test: add E2E tests for workspace member management (#110)

- 7 E2E tests covering invite, pending list, revoke, accept, role change,
  remove, and member role restrictions
- Fix ambiguous Supabase join in members page and invite form (members has
  two FKs to profiles; PostgREST requires explicit constraint name)
- Add supabase-admin test helper for creating/deleting temporary test users
- Update conventions.md with Supabase join disambiguation pattern
- Update quality.md to reflect new test coverage

Co-authored-by: Ona <no-reply@ona.com>

Author: zacharias-ona

.agents/conventions.md

@@ -141,6 +141,28 @@ The helper accepts `PostgrestError` (from query results) and generic `Error` (fr
 catch blocks). It tags the Sentry event with the operation name, error code, and
 message so errors are filterable in the Sentry dashboard.
 
+### Disambiguating Supabase joins
+
+When a table has multiple foreign keys to the same target table, PostgREST cannot
+infer which relationship to use. The query silently returns `null` data (no error
+thrown). Disambiguate by specifying the FK constraint name:
+
+```typescript
+// BAD — ambiguous: members has both user_id and invited_by referencing profiles
+const { data } = await supabase
+  .from("members")
+  .select("*, profiles(email, display_name)");
+// data will be null with a PGRST201 error
+
+// GOOD — specify the FK constraint
+const { data } = await supabase
+  .from("members")
+  .select("*, profiles!members_user_id_fkey(email, display_name)");
+```
+
+Check `supabase/migrations/` for constraint names. The naming convention is
+`{table}_{column}_fkey`.
+
 ### API route catch blocks
 
 All catch blocks in API routes must call `Sentry.captureException`:

.agents/quality.md

@@ -21,7 +21,7 @@ Updated weekly by the Automation Auditor. Tracks code quality per domain.
 | Editor | A | Full Lexical editor: slash commands, floating toolbar, floating link editor, drag-and-drop blocks, code highlighting, image upload, callouts, collapsible/toggle blocks. Markdown import/export. 4 unit test files (24 tests): theme mapping, markdown utils, design spec compliance, Node.contains safety. 4 E2E specs (editor-drag, editor-link, editor-slash-commands, editor-toolbar). Auto-save with debounce. Sentry error capture on save failures and image uploads. |
 | Search | B | Full-text search via PostgreSQL tsvector + tsquery. API route with integration tests (8 tests). Sidebar search component with debounced input (300ms) and results dropdown. Sentry error capture. No E2E test for search interaction. |
 | Import/Export | B | Markdown export (download .md) and import (parse .md, create page) via page menu. Markdown utils with unit tests (8 tests). No E2E test for import/export flow. |
-| Members | B | Member list with role badges, role change, remove. Invite form (email + role). Pending invite list with revoke. Invite accept page. Role select dropdown. Settings members page with server-side data fetching. No unit or E2E tests for member management. |
+| Members | A | Member list with role badges, role change, remove. Invite form (email + role). Pending invite list with revoke. Invite accept page. Role select dropdown. Settings members page with server-side data fetching. Full E2E coverage: invite, pending list, revoke, accept, role change, remove, member role restrictions. |
 | App Shell | B | Collapsible sidebar (desktop: aside, mobile: Sheet), sidebar context with ⌘+\ shortcut, workspace switcher, page tree, user menu with sign-out. Clean component decomposition. No unit tests for sidebar context or app shell layout. |
 | API Routes | A | Health endpoint (DB connectivity check, 6 tests) and search endpoint (full-text search, 8 tests). Both routes have Sentry error capture. Both have integration tests with mocked Supabase. |
 | UI Components | A | 13 shadcn/ui components (base-nova style): alert-dialog, badge, button, card, dialog, dropdown-menu, input, label, select, separator, sheet, table, tooltip. Overlay opacity regression test (2 tests). Toast error duration regression test (1 test). Design tokens use oklch color space, --radius: 0 for sharp corners. |
@@ -48,7 +48,7 @@ Updated weekly by the Automation Auditor. Tracks code quality per domain.
 
 ## Known Gaps
 
-- **Members**: No unit or E2E tests for member list, invite form, invite accept, or role changes.
+- **Members**: Full E2E coverage added (7 tests). Disambiguated Supabase join bug fixed in members page and invite form.
 - **Search UI**: No E2E test for the sidebar search interaction (typing, results display, navigation).
 - **Import/Export**: No E2E test for markdown export/import flow via page menu.
 - **Page tree**: No unit tests for the tree manipulation logic (nest, unnest, reorder). The component is 836 lines — extracting tree logic into a utility would improve testability.

e2e/fixtures/supabase-admin.ts

@@ -0,0 +1,152 @@
+import { createClient } from "@supabase/supabase-js";
+
+/**
+ * Creates a Supabase admin client using the secret (service role) key.
+ * Used in E2E tests to create/delete temporary test users and query data
+ * that bypasses RLS.
+ */
+function getAdminClient() {
+  const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
+  const secretKey = process.env.SUPABASE_SECRET_KEY;
+
+  if (!url || !secretKey) {
+    throw new Error(
+      "NEXT_PUBLIC_SUPABASE_URL and SUPABASE_SECRET_KEY must be set for admin E2E helpers"
+    );
+  }
+
+  return createClient(url, secretKey, {
+    auth: { autoRefreshToken: false, persistSession: false },
+  });
+}
+
+interface TestUser {
+  id: string;
+  email: string;
+  password: string;
+}
+
+/**
+ * Creates a temporary test user via the Supabase Admin API.
+ * The user is auto-confirmed so they can sign in immediately.
+ */
+export async function createTestUser(
+  email: string,
+  password: string,
+  displayName: string
+): Promise<TestUser> {
+  const admin = getAdminClient();
+
+  const { data, error } = await admin.auth.admin.createUser({
+    email,
+    password,
+    email_confirm: true,
+    user_metadata: { display_name: displayName },
+  });
+
+  if (error) {
+    throw new Error(`Failed to create test user ${email}: ${error.message}`);
+  }
+
+  return { id: data.user.id, email, password };
+}
+
+/**
+ * Deletes a test user and all their data via the Supabase Admin API.
+ */
+export async function deleteTestUser(userId: string): Promise<void> {
+  const admin = getAdminClient();
+
+  // Delete memberships first (the user's personal workspace will cascade)
+  await admin.from("members").delete().eq("user_id", userId);
+
+  // Delete workspaces created by this user
+  await admin.from("workspaces").delete().eq("created_by", userId);
+
+  // Delete profile
+  await admin.from("profiles").delete().eq("id", userId);
+
+  // Delete the auth user
+  const { error } = await admin.auth.admin.deleteUser(userId);
+  if (error) {
+    console.warn(`Failed to delete test user ${userId}: ${error.message}`);
+  }
+}
+
+/**
+ * Fetches the invite token for a given email and workspace from the database.
+ * Bypasses RLS via the admin client.
+ */
+export async function getInviteToken(
+  workspaceId: string,
+  email: string
+): Promise<string> {
+  const admin = getAdminClient();
+
+  const { data, error } = await admin
+    .from("workspace_invites")
+    .select("token")
+    .eq("workspace_id", workspaceId)
+    .ilike("email", email)
+    .is("accepted_at", null)
+    .order("created_at", { ascending: false })
+    .limit(1)
+    .maybeSingle();
+
+  if (error || !data) {
+    throw new Error(
+      `No pending invite found for ${email}: ${error?.message ?? "not found"}`
+    );
+  }
+
+  return data.token;
+}
+
+/**
+ * Fetches the workspace ID and slug for a user's first non-personal workspace,
+ * or their personal workspace if no team workspaces exist.
+ */
+export async function getWorkspaceForUser(
+  userId: string
+): Promise<{ id: string; slug: string }> {
+  const admin = getAdminClient();
+
+  const { data, error } = await admin
+    .from("members")
+    .select("workspace_id, workspaces(id, slug, is_personal)")
+    .eq("user_id", userId)
+    .limit(10);
+
+  if (error || !data || data.length === 0) {
+    throw new Error(
+      `No workspace found for user ${userId}: ${error?.message ?? "no memberships"}`
+    );
+  }
+
+  // Prefer non-personal workspace, fall back to personal
+  for (const row of data) {
+    const ws = row.workspaces as unknown as {
+      id: string;
+      slug: string;
+      is_personal: boolean;
+    };
+    if (!ws.is_personal) {
+      return { id: ws.id, slug: ws.slug };
+    }
+  }
+
+  const ws = data[0].workspaces as unknown as { id: string; slug: string };
+  return { id: ws.id, slug: ws.slug };
+}
+
+/**
+ * Cleans up any pending invites for a given email across all workspaces.
+ */
+export async function cleanupInvitesForEmail(email: string): Promise<void> {
+  const admin = getAdminClient();
+  await admin
+    .from("workspace_invites")
+    .delete()
+    .ilike("email", email)
+    .is("accepted_at", null);
+}