feat: workspace members — invite, roles, management (#32)

- Add members settings page at /[workspaceSlug]/settings/members
- Invite form: email + role, creates workspace_invites row with token and 7-day expiry
- Invite accept page at /invite/[token] with states for invalid, expired, already accepted,
  unauthenticated, email mismatch, and ready-to-accept
- Member list with role badges, role change (Select), and remove (with confirmation)
- Pending invites list with revoke action
- RLS migration: policies for invite token lookup, invite acceptance, self-join via invite,
  and self-removal from workspace
- Personal workspace owner cannot be removed
- Navigation: Members link in sidebar user menu and workspace settings page
- shadcn/ui components added: Badge, Select, Table

Co-authored-by: Ona <no-reply@ona.com>

Author: zacharias-ona

.agents/architecture.md

@@ -171,16 +171,26 @@ src/
 │   │   ├── page-tree.tsx        # Page list placeholder (functional in #28)
 │   │   └── user-menu.tsx        # User dropdown with settings link + sign-out
 │   ├── workspace-settings-form.tsx # Edit workspace name/slug, delete workspace
+│   ├── members/             # Workspace member management components
+│   │   ├── members-page.tsx       # Client orchestrator: member list + invite form + pending invites
+│   │   ├── member-list.tsx        # Table of members with role badges, role change, remove
+│   │   ├── invite-form.tsx        # Email + role invite form (admin/owner only)
+│   │   ├── invite-accept.tsx      # Client component for accepting an invite token
+│   │   ├── pending-invite-list.tsx # Table of pending invites with revoke action
+│   │   └── role-select.tsx        # Role picker dropdown (owner/admin/member)
 │   └── ui/                 # shadcn/ui components (base-nova style, base-ui primitives)
 │       ├── alert-dialog.tsx
+│       ├── badge.tsx
 │       ├── button.tsx
 │       ├── card.tsx
 │       ├── dialog.tsx
 │       ├── dropdown-menu.tsx
 │       ├── input.tsx
 │       ├── label.tsx
+│       ├── select.tsx
 │       ├── separator.tsx
 │       ├── sheet.tsx
+│       ├── table.tsx
 │       └── tooltip.tsx
 ├── lib/
 │   ├── utils.ts            # cn() utility (clsx + tailwind-merge)
@@ -209,15 +219,15 @@ src/
 │   ├── (auth)/                        # Unauthenticated routes
 │   │   ├── sign-in/page.tsx           # /sign-in
 │   │   ├── sign-up/page.tsx           # /sign-up
-│   │   └── invite/[token]/page.tsx    # /invite/[token]
+│   │   └── invite/[token]/page.tsx    # /invite/[token] — invite accept flow
 │   ├── (app)/                         # Authenticated routes
 │   │   ├── layout.tsx                 # App shell (sidebar + main content), passes userId
 │   │   └── [workspaceSlug]/
 │   │       ├── page.tsx               # /[workspaceSlug] (workspace home)
 │   │       ├── [pageId]/page.tsx      # /[workspaceSlug]/[pageId] (editor) — planned
 │   │       └── settings/
 │   │           ├── page.tsx           # /[workspaceSlug]/settings (name, slug, delete)
-│   │           └── members/page.tsx   # /[workspaceSlug]/settings/members — planned
+│   │           └── members/page.tsx   # /[workspaceSlug]/settings/members
 │   └── api/
 │       ├── health/                    # Existing
 │       └── ...                        # Additional API routes as needed

src/app/(app)/[workspaceSlug]/settings/members/page.tsx

@@ -0,0 +1,87 @@
+import { notFound, redirect } from "next/navigation";
+import { createClient } from "@/lib/supabase/server";
+import { MembersPage } from "@/components/members/members-page";
+import type { MemberWithProfile, WorkspaceInviteWithInviter } from "@/lib/types";
+
+export default async function WorkspaceMembersPage({
+  params,
+}: {
+  params: Promise<{ workspaceSlug: string }>;
+}) {
+  const { workspaceSlug } = await params;
+  const supabase = await createClient();
+
+  const {
+    data: { user },
+  } = await supabase.auth.getUser();
+
+  if (!user) {
+    redirect("/sign-in");
+  }
+
+  const { data: workspace } = await supabase
+    .from("workspaces")
+    .select("*")
+    .eq("slug", workspaceSlug)
+    .maybeSingle();
+
+  if (!workspace) {
+    notFound();
+  }
+
+  // Fetch current user's membership to determine their role
+  const { data: currentMember } = await supabase
+    .from("members")
+    .select("id, role")
+    .eq("workspace_id", workspace.id)
+    .eq("user_id", user.id)
+    .maybeSingle();
+
+  if (!currentMember) {
+    notFound();
+  }
+
+  // Fetch all members with profile info
+  const { data: membersRaw } = await supabase
+    .from("members")
+    .select("*, profiles(email, display_name, avatar_url)")
+    .eq("workspace_id", workspace.id)
+    .order("created_at", { ascending: true });
+
+  // Supabase join returns the relation as an opaque type; cast is unavoidable
+  const members = (membersRaw ?? []) as unknown as MemberWithProfile[];
+
+  // Fetch pending invites (only visible to admins/owners)
+  const isAdmin = currentMember.role === "owner" || currentMember.role === "admin";
+  let pendingInvites: WorkspaceInviteWithInviter[] = [];
+
+  if (isAdmin) {
+    const { data: invites } = await supabase
+      .from("workspace_invites")
+      .select("*, profiles:invited_by(display_name)")
+      .eq("workspace_id", workspace.id)
+      .is("accepted_at", null)
+      .order("created_at", { ascending: false });
+
+    // Supabase join returns the relation as an opaque type; cast is unavoidable
+    pendingInvites = (invites ?? []) as unknown as WorkspaceInviteWithInviter[];
+  }
+
+  return (
+    <div className="mx-auto max-w-xl p-6">
+      <h1 className="text-2xl font-semibold">Members</h1>
+      <p className="mt-1 text-sm text-muted-foreground">
+        Manage who has access to this workspace.
+      </p>
+      <div className="mt-6">
+        <MembersPage
+          workspace={workspace}
+          members={members}
+          pendingInvites={pendingInvites}
+          currentUserId={user.id}
+          currentUserRole={currentMember.role}
+        />
+      </div>
+    </div>
+  );
+}

src/app/(app)/[workspaceSlug]/settings/page.tsx

@@ -1,3 +1,4 @@
+import Link from "next/link";
 import { notFound, redirect } from "next/navigation";
 import { createClient } from "@/lib/supabase/server";
 import { WorkspaceSettingsForm } from "@/components/workspace-settings-form";
@@ -30,7 +31,15 @@ export default async function WorkspaceSettingsPage({
 
   return (
     <div className="mx-auto max-w-xl p-6">
-      <h1 className="text-2xl font-semibold">Workspace settings</h1>
+      <div className="flex items-center gap-4">
+        <h1 className="text-2xl font-semibold">Workspace settings</h1>
+        <Link
+          href={`/${workspaceSlug}/settings/members`}
+          className="text-sm text-accent underline-offset-4 hover:underline"
+        >
+          Members
+        </Link>
+      </div>
       <p className="mt-1 text-sm text-muted-foreground">
         Manage your workspace name, URL, and other settings.
       </p>

src/app/(auth)/invite/[token]/page.tsx

@@ -0,0 +1,106 @@
+import { createClient } from "@/lib/supabase/server";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "@/components/ui/card";
+import { InviteAccept } from "@/components/members/invite-accept";
+
+export default async function InviteAcceptPage({
+  params,
+}: {
+  params: Promise<{ token: string }>;
+}) {
+  const { token } = await params;
+  const supabase = await createClient();
+
+  // Look up the invite by token
+  const { data: invite } = await supabase
+    .from("workspace_invites")
+    .select("*, workspaces(name, slug)")
+    .eq("token", token)
+    .maybeSingle();
+
+  if (!invite) {
+    return (
+      <Card>
+        <CardHeader>
+          <CardTitle className="text-2xl font-semibold">
+            Invalid invite
+          </CardTitle>
+          <CardDescription>
+            This invite link is invalid or has been revoked.
+          </CardDescription>
+        </CardHeader>
+      </Card>
+    );
+  }
+
+  if (invite.accepted_at) {
+    // Supabase join returns the relation as an opaque type; cast is unavoidable
+    const ws = invite.workspaces as unknown as { name: string; slug: string };
+    return (
+      <Card>
+        <CardHeader>
+          <CardTitle className="text-2xl font-semibold">
+            Already accepted
+          </CardTitle>
+          <CardDescription>
+            This invite to {ws?.name} has already been accepted.
+          </CardDescription>
+        </CardHeader>
+      </Card>
+    );
+  }
+
+  if (new Date(invite.expires_at) < new Date()) {
+    return (
+      <Card>
+        <CardHeader>
+          <CardTitle className="text-2xl font-semibold">
+            Invite expired
+          </CardTitle>
+          <CardDescription>
+            This invite has expired. Ask the workspace admin to send a new one.
+          </CardDescription>
+        </CardHeader>
+      </Card>
+    );
+  }
+
+  // Supabase join returns the relation as an opaque type; cast is unavoidable
+  const ws = invite.workspaces as unknown as { name: string; slug: string };
+
+  // Check if the current user is authenticated
+  const {
+    data: { user },
+  } = await supabase.auth.getUser();
+
+  return (
+    <Card>
+      <CardHeader>
+        <CardTitle className="text-2xl font-semibold">
+          Join {ws?.name}
+        </CardTitle>
+        <CardDescription>
+          You&apos;ve been invited to join as {invite.role === "admin" ? "an" : "a"}{" "}
+          <span className="font-medium text-foreground">{invite.role}</span>.
+        </CardDescription>
+      </CardHeader>
+      <CardContent>
+        <InviteAccept
+          token={token}
+          inviteId={invite.id}
+          workspaceId={invite.workspace_id}
+          workspaceSlug={ws?.slug ?? ""}
+          email={invite.email}
+          role={invite.role}
+          isAuthenticated={!!user}
+          userEmail={user?.email ?? null}
+        />
+      </CardContent>
+    </Card>
+  );
+}