feat: Organization management API (invites, members) #53

@sre-helmcode

Description

Summary

Implement API endpoints for managing organizations: invite link generation, invite acceptance, member listing, and member removal.

Context

Organizations are the tenant boundary in AgentCrew. Users need to invite team members to their org without requiring SMTP/email services — invite links are shareable via any channel.

API Endpoints

Invite Management

POST /api/org/invites
{ "email": "maria@acme.com" }  ← optional
→ 201 {
  "id": "uuid",
  "token": "abc123...",
  "invite_url": "/invite/abc123...",
  "email": "maria@acme.com",
  "expires_at": "2026-03-14T00:00:00Z"
}

GET /api/org/invites
→ 200 [{ "id", "email", "expires_at", "used_at", "created_at" }]

DELETE /api/org/invites/:id
→ 204

Invite Acceptance (unauthenticated)

GET /api/auth/invite/:token
→ 200 { "org_name": "Acme Corp", "email": "maria@acme.com" }
(Preview info before registering)

POST /api/auth/register/invite
{
  "token": "abc123...",
  "name": "María García",
  "email": "maria@acme.com",
  "password": "..."
}
→ 201 { "access_token": "...", "user": {...}, "organization": {...} }

Validations:

  • Token must not be expired
  • Token must not be already used
  • If invite has pre-set email, registration email must match
  • Email must not already exist

Member Management

GET /api/org/members
→ 200 [{ "id", "name", "email", "is_owner", "created_at" }]

DELETE /api/org/members/:id
→ 204

Rules:

  • Only the owner (is_owner=true) can remove members
  • Owner cannot remove themselves
  • Removing a member does NOT delete their created resources (teams, webhooks, etc.)
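
The three rules above plus one the list implies but does not spell out (the target must belong to the caller's org, since organizations are the tenant boundary) can be expressed as a single removal routine. This is an added Go example, not code from the AgentCrew project; the in-memory `Members` store, the `User` struct and the error names are assumptions standing in for the real database layer.

```go
package main

import "errors"

// User is the subset of the members table needed for the removal rules.
type User struct {
	ID      string
	OrgID   string
	IsOwner bool
}

var (
	ErrForbidden      = errors.New("only the organization owner can remove members")
	ErrSelfRemoval    = errors.New("owner cannot remove themselves")
	ErrMemberNotFound = errors.New("member not found in this organization")
)

// Members is an in-memory stand-in for the users table (assumption).
type Members struct {
	byID map[string]*User
}

func NewMembers(users ...User) *Members {
	m := &Members{byID: map[string]*User{}}
	for i := range users {
		u := users[i]
		m.byID[u.ID] = &u
	}
	return m
}

// List implements GET /api/org/members for one organization.
func (m *Members) List(orgID string) []User {
	var out []User
	for _, u := range m.byID {
		if u.OrgID == orgID {
			out = append(out, *u)
		}
	}
	return out
}

// RemoveMember implements DELETE /api/org/members/:id. actor is the
// authenticated caller (taken from the session, never from the request body);
// targetID is the :id path parameter.
func (m *Members) RemoveMember(actor User, targetID string) error {
	if !actor.IsOwner {
		return ErrForbidden
	}
	if actor.ID == targetID {
		return ErrSelfRemoval
	}
	target, ok := m.byID[targetID]
	// Scope the lookup by the caller's org. An id that belongs to another
	// tenant must behave exactly like a nonexistent id; otherwise the endpoint
	// both confirms that the id exists and deletes across the tenant boundary.
	if !ok || target.OrgID != actor.OrgID {
		return ErrMemberNotFound
	}
	delete(m.byID, targetID)
	// Resources the member created (teams, webhooks, ...) are left untouched,
	// as the rules require; only the membership goes.
	return nil
}
```

The order of the checks matters for what a non-owner learns: the `IsOwner` test runs first, so a non-owner probing ids from another tenant gets the same 403 regardless of whether the id exists.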

Organization Profile

GET /api/org
→ 200 { "id", "name", "slug", "created_at" }

PUT /api/org
{ "name": "New Org Name" }
→ 200 { "id", "name", "slug", ... }

Rules:

  • Only owner can update org name
  • Slug is re-generated when name changes (if new slug is available)
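
An added Go example (not AgentCrew's own code) of the two rules above: the owner check and the conditional slug regeneration. The in-memory `Orgs` store with its slug index, the `Slugify` rules (lower-case, collapse runs of non-alphanumerics to a hyphen, drop non-ASCII letters) and the error names are assumptions; the real implementation would rely on a unique index on `slug` instead of a map.

```go
package main

import (
	"errors"
	"regexp"
	"strings"
)

type Org struct {
	ID, OwnerID, Name, Slug string
}

var (
	ErrOrgNotFound = errors.New("organization not found")
	ErrNotOwner    = errors.New("only the owner can update the organization")
)

var nonSlug = regexp.MustCompile(`[^a-z0-9]+`)

// Slugify lower-cases the name and collapses every run of other characters
// to a single hyphen. Non-ASCII letters are dropped (simplification).
func Slugify(name string) string {
	return strings.Trim(nonSlug.ReplaceAllString(strings.ToLower(name), "-"), "-")
}

// Orgs is an in-memory stand-in for the organizations table with a unique
// index on slug (assumption).
type Orgs struct {
	byID  map[string]*Org
	slugs map[string]string // slug -> org id
}

func NewOrgs(orgs ...Org) *Orgs {
	o := &Orgs{byID: map[string]*Org{}, slugs: map[string]string{}}
	for i := range orgs {
		org := orgs[i]
		o.byID[org.ID] = &org
		o.slugs[org.Slug] = org.ID
	}
	return o
}

// SlugOwner reports which org currently holds a slug, if any.
func (o *Orgs) SlugOwner(slug string) (string, bool) {
	id, ok := o.slugs[slug]
	return id, ok
}

// Rename implements PUT /api/org. Both actorID and orgID come from the
// session (the caller's own org), not from the request body.
func (o *Orgs) Rename(actorID, orgID, newName string) (Org, error) {
	org, ok := o.byID[orgID]
	if !ok {
		return Org{}, ErrOrgNotFound
	}
	if org.OwnerID != actorID {
		return Org{}, ErrNotOwner
	}
	if newName == org.Name {
		return *org, nil
	}
	org.Name = newName
	want := Slugify(newName)
	// Re-generate the slug only if the new one is non-empty and not held by
	// another org; otherwise the existing slug (and links to it) survives.
	if holder, taken := o.slugs[want]; want != "" && (!taken || holder == orgID) {
		delete(o.slugs, org.Slug)
		org.Slug = want
		o.slugs[want] = orgID
	}
	return *org, nil
}
```

Note the empty-slug case: a name made only of punctuation or non-ASCII characters would otherwise clear the slug, which is why it is treated like an unavailable one.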

Invite Token Generation

  • 32 bytes of crypto/rand, base64url-encoded
  • Stored as SHA-256 hash in DB (like webhook tokens)
  • Only the raw token is returned once at creation time
  • Default expiration: 7 days
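
The token scheme above and the acceptance validations listed under POST /api/auth/register/invite fit together in one flow: generate, hash, store the hash, return the raw token once, then on registration hash the presented token and look the hash up. The following Go example is added here and is not the project's code; the in-memory `Store`, the hex-encoded 16-byte id standing in for a UUID, and case-insensitive email matching are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"strings"
	"time"
)

// Invite is the stored record. Only the SHA-256 of the token is kept, so a
// database read (backup, injection, leaked dump) yields no usable links.
type Invite struct {
	ID        string
	OrgID     string
	TokenHash string     // hex(SHA-256(raw token))
	Email     string     // optional pre-set email, lower-cased
	ExpiresAt time.Time
	UsedAt    *time.Time // nil until the invite is redeemed
}

const inviteTTL = 7 * 24 * time.Hour // default expiration from the spec

var (
	ErrInviteNotFound = errors.New("invite not found")
	ErrInviteExpired  = errors.New("invite expired")
	ErrInviteUsed     = errors.New("invite already used")
	ErrEmailMismatch  = errors.New("registration email does not match invite")
	ErrEmailTaken     = errors.New("email already registered")
)

// Store is an in-memory stand-in for the database tables (assumption).
type Store struct {
	invites map[string]*Invite // keyed by token hash
	emails  map[string]bool    // registered user emails, lower-cased
}

func NewStore() *Store {
	return &Store{invites: map[string]*Invite{}, emails: map[string]bool{}}
}

func hashToken(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

func randomHex(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// CreateInvite implements POST /api/org/invites: 32 bytes from crypto/rand,
// base64url-encoded, hashed for storage. The raw token is returned exactly
// once and is never persisted.
func (s *Store) CreateInvite(orgID, email string, now time.Time) (Invite, string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return Invite{}, "", err
	}
	raw := base64.RawURLEncoding.EncodeToString(buf) // URL-safe, no padding
	id, err := randomHex(16)                         // stand-in for a UUID (assumption)
	if err != nil {
		return Invite{}, "", err
	}
	inv := &Invite{
		ID:        id,
		OrgID:     orgID,
		TokenHash: hashToken(raw),
		Email:     strings.ToLower(email),
		ExpiresAt: now.Add(inviteTTL),
	}
	s.invites[inv.TokenHash] = inv
	return *inv, raw, nil
}

// AcceptInvite runs the validations of POST /api/auth/register/invite in the
// order the spec lists them and marks the invite used on success. Looking up
// by hash means the stored value is never compared byte-by-byte against
// attacker input, so comparison timing cannot be turned into a token oracle.
func (s *Store) AcceptInvite(raw, email string, now time.Time) (Invite, error) {
	inv, ok := s.invites[hashToken(raw)]
	if !ok {
		return Invite{}, ErrInviteNotFound
	}
	if !now.Before(inv.ExpiresAt) {
		return Invite{}, ErrInviteExpired
	}
	if inv.UsedAt != nil {
		return Invite{}, ErrInviteUsed
	}
	email = strings.ToLower(email) // case-insensitive match (assumption)
	if inv.Email != "" && inv.Email != email {
		return Invite{}, ErrEmailMismatch
	}
	if s.emails[email] {
		return Invite{}, ErrEmailTaken
	}
	used := now
	inv.UsedAt = &used
	s.emails[email] = true
	return *inv, nil
}
```

In a real database the mark-used step and the user insert belong in one transaction, or the UPDATE should be conditional on `used_at IS NULL`, so two concurrent registrations with the same link cannot both succeed.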

Acceptance Criteria

  • Invite CRUD endpoints (create, list, delete)
  • Invite acceptance endpoint with token validation
  • Member list and remove endpoints
  • Org profile get/update endpoints
  • Only owner can manage invites and remove members
  • Token hashing (store hash, return raw once)
  • Expired/used token rejection
  • Email matching validation when pre-set
  • Unit tests for invite flow
  • Integration tests for full invite → register → member lifecycle

Dependencies

Related Issues

Part of Auth & Multi-tenancy epic (Phase 1).

Metadata

Assignees: none listed
Labels: none
Type: none
Project status: Todo
Milestone: none
Relationships: none yet
Development: no branches or pull requests