improvement(governance): workspace-org invitation system consolidation #4230
improvement(governance): workspace-org invitation system consolidation #4230icecrasher321 wants to merge 14 commits intostagingfrom
Conversation
Resolve conflicts from staging's test-mock centralization and @sim/utils
extraction:
- Keep ours for invitation unification: organizations/[id]/invitations,
members, and workspaces/invitations routes use @/lib/invitations/send +
@/lib/invitations/core helpers (staging still referenced the dropped
workspaceInvitation table and inline sendEmail).
- Keep ours for the deleted /api/organizations/[id]/invitations/[invitationId]
and /api/workspaces/invitations/[invitationId] endpoints, replaced by
the unified /api/invitations/[id]/... routes.
- Keep ours for ownership transfer infra in lib/billing/organization.ts
(attachOwnedWorkspacesToOrganization import) and
lib/billing/organizations/membership.ts (revokeWorkspaceCredentialMemberships,
transferOrganizationOwnership, isSoleOwnerOfPaidOrganization,
removeUserFromOrganization rewrite).
- Take staging for users/me/subscription/transfer imports (already had
@sim/utils/errors) and v1/admin/organizations.
- Take staging's version of lib/workspaces/lifecycle.test.ts to adopt
the new centralized schemaMock pattern.
Test pattern migration:
- Add @sim/utils to apps/sim/package.json dependencies so
generateId/toError resolve via workspace link.
- Swap @/lib/core/utils/uuid imports to @sim/utils/id across
invitations/core, invitations/send, billing/organizations/*, and
workspaces/organization-workspaces (uuid.ts was deleted on staging).
- Extend packages/testing/src/mocks/schema.mock.ts to expose the
post-unification schema: invitationKindEnum, invitationStatusEnum,
updated invitation (kind/token/updatedAt), invitationWorkspaceGrant,
workspaceModeEnum, and workspace.organizationId + workspace.workspaceMode.
- Migrate our authored tests to centralized mocks per sim-testing.mdc:
- schemaMock for @sim/db/schema (drops per-test local schema defs)
- authMock + authMockFns for @/lib/auth in the invitations route test
- permissionsMock + permissionsMockFns for getWorkspaceWithOwner
- auditMock for @/lib/audit/log
- Drop redundant drizzle-orm and @sim/logger local mocks (globally
mocked via vitest.setup.ts)
All 5326 tests across 308 files pass, typecheck clean, biome clean.
Made-with: Cursor
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryHigh Risk Overview Refactors org invitation creation to use the new invitation send/core helpers (single email per invite, rollback on send failure, partial-failure reporting), removes the legacy org and workspace invitation routes/tests, and adds a new org Adds explicit ownership transfer APIs (user and admin) and hardens org/session/billing flows: block Better Auth org mutation endpoints, auto-activate an org after subscription upgrade, prevent billed-account changes on org workspaces, clear active org on self-removal, include pending invites in seat reduction checks, validate org slug updates in admin API, and updates docs/pricing copy to clarify workspace limits and shared workspaces. Reviewed by Cursor Bugbot for commit 37eb540. Configure here. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
|
bugbot run |
|
bugbot run |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 37eb540. Configure here.
| error: 'Some invitation emails failed to send.', | ||
| message: `${sentInvitations.length} invitation(s) sent, ${failedInvitations.length} failed`, | ||
| data: responseData, | ||
| }) |
There was a problem hiding this comment.
Partial batch failure returns HTTP 200 with success false
Medium Severity
When some invitation emails fail but others succeed, the response returns HTTP 200 (the default NextResponse.json status) with success: false. Clients that check only the HTTP status code would treat this as a fully successful request, silently missing that some invitations were never delivered. The all-fail case correctly returns 502, but this partial-failure path lacks an explicit non-2xx status code like 207.
Reviewed by Cursor Bugbot for commit 37eb540. Configure here.
| grantUpdates: grantsToApply, | ||
| }, | ||
| request, | ||
| }) |
There was a problem hiding this comment.
PATCH audit always uses org type for workspace invitations
Low Severity
The PATCH handler unconditionally records AuditAction.ORG_INVITATION_UPDATED with AuditResourceType.ORGANIZATION regardless of inv.kind. For workspace-scoped invitations, this produces misleading audit entries. The sibling DELETE handler in the same file correctly branches on inv.kind to choose between workspace and organization audit actions.
Reviewed by Cursor Bugbot for commit 37eb540. Configure here.
1 participant
Summary
Organization - Workspace consolidation for UX improvement. Adds functionality like ownership transferring, billing improvements, ux improvements, etc.
Type of Change
Testing
Tested manually
Checklist