feat: workspace members — invite, roles, management (#32) (#51)

* feat: workspace members — invite, roles, management (#32)

- Add members settings page at /[workspaceSlug]/settings/members
- Invite form: email + role, creates workspace_invites row with token and 7-day expiry
- Invite accept page at /invite/[token] with states for invalid, expired, already accepted,
  unauthenticated, email mismatch, and ready-to-accept
- Member list with role badges, role change (Select), and remove (with confirmation)
- Pending invites list with revoke action
- RLS migration: policies for invite token lookup, invite acceptance, self-join via invite,
  and self-removal from workspace
- Personal workspace owner cannot be removed
- Navigation: Members link in sidebar user menu and workspace settings page
- shadcn/ui components added: Badge, Select, Table

Co-authored-by: Ona <no-reply@ona.com>

* chore: re-trigger PR review

Co-authored-by: Ona <no-reply@ona.com>

* fix: address review security feedback — use security definer RPCs for invite flow

Replace overly permissive RLS policies with security definer functions:

- get_invite_by_token: bypasses RLS for token lookup, works for anon+authenticated
- accept_invite: atomically marks invite accepted and inserts member with the
  invite's role, preventing role escalation and column tampering

Remove unused props (token, workspaceId, role) from InviteAccept component.

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>

Author: zacharias-ona

.agents/architecture.md

@@ -181,16 +181,26 @@ src/
 │   ├── page-title.tsx           # Inline-editable page title (saves on blur/Enter)
 │   ├── workspace-home.tsx       # Workspace home: page list or empty state with create CTA
 │   ├── workspace-settings-form.tsx # Edit workspace name/slug, delete workspace
+│   ├── members/             # Workspace member management components
+│   │   ├── members-page.tsx       # Client orchestrator: member list + invite form + pending invites
+│   │   ├── member-list.tsx        # Table of members with role badges, role change, remove
+│   │   ├── invite-form.tsx        # Email + role invite form (admin/owner only)
+│   │   ├── invite-accept.tsx      # Client component for accepting an invite token
+│   │   ├── pending-invite-list.tsx # Table of pending invites with revoke action
+│   │   └── role-select.tsx        # Role picker dropdown (owner/admin/member)
 │   └── ui/                 # shadcn/ui components (base-nova style, base-ui primitives)
 │       ├── alert-dialog.tsx
+│       ├── badge.tsx
 │       ├── button.tsx
 │       ├── card.tsx
 │       ├── dialog.tsx
 │       ├── dropdown-menu.tsx
 │       ├── input.tsx
 │       ├── label.tsx
+│       ├── select.tsx
 │       ├── separator.tsx
 │       ├── sheet.tsx
+│       ├── table.tsx
 │       └── tooltip.tsx
 ├── lib/
 │   ├── utils.ts            # cn() utility (clsx + tailwind-merge)
@@ -219,15 +229,15 @@ src/
 │   ├── (auth)/                        # Unauthenticated routes
 │   │   ├── sign-in/page.tsx           # /sign-in
 │   │   ├── sign-up/page.tsx           # /sign-up
-│   │   └── invite/[token]/page.tsx    # /invite/[token]
+│   │   └── invite/[token]/page.tsx    # /invite/[token] — invite accept flow
 │   ├── (app)/                         # Authenticated routes
 │   │   ├── layout.tsx                 # App shell (sidebar + main content), passes userId
 │   │   └── [workspaceSlug]/
 │   │       ├── page.tsx               # /[workspaceSlug] (workspace home)
 │   │       ├── [pageId]/page.tsx      # /[workspaceSlug]/[pageId] (page view + Lexical editor)
 │   │       └── settings/
 │   │           ├── page.tsx           # /[workspaceSlug]/settings (name, slug, delete)
-│   │           └── members/page.tsx   # /[workspaceSlug]/settings/members — planned
+│   │           └── members/page.tsx   # /[workspaceSlug]/settings/members
 │   └── api/
 │       ├── health/                    # Existing
 │       └── ...                        # Additional API routes as needed

src/app/(app)/[workspaceSlug]/settings/members/page.tsx

@@ -0,0 +1,87 @@
+import { notFound, redirect } from "next/navigation";
+import { createClient } from "@/lib/supabase/server";
+import { MembersPage } from "@/components/members/members-page";
+import type { MemberWithProfile, WorkspaceInviteWithInviter } from "@/lib/types";
+
+export default async function WorkspaceMembersPage({
+  params,
+}: {
+  params: Promise<{ workspaceSlug: string }>;
+}) {
+  const { workspaceSlug } = await params;
+  const supabase = await createClient();
+
+  const {
+    data: { user },
+  } = await supabase.auth.getUser();
+
+  if (!user) {
+    redirect("/sign-in");
+  }
+
+  const { data: workspace } = await supabase
+    .from("workspaces")
+    .select("*")
+    .eq("slug", workspaceSlug)
+    .maybeSingle();
+
+  if (!workspace) {
+    notFound();
+  }
+
+  // Fetch current user's membership to determine their role
+  const { data: currentMember } = await supabase
+    .from("members")
+    .select("id, role")
+    .eq("workspace_id", workspace.id)
+    .eq("user_id", user.id)
+    .maybeSingle();
+
+  if (!currentMember) {
+    notFound();
+  }
+
+  // Fetch all members with profile info
+  const { data: membersRaw } = await supabase
+    .from("members")
+    .select("*, profiles(email, display_name, avatar_url)")
+    .eq("workspace_id", workspace.id)
+    .order("created_at", { ascending: true });
+
+  // Supabase join returns the relation as an opaque type; cast is unavoidable
+  const members = (membersRaw ?? []) as unknown as MemberWithProfile[];
+
+  // Fetch pending invites (only visible to admins/owners)
+  const isAdmin = currentMember.role === "owner" || currentMember.role === "admin";
+  let pendingInvites: WorkspaceInviteWithInviter[] = [];
+
+  if (isAdmin) {
+    const { data: invites } = await supabase
+      .from("workspace_invites")
+      .select("*, profiles:invited_by(display_name)")
+      .eq("workspace_id", workspace.id)
+      .is("accepted_at", null)
+      .order("created_at", { ascending: false });
+
+    // Supabase join returns the relation as an opaque type; cast is unavoidable
+    pendingInvites = (invites ?? []) as unknown as WorkspaceInviteWithInviter[];
+  }
+
+  return (
+    <div className="mx-auto max-w-xl p-6">
+      <h1 className="text-2xl font-semibold">Members</h1>
+      <p className="mt-1 text-sm text-muted-foreground">
+        Manage who has access to this workspace.
+      </p>
+      <div className="mt-6">
+        <MembersPage
+          workspace={workspace}
+          members={members}
+          pendingInvites={pendingInvites}
+          currentUserId={user.id}
+          currentUserRole={currentMember.role}
+        />
+      </div>
+    </div>
+  );
+}

src/app/(app)/[workspaceSlug]/settings/page.tsx

@@ -1,3 +1,4 @@
+import Link from "next/link";
 import { notFound, redirect } from "next/navigation";
 import { createClient } from "@/lib/supabase/server";
 import { WorkspaceSettingsForm } from "@/components/workspace-settings-form";
@@ -30,7 +31,15 @@ export default async function WorkspaceSettingsPage({
 
   return (
     <div className="mx-auto max-w-xl p-6">
-      <h1 className="text-2xl font-semibold">Workspace settings</h1>
+      <div className="flex items-center gap-4">
+        <h1 className="text-2xl font-semibold">Workspace settings</h1>
+        <Link
+          href={`/${workspaceSlug}/settings/members`}
+          className="text-sm text-accent underline-offset-4 hover:underline"
+        >
+          Members
+        </Link>
+      </div>
       <p className="mt-1 text-sm text-muted-foreground">
         Manage your workspace name, URL, and other settings.
       </p>

src/app/(auth)/invite/[token]/page.tsx

@@ -0,0 +1,99 @@
+import { createClient } from "@/lib/supabase/server";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "@/components/ui/card";
+import { InviteAccept } from "@/components/members/invite-accept";
+
+export default async function InviteAcceptPage({
+  params,
+}: {
+  params: Promise<{ token: string }>;
+}) {
+  const { token } = await params;
+  const supabase = await createClient();
+
+  // Look up the invite by token via security definer function.
+  // Works for both anon and authenticated users.
+  const { data: invites } = await supabase.rpc("get_invite_by_token", {
+    invite_token: token,
+  });
+
+  const invite = invites?.[0] ?? null;
+
+  if (!invite) {
+    return (
+      <Card>
+        <CardHeader>
+          <CardTitle className="text-2xl font-semibold">
+            Invalid invite
+          </CardTitle>
+          <CardDescription>
+            This invite link is invalid or has been revoked.
+          </CardDescription>
+        </CardHeader>
+      </Card>
+    );
+  }
+
+  if (invite.accepted_at) {
+    return (
+      <Card>
+        <CardHeader>
+          <CardTitle className="text-2xl font-semibold">
+            Already accepted
+          </CardTitle>
+          <CardDescription>
+            This invite to {invite.workspace_name} has already been accepted.
+          </CardDescription>
+        </CardHeader>
+      </Card>
+    );
+  }
+
+  if (new Date(invite.expires_at) < new Date()) {
+    return (
+      <Card>
+        <CardHeader>
+          <CardTitle className="text-2xl font-semibold">
+            Invite expired
+          </CardTitle>
+          <CardDescription>
+            This invite has expired. Ask the workspace admin to send a new one.
+          </CardDescription>
+        </CardHeader>
+      </Card>
+    );
+  }
+
+  // Check if the current user is authenticated
+  const {
+    data: { user },
+  } = await supabase.auth.getUser();
+
+  return (
+    <Card>
+      <CardHeader>
+        <CardTitle className="text-2xl font-semibold">
+          Join {invite.workspace_name}
+        </CardTitle>
+        <CardDescription>
+          You&apos;ve been invited to join as {invite.role === "admin" ? "an" : "a"}{" "}
+          <span className="font-medium text-foreground">{invite.role}</span>.
+        </CardDescription>
+      </CardHeader>
+      <CardContent>
+        <InviteAccept
+          inviteId={invite.id}
+          workspaceSlug={invite.workspace_slug ?? ""}
+          email={invite.email}
+          isAuthenticated={!!user}
+          userEmail={user?.email ?? null}
+        />
+      </CardContent>
+    </Card>
+  );
+}

src/components/members/invite-accept.tsx

@@ -0,0 +1,105 @@
+"use client";
+
+import { useState } from "react";
+import { useRouter } from "next/navigation";
+import Link from "next/link";
+import { createClient } from "@/lib/supabase/client";
+import { Button } from "@/components/ui/button";
+
+interface InviteAcceptProps {
+  inviteId: string;
+  workspaceSlug: string;
+  email: string;
+  isAuthenticated: boolean;
+  userEmail: string | null;
+}
+
+export function InviteAccept({
+  inviteId,
+  workspaceSlug,
+  email,
+  isAuthenticated,
+  userEmail,
+}: InviteAcceptProps) {
+  const router = useRouter();
+  const [accepting, setAccepting] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  // Not authenticated — prompt to sign in or sign up
+  if (!isAuthenticated) {
+    return (
+      <div className="flex flex-col gap-3">
+        <p className="text-sm text-muted-foreground">
+          Sign in or create an account with{" "}
+          <span className="font-medium text-foreground">{email}</span> to
+          accept this invite.
+        </p>
+        <div className="flex gap-2">
+          <Button render={<Link href="/sign-in" />}>Sign in</Button>
+          <Button variant="outline" render={<Link href="/sign-up" />}>
+            Sign up
+          </Button>
+        </div>
+      </div>
+    );
+  }
+
+  // Authenticated but with a different email
+  const emailMismatch =
+    userEmail && userEmail.toLowerCase() !== email.toLowerCase();
+
+  if (emailMismatch) {
+    return (
+      <div className="flex flex-col gap-3">
+        <p className="text-sm text-muted-foreground">
+          This invite was sent to{" "}
+          <span className="font-medium text-foreground">{email}</span>, but
+          you&apos;re signed in as{" "}
+          <span className="font-medium text-foreground">{userEmail}</span>.
+        </p>
+        <p className="text-sm text-muted-foreground">
+          Sign in with the invited email to accept.
+        </p>
+      </div>
+    );
+  }
+
+  async function handleAccept() {
+    setAccepting(true);
+    setError(null);
+
+    const supabase = createClient();
+
+    // Use the security definer RPC which atomically marks the invite as
+    // accepted and inserts the member with the correct role from the invite.
+    const { error: acceptError } = await supabase.rpc("accept_invite", {
+      invite_id: inviteId,
+    });
+
+    if (acceptError) {
+      // Duplicate key means already a member — treat as success
+      if (acceptError.message.includes("duplicate key")) {
+        router.push(`/${workspaceSlug}`);
+        return;
+      }
+      setError(acceptError.message);
+      setAccepting(false);
+      return;
+    }
+
+    router.push(`/${workspaceSlug}`);
+  }
+
+  return (
+    <div className="flex flex-col gap-3">
+      <p className="text-sm text-muted-foreground">
+        You&apos;re signed in as{" "}
+        <span className="font-medium text-foreground">{userEmail}</span>.
+      </p>
+      {error && <p className="text-xs text-destructive">{error}</p>}
+      <Button onClick={handleAccept} disabled={accepting}>
+        {accepting ? "Joining…" : "Accept invite"}
+      </Button>
+    </div>
+  );
+}