@varshylinc/team-management 0.1.0

package/src/server/routes/me.routes.ts

@@ -0,0 +1,143 @@
+import { Router } from 'express';
+import type { Pool } from 'pg';
+import type { ServerModuleAdapter, TeamManagementFeatureFlags } from '../types.js';
+import { requestEmailChange, verifyEmailChange, cancelEmailChange } from '../services/email-change.service.js';
+import { requestPasswordReset, resetPassword } from '../services/password-reset.service.js';
+import { getActiveMembership } from '../services/organizations.service.js';
+import { sha256 } from '../crypto.js';
+
+export function createMeRouter(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  flags: TeamManagementFeatureFlags,
+  baseUrl: string
+): Router {
+  const router = Router();
+
+  router.get('/membership', async (req, res) => {
+    try {
+      const userId = await adapter.getCurrentUserId(req);
+      if (!userId) { res.status(401).json({ error: 'Authentication required' }); return; }
+      const orgId = await adapter.getOrganizationIdForUser(userId);
+      if (!orgId) { res.status(404).json({ error: 'No organization membership found' }); return; }
+      const membership = await getActiveMembership(pool, orgId, userId);
+      res.json({ membership });
+    } catch (e) {
+      adapter.logger.error('[me] GET /membership', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to fetch membership' });
+    }
+  });
+
+  router.post('/email-change', async (req, res) => {
+    if (!flags.enableEmailChange) { res.status(501).json({ error: 'Email change is not enabled' }); return; }
+    try {
+      const userId = await adapter.getCurrentUserId(req);
+      if (!userId) { res.status(401).json({ error: 'Authentication required' }); return; }
+      const user = await adapter.getUserById(userId);
+      if (!user) { res.status(404).json({ error: 'User not found' }); return; }
+      const { newEmail } = req.body as { newEmail?: string };
+      if (!newEmail) { res.status(400).json({ error: 'newEmail is required' }); return; }
+      await requestEmailChange(pool, adapter, { userId, currentEmail: user.email, newEmail, baseUrl });
+      res.json({ message: 'Verification email sent to your new address' });
+    } catch (e) {
+      const msg = (e as Error).message;
+      adapter.logger.error('[me] POST /email-change', { error: msg });
+      if (msg.includes('Too many')) {
+        res.status(429).json({ error: msg });
+      } else if (msg.includes('already in use')) {
+        res.status(422).json({ error: msg });
+      } else {
+        res.status(500).json({ error: 'Failed to request email change' });
+      }
+    }
+  });
+
+  router.get('/email-change/verify', async (req, res) => {
+    if (!flags.enableEmailChange) { res.status(501).json({ error: 'Email change is not enabled' }); return; }
+    const token = req.query.token as string;
+    if (!token) { res.status(400).json({ error: 'token query parameter is required' }); return; }
+    try {
+      // Token-based verification — no authentication required; token is self-authenticating
+      const userId = await adapter.getCurrentUserId(req);
+      await verifyEmailChange(pool, adapter, { token, userId: userId ?? null });
+      res.json({ message: 'Email address updated successfully' });
+    } catch (e) {
+      const msg = (e as Error).message;
+      adapter.logger.error('[me] GET /email-change/verify', { error: msg });
+      if (msg.includes('Invalid') || msg.includes('expired')) {
+        res.status(404).json({ error: msg });
+      } else {
+        res.status(500).json({ error: 'Failed to verify email change' });
+      }
+    }
+  });
+
+  router.get('/email-change/cancel', async (req, res) => {
+    if (!flags.enableEmailChange) { res.status(501).json({ error: 'Email change is not enabled' }); return; }
+    const token = req.query.token as string;
+    if (!token) { res.status(400).json({ error: 'token query parameter is required' }); return; }
+    try {
+      await cancelEmailChange(pool, adapter, { token });
+      res.json({ message: 'Email change cancelled. Your sessions have been invalidated for security.' });
+    } catch (e) {
+      const msg = (e as Error).message;
+      adapter.logger.error('[me] GET /email-change/cancel', { error: msg });
+      if (msg.includes('Invalid') || msg.includes('expired')) {
+        res.status(404).json({ error: msg });
+      } else {
+        res.status(500).json({ error: 'Failed to cancel email change' });
+      }
+    }
+  });
+
+  router.post('/password-reset/request', async (req, res) => {
+    if (!flags.enablePasswordReset) { res.status(501).json({ error: 'Password reset is not enabled' }); return; }
+    const { email } = req.body as { email?: string };
+    if (!email) { res.status(400).json({ error: 'email is required' }); return; }
+    try {
+      await requestPasswordReset(pool, adapter, { email, baseUrl });
+      res.json({ message: 'If that email exists, a reset link has been sent' });
+    } catch (e) {
+      adapter.logger.error('[me] POST /password-reset/request', { error: (e as Error).message });
+      res.json({ message: 'If that email exists, a reset link has been sent' });
+    }
+  });
+
+  router.get('/password-reset', async (req, res) => {
+    if (!flags.enablePasswordReset) { res.status(501).json({ error: 'Password reset is not enabled' }); return; }
+    const token = req.query.token as string;
+    if (!token) { res.status(400).json({ error: 'token query parameter is required' }); return; }
+    try {
+      const tokenHash = sha256(token);
+      const result = await pool.query(
+        `SELECT id FROM tm_password_reset_requests WHERE token_hash = $1 AND used_at IS NULL AND expires_at > NOW()`,
+        [tokenHash]
+      );
+      if (result.rows.length === 0) { res.status(404).json({ error: 'Invalid or expired password reset token' }); return; }
+      res.json({ valid: true });
+    } catch (e) {
+      adapter.logger.error('[me] GET /password-reset', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to validate token' });
+    }
+  });
+
+  router.post('/password-reset', async (req, res) => {
+    if (!flags.enablePasswordReset) { res.status(501).json({ error: 'Password reset is not enabled' }); return; }
+    const { token, newPassword } = req.body as { token?: string; newPassword?: string };
+    if (!token || !newPassword) { res.status(400).json({ error: 'token and newPassword are required' }); return; }
+    try {
+      await resetPassword(pool, adapter, { token, newPassword });
+      res.json({ message: 'Password updated successfully. Please log in again.' });
+    } catch (e) {
+      const msg = (e as Error).message;
+      adapter.logger.error('[me] POST /password-reset', { error: msg });
+      if (msg.includes('Invalid') || msg.includes('expired') || msg.includes('8 characters')) {
+        res.status(422).json({ error: msg });
+      } else {
+        res.status(500).json({ error: 'Failed to reset password' });
+      }
+    }
+  });
+
+  return router;
+}

package/src/server/routes/orgs.routes.ts

@@ -0,0 +1,428 @@
+import { Router } from 'express';
+import type { Pool } from 'pg';
+import type { ServerModuleAdapter, TeamManagementFeatureFlags, OrgRole } from '../types.js';
+import { requireMembership, type AuthenticatedRequest } from '../middleware/require-membership.js';
+import { requireRole } from '../middleware/require-role.js';
+import { getOrg, updateOrg, softDeleteOrg, listOrgMembers } from '../services/organizations.service.js';
+import { removeMember, changeRole, validateRoleChange } from '../services/memberships.service.js';
+import { getPendingTransfer } from '../services/ownership.service.js';
+import { writeAuditEvent, getClientIp } from '../services/audit.service.js';
+
+export function createOrgsRouter(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  flags: TeamManagementFeatureFlags
+): Router {
+  const router = Router({ mergeParams: true });
+  const authMiddleware = requireMembership(pool, adapter);
+
+  // POST /orgs — create org (any authenticated user)
+  router.post('/', async (req, res) => {
+    try {
+      const userId = await adapter.getCurrentUserId(req as import('express').Request);
+      if (!userId) {
+        res.status(401).json({ error: 'Authentication required' });
+        return;
+      }
+      const { name, slug, settings } = req.body as { name?: string; slug?: string; settings?: Record<string, unknown> };
+      if (!name || !slug) {
+        res.status(400).json({ error: 'name and slug are required' });
+        return;
+      }
+
+      const result = await pool.query(
+        `INSERT INTO tm_organizations (name, slug, owner_user_id, settings)
+         VALUES ($1, $2, $3, $4) RETURNING *`,
+        [name, slug, userId, JSON.stringify(settings ?? {})]
+      );
+      const org = result.rows[0];
+
+      await pool.query(
+        `INSERT INTO tm_memberships (org_id, user_id, role, joined_at)
+         VALUES ($1, $2, 'owner', NOW())`,
+        [org.id, userId]
+      );
+
+      if (flags.enableAuditLog) {
+        await writeAuditEvent({
+          pool,
+          orgId: org.id,
+          actorUserId: userId,
+          action: 'org.created',
+          targetType: 'org',
+          targetId: org.id,
+          after: { name, slug },
+          ip: getClientIp(req),
+          userAgent: req.headers['user-agent'] ?? null,
+        });
+      }
+
+      res.status(201).json({ org });
+    } catch (e) {
+      const msg = (e as Error).message;
+      adapter.logger.error('[orgs] POST /', { error: msg });
+      if (msg.includes('unique') || msg.includes('duplicate') || msg.includes('already exists')) {
+        res.status(409).json({ error: 'Organization with that slug already exists' });
+      } else {
+        res.status(500).json({ error: 'Failed to create organization' });
+      }
+    }
+  });
+
+  // GET /orgs/:orgId — org info (member+)
+  router.get('/:orgId', authMiddleware, async (req, res) => {
+    const { orgId } = req as AuthenticatedRequest;
+    try {
+      const org = await getOrg(pool, orgId);
+      if (!org) {
+        res.status(404).json({ error: 'Organization not found' });
+        return;
+      }
+      res.json({ org });
+    } catch (e) {
+      adapter.logger.error('[orgs] GET /:orgId', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to fetch organization' });
+    }
+  });
+
+  // PATCH /orgs/:orgId — update name/slug/settings (admin+)
+  router.patch('/:orgId', authMiddleware, requireRole('admin'), async (req, res) => {
+    const { orgId, userId } = req as AuthenticatedRequest;
+    const { name, slug } = req.body as { name?: string; slug?: string };
+    try {
+      const before = await getOrg(pool, orgId);
+      const updated = await updateOrg(pool, orgId, { name, slug });
+
+      if (flags.enableAuditLog) {
+        await writeAuditEvent({
+          pool,
+          orgId,
+          actorUserId: userId,
+          action: 'org.settings.updated',
+          targetType: 'org',
+          targetId: orgId,
+          before: { name: before?.name, slug: before?.slug },
+          after: { name: updated.name, slug: updated.slug },
+          ip: getClientIp(req),
+          userAgent: req.headers['user-agent'] ?? null,
+        });
+      }
+
+      res.json({ org: updated });
+    } catch (e) {
+      adapter.logger.error('[orgs] PATCH /:orgId', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to update organization' });
+    }
+  });
+
+  // DELETE /orgs/:orgId — soft delete (owner only), requires confirmName
+  router.delete('/:orgId', authMiddleware, requireRole('owner'), async (req, res) => {
+    const { orgId, userId } = req as AuthenticatedRequest;
+    // Accept both confirmName and confirmOrgName for compatibility
+    const { confirmName, confirmOrgName } = req.body as { confirmName?: string; confirmOrgName?: string };
+    const confirm = confirmName ?? confirmOrgName;
+    try {
+      const org = await getOrg(pool, orgId);
+      if (!org) {
+        res.status(404).json({ error: 'Organization not found' });
+        return;
+      }
+      if (!confirm || confirm !== org.name) {
+        res.status(422).json({ error: 'Confirmation name does not match organization name' });
+        return;
+      }
+
+      // Transfer lock: cannot delete org while ownership transfer is pending
+      const pendingTransfer = await getPendingTransfer(pool, orgId);
+      if (pendingTransfer) {
+        res.status(409).json({ error: 'Cannot delete organization while an ownership transfer is pending. Cancel the transfer first.' });
+        return;
+      }
+
+      await softDeleteOrg(pool, orgId, userId);
+
+      if (flags.enableAuditLog) {
+        await writeAuditEvent({
+          pool,
+          orgId,
+          actorUserId: userId,
+          action: 'org.deleted',
+          targetType: 'org',
+          targetId: orgId,
+          ip: getClientIp(req),
+          userAgent: req.headers['user-agent'] ?? null,
+        });
+      }
+
+      try {
+        const members = await listOrgMembers(pool, orgId, { includeRemoved: false });
+        const userIds = members.map(m => m.user_id);
+        const users = await adapter.getUsersByIds(userIds);
+        const scheduledFor = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
+        for (const user of users) {
+          await adapter.sendOrgDeletionNotice({
+            to: user.email,
+            orgName: org.name,
+            scheduledFor,
+          });
+        }
+      } catch (e) {
+        adapter.logger.warn('[orgs] Failed to send deletion notices', { error: (e as Error).message });
+      }
+
+      res.json({ message: 'Organization scheduled for deletion in 30 days' });
+    } catch (e) {
+      adapter.logger.error('[orgs] DELETE /:orgId', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to delete organization' });
+    }
+  });
+
+  // GET /orgs/:orgId/members — list members (member+)
+  router.get('/:orgId/members', authMiddleware, async (req, res) => {
+    const { orgId } = req as AuthenticatedRequest;
+    try {
+      const members = await listOrgMembers(pool, orgId);
+      const userIds = members.map(m => m.user_id);
+      const users = await adapter.getUsersByIds(userIds);
+      const userMap = new Map(users.map(u => [u.id, u]));
+      const enriched = members.map(m => ({ ...m, user: userMap.get(m.user_id) }));
+      res.json({ members: enriched });
+    } catch (e) {
+      adapter.logger.error('[orgs] GET /:orgId/members', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to fetch members' });
+    }
+  });
+
+  // GET /orgs/:orgId/members/former — former members (admin+)
+  router.get('/:orgId/members/former', authMiddleware, requireRole('admin'), async (req, res) => {
+    const { orgId } = req as AuthenticatedRequest;
+    try {
+      const allMembers = await listOrgMembers(pool, orgId, { includeRemoved: true });
+      const former = allMembers.filter(m => m.removed_at !== null);
+      res.json({ members: former });
+    } catch (e) {
+      adapter.logger.error('[orgs] GET /:orgId/members/former', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to fetch former members' });
+    }
+  });
+
+  // DELETE /orgs/:orgId/members/:userId — remove member (admin+)
+  router.delete('/:orgId/members/:userId', authMiddleware, requireRole('admin'), async (req, res) => {
+    const { orgId, userId: actorId, userRole } = req as AuthenticatedRequest;
+    const targetUserId = parseInt(req.params.userId, 10);
+    const { reason } = req.body as { reason?: string };
+
+    if (isNaN(targetUserId)) {
+      res.status(400).json({ error: 'Invalid user ID' });
+      return;
+    }
+    if (targetUserId === actorId) {
+      res.status(400).json({ message: 'Cannot remove yourself: you are the owner of this organization' });
+      return;
+    }
+
+    try {
+      const targetMemberResult = await pool.query(
+        `SELECT role FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
+        [orgId, targetUserId]
+      );
+      if (targetMemberResult.rows.length === 0) {
+        res.status(404).json({ error: 'Member not found' });
+        return;
+      }
+      const targetRole = targetMemberResult.rows[0].role;
+
+      if (userRole === 'admin' && (targetRole === 'owner' || targetRole === 'admin')) {
+        res.status(403).json({ error: 'Admins cannot remove owners or other admins' });
+        return;
+      }
+
+      // Transfer lock: cannot remove a user involved in a pending transfer
+      const pendingTransferForRemove = await getPendingTransfer(pool, orgId);
+      if (pendingTransferForRemove &&
+          (pendingTransferForRemove.from_user_id === targetUserId ||
+           pendingTransferForRemove.to_user_id === targetUserId)) {
+        res.status(409).json({ error: 'Cannot remove a member involved in a pending ownership transfer. Cancel the transfer first.' });
+        return;
+      }
+
+      await removeMember(pool, { orgId, userId: targetUserId, removedByUserId: actorId, reason });
+
+      if (flags.enableAuditLog) {
+        await writeAuditEvent({
+          pool,
+          orgId,
+          actorUserId: actorId,
+          action: 'member.removed',
+          targetType: 'user',
+          targetId: targetUserId,
+          before: { role: targetRole },
+          reason: reason ?? null,
+          ip: getClientIp(req),
+          userAgent: req.headers['user-agent'] ?? null,
+        });
+      }
+
+      res.json({ message: 'Member removed successfully' });
+    } catch (e) {
+      adapter.logger.error('[orgs] DELETE /:orgId/members/:userId', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to remove member' });
+    }
+  });
+
+  // PATCH /orgs/:orgId/members/:userId/role — change role (admin+)
+  router.patch('/:orgId/members/:userId/role', authMiddleware, requireRole('admin'), async (req, res) => {
+    const { orgId, userId: actorId, userRole } = req as AuthenticatedRequest;
+    const targetUserId = parseInt(req.params.userId, 10);
+    const { role: newRole } = req.body as { role?: string };
+
+    if (isNaN(targetUserId)) {
+      res.status(400).json({ error: 'Invalid user ID' });
+      return;
+    }
+    if (!newRole) {
+      res.status(400).json({ error: 'role is required' });
+      return;
+    }
+
+    try {
+      await validateRoleChange(pool, { orgId, actorRole: userRole, targetUserId, newRole: newRole as OrgRole });
+
+      // Transfer lock: cannot change role of a user involved in a pending transfer
+      const pendingTransferForPatch = await getPendingTransfer(pool, orgId);
+      if (pendingTransferForPatch &&
+          (pendingTransferForPatch.from_user_id === targetUserId ||
+           pendingTransferForPatch.to_user_id === targetUserId)) {
+        res.status(409).json({ error: 'Cannot change role of a member involved in a pending ownership transfer. Cancel the transfer first.' });
+        return;
+      }
+
+      const before = await pool.query(
+        `SELECT role FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
+        [orgId, targetUserId]
+      );
+      const updated = await changeRole(pool, { orgId, userId: targetUserId, newRole: newRole as OrgRole, changedByUserId: actorId });
+
+      if (flags.enableAuditLog) {
+        await writeAuditEvent({
+          pool,
+          orgId,
+          actorUserId: actorId,
+          action: 'member.role_changed',
+          targetType: 'user',
+          targetId: targetUserId,
+          before: { role: before.rows[0]?.role },
+          after: { role: newRole },
+          ip: getClientIp(req),
+          userAgent: req.headers['user-agent'] ?? null,
+        });
+      }
+
+      res.json({ membership: updated });
+    } catch (e) {
+      const msg = (e as Error).message;
+      adapter.logger.error('[orgs] PATCH /:orgId/members/:userId/role', { error: msg });
+      if (msg.includes('Cannot') || msg.includes('Requires') || msg.includes('cannot')) {
+        res.status(403).json({ error: msg });
+      } else {
+        res.status(500).json({ error: 'Failed to change role' });
+      }
+    }
+  });
+
+  // PATCH /orgs/:orgId/members/:userId — alias without /role suffix (for compatibility)
+  router.patch('/:orgId/members/:userId', authMiddleware, requireRole('admin'), async (req, res) => {
+    const { orgId, userId: actorId, userRole } = req as AuthenticatedRequest;
+    const targetUserId = parseInt(req.params.userId, 10);
+    const { role: newRole } = req.body as { role?: string };
+
+    if (isNaN(targetUserId)) {
+      res.status(400).json({ error: 'Invalid user ID' });
+      return;
+    }
+    if (!newRole) {
+      res.status(400).json({ error: 'role is required' });
+      return;
+    }
+
+    try {
+      await validateRoleChange(pool, { orgId, actorRole: userRole, targetUserId, newRole: newRole as OrgRole });
+
+      // Transfer lock: cannot change role of a user involved in a pending transfer
+      const pendingTransferForPatch = await getPendingTransfer(pool, orgId);
+      if (pendingTransferForPatch &&
+          (pendingTransferForPatch.from_user_id === targetUserId ||
+           pendingTransferForPatch.to_user_id === targetUserId)) {
+        res.status(409).json({ error: 'Cannot change role of a member involved in a pending ownership transfer. Cancel the transfer first.' });
+        return;
+      }
+
+      const before = await pool.query(
+        `SELECT role FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
+        [orgId, targetUserId]
+      );
+      const updated = await changeRole(pool, { orgId, userId: targetUserId, newRole: newRole as OrgRole, changedByUserId: actorId });
+
+      if (flags.enableAuditLog) {
+        await writeAuditEvent({
+          pool,
+          orgId,
+          actorUserId: actorId,
+          action: 'member.role_changed',
+          targetType: 'user',
+          targetId: targetUserId,
+          before: { role: before.rows[0]?.role },
+          after: { role: newRole },
+          ip: getClientIp(req),
+          userAgent: req.headers['user-agent'] ?? null,
+        });
+      }
+
+      res.json({ membership: updated });
+    } catch (e) {
+      const msg = (e as Error).message;
+      adapter.logger.error('[orgs] PATCH /:orgId/members/:userId', { error: msg });
+      if (msg.includes('Cannot') || msg.includes('Requires') || msg.includes('cannot')) {
+        res.status(403).json({ error: msg });
+      } else {
+        res.status(500).json({ error: 'Failed to change role' });
+      }
+    }
+  });
+
+
+  // GET /orgs/:orgId/members/:userId/cascade-preview — preview cascade effects of removing a member (admin+)
+  router.get('/:orgId/members/:userId/cascade-preview', authMiddleware, requireRole('admin'), async (req, res) => {
+    const { orgId } = req as AuthenticatedRequest;
+    const targetUserId = parseInt(req.params.userId, 10);
+    if (isNaN(targetUserId)) {
+      res.status(400).json({ error: 'Invalid user ID' });
+      return;
+    }
+    try {
+      const membershipResult = await pool.query(
+        `SELECT * FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
+        [orgId, targetUserId]
+      );
+      if (membershipResult.rows.length === 0) {
+        res.status(404).json({ error: 'Member not found' });
+        return;
+      }
+      const membership = membershipResult.rows[0];
+
+      const invitationsResult = await pool.query(
+        `SELECT * FROM tm_invitations
+         WHERE org_id = $1 AND invited_by_user_id = $2
+           AND revoked_at IS NULL AND accepted_at IS NULL AND expires_at > NOW()`,
+        [orgId, targetUserId]
+      );
+
+      res.json({ membership, pendingInvitations: invitationsResult.rows });
+    } catch (e) {
+      adapter.logger.error('[orgs] GET cascade-preview', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to fetch cascade preview' });
+    }
+  });
+
+  return router;
+}

package/src/server/routes/transfer.routes.ts

@@ -0,0 +1,110 @@
+import { Router } from 'express';
+import type { Pool } from 'pg';
+import type { ServerModuleAdapter, TeamManagementFeatureFlags } from '../types.js';
+import { requireMembership, type AuthenticatedRequest } from '../middleware/require-membership.js';
+import { requireRole } from '../middleware/require-role.js';
+import {
+  initiateTransfer,
+  acceptTransfer,
+  cancelTransfer,
+  getPendingTransfer,
+} from '../services/ownership.service.js';
+import { writeAuditEvent, getClientIp } from '../services/audit.service.js';
+
+export function createTransferRouter(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  flags: TeamManagementFeatureFlags,
+  baseUrl: string
+): Router {
+  const router = Router({ mergeParams: true });
+  const authMiddleware = requireMembership(pool, adapter);
+
+  function featureCheck(res: import('express').Response): boolean {
+    if (!flags.enableOwnershipTransfer) {
+      res.status(501).json({ error: 'Ownership transfer is not enabled' });
+      return false;
+    }
+    return true;
+  }
+
+  router.get('/:orgId/transfer', authMiddleware, async (req, res) => {
+    if (!featureCheck(res)) return;
+    const { orgId } = req as AuthenticatedRequest;
+    try {
+      const transfer = await getPendingTransfer(pool, orgId);
+      res.json({ transfer });
+    } catch (e) {
+      adapter.logger.error('[transfer] GET', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to fetch transfer' });
+    }
+  });
+
+  router.post('/:orgId/transfer', authMiddleware, requireRole('owner'), async (req, res) => {
+    if (!featureCheck(res)) return;
+    const { orgId, userId } = req as AuthenticatedRequest;
+    const { toUserId } = req.body as { toUserId?: number };
+    if (!toUserId) { res.status(400).json({ error: 'toUserId is required' }); return; }
+    try {
+      const transfer = await initiateTransfer(pool, adapter, { orgId, fromUserId: userId, toUserId, baseUrl });
+      if (flags.enableAuditLog) {
+        await writeAuditEvent({ pool, orgId, actorUserId: userId, action: 'ownership.transfer_initiated',
+          targetType: 'user', targetId: toUserId, ip: getClientIp(req), userAgent: req.headers['user-agent'] ?? null });
+      }
+      res.status(201).json({ transfer });
+    } catch (e) {
+      const msg = (e as Error).message;
+      adapter.logger.error('[transfer] POST initiate', { error: msg });
+      if (msg.includes('not a member') || msg.includes('admin') || msg.includes('pending')) {
+        res.status(422).json({ error: msg });
+      } else {
+        res.status(500).json({ error: 'Failed to initiate transfer' });
+      }
+    }
+  });
+
+  router.post('/:orgId/transfer/accept', authMiddleware, async (req, res) => {
+    if (!featureCheck(res)) return;
+    const { orgId, userId } = req as AuthenticatedRequest;
+    try {
+      await acceptTransfer(pool, adapter, { orgId, acceptingUserId: userId });
+      if (flags.enableAuditLog) {
+        await writeAuditEvent({ pool, orgId, actorUserId: userId, action: 'ownership.transfer_accepted',
+          targetType: 'org', targetId: orgId, ip: getClientIp(req), userAgent: req.headers['user-agent'] ?? null });
+      }
+      res.json({ message: 'Ownership transfer accepted. You are now the owner.' });
+    } catch (e) {
+      const msg = (e as Error).message;
+      adapter.logger.error('[transfer] POST accept', { error: msg });
+      if (msg.includes('No valid') || msg.includes('Only the designated')) {
+        res.status(422).json({ error: msg });
+      } else {
+        res.status(500).json({ error: 'Failed to accept transfer' });
+      }
+    }
+  });
+
+  router.delete('/:orgId/transfer', authMiddleware, async (req, res) => {
+    if (!featureCheck(res)) return;
+    const { orgId, userId, userRole } = req as AuthenticatedRequest;
+    try {
+      const pending = await getPendingTransfer(pool, orgId);
+      if (!pending) { res.status(404).json({ error: 'No pending transfer found' }); return; }
+      if (userRole !== 'owner' && pending.to_user_id !== userId) {
+        res.status(403).json({ error: 'Only the initiating owner or designated recipient can cancel this transfer' });
+        return;
+      }
+      await cancelTransfer(pool, { orgId, cancelledByUserId: userId });
+      if (flags.enableAuditLog) {
+        await writeAuditEvent({ pool, orgId, actorUserId: userId, action: 'ownership.transfer_cancelled',
+          targetType: 'org', targetId: orgId, ip: getClientIp(req), userAgent: req.headers['user-agent'] ?? null });
+      }
+      res.json({ message: 'Transfer cancelled' });
+    } catch (e) {
+      adapter.logger.error('[transfer] DELETE cancel', { error: (e as Error).message });
+      res.status(500).json({ error: 'Failed to cancel transfer' });
+    }
+  });
+
+  return router;
+}