You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a guild owner, I need to grant and revoke guild_admin access for my guild so that I can delegate Station-Bot administration to trusted staff without giving away ownership.
As a Station super admin, I need an emergency owner reassignment flow so that I can recover a guild when the single owner is unavailable or misconfigured.
Definition of Done
Station supports the initial guild role model from #242: exactly one guild_owner, zero or more guild_admin, and ordinary guild_member users with no bot-admin access
A guild_owner can assign and revoke guild_admin access for users in their guild/org
Guild-owner management UI clearly distinguishes owner vs admin and prevents accidental owner loss
A station_super_admin can perform an emergency guild-owner reassignment as a break-glass recovery flow
Single-owner enforcement exists at the backend so a guild cannot end up with zero or multiple active owners through race conditions or malformed requests
Emergency owner reassignment is strongly audited with real actor, previous owner, new owner, target guild/org, reason, and timestamp
Tests cover normal admin assignment/removal, owner-only restrictions, single-owner enforcement, and emergency reassignment behavior
pnpm typecheck passes
Acceptance Criteria
A guild owner can add a guild admin and that user then gains access to the guild’s Station-Bot admin surface
A guild owner can remove a guild admin and that user immediately loses guild admin access
A guild admin cannot promote another user to owner or manage owner assignment
The system enforces exactly one owner per guild at all times
A station_super_admin can reassign guild ownership in an emergency with a required reason/comment
Emergency owner reassignment is recorded in audit history and is distinguishable from ordinary guild-owner actions
Technical Elaboration
This story implements the delegated guild access and recovery portion of the model established in #242.
Recommended behavior:
Guild owner/admin state should be represented in a backend-managed model that can be derived from Station role assignments and/or explicit mapping state, but the resulting business rule must be:
one owner only
admins delegated by owner
If implemented through Station permissions and role assignments, the backend should still expose a clear domain-level API for:
list current owner/admins for guild/org
assign guild admin
revoke guild admin
emergency reassign owner
Emergency owner reassignment should require:
station_super_admin privilege
explicit target guild/org
new owner user identity
required reason/comment
Audit logs should include:
real actor
previous owner
new owner
changed admin identities where relevant
target guild/org
reason/comment
timestamp
Recommended UI areas:
Guild access management panel for guild_owner
Emergency reassignment flow for station_super_admin
Clear warnings around owner changes and delegated admin scope
This story is intentionally limited to the initial coarse role model for this milestone. Finer-grained delegated permissions below owner/admin are future work.
Design Elaboration
This UI should emphasize clarity and safety over flexibility.
Owners need a simple way to delegate trusted admins. Super admins need a recovery path that is obviously exceptional. The system should make it very hard to accidentally strand a guild without an owner or to blur the boundary between owner powers and admin powers.
User Story
As a guild owner, I need to grant and revoke
guild_adminaccess for my guild so that I can delegate Station-Bot administration to trusted staff without giving away ownership.As a Station super admin, I need an emergency owner reassignment flow so that I can recover a guild when the single owner is unavailable or misconfigured.
Definition of Done
#242: exactly oneguild_owner, zero or moreguild_admin, and ordinaryguild_memberusers with no bot-admin accessguild_ownercan assign and revokeguild_adminaccess for users in their guild/orgstation_super_admincan perform an emergency guild-owner reassignment as a break-glass recovery flowpnpm typecheckpassesAcceptance Criteria
station_super_admincan reassign guild ownership in an emergency with a required reason/commentTechnical Elaboration
This story implements the delegated guild access and recovery portion of the model established in
#242.Recommended behavior:
station_super_adminprivilegeRecommended UI areas:
guild_ownerstation_super_adminThis story is intentionally limited to the initial coarse role model for this milestone. Finer-grained delegated permissions below owner/admin are future work.
Design Elaboration
This UI should emphasize clarity and safety over flexibility.
Owners need a simple way to delegate trusted admins. Super admins need a recovery path that is obviously exceptional. The system should make it very hard to accidentally strand a guild without an owner or to blur the boundary between owner powers and admin powers.
Parent Epic: #231
Depends on: #242