.orgId ? 'opacity-100' : 'opacity-0'"
+          style="width: 14px; height: 14px;"
+        />
+        <span class="org-option-label">{{ org.orgSubDomain }}</span>
+      </button>
+    </div>
+  </div>
+</template>
+
+<style scoped>
+.org-selector-root {
+  position: relative;
+  flex-shrink: 0;
+}
+
+.org-selector-btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 4px;
+  padding: 2px 8px;
+  font-size: 11px;
+  font-weight: 500;
+  line-height: normal;
+  color: #8a8a86;
+  background: transparent;
+  border: 1px solid rgba(0, 0, 0, 0.06);
+  border-radius: 6px;
+  cursor: pointer;
+  transition: all 150ms ease;
+  white-space: nowrap;
+  box-sizing: content-box;
+  height: auto;
+}
+.org-selector-btn:hover {
+  color: var(--text-primary);
+  background: rgba(0, 0, 0, 0.03);
+  border-color: rgba(0, 0, 0, 0.1);
+}
+
+.org-selector-label {
+  max-width: 100px;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.org-dropdown {
+  position: absolute;
+  right: 0;
+  top: calc(100% + 6px);
+  z-index: 50;
+  min-width: 180px;
+  max-width: 280px;
+  overflow: hidden;
+  border-radius: 12px;
+  border: 1px solid var(--sidebar-border);
+  background: var(--surface);
+  padding: 4px 0;
+  box-shadow: 0 4px 12px rgba(0, 0, 0, 0.1), 0 0 0 1px rgba(0, 0, 0, 0.03);
+}
+
+.org-option {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  width: 100%;
+  padding: 6px 12px;
+  text-align: left;
+  font-size: 12px;
+  color: var(--text-secondary);
+  background: transparent;
+  border: none;
+  cursor: pointer;
+  border-radius: 4px;
+  transition: background 100ms ease;
+}
+.org-option:hover {
+  background: var(--brand-faint);
+  color: var(--text-primary);
+}
+.org-option-active {
+  color: var(--text-primary);
+  font-weight: 500;
+}
+
+.org-option-label {
+  max-width: 200px;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+</style>

app/composables/useOrganizationSelection.ts

@@ -0,0 +1,81 @@
+export interface OrganizationInfo {
+  orgId: string
+  orgDomain: string
+  role: string
+}
+
+function extractSubdomain(domain: string): string {
+  const parts = domain.split('.')
+  return parts.length > 1 ? parts[0] : domain
+}
+
+
+const STORAGE_KEY = 'policy-ui.selected-org-id'
+
+export function useOrganizationSelection() {
+  const { data: session } = useAuth()
+
+  const organizations = computed<OrganizationInfo[]>(() => {
+    const allOrgRoles = (session.value?.user as any)?.allOrgRoles as Record<string, Record<string, Record<string, string>>> | undefined
+    if (!allOrgRoles) {
+      return []
+    }
+
+    const result: OrganizationInfo[] = []
+    for (const roles of Object.values(allOrgRoles)) {
+      for (const [role, orgMap] of Object.entries(roles)) {
+        for (const [orgId, orgDomain] of Object.entries(orgMap)) {
+          if (!result.find(o => o.orgId === orgId)) {
+            result.push({ orgId, orgDomain: orgDomain as string, role, orgSubDomain: extractSubdomain(orgDomain) })
+          }
+        }
+      }
+    }
+    result.sort((a, b) => a.orgDomain.localeCompare(b.orgDomain))
+    return result
+  })
+
+  // All unique org IDs the user has access to
+  const orgIds = computed<string[]>(() => organizations.value.map(o => o.orgId))
+
+  // Persisted selected org
+  const selectedOrgId = ref<string | null>(null)
+
+  onMounted(() => {
+    const stored = localStorage.getItem(STORAGE_KEY)
+    if (stored && orgIds.value.includes(stored)) {
+      selectedOrgId.value = stored
+    } else if (organizations.value.length > 0 && !selectedOrgId.value) {
+      const defaultOrgId = organizations.value[0]!.orgId
+      selectedOrgId.value = defaultOrgId
+      localStorage.setItem(STORAGE_KEY, defaultOrgId)
+    }
+  })
+
+  watch(orgIds, (ids) => {
+    if (ids.length > 0) {
+      const firstId = ids[0]!
+      if (!ids.includes(selectedOrgId.value ?? '')) {
+        selectedOrgId.value = firstId
+        localStorage.setItem(STORAGE_KEY, firstId)
+      }
+    }
+  })
+
+  const selectOrg = (orgId: string) => {
+    selectedOrgId.value = orgId
+    localStorage.setItem(STORAGE_KEY, orgId)
+  }
+
+  const selectedOrg = computed<OrganizationInfo | undefined>(() => {
+    if (!selectedOrgId.value) return undefined
+    return organizations.value.find(o => o.orgId === selectedOrgId.value)
+  })
+
+  return {
+    organizations,
+    selectedOrgId,
+    selectedOrg,
+    selectOrg,
+  }
+}

app/middleware/auth.ts

@@ -0,0 +1,7 @@
+export default defineNuxtRouteMiddleware((to) => {
+  const { status } = useAuth()
+
+  if (status.value === 'unauthenticated' && to.path !== '/login') {
+    return navigateTo('/login')
+  }
+})

app/pages/index.vue

@@ -1,5 +1,8 @@
 <script setup lang="ts">
-/* ── Time ── */
+const { data: session } = useAuth()
+
+const userName = computed(() => session.value?.user?.name || 'User')
+
 const timeGreeting = computed(() => {
   const h = new Date().getHours()
   if (h < 12) return 'Good morning'
@@ -18,7 +21,7 @@ const currentDate = computed(() =>
       <!-- Greeting -->
       <div class="mb-12">
         <h1 class="text-3xl font-semibold tracking-tight text-[var(--text-primary)]">
-          {{ timeGreeting }}, User
+          {{ timeGreeting }}, {{ userName }}
         </h1>
         <p class="mt-1 text-sm text-[var(--text-muted)]">{{ currentDate }}</p>
       </div>

app/pages/login.vue

@@ -0,0 +1,57 @@
+<script setup lang="ts">
+definePageMeta({
+  auth: false
+})
+
+const { signIn, status } = useAuth()
+
+const isLoading = ref(false)
+const isAuthenticated = computed(() => status.value === 'authenticated')
+
+watch(isAuthenticated, (authenticated) => {
+  if (authenticated) {
+    navigateTo('/')
+  }
+})
+
+async function loginWithZitadel() {
+  try {
+    isLoading.value = true
+    await signIn('zitadel', { callbackUrl: '/' })
+  } catch (error) {
+    console.error('Login failed:', error)
+    isLoading.value = false
+  }
+}
+</script>
+
+<template>
+  <div class="min-h-screen flex items-center justify-center" style="background: var(--page-bg);">
+    <div class="w-full max-w-md p-8 rounded-xl border" style="background: var(--surface); border-color: var(--card-border);">
+      <div class="text-center mb-8">
+        <h1 class="text-2xl font-semibold" style="color: var(--text-primary);">
+          Welcome to Segur-OS
+        </h1>
+        <p class="mt-2 text-sm" style="color: var(--text-muted);">
+          Sign in to access your insurance management dashboard
+        </p>
+      </div>
+
+      <button
+        type="button"
+        :disabled="isLoading"
+        @click="loginWithZitadel"
+        class="w-full flex items-center justify-center gap-3 px-4 py-3 rounded-lg font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
+        style="background: var(--brand); color: white;"
+      >
+        <UIcon v-if="isLoading" name="i-heroicons-arrow-path" class="h-5 w-5 animate-spin" />
+        <UIcon v-else name="i-heroicons-lock-closed" class="h-5 w-5" />
+        <span>{{ isLoading ? 'Signing in...' : 'Sign in with Zitadel' }}</span>
+      </button>
+
+      <div class="mt-6 text-center text-xs" style="color: var(--text-muted);">
+        <p>Secure authentication powered by Zitadel</p>
+      </div>
+    </div>
+  </div>
+</template>

app/plugins/open-fetch-auth.ts

@@ -0,0 +1,49 @@
+const CLIENTS = ['customer', 'policy', 'providers', 'workload', 'document'] as const
+
+const ORG_STORAGE_KEY = 'policy-ui.selected-org-id'
+
+const setAuthHeader = (ctx: { options: { headers?: Headers | Record<string, string> | undefined } }, token: string) => {
+  const headers = ctx.options.headers
+  if (headers instanceof Headers) {
+    if (!headers.has('Authorization')) headers.set('Authorization', `Bearer ${token}`)
+  } else {
+    const h = (headers ?? {}) as Record<string, string>
+    if (!h.Authorization && !h.authorization) {
+      ctx.options.headers = { ...h, Authorization: `Bearer ${token}` }
+    }
+  }
+}
+
+const setOrgHeader = (ctx: { options: { headers?: Headers | Record<string, string> | undefined } }, orgId: string) => {
+  const headers = ctx.options.headers
+  if (headers instanceof Headers) {
+    if (!headers.has('x-organization-id')) headers.set('x-organization-id', orgId)
+  } else {
+    const h = (headers ?? {}) as Record<string, string>
+    if (!h['x-organization-id']) {
+      ctx.options.headers = { ...h, 'x-organization-id': orgId }
+    }
+  }
+}
+
+export default defineNuxtPlugin({
+  name: 'open-fetch-auth',
+  setup(nuxtApp) {
+    for (const client of CLIENTS) {
+      const hook = `openFetch:onRequest:${client}` as const
+      nuxtApp.hook(hook, (ctx) => {
+        const { data } = useAuth()
+        const token = data.value?.user?.accessToken as string | undefined
+        if (!token) return
+        setAuthHeader(ctx, token)
+
+        if (import.meta.client) {
+          const orgId = localStorage.getItem(ORG_STORAGE_KEY)
+          if (orgId) {
+            setOrgHeader(ctx, orgId)
+          }
+        }
+      })
+    }
+  }
+})

app/plugins/open-fetch-policy-auth.ts

@@ -1,20 +0,0 @@
-export default defineNuxtPlugin({
-  name: 'open-fetch-policy-auth',
-  setup(nuxtApp) {
-    const { policyApiToken } = useRuntimeConfig().public
-    const token = typeof policyApiToken === 'string' ? policyApiToken : ''
-    if (!token) return
-
-    nuxtApp.hook('openFetch:onRequest:policy', (ctx) => {
-      const headers = ctx.options.headers
-      if (headers instanceof Headers) {
-        if (!headers.has('Authorization')) headers.set('Authorization', `Bearer ${token}`)
-      } else {
-        const h = (headers ?? {}) as Record<string, string>
-        if (!h.Authorization && !h.authorization) {
-          ctx.options.headers = { ...h, Authorization: `Bearer ${token}` }
-        }
-      }
-    })
-  }
-})

nuxt.config.ts

@@ -1,22 +1,26 @@
 const devApiOrigin = 'https://dev.api.corredorconect.com'
 
+
 export default defineNuxtConfig({
   compatibilityDate: '2026-02-25',
-  /** Dev server URL — open the same port in the browser (see terminal if the port was busy). */
-  modules: ['nuxt-open-fetch', '@nuxt/ui', '@nuxt/eslint'],
+  modules: ['nuxt-open-fetch', '@nuxt/ui', '@nuxt/eslint', '@zitadel/nuxt-auth'],
+  auth: {
+    baseURL: '/api/auth',
+    provider: {
+      type: 'authjs',
+      trustHost: true,
+      defaultProvider: 'zitadel',
+    },
+    sessionRefresh: {
+      enablePeriodically: false,
+      enableOnWindowFocus: false,
+    },
+  },
   css: ['~/assets/css/main.css'],
   ui: {
     colorMode: false
   },
-  runtimeConfig: {
-    public: {
-      /**
-       * Sent as `Authorization: Bearer …` on Policy API requests (required for protected routes per OpenAPI).
-       * Set in `.env` as `NUXT_PUBLIC_POLICY_API_TOKEN`.
-       */
-      policyApiToken: process.env.NUXT_PUBLIC_POLICY_API_TOKEN ?? ''
-    }
-  },
+   runtimeConfig: {},
    openFetch: {
     clients: {
       customer: {

opencode.json

@@ -14,6 +14,34 @@
         "@browsermcp/mcp@0.1.3"
       ],
       "enabled": true
+    },
+    "stacklit": {
+      "type": "local",
+      "command": [
+        "npx",
+        "stacklit",
+        "serve"
+      ],
+      "enabled": true
+   }
+  },
+  "provider": {
+    "corredorconect": {
+      "npm": "@ai-sdk/openai-compatible",
+      "name": "Corredor Conect",
+      "options": {
+        "baseURL": "https://mcp.corredorconect.com/v1",
+	"headers": {
+          "Authorization": "Bearer cc-itsjusfdsawrtwtavfdsfsderysectrwurekey12345"
+        }
+      },
+     "models": {
+        "Qwen3.6-27B": {
+          "name": "Qwen3.6-27B",
+	  "tools": true
+        }
+      }
+
     }
   },
   "plugin": [

package.json

@@ -10,8 +10,10 @@
     "postinstall": "nuxt prepare"
   },
   "dependencies": {
+    "@auth/core": "^0.40.0",
     "@nuxt/eslint": "^1.15.2",
     "@nuxt/ui": "^4.5.0",
+    "@zitadel/nuxt-auth": "^1.0.0",
     "jspdf": "^4.2.0",
     "nuxt": "^4.3.1",
     "nuxt-open-fetch": "^0.13.8",

pnpm-lock.yaml

@@ -8,12 +8,18 @@ importers:
 
   .:
     dependencies:
+      '@auth/core':
+        specifier: ^0.40.0
+        version: 0.40.0
       '@nuxt/eslint':
         specifier: ^1.15.2
         version: 1.15.2(@typescript-eslint/utils@8.59.1(eslint@10.2.1(jiti@2.6.1))(typescript@5.9.3))(@vue/compiler-sfc@3.5.32)(eslint@10.2.1(jiti@2.6.1))(magicast@0.5.2)(typescript@5.9.3)(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(terser@5.46.1)(yaml@2.8.3))
       '@nuxt/ui':
         specifier: ^4.5.0
         version: 4.6.1(@tiptap/extensions@3.22.3(@tiptap/core@3.22.3(@tiptap/pm@3.22.3))(@tiptap/pm@3.22.3))(@tiptap/y-tiptap@3.0.3(prosemirror-model@1.25.4)(prosemirror-state@1.4.4)(prosemirror-view@1.41.8)(y-protocols@1.0.7(yjs@13.6.30))(yjs@13.6.30))(change-case@5.4.4)(db0@0.3.4)(embla-carousel@8.6.0)(ioredis@5.10.1)(magicast@0.5.2)(tailwindcss@4.2.2)(typescript@5.9.3)(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(terser@5.46.1)(yaml@2.8.3))(vue-router@4.6.4(vue@3.5.32(typescript@5.9.3)))(vue@3.5.32(typescript@5.9.3))(yjs@13.6.30)(zod@4.3.6)
+      '@zitadel/nuxt-auth':
+        specifier: ^1.0.0
+        version: 1.0.0(@auth/core@0.40.0)(@nuxt/schema@4.4.2)(magicast@0.5.2)(radix3@1.1.2)(vue@3.5.32(typescript@5.9.3))
       jspdf:
         specifier: ^4.2.0
         version: 4.2.1
@@ -51,6 +57,20 @@ packages:
     peerDependencies:
       '@types/json-schema': ^7.0.15
 
+  '@auth/core@0.40.0':
+    resolution: {integrity: sha512-n53uJE0RH5SqZ7N1xZoMKekbHfQgjd0sAEyUbE+IYJnmuQkbvuZnXItCU7d+i7Fj8VGOgqvNO7Mw4YfBTlZeQw==}
+    peerDependencies:
+      '@simplewebauthn/browser': ^9.0.1
+      '@simplewebauthn/server': ^9.0.2
+      nodemailer: ^6.8.0
+    peerDependenciesMeta:
+      '@simplewebauthn/browser':
+        optional: true
+      '@simplewebauthn/server':
+        optional: true
+      nodemailer:
+        optional: true
+
   '@babel/code-frame@7.29.0':
     resolution: {integrity: sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==}
     engines: {node: '>=6.9.0'}
@@ -1087,6 +1107,9 @@ packages:
   '@package-json/types@0.0.12':
     resolution: {integrity: sha512-uu43FGU34B5VM9mCNjXCwLaGHYjXdNincqKLaraaCW+7S2+SmiBg1Nv8bPnmschrIfZmfKNY9f3fC376MRrObw==}
 
+  '@panva/hkdf@1.2.1':
+    resolution: {integrity: sha512-6oclG6Y3PiDFcoyk8srjLfVKyMfVCKJ27JwNPViuXziFpmdz+MZnZN/aKY0JGXgYuO/VghU0jcOAZgWXZ1Dmrw==}
+
   '@parcel/watcher-android-arm64@2.5.6':
     resolution: {integrity: sha512-YQxSS34tPF/6ZG7r/Ih9xy+kP/WwediEUsqmtf0cuCV5TPPKw/PQHRhueUo6JdeFJaqV3pyjm0GdYjZotbRt/A==}
     engines: {node: '>= 10.0.0'}
@@ -2151,6 +2174,15 @@ packages:
     peerDependencies:
       vue: ^3.5.0
 
+  '@zitadel/nuxt-auth@1.0.0':
+    resolution: {integrity: sha512-kQpUwjvtkvF20+sAop+VrayJJb51Pdc+l3OQ04ZXlTunrkKQFzO13sSwPU+v1u3UmAwYXAkjUDf5zIzMTtHCNg==}
+    engines: {node: '>=22.0.0'}
+    peerDependencies:
+      '@auth/core': '>=0.40.0'
+      '@nuxt/schema': ^4.0.0
+      radix3: ^1.0.0
+      vue: ^3.0.0
+
   abbrev@3.0.1:
     resolution: {integrity: sha512-AO2ac6pjRB3SJmGJo+v5/aK6Omggp6fsLrs6wN9bd35ulu4cCwaAU9+7ZhXjeqHVkaHThLuzH0nZr0YpCDhygg==}
     engines: {node: ^18.17.0 || >=20.5.0}
@@ -3334,6 +3366,9 @@ packages:
     resolution: {integrity: sha512-ekilCSN1jwRvIbgeg/57YFh8qQDNbwDb9xT/qu2DAHbFFZUicIl4ygVaAvzveMhMVr3LnpSKTNnwt8PoOfmKhQ==}
     hasBin: true
 
+  jose@6.2.3:
+    resolution: {integrity: sha512-YYVDInQKFJfR/xa3ojUTl8c2KoTwiL1R5Wg9YCydwH0x0B9grbzlg5HC7mMjCtUJjbQ/YnGEZIhI5tCgfTb4Hw==}
+
   js-levenshtein@1.1.6:
     resolution: {integrity: sha512-X2BB11YZtrRqY4EnQcLX5Rh373zbK4alC1FW7D7MBhL2gtcC17cTnr6DmfHZeS0s2rTHjUTMMHfG7gO8SSdw+g==}
     engines: {node: '>=0.10.0'}
@@ -3742,6 +3777,9 @@ packages:
     engines: {node: '>=18'}
     hasBin: true
 
+  oauth4webapi@3.8.6:
+    resolution: {integrity: sha512-iwemM91xz8nryHti2yTmg5fhyEMVOkOXwHNqbvcATjyajb5oQxCQzrNOA6uElRHuMhQQTKUyFKV9y/CNyg25BQ==}
+
   object-deep-merge@2.0.0:
     resolution: {integrity: sha512-3DC3UMpeffLTHiuXSy/UG4NOIYTLlY9u3V82+djSCLYClWobZiS4ivYzpIUWrRY/nfsJ8cWsKyG3QfyLePmhvg==}
 
@@ -4082,6 +4120,14 @@ packages:
     resolution: {integrity: sha512-dM0jVuXJPsDN6DvRpea484tCUaMiXWjuCn++HGTqUWzGDjv5tZkEZldAJ/UMlqRYGFrD/etByo4/xOuC/snX2A==}
     engines: {node: '>=20'}
 
+  preact-render-to-string@6.5.11:
+    resolution: {integrity: sha512-ubnauqoGczeGISiOh6RjX0/cdaF8v/oDXIjO85XALCQjwQP+SB4RDXXtvZ6yTYSjG+PC1QRP2AhPgCEsM2EvUw==}
+    peerDependencies:
+      preact: '>=10'
+
+  preact@10.24.3:
+    resolution: {integrity: sha512-Z2dPnBnMUfyQfSQ+GBdsGa16hz35YmLmtTLhM169uW944hYL6xzTYkJjC07j+Wosz733pMWx0fgON3JNw1jJQA==}
+
   prelude-ls@1.2.1:
     resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==}
     engines: {node: '>= 0.8.0'}
@@ -5087,6 +5133,14 @@ snapshots:
       '@types/json-schema': 7.0.15
       js-yaml: 4.1.1
 
+  '@auth/core@0.40.0':
+    dependencies:
+      '@panva/hkdf': 1.2.1
+      jose: 6.2.3
+      oauth4webapi: 3.8.6
+      preact: 10.24.3
+      preact-render-to-string: 6.5.11(preact@10.24.3)
+
   '@babel/code-frame@7.29.0':
     dependencies:
       '@babel/helper-validator-identifier': 7.28.5
@@ -6346,6 +6400,8 @@ snapshots:
 
   '@package-json/types@0.0.12': {}
 
+  '@panva/hkdf@1.2.1': {}
+
   '@parcel/watcher-android-arm64@2.5.6':
     optional: true
 
@@ -7327,6 +7383,20 @@ snapshots:
     dependencies:
       vue: 3.5.32(typescript@5.9.3)
 
+  '@zitadel/nuxt-auth@1.0.0(@auth/core@0.40.0)(@nuxt/schema@4.4.2)(magicast@0.5.2)(radix3@1.1.2)(vue@3.5.32(typescript@5.9.3))':
+    dependencies:
+      '@auth/core': 0.40.0
+      '@nuxt/kit': 4.4.2(magicast@0.5.2)
+      '@nuxt/schema': 4.4.2
+      consola: 3.4.2
+      defu: 6.1.7
+      h3: 1.15.11
+      radix3: 1.1.2
+      ufo: 1.6.3
+      vue: 3.5.32(typescript@5.9.3)
+    transitivePeerDependencies:
+      - magicast
+
   abbrev@3.0.1: {}
 
   abort-controller@3.0.0:
@@ -8519,6 +8589,8 @@ snapshots:
 
   jiti@2.6.1: {}
 
+  jose@6.2.3: {}
+
   js-levenshtein@1.1.6: {}
 
   js-tokens@4.0.0: {}
@@ -9110,6 +9182,8 @@ snapshots:
       pathe: 2.0.3
       tinyexec: 1.1.1
 
+  oauth4webapi@3.8.6: {}
+
   object-deep-merge@2.0.0: {}
 
   obug@2.1.1: {}
@@ -9505,6 +9579,12 @@ snapshots:
 
   powershell-utils@0.1.0: {}
 
+  preact-render-to-string@6.5.11(preact@10.24.3):
+    dependencies:
+      preact: 10.24.3
+
+  preact@10.24.3: {}
+
   prelude-ls@1.2.1: {}
 
   pretty-bytes@7.1.0: {}

server/api/auth/[...].ts

@@ -0,0 +1,82 @@
+import { NuxtAuthHandler } from '#auth'
+import ZitadelProvider from '@auth/core/providers/zitadel'
+
+export default NuxtAuthHandler({
+  secret: process.env.AUTH_SECRET,
+  providers: [
+    ZitadelProvider({
+      clientId: process.env.ZITADEL_CLIENT_ID,
+      issuer: process.env.ZITADEL_DOMAIN,
+      authorization: {
+        params: {
+            scope: 'openid email profile offline_access urn:zitadel:iam:org:project:371479849505653263:aud'
+        }
+      }
+    })
+  ],
+  session: {
+    strategy: 'jwt',
+    maxAge: 30 * 24 * 60 * 60, // 30 days
+  },
+  callbacks: {
+    async jwt({ token, account, user }) {
+      if (account?.provider === 'zitadel') {
+        token.accessToken = account.access_token
+        token.idToken = account.id_token
+        token.roles = (user as any)?.roles
+
+        /* Extract org roles from ID token claims */
+        const allOrgRoles: Record<string, Record<string, Record<string, string>>> = {}
+        const idTokenClaims = (() => {
+          try {
+            const parts = (account.id_token || '').split('.')
+            if (parts.length === 3) {
+              const payload = Buffer.from(parts[1], 'base64url').toString('utf8')
+              return JSON.parse(payload) as Record<string, any>
+            }
+          } catch { /* ignore */ }
+          return null
+        })()
+        if (idTokenClaims) {
+          for (const key of Object.keys(idTokenClaims)) {
+            if (key.startsWith('urn:zitadel:iam:org:project:') && key.endsWith(':roles')) {
+              allOrgRoles[key] = idTokenClaims[key]
+            }
+          }
+        }
+        /* Also check userinfo response for org role claims */
+        for (const key of Object.keys((user as any) || {})) {
+          if (key.startsWith('urn:zitadel:iam:org:project:') && key.endsWith(':roles')) {
+            allOrgRoles[key] = (user as any)[key]
+          }
+        }
+        token.allOrgRoles = Object.keys(allOrgRoles).length > 0 ? allOrgRoles : undefined
+      }
+      if (user?.id) {
+        token.sub = user.id
+        if (user.name || (user as any).profile?.given_name) {
+          token.name = user.name || ((user as any).profile?.given_name || '')
+        }
+        token.email = user.email || ''
+        token.image = user.image || undefined
+      }
+      return token
+    },
+    async session({ session, token }) {
+      const user = session.user as any
+      if (user) {
+        user.name = token.name || undefined
+        user.email = token.email || undefined
+        user.image = token.image || undefined
+        user.roles = token.roles as string[] | undefined
+        user.accessToken = token.accessToken as string | undefined
+        user.allOrgRoles = token.allOrgRoles as Record<string, Record<string, Record<string, string>>> | undefined
+      }
+      return session
+    },
+    async redirect({ url, baseUrl }) {
+      if (url === '/login') return '/login'
+      return url.startsWith(baseUrl) ? url : baseUrl
+    }
+  }
+})

types/auth.d.ts

@@ -0,0 +1,23 @@
+import type { DefaultSession } from '@auth/core/types'
+
+declare module '@auth/core/types' {
+  interface Session {
+    user: {
+      roles?: string[]
+      accessToken?: string
+    } & DefaultSession['user']
+  }
+
+  interface User {
+    roles?: string[]
+  }
+}
+
+declare module '#auth' {
+  interface Session {
+    user: {
+      roles?: string[]
+      accessToken?: string
+    } & DefaultSession['user']
+  }
+}