feat(web): add teams API client (in progress)

Hit rate limit mid-flight.

.mosaic/orchestrator/mission.json

@@ -1,14 +1,80 @@
 {
   "schema_version": 1,
-  "mission_id": "prd-implementation-20260222",
-  "name": "PRD implementation",
-  "description": "",
+  "mission_id": "ms21-multi-tenant-rbac-data-migration-20260228",
+  "name": "MS21 Multi-Tenant RBAC Data Migration",
+  "description": "Build multi-tenant user/workspace/team management, break-glass auth, RBAC UI enforcement, and migrate jarvis-brain data into Mosaic Stack",
   "project_path": "/home/jwoltje/src/mosaic-stack",
-  "created_at": "2026-02-23T03:20:55Z",
+  "created_at": "2026-02-28T17:10:22Z",
   "status": "active",
-  "task_prefix": "",
-  "quality_gates": "",
-  "milestone_version": "0.0.20",
-  "milestones": [],
-  "sessions": []
+  "task_prefix": "MS21",
+  "quality_gates": "pnpm lint && pnpm build && pnpm test",
+  "milestone_version": "0.0.21",
+  "milestones": [
+    {
+      "id": "phase-1",
+      "name": "Schema and Admin API",
+      "status": "pending",
+      "branch": "schema-and-admin-api",
+      "issue_ref": "",
+      "started_at": "",
+      "completed_at": ""
+    },
+    {
+      "id": "phase-2",
+      "name": "Break-Glass Authentication",
+      "status": "pending",
+      "branch": "break-glass-authentication",
+      "issue_ref": "",
+      "started_at": "",
+      "completed_at": ""
+    },
+    {
+      "id": "phase-3",
+      "name": "Data Migration",
+      "status": "pending",
+      "branch": "data-migration",
+      "issue_ref": "",
+      "started_at": "",
+      "completed_at": ""
+    },
+    {
+      "id": "phase-4",
+      "name": "Admin UI",
+      "status": "pending",
+      "branch": "admin-ui",
+      "issue_ref": "",
+      "started_at": "",
+      "completed_at": ""
+    },
+    {
+      "id": "phase-5",
+      "name": "RBAC UI Enforcement",
+      "status": "pending",
+      "branch": "rbac-ui-enforcement",
+      "issue_ref": "",
+      "started_at": "",
+      "completed_at": ""
+    },
+    {
+      "id": "phase-6",
+      "name": "Verification",
+      "status": "pending",
+      "branch": "verification",
+      "issue_ref": "",
+      "started_at": "",
+      "completed_at": ""
+    }
+  ],
+  "sessions": [
+    {
+      "session_id": "sess-001",
+      "runtime": "unknown",
+      "started_at": "2026-02-28T17:48:51Z",
+      "ended_at": "",
+      "ended_reason": "",
+      "milestone_at_end": "",
+      "tasks_completed": [],
+      "last_task_id": ""
+    }
+  ]
 }

.mosaic/orchestrator/session.lock

@@ -0,0 +1,8 @@
+{
+  "session_id": "sess-001",
+  "runtime": "unknown",
+  "pid": 2396592,
+  "started_at": "2026-02-28T17:48:51Z",
+  "project_path": "/tmp/ms21-api-003",
+  "milestone_id": ""
+}

apps/api/package.json

@@ -52,6 +52,7 @@
     "adm-zip": "^0.5.16",
     "archiver": "^7.0.1",
     "axios": "^1.13.5",
+    "bcryptjs": "^3.0.3",
     "better-auth": "^1.4.17",
     "bullmq": "^5.67.2",
     "class-transformer": "^0.5.1",
@@ -85,6 +86,7 @@
     "@swc/core": "^1.10.18",
     "@types/adm-zip": "^0.5.7",
     "@types/archiver": "^7.0.0",
+    "@types/bcryptjs": "^3.0.0",
     "@types/cookie-parser": "^1.4.10",
     "@types/express": "^5.0.1",
     "@types/highlight.js": "^10.1.0",

apps/api/prisma/schema.prisma

@@ -227,6 +227,14 @@ model User {
   createdAt      DateTime @default(now()) @map("created_at") @db.Timestamptz
   updatedAt      DateTime @updatedAt @map("updated_at") @db.Timestamptz
 
+  // MS21: Admin, local auth, and invitation fields
+  deactivatedAt   DateTime?  @map("deactivated_at") @db.Timestamptz
+  isLocalAuth     Boolean    @default(false) @map("is_local_auth")
+  passwordHash    String?    @map("password_hash")
+  invitedBy       String?    @map("invited_by") @db.Uuid
+  invitationToken String?    @unique @map("invitation_token")
+  invitedAt       DateTime?  @map("invited_at") @db.Timestamptz
+
   // Relations
   ownedWorkspaces        Workspace[]             @relation("WorkspaceOwner")
   workspaceMemberships   WorkspaceMember[]

apps/api/src/admin/admin.controller.spec.ts

@@ -0,0 +1,258 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import { AdminController } from "./admin.controller";
+import { AdminService } from "./admin.service";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { AdminGuard } from "../auth/guards/admin.guard";
+import { WorkspaceMemberRole } from "@prisma/client";
+import type { ExecutionContext } from "@nestjs/common";
+
+describe("AdminController", () => {
+  let controller: AdminController;
+  let service: AdminService;
+
+  const mockAdminService = {
+    listUsers: vi.fn(),
+    inviteUser: vi.fn(),
+    updateUser: vi.fn(),
+    deactivateUser: vi.fn(),
+    createWorkspace: vi.fn(),
+    updateWorkspace: vi.fn(),
+  };
+
+  const mockAuthGuard = {
+    canActivate: vi.fn((context: ExecutionContext) => {
+      const request = context.switchToHttp().getRequest();
+      request.user = {
+        id: "550e8400-e29b-41d4-a716-446655440001",
+        email: "admin@example.com",
+        name: "Admin User",
+      };
+      return true;
+    }),
+  };
+
+  const mockAdminGuard = {
+    canActivate: vi.fn(() => true),
+  };
+
+  const mockAdminId = "550e8400-e29b-41d4-a716-446655440001";
+  const mockUserId = "550e8400-e29b-41d4-a716-446655440002";
+  const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440003";
+
+  const mockAdminUser = {
+    id: mockAdminId,
+    email: "admin@example.com",
+    name: "Admin User",
+  };
+
+  const mockUserResponse = {
+    id: mockUserId,
+    name: "Test User",
+    email: "test@example.com",
+    emailVerified: false,
+    image: null,
+    createdAt: new Date("2026-01-01"),
+    deactivatedAt: null,
+    isLocalAuth: false,
+    invitedAt: null,
+    invitedBy: null,
+    workspaceMemberships: [],
+  };
+
+  const mockWorkspaceResponse = {
+    id: mockWorkspaceId,
+    name: "Test Workspace",
+    ownerId: mockAdminId,
+    settings: {},
+    createdAt: new Date("2026-01-01"),
+    updatedAt: new Date("2026-01-01"),
+    memberCount: 1,
+  };
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      controllers: [AdminController],
+      providers: [
+        {
+          provide: AdminService,
+          useValue: mockAdminService,
+        },
+      ],
+    })
+      .overrideGuard(AuthGuard)
+      .useValue(mockAuthGuard)
+      .overrideGuard(AdminGuard)
+      .useValue(mockAdminGuard)
+      .compile();
+
+    controller = module.get<AdminController>(AdminController);
+    service = module.get<AdminService>(AdminService);
+
+    vi.clearAllMocks();
+  });
+
+  it("should be defined", () => {
+    expect(controller).toBeDefined();
+  });
+
+  describe("listUsers", () => {
+    it("should return paginated users", async () => {
+      const paginatedResult = {
+        data: [mockUserResponse],
+        meta: { total: 1, page: 1, limit: 50, totalPages: 1 },
+      };
+      mockAdminService.listUsers.mockResolvedValue(paginatedResult);
+
+      const result = await controller.listUsers({ page: 1, limit: 50 });
+
+      expect(result).toEqual(paginatedResult);
+      expect(service.listUsers).toHaveBeenCalledWith(1, 50);
+    });
+
+    it("should use default pagination", async () => {
+      const paginatedResult = {
+        data: [],
+        meta: { total: 0, page: 1, limit: 50, totalPages: 0 },
+      };
+      mockAdminService.listUsers.mockResolvedValue(paginatedResult);
+
+      await controller.listUsers({});
+
+      expect(service.listUsers).toHaveBeenCalledWith(undefined, undefined);
+    });
+  });
+
+  describe("inviteUser", () => {
+    it("should invite a user", async () => {
+      const inviteDto = { email: "new@example.com" };
+      const invitationResponse = {
+        userId: "new-id",
+        invitationToken: "token",
+        email: "new@example.com",
+        invitedAt: new Date(),
+      };
+      mockAdminService.inviteUser.mockResolvedValue(invitationResponse);
+
+      const result = await controller.inviteUser(inviteDto, mockAdminUser);
+
+      expect(result).toEqual(invitationResponse);
+      expect(service.inviteUser).toHaveBeenCalledWith(inviteDto, mockAdminId);
+    });
+
+    it("should invite a user with workspace and role", async () => {
+      const inviteDto = {
+        email: "new@example.com",
+        workspaceId: mockWorkspaceId,
+        role: WorkspaceMemberRole.ADMIN,
+      };
+      mockAdminService.inviteUser.mockResolvedValue({
+        userId: "new-id",
+        invitationToken: "token",
+        email: "new@example.com",
+        invitedAt: new Date(),
+      });
+
+      await controller.inviteUser(inviteDto, mockAdminUser);
+
+      expect(service.inviteUser).toHaveBeenCalledWith(inviteDto, mockAdminId);
+    });
+  });
+
+  describe("updateUser", () => {
+    it("should update a user", async () => {
+      const updateDto = { name: "Updated Name" };
+      mockAdminService.updateUser.mockResolvedValue({
+        ...mockUserResponse,
+        name: "Updated Name",
+      });
+
+      const result = await controller.updateUser(mockUserId, updateDto);
+
+      expect(result.name).toBe("Updated Name");
+      expect(service.updateUser).toHaveBeenCalledWith(mockUserId, updateDto);
+    });
+
+    it("should deactivate a user via update", async () => {
+      const deactivatedAt = "2026-02-28T00:00:00.000Z";
+      const updateDto = { deactivatedAt };
+      mockAdminService.updateUser.mockResolvedValue({
+        ...mockUserResponse,
+        deactivatedAt: new Date(deactivatedAt),
+      });
+
+      const result = await controller.updateUser(mockUserId, updateDto);
+
+      expect(result.deactivatedAt).toEqual(new Date(deactivatedAt));
+    });
+  });
+
+  describe("deactivateUser", () => {
+    it("should soft-delete a user", async () => {
+      mockAdminService.deactivateUser.mockResolvedValue({
+        ...mockUserResponse,
+        deactivatedAt: new Date(),
+      });
+
+      const result = await controller.deactivateUser(mockUserId);
+
+      expect(result.deactivatedAt).toBeDefined();
+      expect(service.deactivateUser).toHaveBeenCalledWith(mockUserId);
+    });
+  });
+
+  describe("createWorkspace", () => {
+    it("should create a workspace", async () => {
+      const createDto = { name: "New Workspace", ownerId: mockAdminId };
+      mockAdminService.createWorkspace.mockResolvedValue(mockWorkspaceResponse);
+
+      const result = await controller.createWorkspace(createDto);
+
+      expect(result).toEqual(mockWorkspaceResponse);
+      expect(service.createWorkspace).toHaveBeenCalledWith(createDto);
+    });
+
+    it("should create workspace with settings", async () => {
+      const createDto = {
+        name: "New Workspace",
+        ownerId: mockAdminId,
+        settings: { feature: true },
+      };
+      mockAdminService.createWorkspace.mockResolvedValue({
+        ...mockWorkspaceResponse,
+        settings: { feature: true },
+      });
+
+      const result = await controller.createWorkspace(createDto);
+
+      expect(result.settings).toEqual({ feature: true });
+    });
+  });
+
+  describe("updateWorkspace", () => {
+    it("should update a workspace", async () => {
+      const updateDto = { name: "Updated Workspace" };
+      mockAdminService.updateWorkspace.mockResolvedValue({
+        ...mockWorkspaceResponse,
+        name: "Updated Workspace",
+      });
+
+      const result = await controller.updateWorkspace(mockWorkspaceId, updateDto);
+
+      expect(result.name).toBe("Updated Workspace");
+      expect(service.updateWorkspace).toHaveBeenCalledWith(mockWorkspaceId, updateDto);
+    });
+
+    it("should update workspace settings", async () => {
+      const updateDto = { settings: { notifications: false } };
+      mockAdminService.updateWorkspace.mockResolvedValue({
+        ...mockWorkspaceResponse,
+        settings: { notifications: false },
+      });
+
+      const result = await controller.updateWorkspace(mockWorkspaceId, updateDto);
+
+      expect(result.settings).toEqual({ notifications: false });
+    });
+  });
+});

apps/api/src/admin/admin.controller.ts

@@ -0,0 +1,64 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Patch,
+  Delete,
+  Body,
+  Param,
+  Query,
+  UseGuards,
+  ParseUUIDPipe,
+} from "@nestjs/common";
+import { AdminService } from "./admin.service";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { AdminGuard } from "../auth/guards/admin.guard";
+import { CurrentUser } from "../auth/decorators/current-user.decorator";
+import type { AuthUser } from "@mosaic/shared";
+import { InviteUserDto } from "./dto/invite-user.dto";
+import { UpdateUserDto } from "./dto/update-user.dto";
+import { CreateWorkspaceDto } from "./dto/create-workspace.dto";
+import { UpdateWorkspaceDto } from "./dto/update-workspace.dto";
+import { QueryUsersDto } from "./dto/query-users.dto";
+
+@Controller("admin")
+@UseGuards(AuthGuard, AdminGuard)
+export class AdminController {
+  constructor(private readonly adminService: AdminService) {}
+
+  @Get("users")
+  async listUsers(@Query() query: QueryUsersDto) {
+    return this.adminService.listUsers(query.page, query.limit);
+  }
+
+  @Post("users/invite")
+  async inviteUser(@Body() dto: InviteUserDto, @CurrentUser() user: AuthUser) {
+    return this.adminService.inviteUser(dto, user.id);
+  }
+
+  @Patch("users/:id")
+  async updateUser(
+    @Param("id", new ParseUUIDPipe({ version: "4" })) id: string,
+    @Body() dto: UpdateUserDto
+  ) {
+    return this.adminService.updateUser(id, dto);
+  }
+
+  @Delete("users/:id")
+  async deactivateUser(@Param("id", new ParseUUIDPipe({ version: "4" })) id: string) {
+    return this.adminService.deactivateUser(id);
+  }
+
+  @Post("workspaces")
+  async createWorkspace(@Body() dto: CreateWorkspaceDto) {
+    return this.adminService.createWorkspace(dto);
+  }
+
+  @Patch("workspaces/:id")
+  async updateWorkspace(
+    @Param("id", new ParseUUIDPipe({ version: "4" })) id: string,
+    @Body() dto: UpdateWorkspaceDto
+  ) {
+    return this.adminService.updateWorkspace(id, dto);
+  }
+}

apps/api/src/admin/admin.module.ts

@@ -0,0 +1,13 @@
+import { Module } from "@nestjs/common";
+import { AdminController } from "./admin.controller";
+import { AdminService } from "./admin.service";
+import { PrismaModule } from "../prisma/prisma.module";
+import { AuthModule } from "../auth/auth.module";
+
+@Module({
+  imports: [PrismaModule, AuthModule],
+  controllers: [AdminController],
+  providers: [AdminService],
+  exports: [AdminService],
+})
+export class AdminModule {}

apps/api/src/admin/admin.service.spec.ts

@@ -0,0 +1,471 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import { AdminService } from "./admin.service";
+import { PrismaService } from "../prisma/prisma.service";
+import { BadRequestException, ConflictException, NotFoundException } from "@nestjs/common";
+import { WorkspaceMemberRole } from "@prisma/client";
+
+describe("AdminService", () => {
+  let service: AdminService;
+
+  const mockPrismaService = {
+    user: {
+      findMany: vi.fn(),
+      findUnique: vi.fn(),
+      count: vi.fn(),
+      create: vi.fn(),
+      update: vi.fn(),
+    },
+    workspace: {
+      findUnique: vi.fn(),
+      create: vi.fn(),
+      update: vi.fn(),
+    },
+    workspaceMember: {
+      create: vi.fn(),
+    },
+    $transaction: vi.fn(),
+  };
+
+  const mockAdminId = "550e8400-e29b-41d4-a716-446655440001";
+  const mockUserId = "550e8400-e29b-41d4-a716-446655440002";
+  const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440003";
+
+  const mockUser = {
+    id: mockUserId,
+    name: "Test User",
+    email: "test@example.com",
+    emailVerified: false,
+    image: null,
+    createdAt: new Date("2026-01-01"),
+    updatedAt: new Date("2026-01-01"),
+    deactivatedAt: null,
+    isLocalAuth: false,
+    passwordHash: null,
+    invitedBy: null,
+    invitationToken: null,
+    invitedAt: null,
+    authProviderId: null,
+    preferences: {},
+    workspaceMemberships: [
+      {
+        workspaceId: mockWorkspaceId,
+        userId: mockUserId,
+        role: WorkspaceMemberRole.MEMBER,
+        joinedAt: new Date("2026-01-01"),
+        workspace: { id: mockWorkspaceId, name: "Test Workspace" },
+      },
+    ],
+  };
+
+  const mockWorkspace = {
+    id: mockWorkspaceId,
+    name: "Test Workspace",
+    ownerId: mockAdminId,
+    settings: {},
+    createdAt: new Date("2026-01-01"),
+    updatedAt: new Date("2026-01-01"),
+    matrixRoomId: null,
+  };
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        AdminService,
+        {
+          provide: PrismaService,
+          useValue: mockPrismaService,
+        },
+      ],
+    }).compile();
+
+    service = module.get<AdminService>(AdminService);
+
+    vi.clearAllMocks();
+
+    mockPrismaService.$transaction.mockImplementation(async (fn: (tx: unknown) => unknown) => {
+      return fn(mockPrismaService);
+    });
+  });
+
+  it("should be defined", () => {
+    expect(service).toBeDefined();
+  });
+
+  describe("listUsers", () => {
+    it("should return paginated users with memberships", async () => {
+      mockPrismaService.user.findMany.mockResolvedValue([mockUser]);
+      mockPrismaService.user.count.mockResolvedValue(1);
+
+      const result = await service.listUsers(1, 50);
+
+      expect(result.data).toHaveLength(1);
+      expect(result.data[0]?.id).toBe(mockUserId);
+      expect(result.data[0]?.workspaceMemberships).toHaveLength(1);
+      expect(result.meta).toEqual({
+        total: 1,
+        page: 1,
+        limit: 50,
+        totalPages: 1,
+      });
+    });
+
+    it("should use default pagination when not provided", async () => {
+      mockPrismaService.user.findMany.mockResolvedValue([]);
+      mockPrismaService.user.count.mockResolvedValue(0);
+
+      await service.listUsers();
+
+      expect(mockPrismaService.user.findMany).toHaveBeenCalledWith(
+        expect.objectContaining({
+          skip: 0,
+          take: 50,
+        })
+      );
+    });
+
+    it("should calculate pagination correctly", async () => {
+      mockPrismaService.user.findMany.mockResolvedValue([]);
+      mockPrismaService.user.count.mockResolvedValue(150);
+
+      const result = await service.listUsers(3, 25);
+
+      expect(mockPrismaService.user.findMany).toHaveBeenCalledWith(
+        expect.objectContaining({
+          skip: 50,
+          take: 25,
+        })
+      );
+      expect(result.meta.totalPages).toBe(6);
+    });
+  });
+
+  describe("inviteUser", () => {
+    it("should create a user with invitation token", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+      const createdUser = {
+        id: "new-user-id",
+        email: "new@example.com",
+        name: "new",
+        invitationToken: "some-token",
+      };
+      mockPrismaService.user.create.mockResolvedValue(createdUser);
+
+      const result = await service.inviteUser({ email: "new@example.com" }, mockAdminId);
+
+      expect(result.email).toBe("new@example.com");
+      expect(result.invitationToken).toBeDefined();
+      expect(result.userId).toBe("new-user-id");
+      expect(mockPrismaService.user.create).toHaveBeenCalledWith(
+        expect.objectContaining({
+          data: expect.objectContaining({
+            email: "new@example.com",
+            invitedBy: mockAdminId,
+            invitationToken: expect.any(String),
+          }),
+        })
+      );
+    });
+
+    it("should add user to workspace when workspaceId provided", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+      mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
+      const createdUser = { id: "new-user-id", email: "new@example.com", name: "new" };
+      mockPrismaService.user.create.mockResolvedValue(createdUser);
+
+      await service.inviteUser(
+        {
+          email: "new@example.com",
+          workspaceId: mockWorkspaceId,
+          role: WorkspaceMemberRole.ADMIN,
+        },
+        mockAdminId
+      );
+
+      expect(mockPrismaService.workspaceMember.create).toHaveBeenCalledWith({
+        data: {
+          workspaceId: mockWorkspaceId,
+          userId: "new-user-id",
+          role: WorkspaceMemberRole.ADMIN,
+        },
+      });
+    });
+
+    it("should throw ConflictException if email already exists", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
+
+      await expect(service.inviteUser({ email: "test@example.com" }, mockAdminId)).rejects.toThrow(
+        ConflictException
+      );
+    });
+
+    it("should throw NotFoundException if workspace does not exist", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+      mockPrismaService.workspace.findUnique.mockResolvedValue(null);
+
+      await expect(
+        service.inviteUser({ email: "new@example.com", workspaceId: "non-existent" }, mockAdminId)
+      ).rejects.toThrow(NotFoundException);
+    });
+
+    it("should use email prefix as default name", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+      const createdUser = { id: "new-user-id", email: "jane.doe@example.com", name: "jane.doe" };
+      mockPrismaService.user.create.mockResolvedValue(createdUser);
+
+      await service.inviteUser({ email: "jane.doe@example.com" }, mockAdminId);
+
+      expect(mockPrismaService.user.create).toHaveBeenCalledWith(
+        expect.objectContaining({
+          data: expect.objectContaining({
+            name: "jane.doe",
+          }),
+        })
+      );
+    });
+
+    it("should use provided name when given", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+      const createdUser = { id: "new-user-id", email: "j@example.com", name: "Jane Doe" };
+      mockPrismaService.user.create.mockResolvedValue(createdUser);
+
+      await service.inviteUser({ email: "j@example.com", name: "Jane Doe" }, mockAdminId);
+
+      expect(mockPrismaService.user.create).toHaveBeenCalledWith(
+        expect.objectContaining({
+          data: expect.objectContaining({
+            name: "Jane Doe",
+          }),
+        })
+      );
+    });
+  });
+
+  describe("updateUser", () => {
+    it("should update user fields", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
+      mockPrismaService.user.update.mockResolvedValue({
+        ...mockUser,
+        name: "Updated Name",
+      });
+
+      const result = await service.updateUser(mockUserId, { name: "Updated Name" });
+
+      expect(result.name).toBe("Updated Name");
+      expect(mockPrismaService.user.update).toHaveBeenCalledWith(
+        expect.objectContaining({
+          where: { id: mockUserId },
+          data: { name: "Updated Name" },
+        })
+      );
+    });
+
+    it("should set deactivatedAt when provided", async () => {
+      const deactivatedAt = "2026-02-28T00:00:00.000Z";
+      mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
+      mockPrismaService.user.update.mockResolvedValue({
+        ...mockUser,
+        deactivatedAt: new Date(deactivatedAt),
+      });
+
+      const result = await service.updateUser(mockUserId, { deactivatedAt });
+
+      expect(result.deactivatedAt).toEqual(new Date(deactivatedAt));
+    });
+
+    it("should clear deactivatedAt when set to null", async () => {
+      const deactivatedUser = { ...mockUser, deactivatedAt: new Date() };
+      mockPrismaService.user.findUnique.mockResolvedValue(deactivatedUser);
+      mockPrismaService.user.update.mockResolvedValue({
+        ...deactivatedUser,
+        deactivatedAt: null,
+      });
+
+      const result = await service.updateUser(mockUserId, { deactivatedAt: null });
+
+      expect(result.deactivatedAt).toBeNull();
+    });
+
+    it("should throw NotFoundException if user does not exist", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+
+      await expect(service.updateUser("non-existent", { name: "Test" })).rejects.toThrow(
+        NotFoundException
+      );
+    });
+
+    it("should update emailVerified", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
+      mockPrismaService.user.update.mockResolvedValue({
+        ...mockUser,
+        emailVerified: true,
+      });
+
+      const result = await service.updateUser(mockUserId, { emailVerified: true });
+
+      expect(result.emailVerified).toBe(true);
+    });
+
+    it("should update preferences", async () => {
+      const prefs = { theme: "dark" };
+      mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
+      mockPrismaService.user.update.mockResolvedValue({
+        ...mockUser,
+        preferences: prefs,
+      });
+
+      await service.updateUser(mockUserId, { preferences: prefs });
+
+      expect(mockPrismaService.user.update).toHaveBeenCalledWith(
+        expect.objectContaining({
+          data: expect.objectContaining({ preferences: prefs }),
+        })
+      );
+    });
+  });
+
+  describe("deactivateUser", () => {
+    it("should set deactivatedAt on the user", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
+      mockPrismaService.user.update.mockResolvedValue({
+        ...mockUser,
+        deactivatedAt: new Date(),
+      });
+
+      const result = await service.deactivateUser(mockUserId);
+
+      expect(result.deactivatedAt).toBeDefined();
+      expect(mockPrismaService.user.update).toHaveBeenCalledWith(
+        expect.objectContaining({
+          where: { id: mockUserId },
+          data: { deactivatedAt: expect.any(Date) },
+        })
+      );
+    });
+
+    it("should throw NotFoundException if user does not exist", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+
+      await expect(service.deactivateUser("non-existent")).rejects.toThrow(NotFoundException);
+    });
+
+    it("should throw BadRequestException if user is already deactivated", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue({
+        ...mockUser,
+        deactivatedAt: new Date(),
+      });
+
+      await expect(service.deactivateUser(mockUserId)).rejects.toThrow(BadRequestException);
+    });
+  });
+
+  describe("createWorkspace", () => {
+    it("should create a workspace with owner membership", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
+      mockPrismaService.workspace.create.mockResolvedValue(mockWorkspace);
+
+      const result = await service.createWorkspace({
+        name: "New Workspace",
+        ownerId: mockAdminId,
+      });
+
+      expect(result.name).toBe("Test Workspace");
+      expect(result.memberCount).toBe(1);
+      expect(mockPrismaService.workspace.create).toHaveBeenCalled();
+      expect(mockPrismaService.workspaceMember.create).toHaveBeenCalledWith({
+        data: {
+          workspaceId: mockWorkspace.id,
+          userId: mockAdminId,
+          role: WorkspaceMemberRole.OWNER,
+        },
+      });
+    });
+
+    it("should throw NotFoundException if owner does not exist", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+
+      await expect(
+        service.createWorkspace({ name: "New Workspace", ownerId: "non-existent" })
+      ).rejects.toThrow(NotFoundException);
+    });
+
+    it("should pass settings when provided", async () => {
+      const settings = { theme: "dark", features: ["chat"] };
+      mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
+      mockPrismaService.workspace.create.mockResolvedValue({
+        ...mockWorkspace,
+        settings,
+      });
+
+      await service.createWorkspace({
+        name: "New Workspace",
+        ownerId: mockAdminId,
+        settings,
+      });
+
+      expect(mockPrismaService.workspace.create).toHaveBeenCalledWith(
+        expect.objectContaining({
+          data: expect.objectContaining({ settings }),
+        })
+      );
+    });
+  });
+
+  describe("updateWorkspace", () => {
+    it("should update workspace name", async () => {
+      mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
+      mockPrismaService.workspace.update.mockResolvedValue({
+        ...mockWorkspace,
+        name: "Updated Workspace",
+        _count: { members: 3 },
+      });
+
+      const result = await service.updateWorkspace(mockWorkspaceId, {
+        name: "Updated Workspace",
+      });
+
+      expect(result.name).toBe("Updated Workspace");
+      expect(result.memberCount).toBe(3);
+    });
+
+    it("should update workspace settings", async () => {
+      const newSettings = { notifications: true };
+      mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
+      mockPrismaService.workspace.update.mockResolvedValue({
+        ...mockWorkspace,
+        settings: newSettings,
+        _count: { members: 1 },
+      });
+
+      const result = await service.updateWorkspace(mockWorkspaceId, {
+        settings: newSettings,
+      });
+
+      expect(result.settings).toEqual(newSettings);
+    });
+
+    it("should throw NotFoundException if workspace does not exist", async () => {
+      mockPrismaService.workspace.findUnique.mockResolvedValue(null);
+
+      await expect(service.updateWorkspace("non-existent", { name: "Test" })).rejects.toThrow(
+        NotFoundException
+      );
+    });
+
+    it("should only update provided fields", async () => {
+      mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
+      mockPrismaService.workspace.update.mockResolvedValue({
+        ...mockWorkspace,
+        _count: { members: 1 },
+      });
+
+      await service.updateWorkspace(mockWorkspaceId, { name: "Only Name" });
+
+      expect(mockPrismaService.workspace.update).toHaveBeenCalledWith(
+        expect.objectContaining({
+          data: { name: "Only Name" },
+        })
+      );
+    });
+  });
+});

apps/api/src/admin/admin.service.ts

@@ -0,0 +1,306 @@
+import {
+  BadRequestException,
+  ConflictException,
+  Injectable,
+  Logger,
+  NotFoundException,
+} from "@nestjs/common";
+import { Prisma, WorkspaceMemberRole } from "@prisma/client";
+import { randomUUID } from "node:crypto";
+import { PrismaService } from "../prisma/prisma.service";
+import type { InviteUserDto } from "./dto/invite-user.dto";
+import type { UpdateUserDto } from "./dto/update-user.dto";
+import type { CreateWorkspaceDto } from "./dto/create-workspace.dto";
+import type {
+  AdminUserResponse,
+  AdminWorkspaceResponse,
+  InvitationResponse,
+  PaginatedResponse,
+} from "./types/admin.types";
+
+@Injectable()
+export class AdminService {
+  private readonly logger = new Logger(AdminService.name);
+
+  constructor(private readonly prisma: PrismaService) {}
+
+  async listUsers(page = 1, limit = 50): Promise<PaginatedResponse<AdminUserResponse>> {
+    const skip = (page - 1) * limit;
+
+    const [users, total] = await Promise.all([
+      this.prisma.user.findMany({
+        include: {
+          workspaceMemberships: {
+            include: {
+              workspace: { select: { id: true, name: true } },
+            },
+          },
+        },
+        orderBy: { createdAt: "desc" },
+        skip,
+        take: limit,
+      }),
+      this.prisma.user.count(),
+    ]);
+
+    return {
+      data: users.map((user) => ({
+        id: user.id,
+        name: user.name,
+        email: user.email,
+        emailVerified: user.emailVerified,
+        image: user.image,
+        createdAt: user.createdAt,
+        deactivatedAt: user.deactivatedAt,
+        isLocalAuth: user.isLocalAuth,
+        invitedAt: user.invitedAt,
+        invitedBy: user.invitedBy,
+        workspaceMemberships: user.workspaceMemberships.map((m) => ({
+          workspaceId: m.workspaceId,
+          workspaceName: m.workspace.name,
+          role: m.role,
+          joinedAt: m.joinedAt,
+        })),
+      })),
+      meta: {
+        total,
+        page,
+        limit,
+        totalPages: Math.ceil(total / limit),
+      },
+    };
+  }
+
+  async inviteUser(dto: InviteUserDto, inviterId: string): Promise<InvitationResponse> {
+    const existing = await this.prisma.user.findUnique({
+      where: { email: dto.email },
+    });
+
+    if (existing) {
+      throw new ConflictException(`User with email ${dto.email} already exists`);
+    }
+
+    if (dto.workspaceId) {
+      const workspace = await this.prisma.workspace.findUnique({
+        where: { id: dto.workspaceId },
+      });
+      if (!workspace) {
+        throw new NotFoundException(`Workspace ${dto.workspaceId} not found`);
+      }
+    }
+
+    const invitationToken = randomUUID();
+    const now = new Date();
+
+    const user = await this.prisma.$transaction(async (tx) => {
+      const created = await tx.user.create({
+        data: {
+          email: dto.email,
+          name: dto.name ?? dto.email.split("@")[0] ?? dto.email,
+          emailVerified: false,
+          invitedBy: inviterId,
+          invitationToken,
+          invitedAt: now,
+        },
+      });
+
+      if (dto.workspaceId) {
+        await tx.workspaceMember.create({
+          data: {
+            workspaceId: dto.workspaceId,
+            userId: created.id,
+            role: dto.role ?? WorkspaceMemberRole.MEMBER,
+          },
+        });
+      }
+
+      return created;
+    });
+
+    this.logger.log(`User invited: ${user.email} by ${inviterId}`);
+
+    return {
+      userId: user.id,
+      invitationToken,
+      email: user.email,
+      invitedAt: now,
+    };
+  }
+
+  async updateUser(id: string, dto: UpdateUserDto): Promise<AdminUserResponse> {
+    const existing = await this.prisma.user.findUnique({ where: { id } });
+    if (!existing) {
+      throw new NotFoundException(`User ${id} not found`);
+    }
+
+    const data: Prisma.UserUpdateInput = {};
+
+    if (dto.name !== undefined) {
+      data.name = dto.name;
+    }
+    if (dto.emailVerified !== undefined) {
+      data.emailVerified = dto.emailVerified;
+    }
+    if (dto.preferences !== undefined) {
+      data.preferences = dto.preferences as Prisma.InputJsonValue;
+    }
+    if (dto.deactivatedAt !== undefined) {
+      data.deactivatedAt = dto.deactivatedAt ? new Date(dto.deactivatedAt) : null;
+    }
+
+    const user = await this.prisma.user.update({
+      where: { id },
+      data,
+      include: {
+        workspaceMemberships: {
+          include: {
+            workspace: { select: { id: true, name: true } },
+          },
+        },
+      },
+    });
+
+    this.logger.log(`User updated: ${id}`);
+
+    return {
+      id: user.id,
+      name: user.name,
+      email: user.email,
+      emailVerified: user.emailVerified,
+      image: user.image,
+      createdAt: user.createdAt,
+      deactivatedAt: user.deactivatedAt,
+      isLocalAuth: user.isLocalAuth,
+      invitedAt: user.invitedAt,
+      invitedBy: user.invitedBy,
+      workspaceMemberships: user.workspaceMemberships.map((m) => ({
+        workspaceId: m.workspaceId,
+        workspaceName: m.workspace.name,
+        role: m.role,
+        joinedAt: m.joinedAt,
+      })),
+    };
+  }
+
+  async deactivateUser(id: string): Promise<AdminUserResponse> {
+    const existing = await this.prisma.user.findUnique({ where: { id } });
+    if (!existing) {
+      throw new NotFoundException(`User ${id} not found`);
+    }
+
+    if (existing.deactivatedAt) {
+      throw new BadRequestException(`User ${id} is already deactivated`);
+    }
+
+    const user = await this.prisma.user.update({
+      where: { id },
+      data: { deactivatedAt: new Date() },
+      include: {
+        workspaceMemberships: {
+          include: {
+            workspace: { select: { id: true, name: true } },
+          },
+        },
+      },
+    });
+
+    this.logger.log(`User deactivated: ${id}`);
+
+    return {
+      id: user.id,
+      name: user.name,
+      email: user.email,
+      emailVerified: user.emailVerified,
+      image: user.image,
+      createdAt: user.createdAt,
+      deactivatedAt: user.deactivatedAt,
+      isLocalAuth: user.isLocalAuth,
+      invitedAt: user.invitedAt,
+      invitedBy: user.invitedBy,
+      workspaceMemberships: user.workspaceMemberships.map((m) => ({
+        workspaceId: m.workspaceId,
+        workspaceName: m.workspace.name,
+        role: m.role,
+        joinedAt: m.joinedAt,
+      })),
+    };
+  }
+
+  async createWorkspace(dto: CreateWorkspaceDto): Promise<AdminWorkspaceResponse> {
+    const owner = await this.prisma.user.findUnique({ where: { id: dto.ownerId } });
+    if (!owner) {
+      throw new NotFoundException(`User ${dto.ownerId} not found`);
+    }
+
+    const workspace = await this.prisma.$transaction(async (tx) => {
+      const created = await tx.workspace.create({
+        data: {
+          name: dto.name,
+          ownerId: dto.ownerId,
+          settings: dto.settings ? (dto.settings as Prisma.InputJsonValue) : {},
+        },
+      });
+
+      await tx.workspaceMember.create({
+        data: {
+          workspaceId: created.id,
+          userId: dto.ownerId,
+          role: WorkspaceMemberRole.OWNER,
+        },
+      });
+
+      return created;
+    });
+
+    this.logger.log(`Workspace created: ${workspace.id} with owner ${dto.ownerId}`);
+
+    return {
+      id: workspace.id,
+      name: workspace.name,
+      ownerId: workspace.ownerId,
+      settings: workspace.settings as Record<string, unknown>,
+      createdAt: workspace.createdAt,
+      updatedAt: workspace.updatedAt,
+      memberCount: 1,
+    };
+  }
+
+  async updateWorkspace(
+    id: string,
+    dto: { name?: string; settings?: Record<string, unknown> }
+  ): Promise<AdminWorkspaceResponse> {
+    const existing = await this.prisma.workspace.findUnique({ where: { id } });
+    if (!existing) {
+      throw new NotFoundException(`Workspace ${id} not found`);
+    }
+
+    const data: Prisma.WorkspaceUpdateInput = {};
+
+    if (dto.name !== undefined) {
+      data.name = dto.name;
+    }
+    if (dto.settings !== undefined) {
+      data.settings = dto.settings as Prisma.InputJsonValue;
+    }
+
+    const workspace = await this.prisma.workspace.update({
+      where: { id },
+      data,
+      include: {
+        _count: { select: { members: true } },
+      },
+    });
+
+    this.logger.log(`Workspace updated: ${id}`);
+
+    return {
+      id: workspace.id,
+      name: workspace.name,
+      ownerId: workspace.ownerId,
+      settings: workspace.settings as Record<string, unknown>,
+      createdAt: workspace.createdAt,
+      updatedAt: workspace.updatedAt,
+      memberCount: workspace._count.members,
+    };
+  }
+}

apps/api/src/admin/dto/create-workspace.dto.ts

@@ -0,0 +1,15 @@
+import { IsObject, IsOptional, IsString, IsUUID, MaxLength, MinLength } from "class-validator";
+
+export class CreateWorkspaceDto {
+  @IsString({ message: "name must be a string" })
+  @MinLength(1, { message: "name must not be empty" })
+  @MaxLength(255, { message: "name must not exceed 255 characters" })
+  name!: string;
+
+  @IsUUID("4", { message: "ownerId must be a valid UUID" })
+  ownerId!: string;
+
+  @IsOptional()
+  @IsObject({ message: "settings must be an object" })
+  settings?: Record<string, unknown>;
+}

apps/api/src/admin/dto/invite-user.dto.ts

@@ -0,0 +1,20 @@
+import { WorkspaceMemberRole } from "@prisma/client";
+import { IsEmail, IsEnum, IsOptional, IsString, IsUUID, MaxLength } from "class-validator";
+
+export class InviteUserDto {
+  @IsEmail({}, { message: "email must be a valid email address" })
+  email!: string;
+
+  @IsOptional()
+  @IsString({ message: "name must be a string" })
+  @MaxLength(255, { message: "name must not exceed 255 characters" })
+  name?: string;
+
+  @IsOptional()
+  @IsUUID("4", { message: "workspaceId must be a valid UUID" })
+  workspaceId?: string;
+
+  @IsOptional()
+  @IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
+  role?: WorkspaceMemberRole;
+}

apps/api/src/admin/dto/manage-member.dto.ts

@@ -0,0 +1,15 @@
+import { WorkspaceMemberRole } from "@prisma/client";
+import { IsEnum, IsUUID } from "class-validator";
+
+export class AddMemberDto {
+  @IsUUID("4", { message: "userId must be a valid UUID" })
+  userId!: string;
+
+  @IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
+  role!: WorkspaceMemberRole;
+}
+
+export class UpdateMemberRoleDto {
+  @IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
+  role!: WorkspaceMemberRole;
+}

apps/api/src/admin/dto/query-users.dto.ts

@@ -0,0 +1,17 @@
+import { IsInt, IsOptional, Max, Min } from "class-validator";
+import { Type } from "class-transformer";
+
+export class QueryUsersDto {
+  @IsOptional()
+  @Type(() => Number)
+  @IsInt({ message: "page must be an integer" })
+  @Min(1, { message: "page must be at least 1" })
+  page?: number;
+
+  @IsOptional()
+  @Type(() => Number)
+  @IsInt({ message: "limit must be an integer" })
+  @Min(1, { message: "limit must be at least 1" })
+  @Max(100, { message: "limit must not exceed 100" })
+  limit?: number;
+}

apps/api/src/admin/dto/update-user.dto.ts

@@ -0,0 +1,27 @@
+import {
+  IsBoolean,
+  IsDateString,
+  IsObject,
+  IsOptional,
+  IsString,
+  MaxLength,
+} from "class-validator";
+
+export class UpdateUserDto {
+  @IsOptional()
+  @IsString({ message: "name must be a string" })
+  @MaxLength(255, { message: "name must not exceed 255 characters" })
+  name?: string;
+
+  @IsOptional()
+  @IsDateString({}, { message: "deactivatedAt must be a valid ISO 8601 date string" })
+  deactivatedAt?: string | null;
+
+  @IsOptional()
+  @IsBoolean({ message: "emailVerified must be a boolean" })
+  emailVerified?: boolean;
+
+  @IsOptional()
+  @IsObject({ message: "preferences must be an object" })
+  preferences?: Record<string, unknown>;
+}

apps/api/src/admin/dto/update-workspace.dto.ts

@@ -0,0 +1,13 @@
+import { IsObject, IsOptional, IsString, MaxLength, MinLength } from "class-validator";
+
+export class UpdateWorkspaceDto {
+  @IsOptional()
+  @IsString({ message: "name must be a string" })
+  @MinLength(1, { message: "name must not be empty" })
+  @MaxLength(255, { message: "name must not exceed 255 characters" })
+  name?: string;
+
+  @IsOptional()
+  @IsObject({ message: "settings must be an object" })
+  settings?: Record<string, unknown>;
+}

apps/api/src/admin/types/admin.types.ts

@@ -0,0 +1,49 @@
+import type { WorkspaceMemberRole } from "@prisma/client";
+
+export interface AdminUserResponse {
+  id: string;
+  name: string;
+  email: string;
+  emailVerified: boolean;
+  image: string | null;
+  createdAt: Date;
+  deactivatedAt: Date | null;
+  isLocalAuth: boolean;
+  invitedAt: Date | null;
+  invitedBy: string | null;
+  workspaceMemberships: WorkspaceMembershipResponse[];
+}
+
+export interface WorkspaceMembershipResponse {
+  workspaceId: string;
+  workspaceName: string;
+  role: WorkspaceMemberRole;
+  joinedAt: Date;
+}
+
+export interface PaginatedResponse<T> {
+  data: T[];
+  meta: {
+    total: number;
+    page: number;
+    limit: number;
+    totalPages: number;
+  };
+}
+
+export interface InvitationResponse {
+  userId: string;
+  invitationToken: string;
+  email: string;
+  invitedAt: Date;
+}
+
+export interface AdminWorkspaceResponse {
+  id: string;
+  name: string;
+  ownerId: string;
+  settings: Record<string, unknown>;
+  createdAt: Date;
+  updatedAt: Date;
+  memberCount: number;
+}

apps/api/src/app.module.ts

@@ -42,6 +42,9 @@ import { SpeechModule } from "./speech/speech.module";
 import { DashboardModule } from "./dashboard/dashboard.module";
 import { TerminalModule } from "./terminal/terminal.module";
 import { PersonalitiesModule } from "./personalities/personalities.module";
+import { WorkspacesModule } from "./workspaces/workspaces.module";
+import { AdminModule } from "./admin/admin.module";
+import { TeamsModule } from "./teams/teams.module";
 import { RlsContextInterceptor } from "./common/interceptors/rls-context.interceptor";
 
 @Module({
@@ -107,6 +110,9 @@ import { RlsContextInterceptor } from "./common/interceptors/rls-context.interce
     DashboardModule,
     TerminalModule,
     PersonalitiesModule,
+    WorkspacesModule,
+    AdminModule,
+    TeamsModule,
   ],
   controllers: [AppController, CsrfController],
   providers: [

apps/api/src/auth/auth.controller.spec.ts

@@ -361,16 +361,13 @@ describe("AuthController", () => {
   });
 
   describe("getProfile", () => {
-    it("should return complete user profile with workspace fields", () => {
+    it("should return complete user profile with identity fields", () => {
       const mockUser: AuthUser = {
         id: "user-123",
         email: "test@example.com",
         name: "Test User",
         image: "https://example.com/avatar.jpg",
         emailVerified: true,
-        workspaceId: "workspace-123",
-        currentWorkspaceId: "workspace-456",
-        workspaceRole: "admin",
       };
 
       const result = controller.getProfile(mockUser);
@@ -381,13 +378,10 @@ describe("AuthController", () => {
         name: mockUser.name,
         image: mockUser.image,
         emailVerified: mockUser.emailVerified,
-        workspaceId: mockUser.workspaceId,
-        currentWorkspaceId: mockUser.currentWorkspaceId,
-        workspaceRole: mockUser.workspaceRole,
       });
     });
 
-    it("should return user profile with optional fields undefined", () => {
+    it("should return user profile with only required fields", () => {
       const mockUser: AuthUser = {
         id: "user-123",
         email: "test@example.com",
@@ -400,12 +394,11 @@ describe("AuthController", () => {
         id: mockUser.id,
         email: mockUser.email,
         name: mockUser.name,
-        image: undefined,
-        emailVerified: undefined,
-        workspaceId: undefined,
-        currentWorkspaceId: undefined,
-        workspaceRole: undefined,
       });
+      // Workspace fields are not included — served by GET /api/workspaces
+      expect(result).not.toHaveProperty("workspaceId");
+      expect(result).not.toHaveProperty("currentWorkspaceId");
+      expect(result).not.toHaveProperty("workspaceRole");
     });
   });
 

apps/api/src/auth/auth.controller.ts

@@ -72,15 +72,10 @@ export class AuthController {
     if (user.emailVerified !== undefined) {
       profile.emailVerified = user.emailVerified;
     }
-    if (user.workspaceId !== undefined) {
-      profile.workspaceId = user.workspaceId;
-    }
-    if (user.currentWorkspaceId !== undefined) {
-      profile.currentWorkspaceId = user.currentWorkspaceId;
-    }
-    if (user.workspaceRole !== undefined) {
-      profile.workspaceRole = user.workspaceRole;
-    }
+
+    // Workspace context is served by GET /api/workspaces, not the auth profile.
+    // The deprecated workspaceId/currentWorkspaceId/workspaceRole fields on
+    // AuthUser are never populated by BetterAuth and are omitted here.
 
     return profile;
   }

apps/api/src/auth/auth.module.ts

@@ -3,11 +3,14 @@ import { PrismaModule } from "../prisma/prisma.module";
 import { AuthService } from "./auth.service";
 import { AuthController } from "./auth.controller";
 import { AuthGuard } from "./guards/auth.guard";
+import { LocalAuthController } from "./local/local-auth.controller";
+import { LocalAuthService } from "./local/local-auth.service";
+import { LocalAuthEnabledGuard } from "./local/local-auth.guard";
 
 @Module({
   imports: [PrismaModule],
-  controllers: [AuthController],
-  providers: [AuthService, AuthGuard],
+  controllers: [AuthController, LocalAuthController],
+  providers: [AuthService, AuthGuard, LocalAuthService, LocalAuthEnabledGuard],
   exports: [AuthService, AuthGuard],
 })
 export class AuthModule {}

apps/api/src/auth/local/dto/local-login.dto.ts

@@ -0,0 +1,10 @@
+import { IsEmail, IsString, MinLength } from "class-validator";
+
+export class LocalLoginDto {
+  @IsEmail({}, { message: "email must be a valid email address" })
+  email!: string;
+
+  @IsString({ message: "password must be a string" })
+  @MinLength(1, { message: "password must not be empty" })
+  password!: string;
+}

apps/api/src/auth/local/dto/local-setup.dto.ts

@@ -0,0 +1,20 @@
+import { IsEmail, IsString, MinLength, MaxLength } from "class-validator";
+
+export class LocalSetupDto {
+  @IsEmail({}, { message: "email must be a valid email address" })
+  email!: string;
+
+  @IsString({ message: "name must be a string" })
+  @MinLength(1, { message: "name must not be empty" })
+  @MaxLength(255, { message: "name must not exceed 255 characters" })
+  name!: string;
+
+  @IsString({ message: "password must be a string" })
+  @MinLength(12, { message: "password must be at least 12 characters" })
+  @MaxLength(128, { message: "password must not exceed 128 characters" })
+  password!: string;
+
+  @IsString({ message: "setupToken must be a string" })
+  @MinLength(1, { message: "setupToken must not be empty" })
+  setupToken!: string;
+}

apps/api/src/auth/local/local-auth.controller.spec.ts

@@ -0,0 +1,232 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import {
+  NotFoundException,
+  ForbiddenException,
+  UnauthorizedException,
+  ConflictException,
+} from "@nestjs/common";
+import { LocalAuthController } from "./local-auth.controller";
+import { LocalAuthService } from "./local-auth.service";
+import { LocalAuthEnabledGuard } from "./local-auth.guard";
+
+describe("LocalAuthController", () => {
+  let controller: LocalAuthController;
+  let localAuthService: LocalAuthService;
+
+  const mockLocalAuthService = {
+    setup: vi.fn(),
+    login: vi.fn(),
+  };
+
+  const mockRequest = {
+    headers: { "user-agent": "TestAgent/1.0" },
+    ip: "127.0.0.1",
+    socket: { remoteAddress: "127.0.0.1" },
+  };
+
+  const originalEnv = {
+    ENABLE_LOCAL_AUTH: process.env.ENABLE_LOCAL_AUTH,
+  };
+
+  beforeEach(async () => {
+    process.env.ENABLE_LOCAL_AUTH = "true";
+
+    const module: TestingModule = await Test.createTestingModule({
+      controllers: [LocalAuthController],
+      providers: [
+        {
+          provide: LocalAuthService,
+          useValue: mockLocalAuthService,
+        },
+      ],
+    })
+      .overrideGuard(LocalAuthEnabledGuard)
+      .useValue({ canActivate: () => true })
+      .compile();
+
+    controller = module.get<LocalAuthController>(LocalAuthController);
+    localAuthService = module.get<LocalAuthService>(LocalAuthService);
+
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    if (originalEnv.ENABLE_LOCAL_AUTH !== undefined) {
+      process.env.ENABLE_LOCAL_AUTH = originalEnv.ENABLE_LOCAL_AUTH;
+    } else {
+      delete process.env.ENABLE_LOCAL_AUTH;
+    }
+  });
+
+  describe("setup", () => {
+    const setupDto = {
+      email: "admin@example.com",
+      name: "Break Glass Admin",
+      password: "securePassword123!",
+      setupToken: "valid-token-123",
+    };
+
+    const mockSetupResult = {
+      user: {
+        id: "user-uuid-123",
+        email: "admin@example.com",
+        name: "Break Glass Admin",
+        isLocalAuth: true,
+        createdAt: new Date("2026-02-28T00:00:00Z"),
+      },
+      session: {
+        token: "session-token-abc",
+        expiresAt: new Date("2026-03-07T00:00:00Z"),
+      },
+    };
+
+    it("should create a break-glass user and return user data with session", async () => {
+      mockLocalAuthService.setup.mockResolvedValue(mockSetupResult);
+
+      const result = await controller.setup(setupDto, mockRequest as never);
+
+      expect(result).toEqual({
+        user: mockSetupResult.user,
+        session: mockSetupResult.session,
+      });
+      expect(mockLocalAuthService.setup).toHaveBeenCalledWith(
+        "admin@example.com",
+        "Break Glass Admin",
+        "securePassword123!",
+        "valid-token-123",
+        "127.0.0.1",
+        "TestAgent/1.0"
+      );
+    });
+
+    it("should extract client IP from x-forwarded-for header", async () => {
+      mockLocalAuthService.setup.mockResolvedValue(mockSetupResult);
+      const reqWithProxy = {
+        ...mockRequest,
+        headers: {
+          ...mockRequest.headers,
+          "x-forwarded-for": "203.0.113.50, 70.41.3.18",
+        },
+      };
+
+      await controller.setup(setupDto, reqWithProxy as never);
+
+      expect(mockLocalAuthService.setup).toHaveBeenCalledWith(
+        expect.any(String) as string,
+        expect.any(String) as string,
+        expect.any(String) as string,
+        expect.any(String) as string,
+        "203.0.113.50",
+        "TestAgent/1.0"
+      );
+    });
+
+    it("should propagate ForbiddenException from service", async () => {
+      mockLocalAuthService.setup.mockRejectedValue(new ForbiddenException("Invalid setup token"));
+
+      await expect(controller.setup(setupDto, mockRequest as never)).rejects.toThrow(
+        ForbiddenException
+      );
+    });
+
+    it("should propagate ConflictException from service", async () => {
+      mockLocalAuthService.setup.mockRejectedValue(
+        new ConflictException("A user with this email already exists")
+      );
+
+      await expect(controller.setup(setupDto, mockRequest as never)).rejects.toThrow(
+        ConflictException
+      );
+    });
+  });
+
+  describe("login", () => {
+    const loginDto = {
+      email: "admin@example.com",
+      password: "securePassword123!",
+    };
+
+    const mockLoginResult = {
+      user: {
+        id: "user-uuid-123",
+        email: "admin@example.com",
+        name: "Break Glass Admin",
+      },
+      session: {
+        token: "session-token-abc",
+        expiresAt: new Date("2026-03-07T00:00:00Z"),
+      },
+    };
+
+    it("should authenticate and return user data with session", async () => {
+      mockLocalAuthService.login.mockResolvedValue(mockLoginResult);
+
+      const result = await controller.login(loginDto, mockRequest as never);
+
+      expect(result).toEqual({
+        user: mockLoginResult.user,
+        session: mockLoginResult.session,
+      });
+      expect(mockLocalAuthService.login).toHaveBeenCalledWith(
+        "admin@example.com",
+        "securePassword123!",
+        "127.0.0.1",
+        "TestAgent/1.0"
+      );
+    });
+
+    it("should propagate UnauthorizedException from service", async () => {
+      mockLocalAuthService.login.mockRejectedValue(
+        new UnauthorizedException("Invalid email or password")
+      );
+
+      await expect(controller.login(loginDto, mockRequest as never)).rejects.toThrow(
+        UnauthorizedException
+      );
+    });
+  });
+});
+
+describe("LocalAuthEnabledGuard", () => {
+  let guard: LocalAuthEnabledGuard;
+
+  const originalEnv = process.env.ENABLE_LOCAL_AUTH;
+
+  beforeEach(() => {
+    guard = new LocalAuthEnabledGuard();
+  });
+
+  afterEach(() => {
+    if (originalEnv !== undefined) {
+      process.env.ENABLE_LOCAL_AUTH = originalEnv;
+    } else {
+      delete process.env.ENABLE_LOCAL_AUTH;
+    }
+  });
+
+  it("should allow access when ENABLE_LOCAL_AUTH is true", () => {
+    process.env.ENABLE_LOCAL_AUTH = "true";
+
+    expect(guard.canActivate()).toBe(true);
+  });
+
+  it("should throw NotFoundException when ENABLE_LOCAL_AUTH is not set", () => {
+    delete process.env.ENABLE_LOCAL_AUTH;
+
+    expect(() => guard.canActivate()).toThrow(NotFoundException);
+  });
+
+  it("should throw NotFoundException when ENABLE_LOCAL_AUTH is false", () => {
+    process.env.ENABLE_LOCAL_AUTH = "false";
+
+    expect(() => guard.canActivate()).toThrow(NotFoundException);
+  });
+
+  it("should throw NotFoundException when ENABLE_LOCAL_AUTH is empty", () => {
+    process.env.ENABLE_LOCAL_AUTH = "";
+
+    expect(() => guard.canActivate()).toThrow(NotFoundException);
+  });
+});

apps/api/src/auth/local/local-auth.controller.ts

@@ -0,0 +1,81 @@
+import {
+  Controller,
+  Post,
+  Body,
+  UseGuards,
+  Req,
+  Logger,
+  HttpCode,
+  HttpStatus,
+} from "@nestjs/common";
+import { Throttle } from "@nestjs/throttler";
+import type { Request as ExpressRequest } from "express";
+import { SkipCsrf } from "../../common/decorators/skip-csrf.decorator";
+import { LocalAuthService } from "./local-auth.service";
+import { LocalAuthEnabledGuard } from "./local-auth.guard";
+import { LocalLoginDto } from "./dto/local-login.dto";
+import { LocalSetupDto } from "./dto/local-setup.dto";
+
+@Controller("auth/local")
+@UseGuards(LocalAuthEnabledGuard)
+export class LocalAuthController {
+  private readonly logger = new Logger(LocalAuthController.name);
+
+  constructor(private readonly localAuthService: LocalAuthService) {}
+
+  /**
+   * First-time break-glass user creation.
+   * Requires BREAKGLASS_SETUP_TOKEN from environment.
+   */
+  @Post("setup")
+  @SkipCsrf()
+  @Throttle({ strict: { limit: 5, ttl: 60000 } })
+  async setup(@Body() dto: LocalSetupDto, @Req() req: ExpressRequest) {
+    const ipAddress = this.getClientIp(req);
+    const userAgent = req.headers["user-agent"];
+
+    this.logger.log(`Break-glass setup attempt from ${ipAddress}`);
+
+    const result = await this.localAuthService.setup(
+      dto.email,
+      dto.name,
+      dto.password,
+      dto.setupToken,
+      ipAddress,
+      userAgent
+    );
+
+    return {
+      user: result.user,
+      session: result.session,
+    };
+  }
+
+  /**
+   * Break-glass login with email + password.
+   */
+  @Post("login")
+  @SkipCsrf()
+  @HttpCode(HttpStatus.OK)
+  @Throttle({ strict: { limit: 10, ttl: 60000 } })
+  async login(@Body() dto: LocalLoginDto, @Req() req: ExpressRequest) {
+    const ipAddress = this.getClientIp(req);
+    const userAgent = req.headers["user-agent"];
+
+    const result = await this.localAuthService.login(dto.email, dto.password, ipAddress, userAgent);
+
+    return {
+      user: result.user,
+      session: result.session,
+    };
+  }
+
+  private getClientIp(req: ExpressRequest): string {
+    const forwardedFor = req.headers["x-forwarded-for"];
+    if (forwardedFor) {
+      const ips = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor;
+      return ips?.split(",")[0]?.trim() ?? "unknown";
+    }
+    return req.ip ?? req.socket.remoteAddress ?? "unknown";
+  }
+}

apps/api/src/auth/local/local-auth.guard.ts

@@ -0,0 +1,15 @@
+import { Injectable, CanActivate, NotFoundException } from "@nestjs/common";
+
+/**
+ * Guard that checks if local authentication is enabled via ENABLE_LOCAL_AUTH env var.
+ * Returns 404 when disabled so endpoints are invisible to callers.
+ */
+@Injectable()
+export class LocalAuthEnabledGuard implements CanActivate {
+  canActivate(): boolean {
+    if (process.env.ENABLE_LOCAL_AUTH !== "true") {
+      throw new NotFoundException();
+    }
+    return true;
+  }
+}

apps/api/src/auth/local/local-auth.service.spec.ts

@@ -0,0 +1,389 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import {
+  ConflictException,
+  ForbiddenException,
+  InternalServerErrorException,
+  UnauthorizedException,
+} from "@nestjs/common";
+import { hash } from "bcryptjs";
+import { LocalAuthService } from "./local-auth.service";
+import { PrismaService } from "../../prisma/prisma.service";
+
+describe("LocalAuthService", () => {
+  let service: LocalAuthService;
+
+  const mockTxSession = {
+    create: vi.fn(),
+  };
+
+  const mockTxWorkspace = {
+    findFirst: vi.fn(),
+    create: vi.fn(),
+  };
+
+  const mockTxWorkspaceMember = {
+    create: vi.fn(),
+  };
+
+  const mockTxUser = {
+    create: vi.fn(),
+    findUnique: vi.fn(),
+  };
+
+  const mockTx = {
+    user: mockTxUser,
+    workspace: mockTxWorkspace,
+    workspaceMember: mockTxWorkspaceMember,
+    session: mockTxSession,
+  };
+
+  const mockPrismaService = {
+    user: {
+      findUnique: vi.fn(),
+    },
+    session: {
+      create: vi.fn(),
+    },
+    $transaction: vi
+      .fn()
+      .mockImplementation((fn: (tx: typeof mockTx) => Promise<unknown>) => fn(mockTx)),
+  };
+
+  const originalEnv = {
+    BREAKGLASS_SETUP_TOKEN: process.env.BREAKGLASS_SETUP_TOKEN,
+  };
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        LocalAuthService,
+        {
+          provide: PrismaService,
+          useValue: mockPrismaService,
+        },
+      ],
+    }).compile();
+
+    service = module.get<LocalAuthService>(LocalAuthService);
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    if (originalEnv.BREAKGLASS_SETUP_TOKEN !== undefined) {
+      process.env.BREAKGLASS_SETUP_TOKEN = originalEnv.BREAKGLASS_SETUP_TOKEN;
+    } else {
+      delete process.env.BREAKGLASS_SETUP_TOKEN;
+    }
+  });
+
+  describe("setup", () => {
+    const validSetupArgs = {
+      email: "admin@example.com",
+      name: "Break Glass Admin",
+      password: "securePassword123!",
+      setupToken: "valid-token-123",
+    };
+
+    const mockCreatedUser = {
+      id: "user-uuid-123",
+      email: "admin@example.com",
+      name: "Break Glass Admin",
+      isLocalAuth: true,
+      createdAt: new Date("2026-02-28T00:00:00Z"),
+    };
+
+    const mockWorkspace = {
+      id: "workspace-uuid-123",
+    };
+
+    beforeEach(() => {
+      process.env.BREAKGLASS_SETUP_TOKEN = "valid-token-123";
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+      mockTxUser.create.mockResolvedValue(mockCreatedUser);
+      mockTxWorkspace.findFirst.mockResolvedValue(mockWorkspace);
+      mockTxWorkspaceMember.create.mockResolvedValue({});
+      mockTxSession.create.mockResolvedValue({});
+    });
+
+    it("should create a local auth user with hashed password", async () => {
+      const result = await service.setup(
+        validSetupArgs.email,
+        validSetupArgs.name,
+        validSetupArgs.password,
+        validSetupArgs.setupToken
+      );
+
+      expect(result.user).toEqual(mockCreatedUser);
+      expect(result.session.token).toBeDefined();
+      expect(result.session.token.length).toBeGreaterThan(0);
+      expect(result.session.expiresAt).toBeInstanceOf(Date);
+      expect(result.session.expiresAt.getTime()).toBeGreaterThan(Date.now());
+
+      expect(mockTxUser.create).toHaveBeenCalledWith({
+        data: expect.objectContaining({
+          email: "admin@example.com",
+          name: "Break Glass Admin",
+          isLocalAuth: true,
+          emailVerified: true,
+          passwordHash: expect.any(String) as string,
+        }),
+        select: {
+          id: true,
+          email: true,
+          name: true,
+          isLocalAuth: true,
+          createdAt: true,
+        },
+      });
+    });
+
+    it("should assign OWNER role on default workspace", async () => {
+      await service.setup(
+        validSetupArgs.email,
+        validSetupArgs.name,
+        validSetupArgs.password,
+        validSetupArgs.setupToken
+      );
+
+      expect(mockTxWorkspaceMember.create).toHaveBeenCalledWith({
+        data: {
+          workspaceId: "workspace-uuid-123",
+          userId: "user-uuid-123",
+          role: "OWNER",
+        },
+      });
+    });
+
+    it("should create a new workspace if none exists", async () => {
+      mockTxWorkspace.findFirst.mockResolvedValue(null);
+      mockTxWorkspace.create.mockResolvedValue({ id: "new-workspace-uuid" });
+
+      await service.setup(
+        validSetupArgs.email,
+        validSetupArgs.name,
+        validSetupArgs.password,
+        validSetupArgs.setupToken
+      );
+
+      expect(mockTxWorkspace.create).toHaveBeenCalledWith({
+        data: {
+          name: "Default Workspace",
+          ownerId: "user-uuid-123",
+          settings: {},
+        },
+        select: { id: true },
+      });
+      expect(mockTxWorkspaceMember.create).toHaveBeenCalledWith({
+        data: {
+          workspaceId: "new-workspace-uuid",
+          userId: "user-uuid-123",
+          role: "OWNER",
+        },
+      });
+    });
+
+    it("should create a BetterAuth-compatible session", async () => {
+      await service.setup(
+        validSetupArgs.email,
+        validSetupArgs.name,
+        validSetupArgs.password,
+        validSetupArgs.setupToken,
+        "192.168.1.1",
+        "TestAgent/1.0"
+      );
+
+      expect(mockTxSession.create).toHaveBeenCalledWith({
+        data: {
+          userId: "user-uuid-123",
+          token: expect.any(String) as string,
+          expiresAt: expect.any(Date) as Date,
+          ipAddress: "192.168.1.1",
+          userAgent: "TestAgent/1.0",
+        },
+      });
+    });
+
+    it("should reject when BREAKGLASS_SETUP_TOKEN is not set", async () => {
+      delete process.env.BREAKGLASS_SETUP_TOKEN;
+
+      await expect(
+        service.setup(
+          validSetupArgs.email,
+          validSetupArgs.name,
+          validSetupArgs.password,
+          validSetupArgs.setupToken
+        )
+      ).rejects.toThrow(ForbiddenException);
+    });
+
+    it("should reject when BREAKGLASS_SETUP_TOKEN is empty", async () => {
+      process.env.BREAKGLASS_SETUP_TOKEN = "";
+
+      await expect(
+        service.setup(
+          validSetupArgs.email,
+          validSetupArgs.name,
+          validSetupArgs.password,
+          validSetupArgs.setupToken
+        )
+      ).rejects.toThrow(ForbiddenException);
+    });
+
+    it("should reject when setup token does not match", async () => {
+      await expect(
+        service.setup(
+          validSetupArgs.email,
+          validSetupArgs.name,
+          validSetupArgs.password,
+          "wrong-token"
+        )
+      ).rejects.toThrow(ForbiddenException);
+    });
+
+    it("should reject when email already exists", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue({
+        id: "existing-user",
+        email: "admin@example.com",
+      });
+
+      await expect(
+        service.setup(
+          validSetupArgs.email,
+          validSetupArgs.name,
+          validSetupArgs.password,
+          validSetupArgs.setupToken
+        )
+      ).rejects.toThrow(ConflictException);
+    });
+
+    it("should return session token and expiry", async () => {
+      const result = await service.setup(
+        validSetupArgs.email,
+        validSetupArgs.name,
+        validSetupArgs.password,
+        validSetupArgs.setupToken
+      );
+
+      expect(typeof result.session.token).toBe("string");
+      expect(result.session.token.length).toBe(64); // 32 bytes hex
+      expect(result.session.expiresAt).toBeInstanceOf(Date);
+    });
+  });
+
+  describe("login", () => {
+    const validPasswordHash = "$2a$12$LJ3m4ys3Lz/YgP7xYz5k5uU6b5F6X1234567890abcdefghijkl";
+
+    beforeEach(async () => {
+      // Create a real bcrypt hash for testing
+      const realHash = await hash("securePassword123!", 4); // Low rounds for test speed
+      mockPrismaService.user.findUnique.mockResolvedValue({
+        id: "user-uuid-123",
+        email: "admin@example.com",
+        name: "Break Glass Admin",
+        isLocalAuth: true,
+        passwordHash: realHash,
+        deactivatedAt: null,
+      });
+      mockPrismaService.session.create.mockResolvedValue({});
+    });
+
+    it("should authenticate a valid local auth user", async () => {
+      const result = await service.login("admin@example.com", "securePassword123!");
+
+      expect(result.user).toEqual({
+        id: "user-uuid-123",
+        email: "admin@example.com",
+        name: "Break Glass Admin",
+      });
+      expect(result.session.token).toBeDefined();
+      expect(result.session.expiresAt).toBeInstanceOf(Date);
+    });
+
+    it("should create a session with ip and user agent", async () => {
+      await service.login("admin@example.com", "securePassword123!", "10.0.0.1", "Mozilla/5.0");
+
+      expect(mockPrismaService.session.create).toHaveBeenCalledWith({
+        data: {
+          userId: "user-uuid-123",
+          token: expect.any(String) as string,
+          expiresAt: expect.any(Date) as Date,
+          ipAddress: "10.0.0.1",
+          userAgent: "Mozilla/5.0",
+        },
+      });
+    });
+
+    it("should reject when user does not exist", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+
+      await expect(service.login("nonexistent@example.com", "password123456")).rejects.toThrow(
+        UnauthorizedException
+      );
+    });
+
+    it("should reject when user is not a local auth user", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue({
+        id: "user-uuid-123",
+        email: "admin@example.com",
+        name: "OIDC User",
+        isLocalAuth: false,
+        passwordHash: null,
+        deactivatedAt: null,
+      });
+
+      await expect(service.login("admin@example.com", "password123456")).rejects.toThrow(
+        UnauthorizedException
+      );
+    });
+
+    it("should reject when user is deactivated", async () => {
+      const realHash = await hash("securePassword123!", 4);
+      mockPrismaService.user.findUnique.mockResolvedValue({
+        id: "user-uuid-123",
+        email: "admin@example.com",
+        name: "Deactivated User",
+        isLocalAuth: true,
+        passwordHash: realHash,
+        deactivatedAt: new Date("2026-01-01"),
+      });
+
+      await expect(service.login("admin@example.com", "securePassword123!")).rejects.toThrow(
+        new UnauthorizedException("Account has been deactivated")
+      );
+    });
+
+    it("should reject when password is incorrect", async () => {
+      await expect(service.login("admin@example.com", "wrongPassword123!")).rejects.toThrow(
+        UnauthorizedException
+      );
+    });
+
+    it("should throw InternalServerError when local auth user has no password hash", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue({
+        id: "user-uuid-123",
+        email: "admin@example.com",
+        name: "Broken User",
+        isLocalAuth: true,
+        passwordHash: null,
+        deactivatedAt: null,
+      });
+
+      await expect(service.login("admin@example.com", "securePassword123!")).rejects.toThrow(
+        InternalServerErrorException
+      );
+    });
+
+    it("should not reveal whether email exists in error messages", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+
+      try {
+        await service.login("nonexistent@example.com", "password123456");
+      } catch (error) {
+        expect(error).toBeInstanceOf(UnauthorizedException);
+        expect((error as UnauthorizedException).message).toBe("Invalid email or password");
+      }
+    });
+  });
+});

apps/api/src/auth/local/local-auth.service.ts

@@ -0,0 +1,230 @@
+import {
+  Injectable,
+  Logger,
+  ForbiddenException,
+  UnauthorizedException,
+  ConflictException,
+  InternalServerErrorException,
+} from "@nestjs/common";
+import { WorkspaceMemberRole } from "@prisma/client";
+import { hash, compare } from "bcryptjs";
+import { randomBytes, timingSafeEqual } from "crypto";
+import { PrismaService } from "../../prisma/prisma.service";
+
+const BCRYPT_ROUNDS = 12;
+
+/** Session expiry: 7 days (matches BetterAuth config in auth.config.ts) */
+const SESSION_EXPIRY_MS = 7 * 24 * 60 * 60 * 1000;
+
+interface SetupResult {
+  user: {
+    id: string;
+    email: string;
+    name: string;
+    isLocalAuth: boolean;
+    createdAt: Date;
+  };
+  session: {
+    token: string;
+    expiresAt: Date;
+  };
+}
+
+interface LoginResult {
+  user: {
+    id: string;
+    email: string;
+    name: string;
+  };
+  session: {
+    token: string;
+    expiresAt: Date;
+  };
+}
+
+@Injectable()
+export class LocalAuthService {
+  private readonly logger = new Logger(LocalAuthService.name);
+
+  constructor(private readonly prisma: PrismaService) {}
+
+  /**
+   * First-time break-glass user creation.
+   * Validates the setup token, creates a local auth user with bcrypt-hashed password,
+   * and assigns OWNER role on the default workspace.
+   */
+  async setup(
+    email: string,
+    name: string,
+    password: string,
+    setupToken: string,
+    ipAddress?: string,
+    userAgent?: string
+  ): Promise<SetupResult> {
+    this.validateSetupToken(setupToken);
+
+    const existing = await this.prisma.user.findUnique({ where: { email } });
+    if (existing) {
+      throw new ConflictException("A user with this email already exists");
+    }
+
+    const passwordHash = await hash(password, BCRYPT_ROUNDS);
+
+    const result = await this.prisma.$transaction(async (tx) => {
+      const user = await tx.user.create({
+        data: {
+          email,
+          name,
+          isLocalAuth: true,
+          passwordHash,
+          emailVerified: true,
+        },
+        select: {
+          id: true,
+          email: true,
+          name: true,
+          isLocalAuth: true,
+          createdAt: true,
+        },
+      });
+
+      // Find or create a default workspace and assign OWNER role
+      await this.assignDefaultWorkspace(tx, user.id);
+
+      // Create a BetterAuth-compatible session
+      const session = await this.createSession(tx, user.id, ipAddress, userAgent);
+
+      return { user, session };
+    });
+
+    this.logger.log(`Break-glass user created: ${email}`);
+    return result;
+  }
+
+  /**
+   * Break-glass login: verify email + password against bcrypt hash.
+   * Only works for users with isLocalAuth=true.
+   */
+  async login(
+    email: string,
+    password: string,
+    ipAddress?: string,
+    userAgent?: string
+  ): Promise<LoginResult> {
+    const user = await this.prisma.user.findUnique({
+      where: { email },
+      select: {
+        id: true,
+        email: true,
+        name: true,
+        isLocalAuth: true,
+        passwordHash: true,
+        deactivatedAt: true,
+      },
+    });
+
+    if (!user?.isLocalAuth) {
+      throw new UnauthorizedException("Invalid email or password");
+    }
+
+    if (user.deactivatedAt) {
+      throw new UnauthorizedException("Account has been deactivated");
+    }
+
+    if (!user.passwordHash) {
+      this.logger.error(`Local auth user ${email} has no password hash`);
+      throw new InternalServerErrorException("Account configuration error");
+    }
+
+    const passwordValid = await compare(password, user.passwordHash);
+    if (!passwordValid) {
+      throw new UnauthorizedException("Invalid email or password");
+    }
+
+    const session = await this.createSession(this.prisma, user.id, ipAddress, userAgent);
+
+    this.logger.log(`Break-glass login: ${email}`);
+    return {
+      user: { id: user.id, email: user.email, name: user.name },
+      session,
+    };
+  }
+
+  /**
+   * Validate the setup token against the environment variable.
+   */
+  private validateSetupToken(token: string): void {
+    const expectedToken = process.env.BREAKGLASS_SETUP_TOKEN;
+
+    if (!expectedToken || expectedToken.trim() === "") {
+      throw new ForbiddenException(
+        "Break-glass setup is not configured. Set BREAKGLASS_SETUP_TOKEN environment variable."
+      );
+    }
+
+    const tokenBuffer = Buffer.from(token);
+    const expectedBuffer = Buffer.from(expectedToken);
+    if (
+      tokenBuffer.length !== expectedBuffer.length ||
+      !timingSafeEqual(tokenBuffer, expectedBuffer)
+    ) {
+      this.logger.warn("Invalid break-glass setup token attempt");
+      throw new ForbiddenException("Invalid setup token");
+    }
+  }
+
+  /**
+   * Find the first workspace or create a default one, then assign OWNER role.
+   */
+  private async assignDefaultWorkspace(
+    tx: Parameters<Parameters<PrismaService["$transaction"]>[0]>[0],
+    userId: string
+  ): Promise<void> {
+    let workspace = await tx.workspace.findFirst({
+      orderBy: { createdAt: "asc" },
+      select: { id: true },
+    });
+
+    workspace ??= await tx.workspace.create({
+      data: {
+        name: "Default Workspace",
+        ownerId: userId,
+        settings: {},
+      },
+      select: { id: true },
+    });
+
+    await tx.workspaceMember.create({
+      data: {
+        workspaceId: workspace.id,
+        userId,
+        role: WorkspaceMemberRole.OWNER,
+      },
+    });
+  }
+
+  /**
+   * Create a BetterAuth-compatible session record.
+   */
+  private async createSession(
+    tx: { session: { create: typeof PrismaService.prototype.session.create } },
+    userId: string,
+    ipAddress?: string,
+    userAgent?: string
+  ): Promise<{ token: string; expiresAt: Date }> {
+    const token = randomBytes(32).toString("hex");
+    const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
+
+    await tx.session.create({
+      data: {
+        userId,
+        token,
+        expiresAt,
+        ipAddress: ipAddress ?? null,
+        userAgent: userAgent ?? null,
+      },
+    });
+
+    return { token, expiresAt };
+  }
+}

apps/api/src/common/utils/log-sanitizer.spec.ts

@@ -270,7 +270,7 @@ describe("sanitizeForLogging", () => {
       const duration = Date.now() - start;
 
       expect(result.password).toBe("[REDACTED]");
-      expect(duration).toBeLessThan(100); // Should complete in under 100ms
+      expect(duration).toBeLessThan(500); // Should complete in under 500ms
     });
   });
 

apps/api/src/coordinator-integration/coordinator-integration.rate-limit.spec.ts

@@ -245,7 +245,7 @@ describe("CoordinatorIntegrationController - Rate Limiting", () => {
         .set("X-API-Key", "test-coordinator-key");
 
       expect(response.status).toBe(HttpStatus.TOO_MANY_REQUESTS);
-    });
+    }, 30000);
   });
 
   describe("Per-API-Key Rate Limiting", () => {

apps/api/src/teams/dto/create-team.dto.ts

@@ -0,0 +1,13 @@
+import { IsOptional, IsString, MaxLength, MinLength } from "class-validator";
+
+export class CreateTeamDto {
+  @IsString({ message: "name must be a string" })
+  @MinLength(1, { message: "name must not be empty" })
+  @MaxLength(255, { message: "name must not exceed 255 characters" })
+  name!: string;
+
+  @IsOptional()
+  @IsString({ message: "description must be a string" })
+  @MaxLength(10000, { message: "description must not exceed 10000 characters" })
+  description?: string;
+}

apps/api/src/teams/dto/manage-team-member.dto.ts

@@ -0,0 +1,11 @@
+import { TeamMemberRole } from "@prisma/client";
+import { IsEnum, IsOptional, IsUUID } from "class-validator";
+
+export class ManageTeamMemberDto {
+  @IsUUID("4", { message: "userId must be a valid UUID" })
+  userId!: string;
+
+  @IsOptional()
+  @IsEnum(TeamMemberRole, { message: "role must be a valid TeamMemberRole" })
+  role?: TeamMemberRole;
+}

apps/api/src/teams/teams.controller.spec.ts

@@ -0,0 +1,150 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { TeamMemberRole } from "@prisma/client";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { PermissionGuard, WorkspaceGuard } from "../common/guards";
+import { TeamsController } from "./teams.controller";
+import { TeamsService } from "./teams.service";
+
+describe("TeamsController", () => {
+  let controller: TeamsController;
+  let service: TeamsService;
+
+  const mockTeamsService = {
+    create: vi.fn(),
+    findAll: vi.fn(),
+    addMember: vi.fn(),
+    removeMember: vi.fn(),
+    remove: vi.fn(),
+  };
+
+  const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440001";
+  const mockTeamId = "550e8400-e29b-41d4-a716-446655440002";
+  const mockUserId = "550e8400-e29b-41d4-a716-446655440003";
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      controllers: [TeamsController],
+      providers: [
+        {
+          provide: TeamsService,
+          useValue: mockTeamsService,
+        },
+      ],
+    })
+      .overrideGuard(AuthGuard)
+      .useValue({ canActivate: vi.fn(() => true) })
+      .overrideGuard(WorkspaceGuard)
+      .useValue({ canActivate: vi.fn(() => true) })
+      .overrideGuard(PermissionGuard)
+      .useValue({ canActivate: vi.fn(() => true) })
+      .compile();
+
+    controller = module.get<TeamsController>(TeamsController);
+    service = module.get<TeamsService>(TeamsService);
+
+    vi.clearAllMocks();
+  });
+
+  it("should be defined", () => {
+    expect(controller).toBeDefined();
+  });
+
+  describe("create", () => {
+    it("should create a team in a workspace", async () => {
+      const createDto = {
+        name: "Platform Team",
+        description: "Owns platform services",
+      };
+
+      const createdTeam = {
+        id: mockTeamId,
+        workspaceId: mockWorkspaceId,
+        name: createDto.name,
+        description: createDto.description,
+        metadata: {},
+        createdAt: new Date(),
+        updatedAt: new Date(),
+      };
+
+      mockTeamsService.create.mockResolvedValue(createdTeam);
+
+      const result = await controller.create(createDto, mockWorkspaceId);
+
+      expect(result).toEqual(createdTeam);
+      expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, createDto);
+    });
+  });
+
+  describe("findAll", () => {
+    it("should list teams in a workspace", async () => {
+      const teams = [
+        {
+          id: mockTeamId,
+          workspaceId: mockWorkspaceId,
+          name: "Platform Team",
+          description: "Owns platform services",
+          metadata: {},
+          createdAt: new Date(),
+          updatedAt: new Date(),
+          _count: { members: 2 },
+        },
+      ];
+
+      mockTeamsService.findAll.mockResolvedValue(teams);
+
+      const result = await controller.findAll(mockWorkspaceId);
+
+      expect(result).toEqual(teams);
+      expect(service.findAll).toHaveBeenCalledWith(mockWorkspaceId);
+    });
+  });
+
+  describe("addMember", () => {
+    it("should add a member to a team", async () => {
+      const dto = {
+        userId: mockUserId,
+        role: TeamMemberRole.ADMIN,
+      };
+
+      const createdTeamMember = {
+        teamId: mockTeamId,
+        userId: mockUserId,
+        role: TeamMemberRole.ADMIN,
+        joinedAt: new Date(),
+        user: {
+          id: mockUserId,
+          name: "Test User",
+          email: "test@example.com",
+        },
+      };
+
+      mockTeamsService.addMember.mockResolvedValue(createdTeamMember);
+
+      const result = await controller.addMember(mockTeamId, dto, mockWorkspaceId);
+
+      expect(result).toEqual(createdTeamMember);
+      expect(service.addMember).toHaveBeenCalledWith(mockWorkspaceId, mockTeamId, dto);
+    });
+  });
+
+  describe("removeMember", () => {
+    it("should remove a member from a team", async () => {
+      mockTeamsService.removeMember.mockResolvedValue(undefined);
+
+      await controller.removeMember(mockTeamId, mockUserId, mockWorkspaceId);
+
+      expect(service.removeMember).toHaveBeenCalledWith(mockWorkspaceId, mockTeamId, mockUserId);
+    });
+  });
+
+  describe("remove", () => {
+    it("should delete a team", async () => {
+      mockTeamsService.remove.mockResolvedValue(undefined);
+
+      await controller.remove(mockTeamId, mockWorkspaceId);
+
+      expect(service.remove).toHaveBeenCalledWith(mockWorkspaceId, mockTeamId);
+    });
+  });
+});

apps/api/src/teams/teams.controller.ts

@@ -0,0 +1,51 @@
+import { Body, Controller, Delete, Get, Param, Post, UseGuards } from "@nestjs/common";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { PermissionGuard, WorkspaceGuard } from "../common/guards";
+import { Permission, RequirePermission, Workspace } from "../common/decorators";
+import { CreateTeamDto } from "./dto/create-team.dto";
+import { ManageTeamMemberDto } from "./dto/manage-team-member.dto";
+import { TeamsService } from "./teams.service";
+
+@Controller("workspaces/:workspaceId/teams")
+@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
+export class TeamsController {
+  constructor(private readonly teamsService: TeamsService) {}
+
+  @Post()
+  @RequirePermission(Permission.WORKSPACE_ADMIN)
+  async create(@Body() createTeamDto: CreateTeamDto, @Workspace() workspaceId: string) {
+    return this.teamsService.create(workspaceId, createTeamDto);
+  }
+
+  @Get()
+  @RequirePermission(Permission.WORKSPACE_ANY)
+  async findAll(@Workspace() workspaceId: string) {
+    return this.teamsService.findAll(workspaceId);
+  }
+
+  @Post(":teamId/members")
+  @RequirePermission(Permission.WORKSPACE_ADMIN)
+  async addMember(
+    @Param("teamId") teamId: string,
+    @Body() dto: ManageTeamMemberDto,
+    @Workspace() workspaceId: string
+  ) {
+    return this.teamsService.addMember(workspaceId, teamId, dto);
+  }
+
+  @Delete(":teamId/members/:userId")
+  @RequirePermission(Permission.WORKSPACE_ADMIN)
+  async removeMember(
+    @Param("teamId") teamId: string,
+    @Param("userId") userId: string,
+    @Workspace() workspaceId: string
+  ) {
+    return this.teamsService.removeMember(workspaceId, teamId, userId);
+  }
+
+  @Delete(":teamId")
+  @RequirePermission(Permission.WORKSPACE_ADMIN)
+  async remove(@Param("teamId") teamId: string, @Workspace() workspaceId: string) {
+    return this.teamsService.remove(workspaceId, teamId);
+  }
+}

apps/api/src/teams/teams.module.ts

@@ -0,0 +1,13 @@
+import { Module } from "@nestjs/common";
+import { AuthModule } from "../auth/auth.module";
+import { PrismaModule } from "../prisma/prisma.module";
+import { TeamsController } from "./teams.controller";
+import { TeamsService } from "./teams.service";
+
+@Module({
+  imports: [PrismaModule, AuthModule],
+  controllers: [TeamsController],
+  providers: [TeamsService],
+  exports: [TeamsService],
+})
+export class TeamsModule {}

apps/api/src/teams/teams.service.spec.ts

@@ -0,0 +1,286 @@
+import { BadRequestException, ConflictException, NotFoundException } from "@nestjs/common";
+import { Test, TestingModule } from "@nestjs/testing";
+import { TeamMemberRole } from "@prisma/client";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { PrismaService } from "../prisma/prisma.service";
+import { TeamsService } from "./teams.service";
+
+describe("TeamsService", () => {
+  let service: TeamsService;
+  let prisma: PrismaService;
+
+  const mockPrismaService = {
+    team: {
+      create: vi.fn(),
+      findMany: vi.fn(),
+      findFirst: vi.fn(),
+      deleteMany: vi.fn(),
+    },
+    workspaceMember: {
+      findUnique: vi.fn(),
+    },
+    teamMember: {
+      findUnique: vi.fn(),
+      create: vi.fn(),
+      deleteMany: vi.fn(),
+    },
+  };
+
+  const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440001";
+  const mockTeamId = "550e8400-e29b-41d4-a716-446655440002";
+  const mockUserId = "550e8400-e29b-41d4-a716-446655440003";
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        TeamsService,
+        {
+          provide: PrismaService,
+          useValue: mockPrismaService,
+        },
+      ],
+    }).compile();
+
+    service = module.get<TeamsService>(TeamsService);
+    prisma = module.get<PrismaService>(PrismaService);
+
+    vi.clearAllMocks();
+  });
+
+  it("should be defined", () => {
+    expect(service).toBeDefined();
+  });
+
+  describe("create", () => {
+    it("should create a team", async () => {
+      const createDto = {
+        name: "Platform Team",
+        description: "Owns platform services",
+      };
+
+      const createdTeam = {
+        id: mockTeamId,
+        workspaceId: mockWorkspaceId,
+        name: createDto.name,
+        description: createDto.description,
+        metadata: {},
+        createdAt: new Date(),
+        updatedAt: new Date(),
+      };
+
+      mockPrismaService.team.create.mockResolvedValue(createdTeam);
+
+      const result = await service.create(mockWorkspaceId, createDto);
+
+      expect(result).toEqual(createdTeam);
+      expect(prisma.team.create).toHaveBeenCalledWith({
+        data: {
+          workspaceId: mockWorkspaceId,
+          name: createDto.name,
+          description: createDto.description,
+        },
+      });
+    });
+  });
+
+  describe("findAll", () => {
+    it("should list teams for a workspace", async () => {
+      const teams = [
+        {
+          id: mockTeamId,
+          workspaceId: mockWorkspaceId,
+          name: "Platform Team",
+          description: "Owns platform services",
+          metadata: {},
+          createdAt: new Date(),
+          updatedAt: new Date(),
+          _count: { members: 1 },
+        },
+      ];
+
+      mockPrismaService.team.findMany.mockResolvedValue(teams);
+
+      const result = await service.findAll(mockWorkspaceId);
+
+      expect(result).toEqual(teams);
+      expect(prisma.team.findMany).toHaveBeenCalledWith({
+        where: { workspaceId: mockWorkspaceId },
+        include: {
+          _count: {
+            select: { members: true },
+          },
+        },
+        orderBy: { createdAt: "asc" },
+      });
+    });
+  });
+
+  describe("addMember", () => {
+    it("should add a workspace member to a team", async () => {
+      const dto = {
+        userId: mockUserId,
+        role: TeamMemberRole.ADMIN,
+      };
+
+      const createdTeamMember = {
+        teamId: mockTeamId,
+        userId: mockUserId,
+        role: TeamMemberRole.ADMIN,
+        joinedAt: new Date(),
+        user: {
+          id: mockUserId,
+          name: "Test User",
+          email: "test@example.com",
+        },
+      };
+
+      mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({ userId: mockUserId });
+      mockPrismaService.teamMember.findUnique.mockResolvedValue(null);
+      mockPrismaService.teamMember.create.mockResolvedValue(createdTeamMember);
+
+      const result = await service.addMember(mockWorkspaceId, mockTeamId, dto);
+
+      expect(result).toEqual(createdTeamMember);
+      expect(prisma.team.findFirst).toHaveBeenCalledWith({
+        where: {
+          id: mockTeamId,
+          workspaceId: mockWorkspaceId,
+        },
+        select: { id: true },
+      });
+      expect(prisma.workspaceMember.findUnique).toHaveBeenCalledWith({
+        where: {
+          workspaceId_userId: {
+            workspaceId: mockWorkspaceId,
+            userId: mockUserId,
+          },
+        },
+        select: { userId: true },
+      });
+      expect(prisma.teamMember.create).toHaveBeenCalledWith({
+        data: {
+          teamId: mockTeamId,
+          userId: mockUserId,
+          role: TeamMemberRole.ADMIN,
+        },
+        include: {
+          user: {
+            select: {
+              id: true,
+              name: true,
+              email: true,
+            },
+          },
+        },
+      });
+    });
+
+    it("should use MEMBER role when role is omitted", async () => {
+      const dto = { userId: mockUserId };
+
+      mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({ userId: mockUserId });
+      mockPrismaService.teamMember.findUnique.mockResolvedValue(null);
+      mockPrismaService.teamMember.create.mockResolvedValue({
+        teamId: mockTeamId,
+        userId: mockUserId,
+        role: TeamMemberRole.MEMBER,
+        joinedAt: new Date(),
+      });
+
+      await service.addMember(mockWorkspaceId, mockTeamId, dto);
+
+      expect(prisma.teamMember.create).toHaveBeenCalledWith(
+        expect.objectContaining({
+          data: expect.objectContaining({
+            role: TeamMemberRole.MEMBER,
+          }),
+        })
+      );
+    });
+
+    it("should throw when team does not belong to workspace", async () => {
+      mockPrismaService.team.findFirst.mockResolvedValue(null);
+
+      await expect(
+        service.addMember(mockWorkspaceId, mockTeamId, { userId: mockUserId })
+      ).rejects.toThrow(NotFoundException);
+      expect(prisma.workspaceMember.findUnique).not.toHaveBeenCalled();
+    });
+
+    it("should throw when user is not a workspace member", async () => {
+      mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValue(null);
+
+      await expect(
+        service.addMember(mockWorkspaceId, mockTeamId, { userId: mockUserId })
+      ).rejects.toThrow(BadRequestException);
+    });
+
+    it("should throw when user is already in the team", async () => {
+      mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({ userId: mockUserId });
+      mockPrismaService.teamMember.findUnique.mockResolvedValue({ userId: mockUserId });
+
+      await expect(
+        service.addMember(mockWorkspaceId, mockTeamId, { userId: mockUserId })
+      ).rejects.toThrow(ConflictException);
+    });
+  });
+
+  describe("removeMember", () => {
+    it("should remove a member from a team", async () => {
+      mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
+      mockPrismaService.teamMember.deleteMany.mockResolvedValue({ count: 1 });
+
+      await service.removeMember(mockWorkspaceId, mockTeamId, mockUserId);
+
+      expect(prisma.teamMember.deleteMany).toHaveBeenCalledWith({
+        where: {
+          teamId: mockTeamId,
+          userId: mockUserId,
+        },
+      });
+    });
+
+    it("should throw when team does not belong to workspace", async () => {
+      mockPrismaService.team.findFirst.mockResolvedValue(null);
+
+      await expect(service.removeMember(mockWorkspaceId, mockTeamId, mockUserId)).rejects.toThrow(
+        NotFoundException
+      );
+      expect(prisma.teamMember.deleteMany).not.toHaveBeenCalled();
+    });
+
+    it("should throw when user is not in the team", async () => {
+      mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
+      mockPrismaService.teamMember.deleteMany.mockResolvedValue({ count: 0 });
+
+      await expect(service.removeMember(mockWorkspaceId, mockTeamId, mockUserId)).rejects.toThrow(
+        NotFoundException
+      );
+    });
+  });
+
+  describe("remove", () => {
+    it("should delete a team", async () => {
+      mockPrismaService.team.deleteMany.mockResolvedValue({ count: 1 });
+
+      await service.remove(mockWorkspaceId, mockTeamId);
+
+      expect(prisma.team.deleteMany).toHaveBeenCalledWith({
+        where: {
+          id: mockTeamId,
+          workspaceId: mockWorkspaceId,
+        },
+      });
+    });
+
+    it("should throw when team is not found", async () => {
+      mockPrismaService.team.deleteMany.mockResolvedValue({ count: 0 });
+
+      await expect(service.remove(mockWorkspaceId, mockTeamId)).rejects.toThrow(NotFoundException);
+    });
+  });
+});

apps/api/src/teams/teams.service.ts

@@ -0,0 +1,130 @@
+import {
+  BadRequestException,
+  ConflictException,
+  Injectable,
+  NotFoundException,
+} from "@nestjs/common";
+import { TeamMemberRole } from "@prisma/client";
+import { PrismaService } from "../prisma/prisma.service";
+import { CreateTeamDto } from "./dto/create-team.dto";
+import { ManageTeamMemberDto } from "./dto/manage-team-member.dto";
+
+@Injectable()
+export class TeamsService {
+  constructor(private readonly prisma: PrismaService) {}
+
+  async create(workspaceId: string, createTeamDto: CreateTeamDto) {
+    return this.prisma.team.create({
+      data: {
+        workspaceId,
+        name: createTeamDto.name,
+        description: createTeamDto.description ?? null,
+      },
+    });
+  }
+
+  async findAll(workspaceId: string) {
+    return this.prisma.team.findMany({
+      where: { workspaceId },
+      include: {
+        _count: {
+          select: { members: true },
+        },
+      },
+      orderBy: { createdAt: "asc" },
+    });
+  }
+
+  async addMember(workspaceId: string, teamId: string, dto: ManageTeamMemberDto) {
+    await this.ensureTeamInWorkspace(workspaceId, teamId);
+
+    const workspaceMember = await this.prisma.workspaceMember.findUnique({
+      where: {
+        workspaceId_userId: {
+          workspaceId,
+          userId: dto.userId,
+        },
+      },
+      select: { userId: true },
+    });
+
+    if (!workspaceMember) {
+      throw new BadRequestException(
+        `User ${dto.userId} must be a workspace member before being added to a team`
+      );
+    }
+
+    const existingTeamMember = await this.prisma.teamMember.findUnique({
+      where: {
+        teamId_userId: {
+          teamId,
+          userId: dto.userId,
+        },
+      },
+      select: { userId: true },
+    });
+
+    if (existingTeamMember) {
+      throw new ConflictException(`User ${dto.userId} is already a member of team ${teamId}`);
+    }
+
+    return this.prisma.teamMember.create({
+      data: {
+        teamId,
+        userId: dto.userId,
+        role: dto.role ?? TeamMemberRole.MEMBER,
+      },
+      include: {
+        user: {
+          select: {
+            id: true,
+            name: true,
+            email: true,
+          },
+        },
+      },
+    });
+  }
+
+  async removeMember(workspaceId: string, teamId: string, userId: string): Promise<void> {
+    await this.ensureTeamInWorkspace(workspaceId, teamId);
+
+    const result = await this.prisma.teamMember.deleteMany({
+      where: {
+        teamId,
+        userId,
+      },
+    });
+
+    if (result.count === 0) {
+      throw new NotFoundException(`User ${userId} is not a member of team ${teamId}`);
+    }
+  }
+
+  async remove(workspaceId: string, teamId: string): Promise<void> {
+    const result = await this.prisma.team.deleteMany({
+      where: {
+        id: teamId,
+        workspaceId,
+      },
+    });
+
+    if (result.count === 0) {
+      throw new NotFoundException(`Team with ID ${teamId} not found`);
+    }
+  }
+
+  private async ensureTeamInWorkspace(workspaceId: string, teamId: string): Promise<void> {
+    const team = await this.prisma.team.findFirst({
+      where: {
+        id: teamId,
+        workspaceId,
+      },
+      select: { id: true },
+    });
+
+    if (!team) {
+      throw new NotFoundException(`Team with ID ${teamId} not found`);
+    }
+  }
+}

apps/api/src/websocket/websocket.gateway.ts

@@ -7,6 +7,7 @@ import {
 import { Logger } from "@nestjs/common";
 import { Server, Socket } from "socket.io";
 import { AuthService } from "../auth/auth.service";
+import { getTrustedOrigins } from "../auth/auth.config";
 import { PrismaService } from "../prisma/prisma.service";
 
 interface AuthenticatedSocket extends Socket {
@@ -77,7 +78,7 @@ interface StepOutputData {
  */
 @WSGateway({
   cors: {
-    origin: process.env.WEB_URL ?? "http://localhost:3000",
+    origin: getTrustedOrigins(),
     credentials: true,
   },
 })
@@ -167,17 +168,36 @@ export class WebSocketGateway implements OnGatewayConnection, OnGatewayDisconnec
   }
 
   /**
-   * @description Extract authentication token from Socket.IO handshake
+   * @description Extract authentication token from Socket.IO handshake.
+   *
+   * Checks sources in order:
+   * 1. handshake.auth.token  — explicit token (e.g. from API clients)
+   * 2. handshake.headers.cookie — session cookie sent by browser via withCredentials
+   * 3. query.token           — URL query parameter fallback
+   * 4. Authorization header  — Bearer token fallback
+   *
    * @param client - The socket client
    * @returns The token string or undefined if not found
    */
   private extractTokenFromHandshake(client: Socket): string | undefined {
-    // Check handshake.auth.token (preferred method)
+    // Check handshake.auth.token (preferred method for non-browser clients)
     const authToken = client.handshake.auth.token as unknown;
     if (typeof authToken === "string" && authToken.length > 0) {
       return authToken;
     }
 
+    // Fallback: parse session cookie from request headers.
+    // Browsers send httpOnly cookies automatically when withCredentials: true is set
+    // on the socket.io client.  BetterAuth uses one of these cookie names depending
+    // on whether the connection is HTTPS (Secure prefix) or HTTP (dev).
+    const cookieHeader = client.handshake.headers.cookie;
+    if (typeof cookieHeader === "string" && cookieHeader.length > 0) {
+      const cookieToken = this.extractTokenFromCookieHeader(cookieHeader);
+      if (cookieToken) {
+        return cookieToken;
+      }
+    }
+
     // Fallback: check query parameters
     const queryToken = client.handshake.query.token as unknown;
     if (typeof queryToken === "string" && queryToken.length > 0) {
@@ -197,6 +217,45 @@ export class WebSocketGateway implements OnGatewayConnection, OnGatewayDisconnec
     return undefined;
   }
 
+  /**
+   * @description Parse the BetterAuth session token from a raw Cookie header string.
+   *
+   * BetterAuth names the session cookie differently based on the security context:
+   * - `__Secure-better-auth.session_token` — HTTPS with Secure flag
+   * - `better-auth.session_token`           — HTTP (development)
+   * - `__Host-better-auth.session_token`    — HTTPS with Host prefix
+   *
+   * @param cookieHeader - The raw Cookie header value
+   * @returns The session token value or undefined if no matching cookie found
+   */
+  private extractTokenFromCookieHeader(cookieHeader: string): string | undefined {
+    const SESSION_COOKIE_NAMES = [
+      "__Secure-better-auth.session_token",
+      "better-auth.session_token",
+      "__Host-better-auth.session_token",
+    ] as const;
+
+    // Parse the Cookie header into a key-value map
+    const cookies = Object.fromEntries(
+      cookieHeader.split(";").map((pair) => {
+        const eqIndex = pair.indexOf("=");
+        if (eqIndex === -1) {
+          return [pair.trim(), ""];
+        }
+        return [pair.slice(0, eqIndex).trim(), pair.slice(eqIndex + 1).trim()];
+      })
+    );
+
+    for (const name of SESSION_COOKIE_NAMES) {
+      const value = cookies[name];
+      if (typeof value === "string" && value.length > 0) {
+        return value;
+      }
+    }
+
+    return undefined;
+  }
+
   /**
    * @description Handle client disconnect by leaving the workspace room.
    * @param client - The socket client containing workspaceId in data.

apps/api/src/workspaces/dto/add-member.dto.ts

@@ -0,0 +1,13 @@
+import { WorkspaceMemberRole } from "@prisma/client";
+import { IsEnum, IsUUID } from "class-validator";
+
+/**
+ * DTO for adding a user to a workspace.
+ */
+export class AddMemberDto {
+  @IsUUID("4", { message: "userId must be a valid UUID" })
+  userId!: string;
+
+  @IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
+  role!: WorkspaceMemberRole;
+}

apps/api/src/workspaces/dto/index.ts

@@ -0,0 +1,3 @@
+export { AddMemberDto } from "./add-member.dto";
+export { UpdateMemberRoleDto } from "./update-member-role.dto";
+export { WorkspaceResponseDto } from "./workspace-response.dto";

apps/api/src/workspaces/dto/update-member-role.dto.ts

@@ -0,0 +1,10 @@
+import { WorkspaceMemberRole } from "@prisma/client";
+import { IsEnum } from "class-validator";
+
+/**
+ * DTO for updating a workspace member's role.
+ */
+export class UpdateMemberRoleDto {
+  @IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
+  role!: WorkspaceMemberRole;
+}

apps/api/src/workspaces/dto/workspace-response.dto.ts

@@ -0,0 +1,12 @@
+import type { WorkspaceMemberRole } from "@prisma/client";
+
+/**
+ * Response DTO for a workspace the authenticated user belongs to.
+ */
+export class WorkspaceResponseDto {
+  id!: string;
+  name!: string;
+  ownerId!: string;
+  role!: WorkspaceMemberRole;
+  createdAt!: Date;
+}

apps/api/src/workspaces/index.ts

@@ -0,0 +1,3 @@
+export { WorkspacesModule } from "./workspaces.module";
+export { WorkspacesService } from "./workspaces.service";
+export { WorkspacesController } from "./workspaces.controller";

apps/api/src/workspaces/workspaces.controller.spec.ts

@@ -0,0 +1,149 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import { WorkspacesController } from "./workspaces.controller";
+import { WorkspacesService } from "./workspaces.service";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { WorkspaceGuard, PermissionGuard } from "../common/guards";
+import { WorkspaceMemberRole } from "@prisma/client";
+import type { AuthUser } from "@mosaic/shared";
+
+describe("WorkspacesController", () => {
+  let controller: WorkspacesController;
+  let service: WorkspacesService;
+
+  const mockWorkspacesService = {
+    getUserWorkspaces: vi.fn(),
+    addMember: vi.fn(),
+    updateMemberRole: vi.fn(),
+    removeMember: vi.fn(),
+  };
+
+  const mockUser: AuthUser = {
+    id: "user-1",
+    email: "test@example.com",
+    name: "Test User",
+  };
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      controllers: [WorkspacesController],
+      providers: [
+        {
+          provide: WorkspacesService,
+          useValue: mockWorkspacesService,
+        },
+      ],
+    })
+      .overrideGuard(AuthGuard)
+      .useValue({ canActivate: () => true })
+      .overrideGuard(WorkspaceGuard)
+      .useValue({ canActivate: () => true })
+      .overrideGuard(PermissionGuard)
+      .useValue({ canActivate: () => true })
+      .compile();
+
+    controller = module.get<WorkspacesController>(WorkspacesController);
+    service = module.get<WorkspacesService>(WorkspacesService);
+
+    vi.clearAllMocks();
+  });
+
+  describe("GET /api/workspaces", () => {
+    it("should call service with authenticated user id", async () => {
+      mockWorkspacesService.getUserWorkspaces.mockResolvedValueOnce([]);
+
+      await controller.getUserWorkspaces(mockUser);
+
+      expect(service.getUserWorkspaces).toHaveBeenCalledWith("user-1");
+    });
+
+    it("should return workspace list from service", async () => {
+      const mockWorkspaces = [
+        {
+          id: "ws-1",
+          name: "My Workspace",
+          ownerId: "user-1",
+          role: WorkspaceMemberRole.OWNER,
+          createdAt: new Date("2026-01-01"),
+        },
+      ];
+      mockWorkspacesService.getUserWorkspaces.mockResolvedValueOnce(mockWorkspaces);
+
+      const result = await controller.getUserWorkspaces(mockUser);
+
+      expect(result).toEqual(mockWorkspaces);
+    });
+
+    it("should propagate service errors", async () => {
+      mockWorkspacesService.getUserWorkspaces.mockRejectedValueOnce(new Error("Database error"));
+
+      await expect(controller.getUserWorkspaces(mockUser)).rejects.toThrow("Database error");
+    });
+  });
+
+  describe("POST /api/workspaces/:id/members", () => {
+    it("should call service with workspace id, actor id, and add member dto", async () => {
+      const workspaceId = "ws-1";
+      const addMemberDto = {
+        userId: "user-2",
+        role: WorkspaceMemberRole.MEMBER,
+      };
+      const mockMember = {
+        workspaceId,
+        userId: "user-2",
+        role: WorkspaceMemberRole.MEMBER,
+        joinedAt: new Date("2026-02-01"),
+      };
+      mockWorkspacesService.addMember.mockResolvedValueOnce(mockMember);
+
+      const result = await controller.addMember(workspaceId, addMemberDto, mockUser);
+
+      expect(result).toEqual(mockMember);
+      expect(service.addMember).toHaveBeenCalledWith(workspaceId, mockUser.id, addMemberDto);
+    });
+  });
+
+  describe("PATCH /api/workspaces/:id/members/:userId", () => {
+    it("should call service with workspace id, actor id, target user id, and role dto", async () => {
+      const workspaceId = "ws-1";
+      const targetUserId = "user-2";
+      const updateRoleDto = {
+        role: WorkspaceMemberRole.ADMIN,
+      };
+      const mockMember = {
+        workspaceId,
+        userId: targetUserId,
+        role: WorkspaceMemberRole.ADMIN,
+        joinedAt: new Date("2026-02-01"),
+      };
+      mockWorkspacesService.updateMemberRole.mockResolvedValueOnce(mockMember);
+
+      const result = await controller.updateMemberRole(
+        workspaceId,
+        targetUserId,
+        updateRoleDto,
+        mockUser
+      );
+
+      expect(result).toEqual(mockMember);
+      expect(service.updateMemberRole).toHaveBeenCalledWith(
+        workspaceId,
+        mockUser.id,
+        targetUserId,
+        updateRoleDto
+      );
+    });
+  });
+
+  describe("DELETE /api/workspaces/:id/members/:userId", () => {
+    it("should call service with workspace id, actor id, and target user id", async () => {
+      const workspaceId = "ws-1";
+      const targetUserId = "user-2";
+      mockWorkspacesService.removeMember.mockResolvedValueOnce(undefined);
+
+      await controller.removeMember(workspaceId, targetUserId, mockUser);
+
+      expect(service.removeMember).toHaveBeenCalledWith(workspaceId, mockUser.id, targetUserId);
+    });
+  });
+});

apps/api/src/workspaces/workspaces.controller.ts

@@ -0,0 +1,85 @@
+import { Body, Controller, Delete, Get, Param, Patch, Post, UseGuards } from "@nestjs/common";
+import { WorkspacesService } from "./workspaces.service";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { CurrentUser } from "../auth/decorators/current-user.decorator";
+import { WorkspaceGuard, PermissionGuard } from "../common/guards";
+import { Permission, RequirePermission } from "../common/decorators";
+import type { WorkspaceMember } from "@prisma/client";
+import type { AuthenticatedUser } from "../common/types/user.types";
+import type { AddMemberDto, UpdateMemberRoleDto, WorkspaceResponseDto } from "./dto";
+
+/**
+ * User-scoped workspace operations.
+ *
+ * Intentionally does NOT use WorkspaceGuard — these routes operate across all
+ * workspaces the user belongs to, not within a single workspace context.
+ */
+@Controller("workspaces")
+@UseGuards(AuthGuard)
+export class WorkspacesController {
+  constructor(private readonly workspacesService: WorkspacesService) {}
+
+  /**
+   * GET /api/workspaces
+   * Returns workspaces the authenticated user is a member of.
+   * Auto-provisions a default workspace if the user has none.
+   */
+  @Get()
+  async getUserWorkspaces(@CurrentUser() user: AuthenticatedUser): Promise<WorkspaceResponseDto[]> {
+    return this.workspacesService.getUserWorkspaces(user.id);
+  }
+
+  /**
+   * POST /api/workspaces/:workspaceId/members
+   * Add a member to a workspace with the specified role.
+   * Requires: ADMIN role or higher.
+   */
+  @Post(":workspaceId/members")
+  @UseGuards(WorkspaceGuard, PermissionGuard)
+  @RequirePermission(Permission.WORKSPACE_ADMIN)
+  async addMember(
+    @Param("workspaceId") workspaceId: string,
+    @Body() addMemberDto: AddMemberDto,
+    @CurrentUser() user: AuthenticatedUser
+  ): Promise<WorkspaceMember> {
+    return this.workspacesService.addMember(workspaceId, user.id, addMemberDto);
+  }
+
+  /**
+   * PATCH /api/workspaces/:workspaceId/members/:userId
+   * Change a member role in a workspace.
+   * Requires: ADMIN role or higher.
+   */
+  @Patch(":workspaceId/members/:userId")
+  @UseGuards(WorkspaceGuard, PermissionGuard)
+  @RequirePermission(Permission.WORKSPACE_ADMIN)
+  async updateMemberRole(
+    @Param("workspaceId") workspaceId: string,
+    @Param("userId") targetUserId: string,
+    @Body() updateMemberRoleDto: UpdateMemberRoleDto,
+    @CurrentUser() user: AuthenticatedUser
+  ): Promise<WorkspaceMember> {
+    return this.workspacesService.updateMemberRole(
+      workspaceId,
+      user.id,
+      targetUserId,
+      updateMemberRoleDto
+    );
+  }
+
+  /**
+   * DELETE /api/workspaces/:workspaceId/members/:userId
+   * Remove a member from a workspace.
+   * Requires: ADMIN role or higher.
+   */
+  @Delete(":workspaceId/members/:userId")
+  @UseGuards(WorkspaceGuard, PermissionGuard)
+  @RequirePermission(Permission.WORKSPACE_ADMIN)
+  async removeMember(
+    @Param("workspaceId") workspaceId: string,
+    @Param("userId") targetUserId: string,
+    @CurrentUser() user: AuthenticatedUser
+  ): Promise<void> {
+    await this.workspacesService.removeMember(workspaceId, user.id, targetUserId);
+  }
+}

apps/api/src/workspaces/workspaces.module.ts

@@ -0,0 +1,13 @@
+import { Module } from "@nestjs/common";
+import { WorkspacesController } from "./workspaces.controller";
+import { WorkspacesService } from "./workspaces.service";
+import { PrismaModule } from "../prisma/prisma.module";
+import { AuthModule } from "../auth/auth.module";
+
+@Module({
+  imports: [PrismaModule, AuthModule],
+  controllers: [WorkspacesController],
+  providers: [WorkspacesService],
+  exports: [WorkspacesService],
+})
+export class WorkspacesModule {}

apps/api/src/workspaces/workspaces.service.spec.ts

@@ -0,0 +1,516 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import { WorkspacesService } from "./workspaces.service";
+import { PrismaService } from "../prisma/prisma.service";
+import { WorkspaceMemberRole } from "@prisma/client";
+import {
+  BadRequestException,
+  ConflictException,
+  ForbiddenException,
+  NotFoundException,
+} from "@nestjs/common";
+
+describe("WorkspacesService", () => {
+  let service: WorkspacesService;
+
+  const mockUserId = "550e8400-e29b-41d4-a716-446655440001";
+  const mockAdminUserId = "550e8400-e29b-41d4-a716-446655440010";
+  const mockMemberUserId = "550e8400-e29b-41d4-a716-446655440011";
+  const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440002";
+
+  const mockWorkspace = {
+    id: mockWorkspaceId,
+    name: "Test Workspace",
+    ownerId: mockUserId,
+    settings: {},
+    matrixRoomId: null,
+    createdAt: new Date("2026-01-01"),
+    updatedAt: new Date("2026-01-01"),
+  };
+
+  const mockMembership = {
+    workspaceId: mockWorkspaceId,
+    userId: mockUserId,
+    role: WorkspaceMemberRole.OWNER,
+    joinedAt: new Date("2026-01-01"),
+    workspace: {
+      id: mockWorkspaceId,
+      name: "Test Workspace",
+      ownerId: mockUserId,
+      createdAt: new Date("2026-01-01"),
+    },
+  };
+
+  const mockPrismaService = {
+    workspaceMember: {
+      findMany: vi.fn(),
+      findUnique: vi.fn(),
+      count: vi.fn(),
+      create: vi.fn(),
+      update: vi.fn(),
+      delete: vi.fn(),
+    },
+    workspace: {
+      create: vi.fn(),
+    },
+    user: {
+      findUnique: vi.fn(),
+    },
+    $transaction: vi.fn(),
+  };
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        WorkspacesService,
+        {
+          provide: PrismaService,
+          useValue: mockPrismaService,
+        },
+      ],
+    }).compile();
+
+    service = module.get<WorkspacesService>(WorkspacesService);
+
+    vi.clearAllMocks();
+
+    mockPrismaService.$transaction.mockImplementation(
+      async (fn: (tx: typeof mockPrismaService) => Promise<unknown>) =>
+        fn(mockPrismaService as unknown as typeof mockPrismaService)
+    );
+  });
+
+  describe("getUserWorkspaces", () => {
+    it("should return all workspaces user is a member of", async () => {
+      mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([mockMembership]);
+
+      const result = await service.getUserWorkspaces(mockUserId);
+
+      expect(result).toEqual([
+        {
+          id: mockWorkspaceId,
+          name: "Test Workspace",
+          ownerId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          createdAt: mockMembership.workspace.createdAt,
+        },
+      ]);
+      expect(mockPrismaService.workspaceMember.findMany).toHaveBeenCalledWith({
+        where: { userId: mockUserId },
+        include: {
+          workspace: {
+            select: { id: true, name: true, ownerId: true, createdAt: true },
+          },
+        },
+        orderBy: { joinedAt: "asc" },
+      });
+    });
+
+    it("should return multiple workspaces ordered by joinedAt", async () => {
+      const secondWorkspace = {
+        ...mockMembership,
+        workspaceId: "ws-2",
+        role: WorkspaceMemberRole.MEMBER,
+        joinedAt: new Date("2026-02-01"),
+        workspace: {
+          id: "ws-2",
+          name: "Second Workspace",
+          ownerId: "other-user",
+          createdAt: new Date("2026-02-01"),
+        },
+      };
+
+      mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([
+        mockMembership,
+        secondWorkspace,
+      ]);
+
+      const result = await service.getUserWorkspaces(mockUserId);
+
+      expect(result).toHaveLength(2);
+      expect(result[0].id).toBe(mockWorkspaceId);
+      expect(result[1].id).toBe("ws-2");
+      expect(result[1].role).toBe(WorkspaceMemberRole.MEMBER);
+    });
+
+    it("should auto-provision a default workspace when user has no memberships", async () => {
+      mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([]);
+      mockPrismaService.$transaction.mockImplementationOnce(
+        async (fn: (tx: typeof mockPrismaService) => Promise<unknown>) => {
+          const txMock = {
+            workspaceMember: {
+              findFirst: vi.fn().mockResolvedValueOnce(null),
+              create: vi.fn().mockResolvedValueOnce({}),
+            },
+            workspace: {
+              create: vi.fn().mockResolvedValueOnce(mockWorkspace),
+            },
+          };
+          return fn(txMock as unknown as typeof mockPrismaService);
+        }
+      );
+
+      const result = await service.getUserWorkspaces(mockUserId);
+
+      expect(result).toHaveLength(1);
+      expect(result[0].name).toBe("Test Workspace");
+      expect(result[0].role).toBe(WorkspaceMemberRole.OWNER);
+      expect(mockPrismaService.$transaction).toHaveBeenCalledTimes(1);
+    });
+
+    it("should return existing workspace if one was created between initial check and transaction", async () => {
+      // Simulates a race condition: initial findMany returns [], but inside the
+      // transaction another request already created a workspace.
+      mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([]);
+      mockPrismaService.$transaction.mockImplementationOnce(
+        async (fn: (tx: typeof mockPrismaService) => Promise<unknown>) => {
+          const txMock = {
+            workspaceMember: {
+              findFirst: vi.fn().mockResolvedValueOnce(mockMembership),
+            },
+            workspace: {
+              create: vi.fn(),
+            },
+          };
+          return fn(txMock as unknown as typeof mockPrismaService);
+        }
+      );
+
+      const result = await service.getUserWorkspaces(mockUserId);
+
+      expect(result).toHaveLength(1);
+      expect(result[0].id).toBe(mockWorkspaceId);
+      expect(result[0].name).toBe("Test Workspace");
+    });
+
+    it("should create workspace with correct data during auto-provisioning", async () => {
+      mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([]);
+
+      let capturedWorkspaceData: unknown;
+      let capturedMemberData: unknown;
+
+      mockPrismaService.$transaction.mockImplementationOnce(
+        async (fn: (tx: typeof mockPrismaService) => Promise<unknown>) => {
+          const txMock = {
+            workspaceMember: {
+              findFirst: vi.fn().mockResolvedValueOnce(null),
+              create: vi.fn().mockImplementation((args: unknown) => {
+                capturedMemberData = args;
+                return {};
+              }),
+            },
+            workspace: {
+              create: vi.fn().mockImplementation((args: unknown) => {
+                capturedWorkspaceData = args;
+                return mockWorkspace;
+              }),
+            },
+          };
+          return fn(txMock as unknown as typeof mockPrismaService);
+        }
+      );
+
+      await service.getUserWorkspaces(mockUserId);
+
+      expect(capturedWorkspaceData).toEqual({
+        data: {
+          name: "My Workspace",
+          ownerId: mockUserId,
+          settings: {},
+        },
+      });
+      expect(capturedMemberData).toEqual({
+        data: {
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+        },
+      });
+    });
+
+    it("should not auto-provision when user already has workspaces", async () => {
+      mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([mockMembership]);
+
+      await service.getUserWorkspaces(mockUserId);
+
+      expect(mockPrismaService.$transaction).not.toHaveBeenCalled();
+    });
+
+    it("should propagate database errors", async () => {
+      mockPrismaService.workspaceMember.findMany.mockRejectedValueOnce(
+        new Error("Database connection failed")
+      );
+
+      await expect(service.getUserWorkspaces(mockUserId)).rejects.toThrow(
+        "Database connection failed"
+      );
+    });
+  });
+
+  describe("addMember", () => {
+    const addMemberDto = {
+      userId: mockMemberUserId,
+      role: WorkspaceMemberRole.MEMBER,
+    };
+
+    it("should add a new member to the workspace", async () => {
+      const createdMembership = {
+        workspaceId: mockWorkspaceId,
+        userId: mockMemberUserId,
+        role: WorkspaceMemberRole.MEMBER,
+        joinedAt: new Date("2026-02-02"),
+      };
+      mockPrismaService.user.findUnique.mockResolvedValueOnce({ id: mockMemberUserId });
+      mockPrismaService.workspaceMember.findUnique
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockAdminUserId,
+          role: WorkspaceMemberRole.ADMIN,
+          joinedAt: new Date("2026-01-01"),
+        })
+        .mockResolvedValueOnce(null);
+      mockPrismaService.workspaceMember.create.mockResolvedValueOnce(createdMembership);
+
+      const result = await service.addMember(mockWorkspaceId, mockAdminUserId, addMemberDto);
+
+      expect(result).toEqual(createdMembership);
+      expect(mockPrismaService.workspaceMember.create).toHaveBeenCalledWith({
+        data: {
+          workspaceId: mockWorkspaceId,
+          userId: mockMemberUserId,
+          role: WorkspaceMemberRole.MEMBER,
+        },
+      });
+    });
+
+    it("should throw NotFoundException when user does not exist", async () => {
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValueOnce({
+        workspaceId: mockWorkspaceId,
+        userId: mockAdminUserId,
+        role: WorkspaceMemberRole.ADMIN,
+        joinedAt: new Date("2026-01-01"),
+      });
+      mockPrismaService.user.findUnique.mockResolvedValueOnce(null);
+
+      await expect(
+        service.addMember(mockWorkspaceId, mockAdminUserId, addMemberDto)
+      ).rejects.toThrow(NotFoundException);
+    });
+
+    it("should throw ConflictException when user is already a member", async () => {
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValueOnce({
+        workspaceId: mockWorkspaceId,
+        userId: mockAdminUserId,
+        role: WorkspaceMemberRole.ADMIN,
+        joinedAt: new Date("2026-01-01"),
+      });
+      mockPrismaService.user.findUnique.mockResolvedValueOnce({ id: mockMemberUserId });
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValueOnce({
+        workspaceId: mockWorkspaceId,
+        userId: mockMemberUserId,
+        role: WorkspaceMemberRole.MEMBER,
+        joinedAt: new Date("2026-01-02"),
+      });
+
+      await expect(
+        service.addMember(mockWorkspaceId, mockAdminUserId, addMemberDto)
+      ).rejects.toThrow(ConflictException);
+    });
+
+    it("should throw ForbiddenException when admin tries to assign OWNER role", async () => {
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValueOnce({
+        workspaceId: mockWorkspaceId,
+        userId: mockAdminUserId,
+        role: WorkspaceMemberRole.ADMIN,
+        joinedAt: new Date("2026-01-01"),
+      });
+
+      await expect(
+        service.addMember(mockWorkspaceId, mockAdminUserId, {
+          userId: mockMemberUserId,
+          role: WorkspaceMemberRole.OWNER,
+        })
+      ).rejects.toThrow(ForbiddenException);
+    });
+  });
+
+  describe("updateMemberRole", () => {
+    it("should update a member role", async () => {
+      const updatedMembership = {
+        workspaceId: mockWorkspaceId,
+        userId: mockMemberUserId,
+        role: WorkspaceMemberRole.ADMIN,
+        joinedAt: new Date("2026-01-02"),
+      };
+      mockPrismaService.workspaceMember.findUnique
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          joinedAt: new Date("2026-01-01"),
+        })
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockMemberUserId,
+          role: WorkspaceMemberRole.MEMBER,
+          joinedAt: new Date("2026-01-02"),
+        });
+      mockPrismaService.workspaceMember.update.mockResolvedValueOnce(updatedMembership);
+
+      const result = await service.updateMemberRole(mockWorkspaceId, mockUserId, mockMemberUserId, {
+        role: WorkspaceMemberRole.ADMIN,
+      });
+
+      expect(result).toEqual(updatedMembership);
+      expect(mockPrismaService.workspaceMember.update).toHaveBeenCalledWith({
+        where: {
+          workspaceId_userId: {
+            workspaceId: mockWorkspaceId,
+            userId: mockMemberUserId,
+          },
+        },
+        data: {
+          role: WorkspaceMemberRole.ADMIN,
+        },
+      });
+    });
+
+    it("should throw NotFoundException when target member does not exist", async () => {
+      mockPrismaService.workspaceMember.findUnique
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          joinedAt: new Date("2026-01-01"),
+        })
+        .mockResolvedValueOnce(null);
+
+      await expect(
+        service.updateMemberRole(mockWorkspaceId, mockUserId, mockMemberUserId, {
+          role: WorkspaceMemberRole.ADMIN,
+        })
+      ).rejects.toThrow(NotFoundException);
+    });
+
+    it("should throw BadRequestException when sole owner attempts self-demotion", async () => {
+      mockPrismaService.workspaceMember.findUnique
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          joinedAt: new Date("2026-01-01"),
+        })
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          joinedAt: new Date("2026-01-01"),
+        });
+      mockPrismaService.workspaceMember.count.mockResolvedValueOnce(1);
+
+      await expect(
+        service.updateMemberRole(mockWorkspaceId, mockUserId, mockUserId, {
+          role: WorkspaceMemberRole.ADMIN,
+        })
+      ).rejects.toThrow(BadRequestException);
+    });
+
+    it("should throw ForbiddenException when actor tries to change role of higher-ranked member", async () => {
+      mockPrismaService.workspaceMember.findUnique
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockAdminUserId,
+          role: WorkspaceMemberRole.ADMIN,
+          joinedAt: new Date("2026-01-01"),
+        })
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          joinedAt: new Date("2026-01-01"),
+        });
+
+      await expect(
+        service.updateMemberRole(mockWorkspaceId, mockAdminUserId, mockUserId, {
+          role: WorkspaceMemberRole.MEMBER,
+        })
+      ).rejects.toThrow(ForbiddenException);
+    });
+  });
+
+  describe("removeMember", () => {
+    it("should remove a workspace member", async () => {
+      mockPrismaService.workspaceMember.findUnique
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          joinedAt: new Date("2026-01-01"),
+        })
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockMemberUserId,
+          role: WorkspaceMemberRole.MEMBER,
+          joinedAt: new Date("2026-01-02"),
+        });
+      mockPrismaService.workspaceMember.delete.mockResolvedValueOnce({
+        workspaceId: mockWorkspaceId,
+        userId: mockMemberUserId,
+        role: WorkspaceMemberRole.MEMBER,
+        joinedAt: new Date("2026-01-02"),
+      });
+
+      await service.removeMember(mockWorkspaceId, mockUserId, mockMemberUserId);
+
+      expect(mockPrismaService.workspaceMember.delete).toHaveBeenCalledWith({
+        where: {
+          workspaceId_userId: {
+            workspaceId: mockWorkspaceId,
+            userId: mockMemberUserId,
+          },
+        },
+      });
+    });
+
+    it("should throw BadRequestException when trying to remove the last owner", async () => {
+      mockPrismaService.workspaceMember.findUnique
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          joinedAt: new Date("2026-01-01"),
+        })
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          joinedAt: new Date("2026-01-01"),
+        });
+      mockPrismaService.workspaceMember.count.mockResolvedValueOnce(1);
+
+      await expect(service.removeMember(mockWorkspaceId, mockUserId, mockUserId)).rejects.toThrow(
+        BadRequestException
+      );
+    });
+
+    it("should throw ForbiddenException when admin attempts to remove an owner", async () => {
+      mockPrismaService.workspaceMember.findUnique
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockAdminUserId,
+          role: WorkspaceMemberRole.ADMIN,
+          joinedAt: new Date("2026-01-01"),
+        })
+        .mockResolvedValueOnce({
+          workspaceId: mockWorkspaceId,
+          userId: mockUserId,
+          role: WorkspaceMemberRole.OWNER,
+          joinedAt: new Date("2026-01-01"),
+        });
+
+      await expect(
+        service.removeMember(mockWorkspaceId, mockAdminUserId, mockUserId)
+      ).rejects.toThrow(ForbiddenException);
+    });
+  });
+});

apps/api/src/workspaces/workspaces.service.ts

@@ -0,0 +1,345 @@
+import {
+  BadRequestException,
+  ConflictException,
+  ForbiddenException,
+  Injectable,
+  Logger,
+  NotFoundException,
+} from "@nestjs/common";
+import { Prisma, WorkspaceMemberRole } from "@prisma/client";
+import type { WorkspaceMember } from "@prisma/client";
+import { PrismaService } from "../prisma/prisma.service";
+import type { AddMemberDto, UpdateMemberRoleDto, WorkspaceResponseDto } from "./dto";
+
+const WORKSPACE_ROLE_RANK: Record<WorkspaceMemberRole, number> = {
+  [WorkspaceMemberRole.GUEST]: 1,
+  [WorkspaceMemberRole.MEMBER]: 2,
+  [WorkspaceMemberRole.ADMIN]: 3,
+  [WorkspaceMemberRole.OWNER]: 4,
+};
+
+@Injectable()
+export class WorkspacesService {
+  private readonly logger = new Logger(WorkspacesService.name);
+
+  constructor(private readonly prisma: PrismaService) {}
+
+  /**
+   * Get all workspaces the user is a member of.
+   *
+   * Auto-provisioning: if the user has no workspace memberships (e.g. fresh
+   * signup via BetterAuth), a default workspace is created atomically and
+   * returned.  This is the only call site for workspace bootstrapping.
+   */
+  async getUserWorkspaces(userId: string): Promise<WorkspaceResponseDto[]> {
+    const memberships = await this.prisma.workspaceMember.findMany({
+      where: { userId },
+      include: {
+        workspace: {
+          select: { id: true, name: true, ownerId: true, createdAt: true },
+        },
+      },
+      orderBy: { joinedAt: "asc" },
+    });
+
+    if (memberships.length > 0) {
+      return memberships.map((m) => ({
+        id: m.workspace.id,
+        name: m.workspace.name,
+        ownerId: m.workspace.ownerId,
+        role: m.role,
+        createdAt: m.workspace.createdAt,
+      }));
+    }
+
+    // Auto-provision a default workspace for new users.
+    // Re-query inside the transaction to guard against concurrent requests
+    // both seeing zero memberships and creating duplicate workspaces.
+    this.logger.log(`Auto-provisioning default workspace for user ${userId}`);
+
+    const workspace = await this.prisma.$transaction(async (tx) => {
+      const existing = await tx.workspaceMember.findFirst({
+        where: { userId },
+        include: {
+          workspace: {
+            select: { id: true, name: true, ownerId: true, createdAt: true },
+          },
+        },
+      });
+      if (existing) {
+        return { ...existing.workspace, alreadyExisted: true as const };
+      }
+
+      const created = await tx.workspace.create({
+        data: {
+          name: "My Workspace",
+          ownerId: userId,
+          settings: {},
+        },
+      });
+      await tx.workspaceMember.create({
+        data: {
+          workspaceId: created.id,
+          userId,
+          role: WorkspaceMemberRole.OWNER,
+        },
+      });
+      return { ...created, alreadyExisted: false as const };
+    });
+
+    if (workspace.alreadyExisted) {
+      return [
+        {
+          id: workspace.id,
+          name: workspace.name,
+          ownerId: workspace.ownerId,
+          role: WorkspaceMemberRole.OWNER,
+          createdAt: workspace.createdAt,
+        },
+      ];
+    }
+
+    return [
+      {
+        id: workspace.id,
+        name: workspace.name,
+        ownerId: workspace.ownerId,
+        role: WorkspaceMemberRole.OWNER,
+        createdAt: workspace.createdAt,
+      },
+    ];
+  }
+
+  /**
+   * Add a member to a workspace.
+   */
+  async addMember(
+    workspaceId: string,
+    actorUserId: string,
+    addMemberDto: AddMemberDto
+  ): Promise<WorkspaceMember> {
+    const actorMembership = await this.prisma.workspaceMember.findUnique({
+      where: {
+        workspaceId_userId: {
+          workspaceId,
+          userId: actorUserId,
+        },
+      },
+      select: {
+        role: true,
+      },
+    });
+
+    if (!actorMembership) {
+      throw new ForbiddenException("You are not a member of this workspace");
+    }
+
+    this.assertCanAssignRole(actorMembership.role, addMemberDto.role);
+
+    const user = await this.prisma.user.findUnique({
+      where: { id: addMemberDto.userId },
+      select: { id: true },
+    });
+
+    if (!user) {
+      throw new NotFoundException(`User with ID ${addMemberDto.userId} not found`);
+    }
+
+    const existingMembership = await this.prisma.workspaceMember.findUnique({
+      where: {
+        workspaceId_userId: {
+          workspaceId,
+          userId: addMemberDto.userId,
+        },
+      },
+      select: {
+        workspaceId: true,
+        userId: true,
+      },
+    });
+
+    if (existingMembership) {
+      throw new ConflictException("User is already a member of this workspace");
+    }
+
+    try {
+      return await this.prisma.workspaceMember.create({
+        data: {
+          workspaceId,
+          userId: addMemberDto.userId,
+          role: addMemberDto.role,
+        },
+      });
+    } catch (error) {
+      if (this.isUniqueConstraintError(error)) {
+        throw new ConflictException("User is already a member of this workspace");
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Update the role of an existing workspace member.
+   */
+  async updateMemberRole(
+    workspaceId: string,
+    actorUserId: string,
+    targetUserId: string,
+    updateMemberRoleDto: UpdateMemberRoleDto
+  ): Promise<WorkspaceMember> {
+    return this.prisma.$transaction(async (tx) => {
+      const actorMembership = await tx.workspaceMember.findUnique({
+        where: {
+          workspaceId_userId: {
+            workspaceId,
+            userId: actorUserId,
+          },
+        },
+        select: {
+          role: true,
+        },
+      });
+
+      if (!actorMembership) {
+        throw new ForbiddenException("You are not a member of this workspace");
+      }
+
+      const targetMembership = await tx.workspaceMember.findUnique({
+        where: {
+          workspaceId_userId: {
+            workspaceId,
+            userId: targetUserId,
+          },
+        },
+        select: {
+          role: true,
+        },
+      });
+
+      if (!targetMembership) {
+        throw new NotFoundException(`User ${targetUserId} is not a member of this workspace`);
+      }
+
+      this.assertCanManageTargetMember(actorMembership.role, targetMembership.role);
+      this.assertCanAssignRole(actorMembership.role, updateMemberRoleDto.role);
+
+      if (targetMembership.role === WorkspaceMemberRole.OWNER) {
+        const isDemotion = updateMemberRoleDto.role !== WorkspaceMemberRole.OWNER;
+        if (isDemotion) {
+          const ownerCount = await tx.workspaceMember.count({
+            where: {
+              workspaceId,
+              role: WorkspaceMemberRole.OWNER,
+            },
+          });
+          if (ownerCount <= 1) {
+            if (actorUserId === targetUserId) {
+              throw new BadRequestException("Cannot self-demote if you are the sole owner");
+            }
+            throw new BadRequestException("Cannot remove the last owner from a workspace");
+          }
+        }
+      }
+
+      return tx.workspaceMember.update({
+        where: {
+          workspaceId_userId: {
+            workspaceId,
+            userId: targetUserId,
+          },
+        },
+        data: {
+          role: updateMemberRoleDto.role,
+        },
+      });
+    });
+  }
+
+  /**
+   * Remove a member from a workspace.
+   */
+  async removeMember(
+    workspaceId: string,
+    actorUserId: string,
+    targetUserId: string
+  ): Promise<void> {
+    await this.prisma.$transaction(async (tx) => {
+      const actorMembership = await tx.workspaceMember.findUnique({
+        where: {
+          workspaceId_userId: {
+            workspaceId,
+            userId: actorUserId,
+          },
+        },
+        select: {
+          role: true,
+        },
+      });
+
+      if (!actorMembership) {
+        throw new ForbiddenException("You are not a member of this workspace");
+      }
+
+      const targetMembership = await tx.workspaceMember.findUnique({
+        where: {
+          workspaceId_userId: {
+            workspaceId,
+            userId: targetUserId,
+          },
+        },
+        select: {
+          role: true,
+        },
+      });
+
+      if (!targetMembership) {
+        throw new NotFoundException(`User ${targetUserId} is not a member of this workspace`);
+      }
+
+      this.assertCanManageTargetMember(actorMembership.role, targetMembership.role);
+
+      if (targetMembership.role === WorkspaceMemberRole.OWNER) {
+        const ownerCount = await tx.workspaceMember.count({
+          where: {
+            workspaceId,
+            role: WorkspaceMemberRole.OWNER,
+          },
+        });
+        if (ownerCount <= 1) {
+          throw new BadRequestException("Cannot remove the last owner from a workspace");
+        }
+      }
+
+      await tx.workspaceMember.delete({
+        where: {
+          workspaceId_userId: {
+            workspaceId,
+            userId: targetUserId,
+          },
+        },
+      });
+    });
+  }
+
+  private assertCanAssignRole(
+    actorRole: WorkspaceMemberRole,
+    requestedRole: WorkspaceMemberRole
+  ): void {
+    if (WORKSPACE_ROLE_RANK[actorRole] < WORKSPACE_ROLE_RANK[requestedRole]) {
+      throw new ForbiddenException("You cannot assign a role higher than your own");
+    }
+  }
+
+  private assertCanManageTargetMember(
+    actorRole: WorkspaceMemberRole,
+    targetRole: WorkspaceMemberRole
+  ): void {
+    if (WORKSPACE_ROLE_RANK[actorRole] < WORKSPACE_ROLE_RANK[targetRole]) {
+      throw new ForbiddenException("You cannot manage a member with a higher role");
+    }
+  }
+
+  private isUniqueConstraintError(error: unknown): error is Prisma.PrismaClientKnownRequestError {
+    return error instanceof Prisma.PrismaClientKnownRequestError && error.code === "P2002";
+  }
+}

apps/web/src/app/(authenticated)/profile/page.tsx

@@ -265,23 +265,8 @@ export default function ProfilePage(): ReactElement {
               </p>
             )}
 
-            {user?.workspaceRole && (
-              <span
-                style={{
-                  display: "inline-block",
-                  marginTop: 8,
-                  padding: "3px 10px",
-                  borderRadius: "var(--r)",
-                  background: "rgba(47, 128, 255, 0.1)",
-                  color: "var(--ms-blue-400)",
-                  fontSize: "0.75rem",
-                  fontWeight: 600,
-                  textTransform: "capitalize",
-                }}
-              >
-                {user.workspaceRole}
-              </span>
-            )}
+            {/* Workspace role badge — placeholder until workspace context API
+                provides role data via GET /api/workspaces */}
           </div>
         </div>
       </div>

apps/web/src/app/(authenticated)/settings/workspaces/[id]/page.tsx

@@ -39,6 +39,12 @@ const mockMembers: WorkspaceMemberWithUser[] = [
       image: null,
       authProviderId: null,
       preferences: {},
+      deactivatedAt: null,
+      isLocalAuth: false,
+      passwordHash: null,
+      invitedBy: null,
+      invitationToken: null,
+      invitedAt: null,
       createdAt: new Date("2024-01-15"),
       updatedAt: new Date("2024-01-15"),
     },
@@ -56,6 +62,12 @@ const mockMembers: WorkspaceMemberWithUser[] = [
       image: null,
       authProviderId: null,
       preferences: {},
+      deactivatedAt: null,
+      isLocalAuth: false,
+      passwordHash: null,
+      invitedBy: null,
+      invitationToken: null,
+      invitedAt: null,
       createdAt: new Date("2024-01-16"),
       updatedAt: new Date("2024-01-16"),
     },
@@ -73,6 +85,12 @@ const mockMembers: WorkspaceMemberWithUser[] = [
       image: null,
       authProviderId: null,
       preferences: {},
+      deactivatedAt: null,
+      isLocalAuth: false,
+      passwordHash: null,
+      invitedBy: null,
+      invitationToken: null,
+      invitedAt: null,
       createdAt: new Date("2024-01-17"),
       updatedAt: new Date("2024-01-17"),
     },

apps/web/src/app/settings/workspaces/[id]/teams/[teamId]/page.tsx

@@ -21,6 +21,12 @@ const mockAvailableUsers: User[] = [
     image: null,
     authProviderId: null,
     preferences: {},
+    deactivatedAt: null,
+    isLocalAuth: false,
+    passwordHash: null,
+    invitedBy: null,
+    invitationToken: null,
+    invitedAt: null,
     createdAt: new Date("2026-01-17"),
     updatedAt: new Date("2026-01-17"),
   },
@@ -32,6 +38,12 @@ const mockAvailableUsers: User[] = [
     image: null,
     authProviderId: null,
     preferences: {},
+    deactivatedAt: null,
+    isLocalAuth: false,
+    passwordHash: null,
+    invitedBy: null,
+    invitationToken: null,
+    invitedAt: null,
     createdAt: new Date("2026-01-18"),
     updatedAt: new Date("2026-01-18"),
   },

apps/web/src/components/chat/Chat.tsx

@@ -5,6 +5,7 @@ import { useAuth } from "@/lib/auth/auth-context";
 import { useChat } from "@/hooks/useChat";
 import { useOrchestratorCommands } from "@/hooks/useOrchestratorCommands";
 import { useWebSocket } from "@/hooks/useWebSocket";
+import { useWorkspaceId } from "@/lib/hooks";
 import { MessageList } from "./MessageList";
 import { ChatInput, type ModelId, DEFAULT_TEMPERATURE, DEFAULT_MAX_TOKENS } from "./ChatInput";
 import { ChatEmptyState } from "./ChatEmptyState";
@@ -89,7 +90,11 @@ export const Chat = forwardRef<ChatRef, ChatProps>(function Chat(
     ...(initialProjectId !== undefined && { projectId: initialProjectId }),
   });
 
-  const { isConnected: isWsConnected } = useWebSocket(user?.id ?? "", "", {});
+  // Read workspace ID from localStorage (set by auth-context after session check).
+  // Cookie-based auth (withCredentials) handles authentication, so no explicit
+  // token is needed here — pass an empty string as the token placeholder.
+  const workspaceId = useWorkspaceId() ?? "";
+  const { isConnected: isWsConnected } = useWebSocket(workspaceId, "", {});
 
   const { isCommand, executeCommand } = useOrchestratorCommands();
 

apps/web/src/components/layout/AppSidebar.tsx

@@ -464,7 +464,7 @@ function UserCard({ collapsed }: UserCardProps): React.JSX.Element {
 
   const displayName = user?.name ?? "User";
   const initials = getInitials(displayName);
-  const role = user?.workspaceRole ?? "Member";
+  const role = "Member";
 
   return (
     <footer

apps/web/src/components/workspace/MemberList.test.tsx

@@ -20,6 +20,12 @@ const makeMember = (
     image: null,
     authProviderId: `auth-${overrides.userId}`,
     preferences: {},
+    deactivatedAt: null,
+    isLocalAuth: false,
+    passwordHash: null,
+    invitedBy: null,
+    invitationToken: null,
+    invitedAt: null,
     createdAt: new Date("2025-01-01"),
     updatedAt: new Date("2025-01-01"),
   },
@@ -62,6 +68,12 @@ describe("MemberList", (): void => {
           image: null,
           authProviderId: "auth-2",
           preferences: {},
+          deactivatedAt: null,
+          isLocalAuth: false,
+          passwordHash: null,
+          invitedBy: null,
+          invitationToken: null,
+          invitedAt: null,
           createdAt: new Date("2025-01-01"),
           updatedAt: new Date("2025-01-01"),
         },

apps/web/src/hooks/useWebSocket.test.tsx

@@ -47,6 +47,7 @@ describe("useWebSocket", (): void => {
     expect(io).toHaveBeenCalledWith(expect.any(String), {
       auth: { token },
       query: { workspaceId },
+      withCredentials: true,
     });
   });
 

apps/web/src/hooks/useWebSocket.ts

@@ -97,9 +97,12 @@ export function useWebSocket(
     setConnectionError(null);
 
     // Create socket connection
+    // withCredentials sends session cookies cross-origin so the gateway can
+    // authenticate via cookie when no explicit token is provided.
     const newSocket = io(wsUrl, {
       auth: { token },
       query: { workspaceId },
+      withCredentials: true,
     });
 
     setSocket(newSocket);

apps/web/src/lib/api/index.ts

@@ -15,3 +15,4 @@ export * from "./personalities";
 export * from "./telemetry";
 export * from "./dashboard";
 export * from "./projects";
+export * from "./workspaces";

apps/web/src/lib/api/teams.ts

@@ -1,14 +1,29 @@
-/**
- * Teams API Client
- * Handles team-related API requests
- */
-
-import type { Team, TeamMember, User } from "@mosaic/shared";
+import type {
+  Team,
+  TeamMember,
+  User,
+  WorkspaceMemberRole,
+} from "@mosaic/shared";
 import { TeamMemberRole } from "@mosaic/shared";
-import { apiGet, apiPost, apiPatch, apiDelete, type ApiResponse } from "./client";
+import { apiDelete, apiGet, apiPost, type ApiResponse } from "./client";
+
+export interface TeamMemberWithUser extends TeamMember {
+  user: Pick<User, "id" | "name" | "email" | "image">;
+}
 
 export interface TeamWithMembers extends Team {
-  members: (TeamMember & { user: User })[];
+  members?: TeamMemberWithUser[];
+  _count?: {
+    members: number;
+  };
+}
+
+export interface WorkspaceMemberWithUser {
+  workspaceId: string;
+  userId: string;
+  role: WorkspaceMemberRole;
+  joinedAt: string | Date;
+  user: Pick<User, "id" | "name" | "email" | "image">;
 }
 
 export interface CreateTeamDto {
@@ -16,108 +31,81 @@ export interface CreateTeamDto {
   description?: string;
 }
 
-export interface UpdateTeamDto {
-  name?: string;
-  description?: string;
-}
-
 export interface AddTeamMemberDto {
   userId: string;
   role?: TeamMemberRole;
 }
 
-/**
- * Fetch all teams for a workspace
- */
-export async function fetchTeams(workspaceId: string): Promise<Team[]> {
-  const response = await apiGet<ApiResponse<Team[]>>(`/api/workspaces/${workspaceId}/teams`);
-  return response.data;
+type ApiPayload<T> = T | ApiResponse<T>;
+
+function isApiResponse<T>(payload: ApiPayload<T>): payload is ApiResponse<T> {
+  return typeof payload === "object" && payload !== null && "data" in payload;
 }
 
-/**
- * Fetch a single team with members
- */
-export async function fetchTeam(workspaceId: string, teamId: string): Promise<TeamWithMembers> {
-  const response = await apiGet<ApiResponse<TeamWithMembers>>(
-    `/api/workspaces/${workspaceId}/teams/${teamId}`
+function unwrapPayload<T>(payload: ApiPayload<T>): T {
+  return isApiResponse(payload) ? payload.data : payload;
+}
+
+export function getTeamMemberCount(team: TeamWithMembers): number {
+  if (Array.isArray(team.members)) {
+    return team.members.length;
+  }
+
+  return team._count?.members ?? 0;
+}
+
+export async function fetchTeams(workspaceId: string): Promise<TeamWithMembers[]> {
+  const payload = await apiGet<ApiPayload<TeamWithMembers[]>>(
+    `/api/workspaces/${workspaceId}/teams`,
+    workspaceId
   );
-  return response.data;
+  return unwrapPayload(payload);
 }
 
-/**
- * Create a new team
- */
-export async function createTeam(workspaceId: string, data: CreateTeamDto): Promise<Team> {
-  const response = await apiPost<ApiResponse<Team>>(`/api/workspaces/${workspaceId}/teams`, data);
-  return response.data;
-}
-
-/**
- * Update a team
- */
-export async function updateTeam(
-  workspaceId: string,
-  teamId: string,
-  data: UpdateTeamDto
-): Promise<Team> {
-  const response = await apiPatch<ApiResponse<Team>>(
-    `/api/workspaces/${workspaceId}/teams/${teamId}`,
-    data
+export async function createTeam(workspaceId: string, data: CreateTeamDto): Promise<TeamWithMembers> {
+  const payload = await apiPost<ApiPayload<TeamWithMembers>>(
+    `/api/workspaces/${workspaceId}/teams`,
+    data,
+    workspaceId
   );
-  return response.data;
+  return unwrapPayload(payload);
 }
 
-/**
- * Delete a team
- */
 export async function deleteTeam(workspaceId: string, teamId: string): Promise<void> {
-  await apiDelete(`/api/workspaces/${workspaceId}/teams/${teamId}`);
+  await apiDelete<void>(`/api/workspaces/${workspaceId}/teams/${teamId}`, workspaceId);
 }
 
-/**
- * Add a member to a team
- */
 export async function addTeamMember(
   workspaceId: string,
   teamId: string,
   data: AddTeamMemberDto
-): Promise<TeamMember> {
-  const response = await apiPost<ApiResponse<TeamMember>>(
+): Promise<TeamMemberWithUser> {
+  const payload = await apiPost<ApiPayload<TeamMemberWithUser>>(
     `/api/workspaces/${workspaceId}/teams/${teamId}/members`,
-    data
+    data,
+    workspaceId
   );
-  return response.data;
+  return unwrapPayload(payload);
 }
 
-/**
- * Remove a member from a team
- */
 export async function removeTeamMember(
   workspaceId: string,
   teamId: string,
   userId: string
 ): Promise<void> {
-  await apiDelete(`/api/workspaces/${workspaceId}/teams/${teamId}/members/${userId}`);
+  await apiDelete<void>(`/api/workspaces/${workspaceId}/teams/${teamId}/members/${userId}`, workspaceId);
 }
 
-/**
- * Update a team member's role
- */
-export async function updateTeamMemberRole(
-  workspaceId: string,
-  teamId: string,
-  userId: string,
-  role: TeamMemberRole
-): Promise<TeamMember> {
-  const response = await apiPatch<ApiResponse<TeamMember>>(
-    `/api/workspaces/${workspaceId}/teams/${teamId}/members/${userId}`,
-    { role }
+export async function fetchWorkspaceMembers(workspaceId: string): Promise<WorkspaceMemberWithUser[]> {
+  const payload = await apiGet<ApiPayload<WorkspaceMemberWithUser[]>>(
+    `/api/workspaces/${workspaceId}/members`,
+    workspaceId
   );
-  return response.data;
+  return unwrapPayload(payload);
 }
 
 /**
- * Mock teams for development (until backend endpoints are ready)
+ * Mock teams for development in legacy routes under /app/settings.
  */
 export const mockTeams: Team[] = [
   {
@@ -133,7 +121,7 @@ export const mockTeams: Team[] = [
     id: "team-2",
     workspaceId: "workspace-1",
     name: "Design",
-    description: "UI/UX design team",
+    description: "UI and UX design team",
     metadata: {},
     createdAt: new Date("2026-01-22"),
     updatedAt: new Date("2026-01-22"),
@@ -149,24 +137,16 @@ export const mockTeams: Team[] = [
   },
 ];
 
-/**
- * Mock team with members for development
- */
-const baseTeam = mockTeams[0];
-if (!baseTeam) {
-  throw new Error("Mock team not found");
+const [defaultMockTeam] = mockTeams;
+if (!defaultMockTeam) {
+  throw new Error("Mock team was not found");
 }
+
 export const mockTeamWithMembers: TeamWithMembers = {
-  id: baseTeam.id,
-  workspaceId: baseTeam.workspaceId,
-  name: baseTeam.name,
-  description: baseTeam.description,
-  metadata: baseTeam.metadata,
-  createdAt: baseTeam.createdAt,
-  updatedAt: baseTeam.updatedAt,
+  ...defaultMockTeam,
   members: [
     {
-      teamId: "team-1",
+      teamId: defaultMockTeam.id,
       userId: "user-1",
       role: TeamMemberRole.OWNER,
       joinedAt: new Date("2026-01-20"),
@@ -174,16 +154,11 @@ export const mockTeamWithMembers: TeamWithMembers = {
         id: "user-1",
         email: "john@example.com",
         name: "John Doe",
-        emailVerified: true,
         image: null,
-        authProviderId: null,
-        preferences: {},
-        createdAt: new Date("2026-01-15"),
-        updatedAt: new Date("2026-01-15"),
       },
     },
     {
-      teamId: "team-1",
+      teamId: defaultMockTeam.id,
       userId: "user-2",
       role: TeamMemberRole.MEMBER,
       joinedAt: new Date("2026-01-21"),
@@ -191,12 +166,7 @@ export const mockTeamWithMembers: TeamWithMembers = {
         id: "user-2",
         email: "jane@example.com",
         name: "Jane Smith",
-        emailVerified: true,
         image: null,
-        authProviderId: null,
-        preferences: {},
-        createdAt: new Date("2026-01-16"),
-        updatedAt: new Date("2026-01-16"),
       },
     },
   ],

apps/web/src/lib/api/workspaces.ts

@@ -0,0 +1,26 @@
+/**
+ * Workspaces API Client
+ * User-scoped workspace discovery — does NOT require X-Workspace-Id header.
+ */
+
+import { apiGet } from "./client";
+
+/**
+ * A workspace entry from the user's membership list.
+ * Matches WorkspaceResponseDto from the API.
+ */
+export interface UserWorkspace {
+  id: string;
+  name: string;
+  ownerId: string;
+  role: string;
+  createdAt: string;
+}
+
+/**
+ * Fetch all workspaces the authenticated user is a member of.
+ * The API auto-provisions a default workspace if the user has none.
+ */
+export async function fetchUserWorkspaces(): Promise<UserWorkspace[]> {
+  return apiGet<UserWorkspace[]>("/api/workspaces");
+}

apps/web/src/lib/auth/auth-context.test.tsx

@@ -10,7 +10,13 @@ vi.mock("../api/client", () => ({
   apiPost: vi.fn(),
 }));
 
+// Mock the workspaces API client
+vi.mock("../api/workspaces", () => ({
+  fetchUserWorkspaces: vi.fn(),
+}));
+
 const { apiGet, apiPost } = await import("../api/client");
+const { fetchUserWorkspaces } = await import("../api/workspaces");
 
 /** Helper: returns a date far in the future (1 hour from now) for session mocks */
 function futureExpiry(): string {
@@ -691,4 +697,225 @@ describe("AuthContext", (): void => {
       });
     });
   });
+
+  describe("workspace ID persistence", (): void => {
+    // ---------------------------------------------------------------------------
+    // localStorage mock for workspace persistence tests
+    // ---------------------------------------------------------------------------
+    interface MockLocalStorage {
+      getItem: ReturnType<typeof vi.fn>;
+      setItem: ReturnType<typeof vi.fn>;
+      removeItem: ReturnType<typeof vi.fn>;
+      clear: ReturnType<typeof vi.fn>;
+      readonly length: number;
+      key: ReturnType<typeof vi.fn>;
+    }
+
+    let localStorageMock: MockLocalStorage;
+
+    beforeEach((): void => {
+      let store: Record<string, string> = {};
+      localStorageMock = {
+        getItem: vi.fn((key: string): string | null => store[key] ?? null),
+        setItem: vi.fn((key: string, value: string): void => {
+          store[key] = value;
+        }),
+        removeItem: vi.fn((key: string): void => {
+          store = Object.fromEntries(Object.entries(store).filter(([k]) => k !== key));
+        }),
+        clear: vi.fn((): void => {
+          store = {};
+        }),
+        get length(): number {
+          return Object.keys(store).length;
+        },
+        key: vi.fn((_index: number): string | null => null),
+      };
+
+      Object.defineProperty(window, "localStorage", {
+        value: localStorageMock,
+        writable: true,
+        configurable: true,
+      });
+
+      vi.resetAllMocks();
+    });
+
+    afterEach((): void => {
+      vi.restoreAllMocks();
+    });
+
+    it("should call fetchUserWorkspaces after successful session check", async (): Promise<void> => {
+      const mockUser: AuthUser = {
+        id: "user-1",
+        email: "test@example.com",
+        name: "Test User",
+      };
+
+      vi.mocked(apiGet).mockResolvedValueOnce({
+        user: mockUser,
+        session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
+      });
+      vi.mocked(fetchUserWorkspaces).mockResolvedValueOnce([
+        {
+          id: "ws-1",
+          name: "My Workspace",
+          ownerId: "user-1",
+          role: "OWNER",
+          createdAt: "2026-01-01",
+        },
+      ]);
+
+      render(
+        <AuthProvider>
+          <TestComponent />
+        </AuthProvider>
+      );
+
+      await waitFor(() => {
+        expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated");
+      });
+
+      expect(fetchUserWorkspaces).toHaveBeenCalledTimes(1);
+    });
+
+    it("should persist the first workspace ID to localStorage", async (): Promise<void> => {
+      const mockUser: AuthUser = {
+        id: "user-1",
+        email: "test@example.com",
+        name: "Test User",
+      };
+
+      vi.mocked(apiGet).mockResolvedValueOnce({
+        user: mockUser,
+        session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
+      });
+      vi.mocked(fetchUserWorkspaces).mockResolvedValueOnce([
+        {
+          id: "ws-abc-123",
+          name: "My Workspace",
+          ownerId: "user-1",
+          role: "OWNER",
+          createdAt: "2026-01-01",
+        },
+        {
+          id: "ws-def-456",
+          name: "Second Workspace",
+          ownerId: "other",
+          role: "MEMBER",
+          createdAt: "2026-02-01",
+        },
+      ]);
+
+      render(
+        <AuthProvider>
+          <TestComponent />
+        </AuthProvider>
+      );
+
+      await waitFor(() => {
+        expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated");
+      });
+
+      expect(localStorageMock.setItem).toHaveBeenCalledWith("mosaic-workspace-id", "ws-abc-123");
+    });
+
+    it("should not write localStorage when fetchUserWorkspaces returns empty array", async (): Promise<void> => {
+      const mockUser: AuthUser = {
+        id: "user-1",
+        email: "test@example.com",
+        name: "Test User",
+      };
+
+      vi.mocked(apiGet).mockResolvedValueOnce({
+        user: mockUser,
+        session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
+      });
+      vi.mocked(fetchUserWorkspaces).mockResolvedValueOnce([]);
+
+      render(
+        <AuthProvider>
+          <TestComponent />
+        </AuthProvider>
+      );
+
+      await waitFor(() => {
+        expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated");
+      });
+
+      expect(localStorageMock.setItem).not.toHaveBeenCalledWith(
+        "mosaic-workspace-id",
+        expect.anything()
+      );
+    });
+
+    it("should handle fetchUserWorkspaces failure gracefully — auth still succeeds", async (): Promise<void> => {
+      const mockUser: AuthUser = {
+        id: "user-1",
+        email: "test@example.com",
+        name: "Test User",
+      };
+
+      vi.mocked(apiGet).mockResolvedValueOnce({
+        user: mockUser,
+        session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
+      });
+      vi.mocked(fetchUserWorkspaces).mockRejectedValueOnce(new Error("Network error"));
+
+      render(
+        <AuthProvider>
+          <TestComponent />
+        </AuthProvider>
+      );
+
+      await waitFor(() => {
+        expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated");
+      });
+
+      // Auth succeeded despite workspace fetch failure
+      expect(screen.getByTestId("auth-error")).toHaveTextContent("none");
+    });
+
+    it("should remove workspace ID from localStorage on sign-out", async (): Promise<void> => {
+      const mockUser: AuthUser = {
+        id: "user-1",
+        email: "test@example.com",
+        name: "Test User",
+      };
+
+      vi.mocked(apiGet).mockResolvedValueOnce({
+        user: mockUser,
+        session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
+      });
+      vi.mocked(fetchUserWorkspaces).mockResolvedValueOnce([
+        {
+          id: "ws-1",
+          name: "My Workspace",
+          ownerId: "user-1",
+          role: "OWNER",
+          createdAt: "2026-01-01",
+        },
+      ]);
+      vi.mocked(apiPost).mockResolvedValueOnce({ success: true });
+
+      render(
+        <AuthProvider>
+          <TestComponent />
+        </AuthProvider>
+      );
+
+      await waitFor(() => {
+        expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated");
+      });
+
+      const signOutButton = screen.getByRole("button", { name: "Sign Out" });
+      signOutButton.click();
+
+      await waitFor(() => {
+        expect(screen.getByTestId("auth-status")).toHaveTextContent("Not Authenticated");
+      });
+
+      expect(localStorageMock.removeItem).toHaveBeenCalledWith("mosaic-workspace-id");
+    });
+  });
 });

apps/web/src/lib/auth/auth-context.tsx

@@ -11,6 +11,7 @@ import {
 } from "react";
 import type { AuthUser, AuthSession } from "@mosaic/shared";
 import { apiGet, apiPost } from "../api/client";
+import { fetchUserWorkspaces } from "../api/workspaces";
 import { IS_MOCK_AUTH_MODE } from "../config";
 import { parseAuthError } from "./auth-errors";
 
@@ -24,6 +25,43 @@ const SESSION_EXPIRY_WARNING_MINUTES = 5;
 
 /** Interval in milliseconds to check session expiry */
 const SESSION_CHECK_INTERVAL_MS = 60_000;
+
+/**
+ * localStorage key for the active workspace ID.
+ * Must match the WORKSPACE_KEY constant in useLayout.ts and the key read
+ * by apiRequest in client.ts.
+ */
+const WORKSPACE_STORAGE_KEY = "mosaic-workspace-id";
+
+/**
+ * Persist the workspace ID to localStorage so it is available to
+ * useWorkspaceId and apiRequest on the next render / request cycle.
+ * Silently ignores localStorage errors (private browsing, storage full).
+ */
+function persistWorkspaceId(workspaceId: string | undefined): void {
+  if (typeof window === "undefined") return;
+  try {
+    if (workspaceId) {
+      localStorage.setItem(WORKSPACE_STORAGE_KEY, workspaceId);
+    }
+  } catch {
+    // localStorage unavailable — not fatal
+  }
+}
+
+/**
+ * Remove the workspace ID from localStorage on sign-out so stale workspace
+ * context is not sent on subsequent unauthenticated requests.
+ */
+function clearWorkspaceId(): void {
+  if (typeof window === "undefined") return;
+  try {
+    localStorage.removeItem(WORKSPACE_STORAGE_KEY);
+  } catch {
+    // localStorage unavailable — not fatal
+  }
+}
+
 const MOCK_AUTH_USER: AuthUser = {
   id: "dev-user-local",
   email: "dev@localhost",
@@ -97,6 +135,19 @@ function RealAuthProvider({ children }: { children: ReactNode }): React.JSX.Elem
       setUser(session.user);
       setAuthError(null);
 
+      // Fetch the user's workspace memberships and persist the default.
+      // Workspace context is an application concern, not an auth concern —
+      // BetterAuth does not return workspace fields on the session user.
+      try {
+        const workspaces = await fetchUserWorkspaces();
+        const defaultWorkspace = workspaces[0];
+        if (defaultWorkspace) {
+          persistWorkspaceId(defaultWorkspace.id);
+        }
+      } catch (wsError) {
+        logAuthError("Failed to fetch workspaces after session check", wsError);
+      }
+
       // Track session expiry timestamp
       expiresAtRef.current = new Date(session.session.expiresAt);
 
@@ -128,6 +179,9 @@ function RealAuthProvider({ children }: { children: ReactNode }): React.JSX.Elem
       setUser(null);
       expiresAtRef.current = null;
       setSessionExpiring(false);
+      // Clear persisted workspace ID so stale context is not sent on
+      // subsequent unauthenticated API requests.
+      clearWorkspaceId();
     }
   }, []);
 

docs/MISSION-MANIFEST.md

@@ -1,74 +1,52 @@
-# Mission Manifest — MS20 Site Stabilization
+# Mission Manifest — MS21 Multi-Tenant RBAC Data Migration
 
 > Persistent document tracking full mission scope, status, and session history.
 > Updated by the orchestrator at each phase transition and milestone completion.
 
 ## Mission
 
-**ID:** ms20-site-stabilization-20260227
-**Statement:** Fix runtime bugs, missing API endpoints, orchestrator connectivity, and feature gaps discovered during live site testing at mosaic.woltje.com
-**Phase:** Planning
-**Current Milestone:** MS20-SiteStabilization
-**Progress:** 0 / 1 milestones
+**ID:** ms21-multi-tenant-rbac-data-migration-20260228
+**Statement:** Build multi-tenant user/workspace/team management, break-glass auth, RBAC UI enforcement, and migrate jarvis-brain data into Mosaic Stack
+**Phase:** Intake
+**Current Milestone:** —
+**Progress:** 0 / 6 milestones
 **Status:** active
-**Last Updated:** 2026-02-27T05:30Z
+**Last Updated:** 2026-02-28 17:10 UTC
 
 ## Success Criteria
 
-1. Domains page: can create and list domains without workspace errors
-2. Projects page: can create new projects without workspace errors
-3. Personalities page: full CRUD works with proper dark mode theming
-4. User preferences endpoint (`/users/me/preferences`) returns data
-5. Credentials page: can add, view credentials (not just disabled stub)
-6. Orchestrator proxy endpoints return real data (no 502)
-7. Orchestrator WebSocket connects successfully
-8. Dashboard Agent Status, Task Progress, Orchestrator Events widgets work
-9. Terminal has dedicated `/terminal` page route
-10. favicon.ico serves correctly (no 404)
-11. `useWorkspaceId` warning resolved — workspace ID persists in localStorage
-12. All 5 themes render correctly on all affected pages
-13. Lint, typecheck, and tests pass
-14. Deployed and verified at mosaic.woltje.com
-
-## Existing Infrastructure
-
-Key components already built that MS20 builds upon:
-
-| Component                 | Status          | Location                                        |
-| ------------------------- | --------------- | ----------------------------------------------- |
-| WorkspaceGuard            | Working         | `apps/api/src/common/guards/workspace.guard.ts` |
-| Auto-detect workspace ID  | Working (reads) | `apps/web/src/lib/api/client.ts`                |
-| Credentials API backend   | Built (M7)      | `apps/api/src/credentials/`                     |
-| Orchestrator proxy routes | Built (MS19)    | `apps/web/src/app/api/orchestrator/`            |
-| Terminal components       | Built (MS19)    | `apps/web/src/components/terminal/`             |
-| Theme system              | Working (MS18)  | `apps/web/src/lib/themes/`                      |
+<!-- Define measurable success criteria here -->
 
 ## Milestones
 
-| #   | ID   | Name               | Status      | Branch                    | Issue | Started    | Completed |
-| --- | ---- | ------------------ | ----------- | ------------------------- | ----- | ---------- | --------- |
-| 1   | MS20 | Site Stabilization | not-started | per-task feature branches | TBD   | 2026-02-27 | —         |
+| #   | ID      | Name                       | Status  | Branch | Issue | Started | Completed |
+| --- | ------- | -------------------------- | ------- | ------ | ----- | ------- | --------- |
+| 1   | phase-1 | Schema and Admin API       | pending | —      | —     | —       | —         |
+| 2   | phase-2 | Break-Glass Authentication | pending | —      | —     | —       | —         |
+| 3   | phase-3 | Data Migration             | pending | —      | —     | —       | —         |
+| 4   | phase-4 | Admin UI                   | pending | —      | —     | —       | —         |
+| 5   | phase-5 | RBAC UI Enforcement        | pending | —      | —     | —       | —         |
+| 6   | phase-6 | Verification               | pending | —      | —     | —       | —         |
 
 ## Deployment
 
-| Target    | URL               | Method                      |
-| --------- | ----------------- | --------------------------- |
-| Portainer | mosaic.woltje.com | CI/CD pipeline (Woodpecker) |
+| Target | URL | Method |
+| ------ | --- | ------ |
+| —      | —   | —      |
 
 ## Token Budget
 
-| Metric | Value             |
-| ------ | ----------------- |
-| Budget | ~400K (estimated) |
-| Used   | 0                 |
-| Mode   | normal            |
+| Metric | Value  |
+| ------ | ------ |
+| Budget | —      |
+| Used   | 0      |
+| Mode   | normal |
 
 ## Session History
 
-| Session | Runtime         | Started           | Duration | Ended Reason | Last Task |
-| ------- | --------------- | ----------------- | -------- | ------------ | --------- |
-| S1      | Claude Opus 4.6 | 2026-02-27T05:30Z | —        | —            | Planning  |
+| Session | Runtime | Started | Duration | Ended Reason | Last Task |
+| ------- | ------- | ------- | -------- | ------------ | --------- |
 
 ## Scratchpad
 
-Path: `docs/scratchpads/ms20-site-stabilization-20260227.md`
+Path: `docs/scratchpads/ms21-multi-tenant-rbac-data-migration-20260228.md`

docs/PRD-MS21.md

@@ -0,0 +1,246 @@
+# PRD: MS21 — Multi-Tenant Platform, RBAC Enforcement, and Data Migration
+
+## Metadata
+
+- Owner: Jason Woltje
+- Orchestrator: Jarvis (OpenClaw)
+- Date: 2026-02-28
+- Status: in-progress
+- Version: 0.0.21
+
+## Problem Statement
+
+Mosaic Stack is a single-user deployment. The Workspace, Team, WorkspaceMember, and RBAC infrastructure exist in the schema and codebase (PermissionGuard, WorkspaceGuard, roles: OWNER/ADMIN/MEMBER/GUEST), but there is no admin UI for managing users, workspaces, or teams. There is no invitation flow, no user management page, and no break-glass authentication mechanism for emergency access without OIDC. Additionally, the platform has no real operational data — jarvis-brain contains 106 projects and 95 tasks that need migrating into Mosaic Stack to make the dashboard, kanban, and project pages useful.
+
+## Objectives
+
+1. Build admin UI for user management (list, invite, deactivate, assign roles)
+2. Build workspace management UI (create, configure, manage members)
+3. Build team management UI (create teams within workspaces, assign members)
+4. Implement user invitation flow (email or link-based)
+5. Implement break-glass local authentication (bypass OIDC for emergency access)
+6. Enforce RBAC across all UI surfaces (show/hide based on role)
+7. Build admin Settings pages for workspace and platform configuration
+8. Migrate jarvis-brain data (95 tasks, 106 projects) into Mosaic Stack PostgreSQL
+9. Build data import API endpoint for bulk task/project creation
+
+## Completed Work
+
+### Existing Infrastructure (Already Built)
+
+| Component                                                         | Status   | Location                                                |
+| ----------------------------------------------------------------- | -------- | ------------------------------------------------------- |
+| Prisma models: User, Workspace, WorkspaceMember, Team, TeamMember | Complete | apps/api/prisma/schema.prisma                           |
+| WorkspaceMemberRole enum (OWNER, ADMIN, MEMBER, GUEST)            | Complete | schema.prisma                                           |
+| TeamMemberRole enum (OWNER, ADMIN, MEMBER)                        | Complete | schema.prisma                                           |
+| PermissionGuard with role hierarchy                               | Complete | apps/api/src/common/guards/permission.guard.ts          |
+| Permission decorator (@RequirePermission)                         | Complete | apps/api/src/common/decorators/permissions.decorator.ts |
+| Permission enum (WORKSPACE_OWNER, ADMIN, MEMBER, ANY)             | Complete | permissions.decorator.ts                                |
+| WorkspaceGuard                                                    | Complete | apps/api/src/common/guards/workspace.guard.ts           |
+| RBAC applied to 18+ controllers                                   | Complete | All resource controllers                                |
+| Workspaces CRUD API                                               | Complete | apps/api/src/workspaces/                                |
+| BetterAuth + Authentik OIDC                                       | Complete | apps/api/src/auth/                                      |
+| AdminGuard                                                        | Complete | apps/api/src/auth/guards/admin.guard.ts                 |
+
+## Scope
+
+### In Scope (MS21)
+
+#### S1: Admin API Endpoints (Backend)
+
+1. GET /api/admin/users — List all users with workspace memberships and roles
+2. POST /api/admin/users/invite — Generate invitation (email or link)
+3. PATCH /api/admin/users/:id — Update user metadata (deactivate, change global role)
+4. DELETE /api/admin/users/:id — Deactivate user (soft delete, preserve data)
+5. POST /api/admin/workspaces — Create workspace with owner assignment
+6. PATCH /api/admin/workspaces/:id — Update workspace settings
+7. POST /api/workspaces/:id/members — Add member to workspace with role
+8. PATCH /api/workspaces/:id/members/:userId — Change member role
+9. DELETE /api/workspaces/:id/members/:userId — Remove member from workspace
+10. POST /api/workspaces/:id/teams — Create team within workspace
+11. POST /api/workspaces/:id/teams/:teamId/members — Add member to team
+12. DELETE /api/workspaces/:id/teams/:teamId/members/:userId — Remove from team
+13. POST /api/import/tasks — Bulk import tasks from jarvis-brain format
+14. POST /api/import/projects — Bulk import projects from jarvis-brain format
+
+#### S2: Break-Glass Authentication
+
+15. Add isLocalAuth boolean field to User model (Prisma migration)
+16. Add passwordHash optional field to User model (for local auth users)
+17. Implement /api/auth/local/login endpoint (email + password, bcrypt)
+18. Implement /api/auth/local/setup endpoint (first-time break-glass user creation, requires admin token from env)
+19. Break-glass user bypasses OIDC entirely — session-based auth via BetterAuth
+20. Environment variable BREAKGLASS_SETUP_TOKEN controls initial setup access
+
+#### S3: Admin UI Pages (Frontend)
+
+21. /settings/users — User management page (table: name, email, role, status, workspaces, last login)
+22. User detail/edit dialog (change role, deactivate, view workspace memberships)
+23. Invite user dialog (email input, workspace selection, role selection)
+24. /settings/workspaces — Workspace management page (list workspaces, member counts)
+25. Workspace detail page (members list, team list, settings)
+26. Add/remove workspace member dialog with role picker
+27. /settings/teams — Team management within workspace context
+28. Create team dialog, add/remove team members
+
+#### S4: RBAC UI Enforcement
+
+29. Navigation sidebar: show/hide admin items based on user role
+30. Settings pages: restrict access to admin-only pages
+31. Action buttons: disable/hide create/delete based on permission level
+32. User profile: show current role and workspace memberships
+
+#### S5: Data Migration
+
+33. Build scripts/migrate-brain.ts — TypeScript migration script
+34. Read jarvis-brain data/tasks/\*.json (v2.0 format: { version, domain, tasks: [...] })
+35. Read jarvis-brain data/projects/\*.json (format: { version, project: {...}, tasks: [...] })
+36. Map brain status to Mosaic TaskStatus (done->COMPLETED, in-progress->IN_PROGRESS, backlog/pending/scheduled/not-started/planned->NOT_STARTED, blocked/on-hold->PAUSED, cancelled->ARCHIVED)
+37. Map brain priority to Mosaic TaskPriority (critical/high->HIGH, medium->MEDIUM, low->LOW)
+38. Create Domain records for unique domains (work, homelab, finances, family, etc.)
+39. Create Project records from project data, linking to domains
+40. Create Task records linking to projects, preserving brain-specific fields in metadata JSON
+41. Preserve blocks, blocked_by, repo, branch, current_milestone, notes in task/project metadata
+42. Dry-run mode with validation report before actual import
+43. Idempotent — skip records that already exist (match by metadata.brainId)
+
+### Out of Scope
+
+- Federation (MS22)
+- Agent task mapping and telemetry (MS23)
+- Playwright E2E tests (MS24)
+- Email delivery service (invitations stored as links for now)
+- User self-registration (admin-only invitation model)
+
+## User/Stakeholder Requirements
+
+1. Jason (admin) can invite Melanie to a shared workspace
+2. Jason can create a "USC IT" workspace and invite employees
+3. Each user sees only their workspace(s) data
+4. Break-glass user can log in without Authentik being available
+5. Admin pages are only visible to OWNER/ADMIN roles
+6. Data from jarvis-brain appears in the dashboard, kanban, and project pages after migration
+7. All existing tests continue to pass after changes
+
+## Functional Requirements
+
+### FR-001: Admin User Management API
+
+- AdminGuard protects all /api/admin/\* routes
+- List users returns: id, name, email, emailVerified, createdAt, workspace memberships with roles
+- Invite creates a User record with a pending invitation token
+- Deactivate sets a deactivatedAt timestamp (new field), does not delete data
+- ASSUMPTION: User deactivation is soft-delete via new deactivatedAt field on User model. Rationale: Hard delete would cascade and destroy workspace data.
+
+### FR-002: Workspace Member Management API
+
+- Add member requires WORKSPACE_ADMIN or WORKSPACE_OWNER permission
+- Role changes require equal or higher permission (MEMBER cannot promote to ADMIN)
+- Cannot remove the last OWNER of a workspace
+- Cannot change own role to lower than OWNER if sole owner
+
+### FR-003: Break-Glass Authentication
+
+- Local auth is opt-in per deployment via ENABLE_LOCAL_AUTH=true env var
+- Break-glass setup requires a one-time setup token from environment
+- Password stored as bcrypt hash, minimum 12 characters
+- Break-glass user gets OWNER role on default workspace
+- Session management identical to OIDC users (BetterAuth session tokens)
+- ASSUMPTION: BetterAuth supports custom credential providers alongside OIDC. Rationale: BetterAuth documentation confirms credential-based auth as a built-in feature.
+
+### FR-004: Admin UI
+
+- User management table with search, sort, filter by role/status
+- Inline role editing via dropdown
+- Confirmation dialog for destructive actions (deactivate user, remove from workspace)
+- PDA-friendly language: "Deactivate" not "Delete", "Pending" not "Expired"
+- Responsive design matching existing Settings page patterns
+- Dark/light theme support via existing design token system
+
+### FR-005: Data Migration Script
+
+- Standalone TypeScript script in scripts/migrate-brain.ts
+- Reads from jarvis-brain path (configurable via --brain-path flag)
+- Connects to Mosaic Stack database via DATABASE_URL
+- Requires target workspace ID (--workspace-id flag)
+- Requires creator user ID (--user-id flag)
+- Outputs validation report before writing (dry-run by default)
+- --apply flag to execute the migration
+- Creates Activity log entries for all imported records
+
+## Technical Design
+
+### Schema Changes (Prisma Migration)
+
+Add to User model:
+
+- deactivatedAt DateTime? (soft delete)
+- isLocalAuth Boolean default(false)
+- passwordHash String? (bcrypt hash for local auth)
+- invitedBy String? Uuid (FK to inviting user)
+- invitationToken String? unique
+- invitedAt DateTime?
+
+### New NestJS Module: AdminModule
+
+Location: apps/api/src/admin/
+Files: admin.module.ts, admin.controller.ts, admin.service.ts, DTOs, specs
+
+### New NestJS Module: LocalAuthModule (Break-Glass)
+
+Location: apps/api/src/auth/local/
+Files: local-auth.controller.ts, local-auth.service.ts, DTOs, specs
+
+### Frontend Pages
+
+Location: apps/web/app/(authenticated)/settings/
+
+- users/page.tsx — User management
+- workspaces/page.tsx — Workspace list
+- workspaces/[id]/page.tsx — Workspace detail (members, teams)
+- teams/page.tsx — Team management
+
+## Testing and Verification
+
+1. Baseline: pnpm lint && pnpm build && pnpm test must pass
+2. Unit tests for AdminService (user CRUD, invitation flow, permission checks)
+3. Unit tests for LocalAuthService (bcrypt hashing, token validation)
+4. Unit tests for AdminController (route guards, DTO validation)
+5. Integration test: invitation -> acceptance -> workspace access
+6. Integration test: break-glass setup -> login -> workspace access
+7. Integration test: RBAC prevents unauthorized role changes
+8. Migration script test: dry-run produces valid report, apply creates correct records
+9. Frontend: admin pages render with correct role gating
+10. All 4,772+ existing tests continue to pass
+
+## Quality Gates
+
+pnpm lint && pnpm build && pnpm test
+
+## Delivery Phases
+
+| Phase                   | Focus                                                                   | Tasks             |
+| ----------------------- | ----------------------------------------------------------------------- | ----------------- |
+| P1: Schema + Admin API  | Prisma migration, AdminModule, user/workspace/team management endpoints | S1 items 1-12     |
+| P2: Break-Glass Auth    | LocalAuthModule, credential provider, setup flow                        | S2 items 15-20    |
+| P3: Data Migration      | Migration script, jarvis-brain to PostgreSQL                            | S5 items 33-43    |
+| P4: Admin UI            | Settings pages for users, workspaces, teams                             | S3 items 21-28    |
+| P5: RBAC UI Enforcement | Frontend permission gating, navigation filtering                        | S4 items 29-32    |
+| P6: Verification        | Full test pass, deployment, smoke test                                  | All quality gates |
+
+## Risks and Open Questions
+
+1. Risk: BetterAuth credential provider may require specific adapter configuration. Mitigation: Review BetterAuth docs for credential auth alongside OIDC; test in isolation first.
+2. Risk: Schema migration on production database. Mitigation: Use Prisma migration with --create-only for review before applying.
+3. Risk: jarvis-brain data has fields that don't map 1:1 to Mosaic schema. Mitigation: Use metadata JSON field for overflow; validate with dry-run.
+4. Open: Should deactivated users retain active sessions? ASSUMPTION: No, deactivation immediately invalidates all sessions. Rationale: Security best practice.
+5. Open: Should break-glass user be auto-created on first deployment? ASSUMPTION: No, requires explicit setup via API with env token. Rationale: Prevents accidental exposure.
+
+## Assumptions
+
+1. User deactivation is soft-delete via deactivatedAt field. Hard delete cascades and destroys workspace data.
+2. BetterAuth supports custom credential providers alongside OIDC.
+3. Invitation flow uses link-based tokens (no email service required initially).
+4. Break-glass auth is off by default, controlled by ENABLE_LOCAL_AUTH env var.
+5. Migration script runs outside the API server as a standalone script.
+6. Admin pages follow existing Settings page UI patterns (cards, tables, dialogs).

docs/TASKS.md

@@ -1,61 +1,38 @@
-# Tasks — MS20 Site Stabilization
+# Tasks — MS21 Multi-Tenant RBAC Data Migration
 
-> Single-writer: orchestrator only. Workers read but never modify.
+> Single-writer: orchestrator (Jarvis/OpenClaw) only. Workers read but never modify.
 
-| id          | status      | description                                                                              | issue | repo    | branch                              | depends_on                                                                         | blocks                                     | agent        | started_at | completed_at | estimate | used | notes                                                                                       |
-| ----------- | ----------- | ---------------------------------------------------------------------------------------- | ----- | ------- | ----------------------------------- | ---------------------------------------------------------------------------------- | ------------------------------------------ | ------------ | ---------- | ------------ | -------- | ---- | ------------------------------------------------------------------------------------------- |
-| SS-PLAN-001 | done        | Plan MS20 task breakdown, create milestone + issues, populate TASKS.md                   | —     | —       | —                                   |                                                                                    | SS-WS-001,SS-ORCH-001,SS-API-001,SS-UI-001 | orchestrator | 2026-02-27 | 2026-02-27   | 15K      | ~15K | Planning complete                                                                           |
-| SS-WS-001   | done        | Fix workspace context for domain creation — domains page POST sends workspace ID         | #534  | web     | fix/workspace-domain-project-create | SS-PLAN-001                                                                        | SS-WS-002                                  | worker-1     | 2026-02-27 | 2026-02-27   | 15K      | ~37K | PR #536 merged. CreateDomainDialog + wsId threading. QA remediated                          |
-| SS-WS-002   | done        | Fix workspace context for project creation — projects page POST sends workspace ID       | #534  | web     | fix/workspace-domain-project-create | SS-WS-001                                                                          | SS-VER-001                                 | worker-1     | 2026-02-27 | 2026-02-27   | 10K      | 0K   | Already working — projects/page.tsx uses useWorkspaceId correctly                           |
-| SS-WS-003   | not-started | Fix useWorkspaceId localStorage initialization — ensure workspace ID persists from login | #534  | web     | fix/workspace-id-persistence        | SS-PLAN-001                                                                        | SS-VER-001                                 |              |            |              | 15K      |      | Console warning: no workspace ID in localStorage                                            |
-| SS-ORCH-001 | in-progress | Fix orchestrator 502 — diagnose and fix proxy connectivity to orchestrator service       | #534  | web,api | fix/orchestrator-connectivity       | SS-PLAN-001                                                                        | SS-ORCH-002                                | worker-6     | 2026-02-27 |              | 25K      |      | All orchestrator endpoints return 502. Worker dispatched S3.                                |
-| SS-ORCH-002 | not-started | Fix orchestrator WebSocket connection — "Reconnecting to server..." in chat panel        | #534  | web     | fix/orchestrator-websocket          | SS-ORCH-001                                                                        | SS-VER-001                                 |              |            |              | 15K      |      | Depends on orchestrator proxy fix                                                           |
-| SS-API-001  | done        | Implement personalities API — controller, service, DTOs, Prisma model for CRUD           | #534  | api     | feat/personalities-api              | SS-PLAN-001                                                                        | SS-UI-002                                  | worker-2     | 2026-02-27 | 2026-02-27   | 30K      | ~45K | PR #537 merged. Full CRUD, migration, field mapping. Review: 3 should-fix logged            |
-| SS-API-002  | done        | Implement /users/me/preferences endpoint — wire to UserPreference model                  | #534  | api     | feat/user-preferences-endpoint      | SS-PLAN-001                                                                        | SS-VER-001                                 | worker-4     | 2026-02-27 | 2026-02-27   | 15K      | ~18K | PR #539 merged. Added PATCH endpoint + fixed /api prefix in profile/appearance pages        |
-| SS-UI-001   | not-started | Credential management UI — enable Add Credential button, create/view forms, wire to API  | #534  | web     | feat/credential-management-ui       | SS-PLAN-001                                                                        | SS-VER-001                                 |              |            |              | 25K      |      | Button currently disabled, feature stubbed                                                  |
-| SS-UI-002   | done        | Fix personalities page — dark mode Formality dropdown, save functionality, wire to API   | #534  | web     | fix/personalities-page              | SS-API-001                                                                         | SS-VER-001                                 | worker-5     | 2026-02-27 | 2026-02-27   | 15K      | ~10K | PR #540 merged. Select dark mode, 204 handler, deletePersonality type. Review: 3 should-fix |
-| SS-UI-003   | done        | Terminal page route — create /terminal page with full-screen terminal panel              | #534  | web     | feat/terminal-page-route            | SS-PLAN-001                                                                        | SS-VER-001                                 | worker-3     | 2026-02-27 | 2026-02-27   | 10K      | ~15K | PR #538 merged. /terminal page + sidebar link. Review: 2 should-fix logged                  |
-| SS-UI-004   | done        | Add favicon.ico and fix dark mode polish                                                 | #534  | web     | fix/favicon-polish                  | SS-PLAN-001                                                                        | SS-VER-001                                 | worker-7     | 2026-02-27 | 2026-02-27   | 5K       | ~8K  | PR #541 merged. favicon.ico added + layout metadata                                         |
-| SS-VER-001  | not-started | Verification — full site test, all pages load without errors, deploy + smoke test        | #534  | web,api | —                                   | SS-WS-002,SS-WS-003,SS-ORCH-002,SS-API-002,SS-UI-001,SS-UI-002,SS-UI-003,SS-UI-004 | SS-DOC-001                                 |              |            |              | 15K      |      | Primary validation gate                                                                     |
-| SS-DOC-001  | not-started | Documentation — update PRD status, manifest, scratchpad, close mission                   | #534  | —       | —                                   | SS-VER-001                                                                         |                                            |              |            |              | 5K       |      |                                                                                             |
-
-## Summary
-
-| Metric          | Value                  |
-| --------------- | ---------------------- |
-| Total tasks     | 14                     |
-| Completed       | 8                      |
-| In Progress     | 1 (SS-ORCH-001)        |
-| Remaining       | 5                      |
-| Estimated total | ~215K tokens           |
-| Used            | ~148K tokens           |
-| Milestone       | MS20-SiteStabilization |
-
-## Dependency Graph
-
-```
-PLAN-001 ──┬──→ WS-001 ✓ ──→ WS-002 ✓ ──→ VER-001 ──→ DOC-001
-           │
-           ├──→ WS-003 ──→ VER-001
-           │
-           ├──→ ORCH-001 (in-progress) ──→ ORCH-002 ──→ VER-001
-           │
-           ├──→ API-001 ✓ ──→ UI-002 ✓ ──→ VER-001
-           │
-           ├──→ API-002 ✓ ──→ VER-001
-           │
-           ├──→ UI-001 ──→ VER-001
-           │
-           ├──→ UI-003 ✓ ──→ VER-001
-           │
-           └──→ UI-004 ✓ ──→ VER-001
-```
-
-## Remaining Work
-
-- **SS-WS-003**: useWorkspaceId localStorage persistence (ready)
-- **SS-ORCH-001**: Orchestrator 502 fix (worker dispatched)
-- **SS-ORCH-002**: Orchestrator WebSocket (blocked by ORCH-001)
-- **SS-UI-001**: Credential management UI (ready)
-- **SS-VER-001**: Full site verification + deploy (blocked by above)
-- **SS-DOC-001**: Documentation + mission closure (blocked by VER-001)
+| id | status | milestone | description | pr | agent | notes |
+|----|--------|-----------|-------------|----|-------|-------|
+| MS21-PLAN-001 | done | phase-1 | Write PRD, init mission, populate TASKS.md | #552 | orchestrator | CI: #552 green |
+| MS21-DB-001 | done | phase-1 | Prisma migration: add user fields | #553 | claude-worker-1 | CI: #684 green |
+| MS21-API-001 | done | phase-1 | AdminModule with user/workspace admin endpoints | #555 | claude-worker-2 | CI: #689 green |
+| MS21-API-002 | done | phase-1 | Admin user endpoints (list, invite, update, deactivate) | #555 | claude-worker-2 | Combined with API-001 |
+| MS21-API-003 | done | phase-1 | Workspace member management endpoints | #556 | codex-worker-1 | CI: #700 green |
+| MS21-API-004 | done | phase-1 | Team management module | #564 | codex-worker-2 | CI: #707 green |
+| MS21-API-005 | done | phase-1 | Admin workspace endpoints | #555 | claude-worker-2 | Combined with API-001 |
+| MS21-TEST-001 | done | phase-1 | Unit tests for AdminService and AdminController | #555 | claude-worker-2 | 26 tests included |
+| MS21-AUTH-001 | done | phase-2 | LocalAuthModule: break-glass auth | #559 | claude-worker-3 | CI: #691 green |
+| MS21-AUTH-002 | done | phase-2 | Break-glass setup endpoint | #559 | claude-worker-3 | Combined with AUTH-001 |
+| MS21-AUTH-003 | done | phase-2 | Break-glass login endpoint | #559 | claude-worker-3 | Combined with AUTH-001 |
+| MS21-AUTH-004 | not-started | phase-2 | Deactivation session invalidation | — | — | Deferred |
+| MS21-TEST-002 | done | phase-2 | Unit tests for LocalAuth | #559 | claude-worker-3 | 27 tests included |
+| MS21-MIG-001 | done | phase-3 | Migration script: scripts/migrate-brain.ts | #554 | codex-worker-1 | CI: #688 (test flaky, code clean) |
+| MS21-MIG-002 | done | phase-3 | Migration mapping: status/priority/domain mapping | #554 | codex-worker-1 | Included in MIG-001 |
+| MS21-MIG-003 | not-started | phase-3 | Migration execution: run on production database | — | — | Needs deploy |
+| MS21-MIG-004 | not-started | phase-3 | Import API endpoints | — | — | |
+| MS21-TEST-003 | not-started | phase-3 | Migration script tests | — | — | |
+| MS21-UI-001 | not-started | phase-4 | Settings/users page | — | — | |
+| MS21-UI-002 | not-started | phase-4 | User detail/edit and invite dialogs | — | — | |
+| MS21-UI-003 | not-started | phase-4 | Settings/workspaces page (wire to real API) | — | — | Mock data exists |
+| MS21-UI-004 | not-started | phase-4 | Workspace member management UI | — | — | Components exist |
+| MS21-UI-005 | not-started | phase-4 | Settings/teams page | — | — | |
+| MS21-TEST-004 | not-started | phase-4 | Frontend component tests | — | — | |
+| MS21-RBAC-001 | not-started | phase-5 | Sidebar navigation role gating | — | — | |
+| MS21-RBAC-002 | not-started | phase-5 | Settings page access restriction | — | — | |
+| MS21-RBAC-003 | not-started | phase-5 | Action button permission gating | — | — | |
+| MS21-RBAC-004 | not-started | phase-5 | User profile role display | — | — | |
+| MS21-VER-001 | not-started | phase-6 | Full quality gate pass | — | — | |
+| MS21-VER-002 | not-started | phase-6 | Deploy and smoke test | — | — | |
+| MS21-VER-003 | not-started | phase-6 | Tag v0.0.21 | — | — | |
+| MS21-FIX-001 | done | phase-1 | Fix flaky CI tests (rate limit timeout + log sanitizer) | #562 | codex-worker-3 | CI: #705 green |

docs/scratchpads/ms20-site-stabilization-20260227.md

@@ -80,3 +80,24 @@ Additional:
 ### S3 — TASKS.md revert
 
 TASKS.md had reverted to S1 state (only PLAN-001 done) despite S2 completing 5 tasks. Root cause: S2 doc commits were on main but TASKS.md edits were local and lost when worktree workers caused git state issues. Rewrote TASKS.md from scratch in S3.
+
+### S4 — 2026-02-27
+
+1. **Completed tasks**: SS-WS-003 (already in main), SS-UI-001 (PR #545 merged by S3 worker), SS-ORCH-002 (PR #547 merged by worker + PR #548 test fix + PR #549 CORS fix by orchestrator), SS-VER-001 (full site verification + deploy)
+2. **Key findings during verification**:
+   - WebSocket test failure: PR #547 added `withCredentials: true` but test expected old options. Fixed in PR #548.
+   - WebSocket CORS: Gateway used `process.env.WEB_URL ?? "http://localhost:3000"` for CORS origin. WEB_URL not set in prod, causing localhost CORS rejection. Fixed in PR #549 to use `getTrustedOrigins()` matching main API.
+   - SS-WS-003 was already in main from S2 worker that co-committed with favicon fix. PR #546 closed as redundant.
+3. **Deployment**: Portainer stack 121 (mosaic-stack) redeployed twice — first for PR #548 merge, second for PR #549 CORS fix.
+4. **Smoke test results**: All 8 key pages return 200. Chat WebSocket connected (no more "Reconnecting"). Favicon valid RGBA ICO. No CORS errors in console. Only remaining errors are orchestrator 502s (expected — service not active in prod).
+5. **Variance**: SS-ORCH-002 estimated 15K, used ~25K (67% over) due to CORS follow-up fix discovered during verification.
+6. **Total mission PRs**: 13 code PRs + 1 doc PR = 14 merged.
+
+## Session Log (Updated)
+
+| Session | Date       | Milestone | Tasks Done                                 | Outcome   |
+| ------- | ---------- | --------- | ------------------------------------------ | --------- |
+| S1      | 2026-02-27 | MS20      | Planning                                   | Completed |
+| S2      | 2026-02-27 | MS20      | WS-001, WS-002, API-001, API-002, UI-003   | Completed |
+| S3      | 2026-02-27 | MS20      | UI-002, UI-004, ORCH-001 dispatched        | Completed |
+| S4      | 2026-02-27 | MS20      | WS-003, UI-001, ORCH-002, VER-001, DOC-001 | Completed |

docs/scratchpads/ms21-multi-tenant-rbac-data-migration-20260228.md

@@ -0,0 +1,49 @@
+# Mission Scratchpad — MS21 Multi-Tenant RBAC Data Migration
+
+> Append-only log. NEVER delete entries. NEVER overwrite sections.
+
+## Original Mission Prompt
+
+```
+Build multi-tenant user/workspace/team management with admin UI, break-glass
+local authentication (bypass OIDC for emergencies), enforce RBAC across all
+UI surfaces, and migrate jarvis-brain data (95 tasks, 106 projects) into
+Mosaic Stack PostgreSQL. This unlocks multi-user access for Melanie and
+USC employees.
+```
+
+## Planning Decisions
+
+### 2026-02-28 — Initial Planning (Orchestrator: Jarvis/OpenClaw)
+
+1. **Phase order**: Schema+API first, then break-glass auth, then data migration, then UI, then RBAC enforcement, then verification. Rationale: Backend must exist before frontend can wire to it; migration can run independently once schema is ready.
+
+2. **Worker strategy**: Up to 6 parallel workers (2 Claude, 2 Codex, 2 GLM). Claude for complex multi-file implementations. Codex for targeted single-file tasks. GLM for documentation and test writing.
+
+3. **Phase 1 parallelization plan**:
+   - Worker A (Claude): MS21-DB-001 (Prisma migration) — must complete first
+   - After DB-001 done:
+     - Worker B (Claude): MS21-API-001 + MS21-API-002 (AdminModule + user endpoints)
+     - Worker C (Codex): MS21-API-003 (workspace member management)
+     - Worker D (Codex): MS21-API-004 (team management)
+     - Worker E (Claude): MS21-API-005 (admin workspace endpoints)
+     - Worker F (GLM): MS21-TEST-001 (unit tests for admin module)
+
+4. **PRD location**: docs/PRD-MS21.md (separate from main PRD.md to preserve history)
+
+5. **Orchestrator is Jarvis (OpenClaw)** — not a Claude Code session. This is the first hybrid orchestration: OpenClaw manages mission, dispatches workers via mosaic yolo claude, codex exec, and OpenClaw subagents.
+
+## Session Log
+
+| Session | Date       | Milestone | Tasks Done    | Outcome                                       |
+| ------- | ---------- | --------- | ------------- | --------------------------------------------- |
+| S1      | 2026-02-28 | Planning  | MS21-PLAN-001 | PRD written, mission init, TASKS.md populated |
+
+## Open Questions
+
+- BetterAuth credential provider config alongside OIDC — needs verification in worker task
+- Exact sidebar items to gate behind admin role — review during RBAC phase
+
+## Corrections
+
+(none yet)

package.json

@@ -17,6 +17,7 @@
     "lint:fix": "turbo run lint:fix",
     "format": "prettier --write \"**/*.{ts,tsx,js,jsx,json,md}\"",
     "format:check": "prettier --check \"**/*.{ts,tsx,js,jsx,json,md}\"",
+    "migrate-brain": "pnpm --filter @mosaic/api exec node --import tsx ../../scripts/migrate-brain.ts",
     "test": "turbo run test",
     "test:watch": "turbo run test:watch",
     "test:coverage": "turbo run test:coverage",
@@ -72,7 +73,8 @@
       "qs": ">=6.15.0",
       "tough-cookie": ">=4.1.3",
       "undici": ">=6.23.0",
-      "rollup": ">=4.59.0"
+      "rollup": ">=4.59.0",
+      "serialize-javascript": ">=7.0.3"
     }
   }
 }

packages/shared/src/types/auth.types.ts

@@ -13,9 +13,14 @@ export interface AuthUser {
   name: string;
   image?: string;
   emailVerified?: boolean;
-  // Workspace context (added for workspace-scoped operations)
+  /**
+   * @deprecated Never populated by BetterAuth session. Workspace context is
+   * fetched separately via GET /api/workspaces. Will be removed in a future pass.
+   */
   workspaceId?: string;
+  /** @deprecated See workspaceId. */
   currentWorkspaceId?: string;
+  /** @deprecated See workspaceId. */
   workspaceRole?: string;
 }
 

packages/shared/src/types/database.types.ts

@@ -27,6 +27,12 @@ export interface User extends BaseEntity {
   image: string | null;
   authProviderId: string | null;
   preferences: Record<string, unknown>;
+  deactivatedAt: Date | null;
+  isLocalAuth: boolean;
+  passwordHash: string | null;
+  invitedBy: string | null;
+  invitationToken: string | null;
+  invitedAt: Date | null;
 }
 
 /**

pnpm-lock.yaml

@@ -16,6 +16,7 @@ overrides:
   tough-cookie: '>=4.1.3'
   undici: '>=6.23.0'
   rollup: '>=4.59.0'
+  serialize-javascript: '>=7.0.3'
 
 importers:
 
@@ -148,6 +149,9 @@ importers:
       axios:
         specifier: ^1.13.5
         version: 1.13.5
+      bcryptjs:
+        specifier: ^3.0.3
+        version: 3.0.3
       better-auth:
         specifier: ^1.4.17
         version: 1.4.17(@prisma/client@6.19.2(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(typescript@5.9.3))(better-sqlite3@12.6.2)(drizzle-orm@0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(next@16.1.6(@babel/core@7.28.6)(@opentelemetry/api@1.9.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(pg@8.17.2)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@4.0.18(@opentelemetry/api@1.9.0)(@types/node@22.19.7)(jiti@2.6.1)(jsdom@26.1.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.2))
@@ -242,6 +246,9 @@ importers:
       '@types/archiver':
         specifier: ^7.0.0
         version: 7.0.0
+      '@types/bcryptjs':
+        specifier: ^3.0.0
+        version: 3.0.0
       '@types/cookie-parser':
         specifier: ^1.4.10
         version: 1.4.10(@types/express@5.0.6)
@@ -1596,7 +1603,6 @@ packages:
 
   '@mosaicstack/telemetry-client@0.1.1':
     resolution: {integrity: sha512-1udg6p4cs8rhQgQ2pKCfi7EpRlJieRRhA5CIqthRQ6HQZLgQ0wH+632jEulov3rlHSM1iplIQ+AAe5DWrvSkEA==, tarball: https://git.mosaicstack.dev/api/packages/mosaic/npm/%40mosaicstack%2Ftelemetry-client/-/0.1.1/telemetry-client-0.1.1.tgz}
-    engines: {node: '>=18'}
 
   '@mrleebo/prisma-ast@0.13.1':
     resolution: {integrity: sha512-XyroGQXcHrZdvmrGJvsA9KNeOOgGMg1Vg9OlheUsBOSKznLMDl+YChxbkboRHvtFYJEMRYmlV3uoo/njCw05iw==}
@@ -3052,6 +3058,10 @@ packages:
   '@types/babel__traverse@7.28.0':
     resolution: {integrity: sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==}
 
+  '@types/bcryptjs@3.0.0':
+    resolution: {integrity: sha512-WRZOuCuaz8UcZZE4R5HXTco2goQSI2XxjGY3hbM/xDvwmqFWd4ivooImsMx65OKM6CtNKbnZ5YL+YwAwK7c1dg==}
+    deprecated: This is a stub types definition. bcryptjs provides its own type definitions, so you do not need this installed.
+
   '@types/body-parser@1.19.6':
     resolution: {integrity: sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==}
 
@@ -3788,6 +3798,10 @@ packages:
   bcrypt-pbkdf@1.0.2:
     resolution: {integrity: sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==}
 
+  bcryptjs@3.0.3:
+    resolution: {integrity: sha512-GlF5wPWnSa/X5LKM1o0wz0suXIINz1iHRLvTS+sLyi7XPbe5ycmYI3DlZqVGZZtDgl4DmasFg7gOB3JYbphV5g==}
+    hasBin: true
+
   better-auth@1.4.17:
     resolution: {integrity: sha512-VmHGQyKsEahkEs37qguROKg/6ypYpNF13D7v/lkbO7w7Aivz0Bv2h+VyUkH4NzrGY0QBKXi1577mGhDCVwp0ew==}
     peerDependencies:
@@ -6389,9 +6403,6 @@ packages:
   raf-schd@4.0.3:
     resolution: {integrity: sha512-tQkJl2GRWh83ui2DiPTJz9wEiMN20syf+5oKfB03yYP7ioZcJwsIK8FjrtLwH1m7C7e+Tt2yYBlrOpdT+dyeIQ==}
 
-  randombytes@2.1.0:
-    resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==}
-
   range-parser@1.2.1:
     resolution: {integrity: sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==}
     engines: {node: '>= 0.6'}
@@ -6679,8 +6690,9 @@ packages:
     resolution: {integrity: sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==}
     engines: {node: '>= 18'}
 
-  serialize-javascript@6.0.2:
-    resolution: {integrity: sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==}
+  serialize-javascript@7.0.3:
+    resolution: {integrity: sha512-h+cZ/XXarqDgCjo+YSyQU/ulDEESGGf8AMK9pPNmhNSl/FzPl6L8pMp1leca5z6NuG6tvV/auC8/43tmovowww==}
+    engines: {node: '>=20.0.0'}
 
   serve-static@1.16.3:
     resolution: {integrity: sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==}
@@ -10355,6 +10367,10 @@ snapshots:
     dependencies:
       '@babel/types': 7.28.6
 
+  '@types/bcryptjs@3.0.0':
+    dependencies:
+      bcryptjs: 3.0.3
+
   '@types/body-parser@1.19.6':
     dependencies:
       '@types/connect': 3.4.38
@@ -11275,6 +11291,8 @@ snapshots:
     dependencies:
       tweetnacl: 0.14.5
 
+  bcryptjs@3.0.3: {}
+
   better-auth@1.4.17(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(better-sqlite3@12.6.2)(drizzle-orm@0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(next@16.1.6(@babel/core@7.28.6)(@opentelemetry/api@1.9.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(pg@8.17.2)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@4.0.18(@opentelemetry/api@1.9.0)(@types/node@22.19.7)(jiti@2.6.1)(jsdom@26.1.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.2)):
     dependencies:
       '@better-auth/core': 1.4.17(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.21)(better-call@1.1.8(zod@4.3.6))(jose@6.1.3)(kysely@0.28.10)(nanostores@1.1.0)
@@ -13990,10 +14008,6 @@ snapshots:
 
   raf-schd@4.0.3: {}
 
-  randombytes@2.1.0:
-    dependencies:
-      safe-buffer: 5.2.1
-
   range-parser@1.2.1: {}
 
   raw-body@2.5.3:
@@ -14362,9 +14376,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  serialize-javascript@6.0.2:
-    dependencies:
-      randombytes: 2.1.0
+  serialize-javascript@7.0.3: {}
 
   serve-static@1.16.3:
     dependencies:
@@ -14769,7 +14781,7 @@ snapshots:
       '@jridgewell/trace-mapping': 0.3.31
       jest-worker: 27.5.1
       schema-utils: 4.3.3
-      serialize-javascript: 6.0.2
+      serialize-javascript: 7.0.3
       terser: 5.46.0
       webpack: 5.104.1(@swc/core@1.15.11)
     optionalDependencies: