02_PLAN — Group Settings + Invite/Join System
This plan is the source of truth for the Group Settings system and related join/invite flows. Keep the full backlog intact; only add sub-tasks under existing items.
(A) Backlog snapshot (all epics/tasks)
Epic 1 — Roles, permissions, and invariants
1.1 Define GROUP_OWNER role and permission matrix (owner/admin/member).
- Status: completed
1.2 Define server-enforced invariants:
- Exactly 1 owner per group.
- Owner cannot be removed or leave without transfer.
- Admins optional; no lockout/privilege escalation.
- Status: completed
1.3 Decide admin abilities:
- Admins can approve join requests and create/revive invite links.
- Admins cannot change owner.
- Status: completed
Epic 2 — DB schema + migrations
2.1 Add GROUP_OWNER role to group_members and migrate existing groups (first admin becomes owner).
- Status: completed
2.2 Add join settings to group settings:
- join policy: NOT_ACCEPTING (default) | AUTO_ACCEPT | APPROVAL_REQUIRED.
- Status: completed
2.3 Add invite link table and fields:
- Immutable settings: single_use, policy, expires_at.
- Mutable on revive: used_at, revoked_at, expires_at.
- Retain expired links; delete single-use links after use.
- Status: completed
2.4 Add audit log table for membership + invite actions.
- Include request_id, actor, group, event type, ip, user-agent.
- Store invite code last4 only.
- Status: completed
Epic 3 — Server services (lib/server)
3.1 Ownership transfer rules (manual only; auto-transfer paused until cron).
- Status: completed
3.2 Membership management services:
- list members, approve/deny join, kick, leave, promote/demote.
- Status: completed
3.3 Invite link services:
- create/revoke/revive/list, enforce immutability and TTL (1–7 days).
- Status: completed
3.4 Audit logging helpers:
- API-generated request_id stored with events.
- Status: completed
Epic 4 — API routes (app/api)
4.1 Group settings endpoints:
- rename group, update join policy.
- Status: completed
4.2 Membership endpoints:
- list members, approve/deny join, kick, leave, transfer ownership.
- Status: completed
4.3 Invite endpoints:
- create invite link, revoke, revive, list links.
- Status: completed
4.4 Audit endpoints (optional for UI):
- list recent audit events per group.
- Status: completed
Epic 5 — Client wrappers + hooks
5.1 Client APIs for settings, members, invites, audit.
- Status: completed
5.2 Hooks for UI consumption:
- use-group-members, use-group-settings, use-invites, use-audit.
- Status: completed
Epic 6 — UI: Group Settings page
6.1 Profile section: rename group (confirm modal).
- Status: completed
6.2 Members section:
- list members, approve/deny join requests.
- promote/demote, kick (confirm modal).
- Status: completed
6.3 Ownership section:
- transfer ownership (owner-only, confirm).
- Status: completed
6.4 Invite section:
- show invite code, generate link with 1–7 day TTL, policy, single-use.
- revoke/revive link, show status.
- Status: completed
6.5 Danger zone:
- delete group (typed confirm).
- Status: completed
Epic 7 — Testing
7.1 Unit tests for permissions/invariants.
- Status: completed
Status: completed
- Status: in-progress
Status: not-started (requires UI test framework)
7.3 UI behavior tests for disabled actions + confirmations.
- Status: not-started
Epic 8 — Documentation updates
8.1 Update project instructions with owner role, join policies, invite links, audit rules, paused cron.
- Status: completed
(B) Current focus (detailed)
Focus: Epic 7 — Testing
- UI behavior tests pending framework selection.
- Updated existing tests for owner role and cleanup of new tables.
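
The invite-link rules from items 2.3, 2.4 and 3.3 in unit-testable TypeScript, as an added example that is not this project's lib/server code. Every type and function name, the in-memory Map standing in for the invite link table, and the AUTO_ACCEPT | APPROVAL_REQUIRED value set for `policy` are assumptions.

```typescript
// Added illustration; all names here are hypothetical, not the project's own services.
type InvitePolicy = "AUTO_ACCEPT" | "APPROVAL_REQUIRED"; // assumed value set for `policy`

interface InviteLink {
  readonly code: string;
  readonly single_use: boolean; // immutable after creation
  readonly policy: InvitePolicy; // immutable after creation
  expires_at: number; // epoch ms; fixed at creation, reset only by revive
  used_at: number | null;
  revoked_at: number | null;
}

const DAY_MS = 24 * 60 * 60 * 1000;

function assertTtl(ttlDays: number): void {
  if (!Number.isInteger(ttlDays) || ttlDays < 1 || ttlDays > 7) {
    throw new RangeError("ttlDays must be an integer from 1 to 7");
  }
}

function createInvite(code: string, singleUse: boolean, policy: InvitePolicy, ttlDays: number, now: number): InviteLink {
  assertTtl(ttlDays);
  return { code, single_use: singleUse, policy, expires_at: now + ttlDays * DAY_MS, used_at: null, revoked_at: null };
}

// Revive resets only the mutable fields; single_use and policy carry over unchanged.
function reviveInvite(link: InviteLink, ttlDays: number, now: number): InviteLink {
  assertTtl(ttlDays);
  return { ...link, used_at: null, revoked_at: null, expires_at: now + ttlDays * DAY_MS };
}

type RedeemResult = { ok: true; policy: InvitePolicy } | { ok: false; reason: "unknown" | "revoked" | "expired" };

// Checks run server-side on every redemption; expired rows stay in the store so they can be revived.
function redeemInvite(store: Map<string, InviteLink>, code: string, now: number): RedeemResult {
  const link = store.get(code);
  if (!link) return { ok: false, reason: "unknown" };
  if (link.revoked_at !== null) return { ok: false, reason: "revoked" };
  if (now >= link.expires_at) return { ok: false, reason: "expired" };
  link.used_at = now;
  if (link.single_use) store.delete(code); // single-use links are deleted after use
  return { ok: true, policy: link.policy };
}

// Audit rows keep only the last four characters of the invite code, never the full value.
interface AuditContext { request_id: string; actor: string; group: string; ip: string; user_agent: string }
function auditInviteEvent(ctx: AuditContext, eventType: string, code: string) {
  return { ...ctx, event_type: eventType, invite_last4: code.slice(-4) };
}
```

Passing `now` as a parameter keeps the expiry checks deterministic in unit tests.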