Phase 5 Week 2 Plan: Team Member Management + Beta Launch Preparation

Status: ⏳ IN PROGRESS Timeline: 5 days (November 4-8, 2025) Goal: Complete team member management features and prepare for beta user recruitment

---

Week 2 Overview

Objectives

1. Team Member Management: Implement UI for inviting, managing, and removing team members
2. Beta Launch Preparation: Test complete payment flow and finalize onboarding experience
3. Documentation: Update all user-facing documentation
4. First Payment: Process first real Stripe payment to validate billing integration

Success Criteria

• ✅ Team owners can invite members via email
• ✅ Team members can accept invitations and join teams
• ✅ Role management (owner/member) working correctly
• ✅ Complete payment test from checkout → webhook → database update
• ✅ All documentation updated with correct URLs
• ✅ Ready to recruit first 5 beta users

---

Daily Breakdown

🚨 Day 0 (CRITICAL): Team-Scoped Code Analysis

Status: 🚨 CRITICAL - Must be fixed before beta launch Priority: P0 (Blocks billing, quotas, team collaboration)

Objective: Add team context to code analysis flow to enable quota enforcement, team attribution, and audit logging

Problem: Currently, all code analyses are orphaned (not linked to any team), preventing: - Quota enforcement (can't track team usage) - Team collaboration (no shared analysis history) - Billing attribution (can't bill teams) - Audit trails (analyses don't appear in team logs)

Tasks:

1. Add team context to /analyze page (2 hours):
2. Create team selector dropdown in analyze page header
3. Store selected team in session storage
4. Show current team context: "Analyzing as: {Team Name}"

5. Redirect to team selector if no team selected

6. Update API endpoint to accept teamId (1 hour):

7. Add teamId to /api/analyze request body
8. Validate user is member of the team

9. Pass teamId to trackIndividualAnalysis()

10. Implement quota enforcement (2 hours):

11. Create checkTeamQuota() function
12. Query team's current usage from database
13. Return 429 error if quota exceeded

14. Include upgrade CTA in error response

15. Update analytics tracking (1 hour):

16. Modify trackIndividualAnalysis() to store teamId
17. Update usageAnalytics table schema (add team_id column)

18. Ensure team attribution is preserved

19. Show analyses in team audit logs (2 hours):

20. Query analyses by teamId in /api/teams/{id}/audit
21. Display analysis summary in audit log

22. Link to analysis results (if stored)

23. Update UI components (1 hour):

24. Add team badge to analyze page
25. Show quota usage: "{used}/{limit} analyses this month"
26. Add "Switch Team" option in header

Database Migration:

ALTER TABLE "usageAnalytics"
ADD COLUMN IF NOT EXISTS team_id UUID REFERENCES teams(id) ON DELETE SET NULL;

CREATE INDEX IF NOT EXISTS idx_usage_analytics_team_id
ON "usageAnalytics"(team_id);

Deliverables: - Team context selector in /analyze page - teamId parameter in /api/analyze endpoint - Quota enforcement before analysis - Team attribution in analytics - Analyses visible in team audit logs - Database migration for team_id column - 15+ tests for team-scoped analysis

Estimated Time: 8-9 hours (1 full day)

Acceptance Criteria: - ✅ User must select a team before analyzing code - ✅ Analysis request includes teamId - ✅ Quota is checked and enforced - ✅ Analysis is tracked with team attribution - ✅ Analysis appears in team audit log - ✅ All existing tests still pass

See: PHASE_5_WEEK_2_CRITICAL_GAP.md for full analysis and rationale

---

Day 1 (Monday): Team Members List UI

Objective: Display current team members with their roles and permissions

Tasks:

1. Read current team settings implementation
2. Review /teams/[id]/settings/page.tsx (4 tabs: General, Members, Billing, Danger Zone)

3. Understand current Members tab structure

4. Create Members List Component (src/components/team/MembersList.tsx):

5. Fetch team members from database
6. Display member cards with:
   • Avatar (GitHub profile picture)
   • Name and email
   • Role badge (owner/member)
   • Join date
   • Last activity
7. Owner-only actions:
   • Change role button
   • Remove member button (with confirmation)

8. Empty state: "No members yet. Invite your first team member!"

9. Create API endpoint (/api/teams/[id]/members/route.ts):

   GET /api/teams/{id}/members
   - Returns: Array of team members
   - Auth: Must be team member
   - Filter: Can optionally filter by role
   

10. Test members list:

11. Create test with multiple team members
12. Verify owner sees all actions
13. Verify members see read-only view

Deliverables: - src/components/team/MembersList.tsx (150-200 lines) - /api/teams/[id]/members/route.ts (80-100 lines) - 5+ tests for members list - Updated Members tab in Settings page

Estimated Time: 4-5 hours

---

Day 2 (Tuesday): Team Member Invitations

Objective: Allow team owners to invite new members via email

Tasks:

1. Create Invite Modal Component (src/components/team/InviteMemberModal.tsx):
2. Form fields:
   • Email address (required, validation)
   • Role selection (member/owner)
   • Optional: Personal message
3. Send invitation button

4. Loading states and error handling

5. Create database schema for invitations (team_invitations table):

   - id (uuid, primary key)
   - team_id (uuid, foreign key)
   - email (text)
   - role (text: 'member' | 'owner')
   - invited_by_user_id (uuid, foreign key)
   - token (text, unique)
   - status (text: 'pending' | 'accepted' | 'expired')
   - expires_at (timestamp)
   - created_at (timestamp)
   - accepted_at (timestamp, nullable)
   

6. Create API endpoints:

   POST /api/teams/{id}/invitations
   - Body: { email, role, message? }
   - Auth: Must be team owner
   - Creates invitation, sends email
   - Returns: { invitation, success }
   
   GET /api/teams/{id}/invitations
   - Returns: Pending invitations
   - Auth: Must be team owner
   

7. Email notification (for now, just log to console):

8. Subject: "You've been invited to join {teamName} on CodeSlick"
9. Body: Invitation link: /teams/invitations/{token}
10. Include team name, inviter name, role

Deliverables: - InviteMemberModal.tsx component - Database migration for team_invitations - API routes for invitations - 8+ tests for invitation flow - Email template (console log for now)

Estimated Time: 5-6 hours

---

Day 3 (Wednesday): Accept Invitation Flow

Objective: Allow invited users to accept invitations and join teams

Tasks:

1. Create invitation acceptance page (/teams/invitations/[token]/page.tsx):
2. Fetch invitation details by token
3. Display team information:
   • Team name and logo
   • Invited by (user name)
   • Role you'll have
4. Two buttons:
   • "Accept Invitation" (green)
   • "Decline" (gray)

5. Handle expired/invalid tokens

6. Create API endpoint:

   POST /api/teams/invitations/{token}/accept
   - Validates token not expired
   - Creates team_members record
   - Updates invitation status to 'accepted'
   - Returns: { team, success }
   - Redirect to: /teams/{teamId}
   

7. Edge cases:

8. User not signed in: Redirect to /auth/signin?callbackUrl=/teams/invitations/{token}
9. After sign-in, process invitation automatically
10. User already member: Show "Already a member" message
11. Invitation expired: Show error with "Request new invitation" option

12. Invitation already accepted: Redirect to team dashboard

13. Update sign-in flow:

14. If callbackUrl contains /teams/invitations/, auto-process after auth

Deliverables: - Invitation acceptance page - API endpoint for accepting invitations - Edge case handling - 10+ tests for acceptance flow - Integration test: invite → accept → verify team membership

Estimated Time: 5-6 hours

---

Day 4 (Thursday): Role Management + Member Removal

Objective: Complete member management with role changes and removal

Tasks:

1. Role management:
2. Add "Change Role" modal

3. API endpoint:

   PATCH /api/teams/{id}/members/{memberId}
   - Body: { role: 'owner' | 'member' }
   - Auth: Must be team owner
   - Validation: Cannot demote last owner
   

4. Member removal:

5. Add confirmation modal: "Remove {name} from {team}?"

6. API endpoint:

   DELETE /api/teams/{id}/members/{memberId}
   - Auth: Must be team owner
   - Validation: Cannot remove last owner
   - Soft delete or hard delete?
   

7. Permission checks throughout app:

8. Review all team settings pages
9. Ensure only owners can:
   • Invite members
   • Change roles
   • Remove members
   • Update team settings
   • Access billing
   • Delete team

10. Members can:

    • View team dashboard
    • View audit logs
    • View team settings (read-only)

11. Add permission helpers:

    // src/lib/permissions/team.ts
    export function canManageTeam(role: string): boolean
    export function canInviteMembers(role: string): boolean
    export function canRemoveMembers(role: string): boolean
    

Deliverables: - Role change modal and API - Member removal with confirmation - Permission system implemented - 12+ tests for permissions - Documentation: "Team Roles & Permissions"

Estimated Time: 5-6 hours

---

Day 5 (Friday): Payment Testing + Beta Preparation

Objective: Complete end-to-end payment test and prepare for beta launch

Tasks:

1. Complete Payment Flow Test:
2. Use Stripe test card: 4242 4242 4242 4242
3. Test complete flow:
   1. Click "Upgrade to Team Plan" in team settings
   2. Complete Stripe Checkout
   3. Verify webhook received
   4. Check database: teams.plan updated to 'team'
   5. Check database: teams.stripeCustomerId populated
   6. Verify team dashboard shows "Team Plan" badge

4. Document any issues

5. Test Customer Portal:

6. Click "Manage Billing" in team settings
7. Opens Stripe Customer Portal
8. Test:
   • Update payment method
   • View invoices
   • Cancel subscription

9. Verify cancellation webhook updates database

10. Onboarding Experience Review:

11. New user signs in → Sees onboarding (0 teams)
12. Clicks "Install GitHub App" → Installs on repo
13. Team auto-created → Redirected to team dashboard

14. Review: Is anything confusing? Missing?

15. Documentation Update:

16. Update README.md with current status
17. Create BETA_LAUNCH_CHECKLIST.md

18. Create TEAM_MEMBER_GUIDE.md (how to invite, manage members)

19. Beta Recruitment Preparation:

20. Draft beta invitation email template
21. Create list of 10-15 potential beta testers:
    • LinkedIn connections (developers)
    • Twitter followers interested in DevSecOps
    • Reddit communities (r/devops, r/security)
    • Personal network contacts
22. Prepare beta pricing: Team plan free for 4 weeks, then 50% off (€49/month for 3 months)

Deliverables: - Complete payment test documentation - Beta launch checklist - Team member guide - Beta invitation email template - List of 10-15 beta candidates - All tests passing (536+ tests)

Estimated Time: 6-7 hours

---

Technical Architecture

Database Schema Changes

New Table: team_invitations

CREATE TABLE team_invitations (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
  email TEXT NOT NULL,
  role TEXT NOT NULL CHECK (role IN ('owner', 'member')),
  invited_by_user_id UUID NOT NULL REFERENCES users(id),
  token TEXT NOT NULL UNIQUE,
  message TEXT,
  status TEXT NOT NULL DEFAULT 'pending' CHECK (status IN ('pending', 'accepted', 'declined', 'expired')),
  expires_at TIMESTAMP NOT NULL DEFAULT (NOW() + INTERVAL '7 days'),
  created_at TIMESTAMP NOT NULL DEFAULT NOW(),
  accepted_at TIMESTAMP,
  INDEX idx_team_invitations_team_id (team_id),
  INDEX idx_team_invitations_token (token),
  INDEX idx_team_invitations_email (email)
);

API Endpoints Summary

Method	Endpoint	Auth	Purpose
GET	/api/teams/{id}/members	Team member	List team members
POST	/api/teams/{id}/invitations	Owner	Send invitation
GET	/api/teams/{id}/invitations	Owner	List pending invitations
POST	/api/teams/invitations/{token}/accept	Authenticated	Accept invitation
PATCH	/api/teams/{id}/members/{memberId}	Owner	Change member role
DELETE	/api/teams/{id}/members/{memberId}	Owner	Remove member

Component Structure

src/components/team/
├── MembersList.tsx           (Day 1)
├── MemberCard.tsx            (Day 1)
├── InviteMemberModal.tsx     (Day 2)
├── ChangeRoleModal.tsx       (Day 4)
├── RemoveMemberModal.tsx     (Day 4)

src/app/teams/
├── [id]/settings/page.tsx    (Update Members tab)
├── invitations/
│   └── [token]/page.tsx      (Day 3)

src/lib/permissions/
└── team.ts                   (Day 4)

---

Risk Assessment

High Priority Risks

1. Email Delivery (Day 2):
2. Risk: No email service configured yet

3. Mitigation: For Week 2, log invitation links to console. Set up email service (SendGrid/Resend) in Week 3

4. Stripe Webhook Failures (Day 5):

5. Risk: Webhook might fail to update database

6. Mitigation: Add retry logic, webhook signature verification already in place

7. Permission Bypass (Day 4):

8. Risk: Non-owners might access restricted actions
9. Mitigation: Server-side validation on all API routes, never trust client

Medium Priority Risks

1. Invitation Expiry:
2. Risk: Users might try to accept expired invitations

3. Mitigation: Show clear error message, allow re-sending invitations

4. Last Owner Protection:

5. Risk: Team left with no owners
6. Mitigation: Prevent removing/demoting last owner, show warning

---

Testing Strategy

Unit Tests (50+ new tests)

• MembersList component rendering
• Invitation modal validation
• API route authentication
• Permission helpers
• Token generation/validation

Integration Tests (10+ new tests)

• Complete invitation flow: send → email → accept → verify membership
• Role change flow: owner → change role → verify database
• Member removal: owner → remove → verify gone from team
• Payment flow: checkout → webhook → plan upgrade

E2E Tests (5+ new tests)

• New user: sign in → install app → team created → invite member → member accepts
• Owner: invite member → member signs up → joins team → sees dashboard
• Payment: upgrade plan → complete checkout → verify billing page

---

Success Metrics

Week 2 Completion Criteria

• ✅ All API endpoints implemented and tested
• ✅ UI components complete and styled
• ✅ Database migrations applied
• ✅ Permission system enforced
• ✅ 536+ → 586+ tests (minimum +50 new tests)
• ✅ All tests passing (100%)
• ✅ Complete payment test successful
• ✅ Documentation updated
• ✅ Beta invitation template ready

Key Metrics to Track

• Development Velocity: 5 days to complete member management
• Code Quality: 100% test coverage for new features
• User Experience: Invitation flow takes <2 minutes
• Security: Zero permission bypass vulnerabilities

---

Post-Week 2: Beta Launch Timeline

Week 3 (Nov 11-15): Beta Recruitment

• Send invitations to 10-15 beta candidates
• Goal: 5 beta signups
• 1:1 onboarding calls
• Gather initial feedback

Week 4 (Nov 18-22): Beta Testing

• Monitor usage
• Fix critical bugs
• Improve onboarding based on feedback
• First payment processing

Week 5 (Nov 25-29): Public Launch Preparation

• Landing page redesign
• Pricing page update
• User documentation
• SEO optimization

---

Notes

• Week 2 is critical: After this week, we'll be ready for beta users
• Focus on quality: Every feature must be polished and tested
• Keep scope tight: No feature creep, stick to the plan
• Document everything: Beta users will need clear documentation

Next Actions (After Week 2): 1. Send beta invitations (Week 3 Monday) 2. Schedule onboarding calls with beta users 3. Monitor first week of beta usage closely 4. Begin landing page redesign (Week 3)

---

Author: Claude Code Created: November 3, 2025 Phase: 5 Week 2 Status: Ready to begin