@varshylinc/team-management 0.1.0 → 0.2.0

package/src/server/routes/me.routes.ts

@@ -1,143 +0,0 @@
-import { Router } from 'express';
-import type { Pool } from 'pg';
-import type { ServerModuleAdapter, TeamManagementFeatureFlags } from '../types.js';
-import { requestEmailChange, verifyEmailChange, cancelEmailChange } from '../services/email-change.service.js';
-import { requestPasswordReset, resetPassword } from '../services/password-reset.service.js';
-import { getActiveMembership } from '../services/organizations.service.js';
-import { sha256 } from '../crypto.js';
-
-export function createMeRouter(
-  pool: Pool,
-  adapter: ServerModuleAdapter,
-  flags: TeamManagementFeatureFlags,
-  baseUrl: string
-): Router {
-  const router = Router();
-
-  router.get('/membership', async (req, res) => {
-    try {
-      const userId = await adapter.getCurrentUserId(req);
-      if (!userId) { res.status(401).json({ error: 'Authentication required' }); return; }
-      const orgId = await adapter.getOrganizationIdForUser(userId);
-      if (!orgId) { res.status(404).json({ error: 'No organization membership found' }); return; }
-      const membership = await getActiveMembership(pool, orgId, userId);
-      res.json({ membership });
-    } catch (e) {
-      adapter.logger.error('[me] GET /membership', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to fetch membership' });
-    }
-  });
-
-  router.post('/email-change', async (req, res) => {
-    if (!flags.enableEmailChange) { res.status(501).json({ error: 'Email change is not enabled' }); return; }
-    try {
-      const userId = await adapter.getCurrentUserId(req);
-      if (!userId) { res.status(401).json({ error: 'Authentication required' }); return; }
-      const user = await adapter.getUserById(userId);
-      if (!user) { res.status(404).json({ error: 'User not found' }); return; }
-      const { newEmail } = req.body as { newEmail?: string };
-      if (!newEmail) { res.status(400).json({ error: 'newEmail is required' }); return; }
-      await requestEmailChange(pool, adapter, { userId, currentEmail: user.email, newEmail, baseUrl });
-      res.json({ message: 'Verification email sent to your new address' });
-    } catch (e) {
-      const msg = (e as Error).message;
-      adapter.logger.error('[me] POST /email-change', { error: msg });
-      if (msg.includes('Too many')) {
-        res.status(429).json({ error: msg });
-      } else if (msg.includes('already in use')) {
-        res.status(422).json({ error: msg });
-      } else {
-        res.status(500).json({ error: 'Failed to request email change' });
-      }
-    }
-  });
-
-  router.get('/email-change/verify', async (req, res) => {
-    if (!flags.enableEmailChange) { res.status(501).json({ error: 'Email change is not enabled' }); return; }
-    const token = req.query.token as string;
-    if (!token) { res.status(400).json({ error: 'token query parameter is required' }); return; }
-    try {
-      // Token-based verification — no authentication required; token is self-authenticating
-      const userId = await adapter.getCurrentUserId(req);
-      await verifyEmailChange(pool, adapter, { token, userId: userId ?? null });
-      res.json({ message: 'Email address updated successfully' });
-    } catch (e) {
-      const msg = (e as Error).message;
-      adapter.logger.error('[me] GET /email-change/verify', { error: msg });
-      if (msg.includes('Invalid') || msg.includes('expired')) {
-        res.status(404).json({ error: msg });
-      } else {
-        res.status(500).json({ error: 'Failed to verify email change' });
-      }
-    }
-  });
-
-  router.get('/email-change/cancel', async (req, res) => {
-    if (!flags.enableEmailChange) { res.status(501).json({ error: 'Email change is not enabled' }); return; }
-    const token = req.query.token as string;
-    if (!token) { res.status(400).json({ error: 'token query parameter is required' }); return; }
-    try {
-      await cancelEmailChange(pool, adapter, { token });
-      res.json({ message: 'Email change cancelled. Your sessions have been invalidated for security.' });
-    } catch (e) {
-      const msg = (e as Error).message;
-      adapter.logger.error('[me] GET /email-change/cancel', { error: msg });
-      if (msg.includes('Invalid') || msg.includes('expired')) {
-        res.status(404).json({ error: msg });
-      } else {
-        res.status(500).json({ error: 'Failed to cancel email change' });
-      }
-    }
-  });
-
-  router.post('/password-reset/request', async (req, res) => {
-    if (!flags.enablePasswordReset) { res.status(501).json({ error: 'Password reset is not enabled' }); return; }
-    const { email } = req.body as { email?: string };
-    if (!email) { res.status(400).json({ error: 'email is required' }); return; }
-    try {
-      await requestPasswordReset(pool, adapter, { email, baseUrl });
-      res.json({ message: 'If that email exists, a reset link has been sent' });
-    } catch (e) {
-      adapter.logger.error('[me] POST /password-reset/request', { error: (e as Error).message });
-      res.json({ message: 'If that email exists, a reset link has been sent' });
-    }
-  });
-
-  router.get('/password-reset', async (req, res) => {
-    if (!flags.enablePasswordReset) { res.status(501).json({ error: 'Password reset is not enabled' }); return; }
-    const token = req.query.token as string;
-    if (!token) { res.status(400).json({ error: 'token query parameter is required' }); return; }
-    try {
-      const tokenHash = sha256(token);
-      const result = await pool.query(
-        `SELECT id FROM tm_password_reset_requests WHERE token_hash = $1 AND used_at IS NULL AND expires_at > NOW()`,
-        [tokenHash]
-      );
-      if (result.rows.length === 0) { res.status(404).json({ error: 'Invalid or expired password reset token' }); return; }
-      res.json({ valid: true });
-    } catch (e) {
-      adapter.logger.error('[me] GET /password-reset', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to validate token' });
-    }
-  });
-
-  router.post('/password-reset', async (req, res) => {
-    if (!flags.enablePasswordReset) { res.status(501).json({ error: 'Password reset is not enabled' }); return; }
-    const { token, newPassword } = req.body as { token?: string; newPassword?: string };
-    if (!token || !newPassword) { res.status(400).json({ error: 'token and newPassword are required' }); return; }
-    try {
-      await resetPassword(pool, adapter, { token, newPassword });
-      res.json({ message: 'Password updated successfully. Please log in again.' });
-    } catch (e) {
-      const msg = (e as Error).message;
-      adapter.logger.error('[me] POST /password-reset', { error: msg });
-      if (msg.includes('Invalid') || msg.includes('expired') || msg.includes('8 characters')) {
-        res.status(422).json({ error: msg });
-      } else {
-        res.status(500).json({ error: 'Failed to reset password' });
-      }
-    }
-  });
-
-  return router;
-}

package/src/server/routes/orgs.routes.ts

@@ -1,428 +0,0 @@
-import { Router } from 'express';
-import type { Pool } from 'pg';
-import type { ServerModuleAdapter, TeamManagementFeatureFlags, OrgRole } from '../types.js';
-import { requireMembership, type AuthenticatedRequest } from '../middleware/require-membership.js';
-import { requireRole } from '../middleware/require-role.js';
-import { getOrg, updateOrg, softDeleteOrg, listOrgMembers } from '../services/organizations.service.js';
-import { removeMember, changeRole, validateRoleChange } from '../services/memberships.service.js';
-import { getPendingTransfer } from '../services/ownership.service.js';
-import { writeAuditEvent, getClientIp } from '../services/audit.service.js';
-
-export function createOrgsRouter(
-  pool: Pool,
-  adapter: ServerModuleAdapter,
-  flags: TeamManagementFeatureFlags
-): Router {
-  const router = Router({ mergeParams: true });
-  const authMiddleware = requireMembership(pool, adapter);
-
-  // POST /orgs — create org (any authenticated user)
-  router.post('/', async (req, res) => {
-    try {
-      const userId = await adapter.getCurrentUserId(req as import('express').Request);
-      if (!userId) {
-        res.status(401).json({ error: 'Authentication required' });
-        return;
-      }
-      const { name, slug, settings } = req.body as { name?: string; slug?: string; settings?: Record<string, unknown> };
-      if (!name || !slug) {
-        res.status(400).json({ error: 'name and slug are required' });
-        return;
-      }
-
-      const result = await pool.query(
-        `INSERT INTO tm_organizations (name, slug, owner_user_id, settings)
-         VALUES ($1, $2, $3, $4) RETURNING *`,
-        [name, slug, userId, JSON.stringify(settings ?? {})]
-      );
-      const org = result.rows[0];
-
-      await pool.query(
-        `INSERT INTO tm_memberships (org_id, user_id, role, joined_at)
-         VALUES ($1, $2, 'owner', NOW())`,
-        [org.id, userId]
-      );
-
-      if (flags.enableAuditLog) {
-        await writeAuditEvent({
-          pool,
-          orgId: org.id,
-          actorUserId: userId,
-          action: 'org.created',
-          targetType: 'org',
-          targetId: org.id,
-          after: { name, slug },
-          ip: getClientIp(req),
-          userAgent: req.headers['user-agent'] ?? null,
-        });
-      }
-
-      res.status(201).json({ org });
-    } catch (e) {
-      const msg = (e as Error).message;
-      adapter.logger.error('[orgs] POST /', { error: msg });
-      if (msg.includes('unique') || msg.includes('duplicate') || msg.includes('already exists')) {
-        res.status(409).json({ error: 'Organization with that slug already exists' });
-      } else {
-        res.status(500).json({ error: 'Failed to create organization' });
-      }
-    }
-  });
-
-  // GET /orgs/:orgId — org info (member+)
-  router.get('/:orgId', authMiddleware, async (req, res) => {
-    const { orgId } = req as AuthenticatedRequest;
-    try {
-      const org = await getOrg(pool, orgId);
-      if (!org) {
-        res.status(404).json({ error: 'Organization not found' });
-        return;
-      }
-      res.json({ org });
-    } catch (e) {
-      adapter.logger.error('[orgs] GET /:orgId', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to fetch organization' });
-    }
-  });
-
-  // PATCH /orgs/:orgId — update name/slug/settings (admin+)
-  router.patch('/:orgId', authMiddleware, requireRole('admin'), async (req, res) => {
-    const { orgId, userId } = req as AuthenticatedRequest;
-    const { name, slug } = req.body as { name?: string; slug?: string };
-    try {
-      const before = await getOrg(pool, orgId);
-      const updated = await updateOrg(pool, orgId, { name, slug });
-
-      if (flags.enableAuditLog) {
-        await writeAuditEvent({
-          pool,
-          orgId,
-          actorUserId: userId,
-          action: 'org.settings.updated',
-          targetType: 'org',
-          targetId: orgId,
-          before: { name: before?.name, slug: before?.slug },
-          after: { name: updated.name, slug: updated.slug },
-          ip: getClientIp(req),
-          userAgent: req.headers['user-agent'] ?? null,
-        });
-      }
-
-      res.json({ org: updated });
-    } catch (e) {
-      adapter.logger.error('[orgs] PATCH /:orgId', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to update organization' });
-    }
-  });
-
-  // DELETE /orgs/:orgId — soft delete (owner only), requires confirmName
-  router.delete('/:orgId', authMiddleware, requireRole('owner'), async (req, res) => {
-    const { orgId, userId } = req as AuthenticatedRequest;
-    // Accept both confirmName and confirmOrgName for compatibility
-    const { confirmName, confirmOrgName } = req.body as { confirmName?: string; confirmOrgName?: string };
-    const confirm = confirmName ?? confirmOrgName;
-    try {
-      const org = await getOrg(pool, orgId);
-      if (!org) {
-        res.status(404).json({ error: 'Organization not found' });
-        return;
-      }
-      if (!confirm || confirm !== org.name) {
-        res.status(422).json({ error: 'Confirmation name does not match organization name' });
-        return;
-      }
-
-      // Transfer lock: cannot delete org while ownership transfer is pending
-      const pendingTransfer = await getPendingTransfer(pool, orgId);
-      if (pendingTransfer) {
-        res.status(409).json({ error: 'Cannot delete organization while an ownership transfer is pending. Cancel the transfer first.' });
-        return;
-      }
-
-      await softDeleteOrg(pool, orgId, userId);
-
-      if (flags.enableAuditLog) {
-        await writeAuditEvent({
-          pool,
-          orgId,
-          actorUserId: userId,
-          action: 'org.deleted',
-          targetType: 'org',
-          targetId: orgId,
-          ip: getClientIp(req),
-          userAgent: req.headers['user-agent'] ?? null,
-        });
-      }
-
-      try {
-        const members = await listOrgMembers(pool, orgId, { includeRemoved: false });
-        const userIds = members.map(m => m.user_id);
-        const users = await adapter.getUsersByIds(userIds);
-        const scheduledFor = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
-        for (const user of users) {
-          await adapter.sendOrgDeletionNotice({
-            to: user.email,
-            orgName: org.name,
-            scheduledFor,
-          });
-        }
-      } catch (e) {
-        adapter.logger.warn('[orgs] Failed to send deletion notices', { error: (e as Error).message });
-      }
-
-      res.json({ message: 'Organization scheduled for deletion in 30 days' });
-    } catch (e) {
-      adapter.logger.error('[orgs] DELETE /:orgId', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to delete organization' });
-    }
-  });
-
-  // GET /orgs/:orgId/members — list members (member+)
-  router.get('/:orgId/members', authMiddleware, async (req, res) => {
-    const { orgId } = req as AuthenticatedRequest;
-    try {
-      const members = await listOrgMembers(pool, orgId);
-      const userIds = members.map(m => m.user_id);
-      const users = await adapter.getUsersByIds(userIds);
-      const userMap = new Map(users.map(u => [u.id, u]));
-      const enriched = members.map(m => ({ ...m, user: userMap.get(m.user_id) }));
-      res.json({ members: enriched });
-    } catch (e) {
-      adapter.logger.error('[orgs] GET /:orgId/members', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to fetch members' });
-    }
-  });
-
-  // GET /orgs/:orgId/members/former — former members (admin+)
-  router.get('/:orgId/members/former', authMiddleware, requireRole('admin'), async (req, res) => {
-    const { orgId } = req as AuthenticatedRequest;
-    try {
-      const allMembers = await listOrgMembers(pool, orgId, { includeRemoved: true });
-      const former = allMembers.filter(m => m.removed_at !== null);
-      res.json({ members: former });
-    } catch (e) {
-      adapter.logger.error('[orgs] GET /:orgId/members/former', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to fetch former members' });
-    }
-  });
-
-  // DELETE /orgs/:orgId/members/:userId — remove member (admin+)
-  router.delete('/:orgId/members/:userId', authMiddleware, requireRole('admin'), async (req, res) => {
-    const { orgId, userId: actorId, userRole } = req as AuthenticatedRequest;
-    const targetUserId = parseInt(req.params.userId, 10);
-    const { reason } = req.body as { reason?: string };
-
-    if (isNaN(targetUserId)) {
-      res.status(400).json({ error: 'Invalid user ID' });
-      return;
-    }
-    if (targetUserId === actorId) {
-      res.status(400).json({ message: 'Cannot remove yourself: you are the owner of this organization' });
-      return;
-    }
-
-    try {
-      const targetMemberResult = await pool.query(
-        `SELECT role FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
-        [orgId, targetUserId]
-      );
-      if (targetMemberResult.rows.length === 0) {
-        res.status(404).json({ error: 'Member not found' });
-        return;
-      }
-      const targetRole = targetMemberResult.rows[0].role;
-
-      if (userRole === 'admin' && (targetRole === 'owner' || targetRole === 'admin')) {
-        res.status(403).json({ error: 'Admins cannot remove owners or other admins' });
-        return;
-      }
-
-      // Transfer lock: cannot remove a user involved in a pending transfer
-      const pendingTransferForRemove = await getPendingTransfer(pool, orgId);
-      if (pendingTransferForRemove &&
-          (pendingTransferForRemove.from_user_id === targetUserId ||
-           pendingTransferForRemove.to_user_id === targetUserId)) {
-        res.status(409).json({ error: 'Cannot remove a member involved in a pending ownership transfer. Cancel the transfer first.' });
-        return;
-      }
-
-      await removeMember(pool, { orgId, userId: targetUserId, removedByUserId: actorId, reason });
-
-      if (flags.enableAuditLog) {
-        await writeAuditEvent({
-          pool,
-          orgId,
-          actorUserId: actorId,
-          action: 'member.removed',
-          targetType: 'user',
-          targetId: targetUserId,
-          before: { role: targetRole },
-          reason: reason ?? null,
-          ip: getClientIp(req),
-          userAgent: req.headers['user-agent'] ?? null,
-        });
-      }
-
-      res.json({ message: 'Member removed successfully' });
-    } catch (e) {
-      adapter.logger.error('[orgs] DELETE /:orgId/members/:userId', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to remove member' });
-    }
-  });
-
-  // PATCH /orgs/:orgId/members/:userId/role — change role (admin+)
-  router.patch('/:orgId/members/:userId/role', authMiddleware, requireRole('admin'), async (req, res) => {
-    const { orgId, userId: actorId, userRole } = req as AuthenticatedRequest;
-    const targetUserId = parseInt(req.params.userId, 10);
-    const { role: newRole } = req.body as { role?: string };
-
-    if (isNaN(targetUserId)) {
-      res.status(400).json({ error: 'Invalid user ID' });
-      return;
-    }
-    if (!newRole) {
-      res.status(400).json({ error: 'role is required' });
-      return;
-    }
-
-    try {
-      await validateRoleChange(pool, { orgId, actorRole: userRole, targetUserId, newRole: newRole as OrgRole });
-
-      // Transfer lock: cannot change role of a user involved in a pending transfer
-      const pendingTransferForPatch = await getPendingTransfer(pool, orgId);
-      if (pendingTransferForPatch &&
-          (pendingTransferForPatch.from_user_id === targetUserId ||
-           pendingTransferForPatch.to_user_id === targetUserId)) {
-        res.status(409).json({ error: 'Cannot change role of a member involved in a pending ownership transfer. Cancel the transfer first.' });
-        return;
-      }
-
-      const before = await pool.query(
-        `SELECT role FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
-        [orgId, targetUserId]
-      );
-      const updated = await changeRole(pool, { orgId, userId: targetUserId, newRole: newRole as OrgRole, changedByUserId: actorId });
-
-      if (flags.enableAuditLog) {
-        await writeAuditEvent({
-          pool,
-          orgId,
-          actorUserId: actorId,
-          action: 'member.role_changed',
-          targetType: 'user',
-          targetId: targetUserId,
-          before: { role: before.rows[0]?.role },
-          after: { role: newRole },
-          ip: getClientIp(req),
-          userAgent: req.headers['user-agent'] ?? null,
-        });
-      }
-
-      res.json({ membership: updated });
-    } catch (e) {
-      const msg = (e as Error).message;
-      adapter.logger.error('[orgs] PATCH /:orgId/members/:userId/role', { error: msg });
-      if (msg.includes('Cannot') || msg.includes('Requires') || msg.includes('cannot')) {
-        res.status(403).json({ error: msg });
-      } else {
-        res.status(500).json({ error: 'Failed to change role' });
-      }
-    }
-  });
-
-  // PATCH /orgs/:orgId/members/:userId — alias without /role suffix (for compatibility)
-  router.patch('/:orgId/members/:userId', authMiddleware, requireRole('admin'), async (req, res) => {
-    const { orgId, userId: actorId, userRole } = req as AuthenticatedRequest;
-    const targetUserId = parseInt(req.params.userId, 10);
-    const { role: newRole } = req.body as { role?: string };
-
-    if (isNaN(targetUserId)) {
-      res.status(400).json({ error: 'Invalid user ID' });
-      return;
-    }
-    if (!newRole) {
-      res.status(400).json({ error: 'role is required' });
-      return;
-    }
-
-    try {
-      await validateRoleChange(pool, { orgId, actorRole: userRole, targetUserId, newRole: newRole as OrgRole });
-
-      // Transfer lock: cannot change role of a user involved in a pending transfer
-      const pendingTransferForPatch = await getPendingTransfer(pool, orgId);
-      if (pendingTransferForPatch &&
-          (pendingTransferForPatch.from_user_id === targetUserId ||
-           pendingTransferForPatch.to_user_id === targetUserId)) {
-        res.status(409).json({ error: 'Cannot change role of a member involved in a pending ownership transfer. Cancel the transfer first.' });
-        return;
-      }
-
-      const before = await pool.query(
-        `SELECT role FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
-        [orgId, targetUserId]
-      );
-      const updated = await changeRole(pool, { orgId, userId: targetUserId, newRole: newRole as OrgRole, changedByUserId: actorId });
-
-      if (flags.enableAuditLog) {
-        await writeAuditEvent({
-          pool,
-          orgId,
-          actorUserId: actorId,
-          action: 'member.role_changed',
-          targetType: 'user',
-          targetId: targetUserId,
-          before: { role: before.rows[0]?.role },
-          after: { role: newRole },
-          ip: getClientIp(req),
-          userAgent: req.headers['user-agent'] ?? null,
-        });
-      }
-
-      res.json({ membership: updated });
-    } catch (e) {
-      const msg = (e as Error).message;
-      adapter.logger.error('[orgs] PATCH /:orgId/members/:userId', { error: msg });
-      if (msg.includes('Cannot') || msg.includes('Requires') || msg.includes('cannot')) {
-        res.status(403).json({ error: msg });
-      } else {
-        res.status(500).json({ error: 'Failed to change role' });
-      }
-    }
-  });
-
-
-  // GET /orgs/:orgId/members/:userId/cascade-preview — preview cascade effects of removing a member (admin+)
-  router.get('/:orgId/members/:userId/cascade-preview', authMiddleware, requireRole('admin'), async (req, res) => {
-    const { orgId } = req as AuthenticatedRequest;
-    const targetUserId = parseInt(req.params.userId, 10);
-    if (isNaN(targetUserId)) {
-      res.status(400).json({ error: 'Invalid user ID' });
-      return;
-    }
-    try {
-      const membershipResult = await pool.query(
-        `SELECT * FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
-        [orgId, targetUserId]
-      );
-      if (membershipResult.rows.length === 0) {
-        res.status(404).json({ error: 'Member not found' });
-        return;
-      }
-      const membership = membershipResult.rows[0];
-
-      const invitationsResult = await pool.query(
-        `SELECT * FROM tm_invitations
-         WHERE org_id = $1 AND invited_by_user_id = $2
-           AND revoked_at IS NULL AND accepted_at IS NULL AND expires_at > NOW()`,
-        [orgId, targetUserId]
-      );
-
-      res.json({ membership, pendingInvitations: invitationsResult.rows });
-    } catch (e) {
-      adapter.logger.error('[orgs] GET cascade-preview', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to fetch cascade preview' });
-    }
-  });
-
-  return router;
-}

package/src/server/routes/transfer.routes.ts

@@ -1,110 +0,0 @@
-import { Router } from 'express';
-import type { Pool } from 'pg';
-import type { ServerModuleAdapter, TeamManagementFeatureFlags } from '../types.js';
-import { requireMembership, type AuthenticatedRequest } from '../middleware/require-membership.js';
-import { requireRole } from '../middleware/require-role.js';
-import {
-  initiateTransfer,
-  acceptTransfer,
-  cancelTransfer,
-  getPendingTransfer,
-} from '../services/ownership.service.js';
-import { writeAuditEvent, getClientIp } from '../services/audit.service.js';
-
-export function createTransferRouter(
-  pool: Pool,
-  adapter: ServerModuleAdapter,
-  flags: TeamManagementFeatureFlags,
-  baseUrl: string
-): Router {
-  const router = Router({ mergeParams: true });
-  const authMiddleware = requireMembership(pool, adapter);
-
-  function featureCheck(res: import('express').Response): boolean {
-    if (!flags.enableOwnershipTransfer) {
-      res.status(501).json({ error: 'Ownership transfer is not enabled' });
-      return false;
-    }
-    return true;
-  }
-
-  router.get('/:orgId/transfer', authMiddleware, async (req, res) => {
-    if (!featureCheck(res)) return;
-    const { orgId } = req as AuthenticatedRequest;
-    try {
-      const transfer = await getPendingTransfer(pool, orgId);
-      res.json({ transfer });
-    } catch (e) {
-      adapter.logger.error('[transfer] GET', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to fetch transfer' });
-    }
-  });
-
-  router.post('/:orgId/transfer', authMiddleware, requireRole('owner'), async (req, res) => {
-    if (!featureCheck(res)) return;
-    const { orgId, userId } = req as AuthenticatedRequest;
-    const { toUserId } = req.body as { toUserId?: number };
-    if (!toUserId) { res.status(400).json({ error: 'toUserId is required' }); return; }
-    try {
-      const transfer = await initiateTransfer(pool, adapter, { orgId, fromUserId: userId, toUserId, baseUrl });
-      if (flags.enableAuditLog) {
-        await writeAuditEvent({ pool, orgId, actorUserId: userId, action: 'ownership.transfer_initiated',
-          targetType: 'user', targetId: toUserId, ip: getClientIp(req), userAgent: req.headers['user-agent'] ?? null });
-      }
-      res.status(201).json({ transfer });
-    } catch (e) {
-      const msg = (e as Error).message;
-      adapter.logger.error('[transfer] POST initiate', { error: msg });
-      if (msg.includes('not a member') || msg.includes('admin') || msg.includes('pending')) {
-        res.status(422).json({ error: msg });
-      } else {
-        res.status(500).json({ error: 'Failed to initiate transfer' });
-      }
-    }
-  });
-
-  router.post('/:orgId/transfer/accept', authMiddleware, async (req, res) => {
-    if (!featureCheck(res)) return;
-    const { orgId, userId } = req as AuthenticatedRequest;
-    try {
-      await acceptTransfer(pool, adapter, { orgId, acceptingUserId: userId });
-      if (flags.enableAuditLog) {
-        await writeAuditEvent({ pool, orgId, actorUserId: userId, action: 'ownership.transfer_accepted',
-          targetType: 'org', targetId: orgId, ip: getClientIp(req), userAgent: req.headers['user-agent'] ?? null });
-      }
-      res.json({ message: 'Ownership transfer accepted. You are now the owner.' });
-    } catch (e) {
-      const msg = (e as Error).message;
-      adapter.logger.error('[transfer] POST accept', { error: msg });
-      if (msg.includes('No valid') || msg.includes('Only the designated')) {
-        res.status(422).json({ error: msg });
-      } else {
-        res.status(500).json({ error: 'Failed to accept transfer' });
-      }
-    }
-  });
-
-  router.delete('/:orgId/transfer', authMiddleware, async (req, res) => {
-    if (!featureCheck(res)) return;
-    const { orgId, userId, userRole } = req as AuthenticatedRequest;
-    try {
-      const pending = await getPendingTransfer(pool, orgId);
-      if (!pending) { res.status(404).json({ error: 'No pending transfer found' }); return; }
-      if (userRole !== 'owner' && pending.to_user_id !== userId) {
-        res.status(403).json({ error: 'Only the initiating owner or designated recipient can cancel this transfer' });
-        return;
-      }
-      await cancelTransfer(pool, { orgId, cancelledByUserId: userId });
-      if (flags.enableAuditLog) {
-        await writeAuditEvent({ pool, orgId, actorUserId: userId, action: 'ownership.transfer_cancelled',
-          targetType: 'org', targetId: orgId, ip: getClientIp(req), userAgent: req.headers['user-agent'] ?? null });
-      }
-      res.json({ message: 'Transfer cancelled' });
-    } catch (e) {
-      adapter.logger.error('[transfer] DELETE cancel', { error: (e as Error).message });
-      res.status(500).json({ error: 'Failed to cancel transfer' });
-    }
-  });
-
-  return router;
-}