Issue 7 — Implement Company Members CRUD (DB-only) for the “chef” UI
Description
Implement member management endpoints that operate on company_members only (no Keycloak Admin API yet). This supports your “chef” CRUD UI while user accounts are still created manually in Keycloak.
Checklist
- Add routes under auth middleware:
  - GET /companies/:id/members → list { keycloak_user_id, role }
  - PATCH /companies/:id/members/:keycloakUserId → update role
  - DELETE /companies/:id/members/:keycloakUserId → remove membership
- Add authorization checks via Issue 6 helper.
- Add validation:
  - role value valid on PATCH
  - can’t delete yourself if you are the last owner (recommended)
  - can’t remove the last company_owner of a company (recommended)
- Update README endpoint table (mark old /companies/:id/users as deprecated if needed).
Acceptance Criteria
- Owner/admin can list/update/delete members for their company.
- A caller without an owner/admin membership in that company (a plain member, or a user who belongs to a different company) cannot manage its members (403).
- System prevents deleting or demoting the last owner of a company.
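The checklist and acceptance criteria above, as an added example that is not the project's own code: a framework-agnostic model of the three handlers over an in-memory copy of company_members, runnable with plain Node. The role set (company_admin and company_member alongside the page's company_owner), the requireCompanyRole stand-in for the Issue 6 helper, the sample rows and the 409 status for last-owner conflicts are all assumptions made for the example. The requester id is meant to come from the `sub` claim of the token the auth middleware already verified, never from the request body or path.

```javascript
// Added example, not the project's code. Role names other than company_owner,
// requireCompanyRole (stand-in for the Issue 6 helper), the sample rows and the
// 409 status are assumptions.
const ROLES = new Set(['company_owner', 'company_admin', 'company_member']); // assumed
const MANAGER_ROLES = new Set(['company_owner', 'company_admin']);           // "Owner/admin"

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Constructed sample of the company_members table.
function sampleMembers() {
  return [
    { company_id: 1, keycloak_user_id: 'u-owner', role: 'company_owner' },
    { company_id: 1, keycloak_user_id: 'u-admin', role: 'company_admin' },
    { company_id: 1, keycloak_user_id: 'u-cook',  role: 'company_member' },
    { company_id: 2, keycloak_user_id: 'u-other', role: 'company_owner' },
  ];
}

function findMember(members, companyId, userId) {
  return members.find(m => m.company_id === companyId && m.keycloak_user_id === userId);
}

// Stand-in for the Issue 6 helper: the requester must hold an allowed role in
// *this* company. Being an owner of another company is not enough (403).
function requireCompanyRole(members, companyId, requesterId, allowed) {
  const row = findMember(members, companyId, requesterId);
  if (!row || !allowed.has(row.role)) throw new HttpError(403, 'forbidden');
  return row;
}

function countOwners(members, companyId) {
  return members.filter(m => m.company_id === companyId && m.role === 'company_owner').length;
}

// GET /companies/:id/members
function listMembers(members, companyId, requesterId) {
  requireCompanyRole(members, companyId, requesterId, MANAGER_ROLES);
  return members
    .filter(m => m.company_id === companyId)
    .map(({ keycloak_user_id, role }) => ({ keycloak_user_id, role }));
}

// PATCH /companies/:id/members/:keycloakUserId   body: { role }
function updateMemberRole(members, companyId, requesterId, targetId, role) {
  requireCompanyRole(members, companyId, requesterId, MANAGER_ROLES);
  if (!ROLES.has(role)) throw new HttpError(400, 'invalid role');
  const row = findMember(members, companyId, targetId);
  if (!row) throw new HttpError(404, 'not a member');
  // Demoting the last owner is the same loss as deleting them; block it too.
  if (row.role === 'company_owner' && role !== 'company_owner' && countOwners(members, companyId) === 1) {
    throw new HttpError(409, 'cannot demote the last company_owner');
  }
  row.role = role;
  return { keycloak_user_id: row.keycloak_user_id, role: row.role };
}

// DELETE /companies/:id/members/:keycloakUserId
function removeMember(members, companyId, requesterId, targetId) {
  requireCompanyRole(members, companyId, requesterId, MANAGER_ROLES);
  const idx = members.findIndex(m => m.company_id === companyId && m.keycloak_user_id === targetId);
  if (idx === -1) throw new HttpError(404, 'not a member');
  // Covers both "can't delete yourself if you are the last owner" and
  // "can't remove the last company_owner": the target being the last owner is what matters.
  if (members[idx].role === 'company_owner' && countOwners(members, companyId) === 1) {
    throw new HttpError(409, 'cannot remove the last company_owner');
  }
  members.splice(idx, 1);
  return { removed: targetId };
}

// Runs a handler and reports the HTTP status it would produce (200 on success).
function statusOf(fn) {
  try { fn(); return 200; } catch (e) { if (e instanceof HttpError) return e.status; throw e; }
}
```

Two points worth carrying into the real handlers: the company id in the path is attacker-controlled, so the role lookup must be keyed on (company_id, requester) rather than on the requester alone, or any owner can manage every company; and the last-owner check must run inside the same transaction as the delete or update, otherwise two concurrent requests can each see two owners and remove both.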