Cap-go · riderx · Apr 2, 2026 · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -144,6 +144,8 @@ jobs:
           version: latest
       - name: Show Supabase CLI version
         run: supabase --version
+      - name: Link Supabase templates
+        run: ln -sfn supabase/templates templates
       - name: Run Supabase Start
         run: supabase start -x imgproxy,studio,mailpit,realtime,postgres-meta,supavisor,studio,logflare,vector,realtime
       - name: Run Supabase Test DB

diff --git a/AGENTS.md b/AGENTS.md
@@ -164,6 +164,16 @@ Capgo relies on two layered caches for plugin endpoints (`/updates`, `/stats`, `
    - Use the public shape like `npx @capgo/cli@latest ...` for customer-facing command examples.
    - Use internal execution equivalents (for example, `bunx @capgo/cli@latest ...`) only in internal tooling context.
 
+### Email Templates
+
+- `supabase/templates/invite_new_user_to_org.html` and `supabase/templates/invite_existing_user_to_org.html` are Bento templates.
+- Every other file in `supabase/templates/` is a Supabase auth or notification template.
+- Supabase templates use Supabase template syntax.
+- Bento templates use Bento template syntax.
+- Updating templates in the repository does not upload them anywhere automatically.
+- Supabase email templates must be uploaded manually to Supabase.
+- Bento email templates must be uploaded manually to Bento.
+
 ### Environment Setup
 
 1. Install dependencies: `bun install`

diff --git a/cloudflare_workers/api/index.ts b/cloudflare_workers/api/index.ts
@@ -9,6 +9,7 @@ import { app as deleted_failed_version } from '../../supabase/functions/_backend
 import { app as devices_priv } from '../../supabase/functions/_backend/private/devices.ts'
 import { app as events } from '../../supabase/functions/_backend/private/events.ts'
 import { app as groups } from '../../supabase/functions/_backend/private/groups.ts'
+import { app as invite_existing_user_to_org } from '../../supabase/functions/_backend/private/invite_existing_user_to_org.ts'
 import { app as invite_new_user_to_org } from '../../supabase/functions/_backend/private/invite_new_user_to_org.ts'
 import { app as latency } from '../../supabase/functions/_backend/private/latency.ts'
 import { app as log_as } from '../../supabase/functions/_backend/private/log_as.ts'
@@ -100,6 +101,7 @@ appPrivate.route('/accept_invitation', accept_invitation)
 appPrivate.route('/devices', devices_priv)
 appPrivate.route('/log_as', log_as)
 appPrivate.route('/invite_new_user_to_org', invite_new_user_to_org)
+appPrivate.route('/invite_existing_user_to_org', invite_existing_user_to_org)
 appPrivate.route('/set_org_email', set_org_email)
 appPrivate.route('/validate_password_compliance', validate_password_compliance)
 appPrivate.route('/admin_credits', admin_credits)

diff --git a/messages/en.json b/messages/en.json
@@ -1265,6 +1265,7 @@
   "org-changes-set-email-other-error": "Cannot set the management email, please contact support",
   "org-created-successfully": "Org created successfully!",
   "org-deleted": "Org deleted successfully",
+  "org-invite-email-notification-failed": "The invitation was created, but we could not send the email notification.",
   "org-invited-user": "Successfully invited user to org",
   "org-name": "Organization Name",
   "org-name-required": "Organization name required",

diff --git a/scripts/supabase-worktree.ts b/scripts/supabase-worktree.ts
@@ -103,6 +103,8 @@ function rewriteConfigToml(raw: string, cfg: ReturnType<typeof getSupabaseWorktr
       out.push(`inspector_port = ${ports.edgeInspector}`)
     else if (section in portBySection && line.match(/^\s*port\s*=\s*\d+\s*$/))
       out.push(`port = ${portBySection[section]}`)
+    else if (line.includes('./supabase/templates/'))
+      out.push(line.replace('./supabase/templates/', './templates/'))
     else
       out.push(line)
   }
@@ -125,6 +127,7 @@ function ensureWorktreeSupabaseDir(repoRoot: string): { workdir: string, cfg: Re
 
   // Symlink everything except config.toml so we can safely rewrite ports + project_id per worktree.
   const repoSupaDir = resolve(cfg.repoRoot, 'supabase')
+  const repoTemplatesDir = resolve(repoSupaDir, 'templates')
   for (const entry of ['functions', 'migrations', 'schemas', 'tests', 'seed.sql', 'migration_guide.md', '.gitignore']) {
     const src = resolve(repoSupaDir, entry)
     if (!existsSync(src))
@@ -133,6 +136,11 @@ function ensureWorktreeSupabaseDir(repoRoot: string): { workdir: string, cfg: Re
     ensureSymlink(dst, src)
   }
 
+  if (existsSync(repoTemplatesDir)) {
+    ensureSymlink(resolve(workdir, 'templates'), repoTemplatesDir)
+    ensureSymlink(resolve(supaDir, 'templates'), repoTemplatesDir)
+  }
+
   const baseConfig = readFileSync(resolve(repoSupaDir, 'config.toml'), 'utf8')
   const rewritten = rewriteConfigToml(baseConfig, cfg)
   writeFileSync(resolve(supaDir, 'config.toml'), rewritten)

diff --git a/src/auto-imports.d.ts b/src/auto-imports.d.ts
@@ -660,4 +660,4 @@ declare module 'vue' {
     readonly watchWithFilter: UnwrapRef<typeof import('@vueuse/core')['watchWithFilter']>
     readonly whenever: UnwrapRef<typeof import('@vueuse/core')['whenever']>
   }
-}
+}
diff --git a/src/components/dashboard/DropdownOrganization.vue b/src/components/dashboard/DropdownOrganization.vue
@@ -12,7 +12,10 @@ import { useDialogV2Store } from '~/stores/dialogv2'
 import { useMainStore } from '~/stores/main'
 import { useOrganizationStore } from '~/stores/organization'
 
+type OrganizationInvitationTarget = Pick<Organization, 'gid' | 'name' | 'role'>
+
 const router = useRouter()
+const route = useRoute()
 const organizationStore = useOrganizationStore()
 const { currentOrganization } = storeToRefs(organizationStore)
 const dialogStore = useDialogV2Store()
@@ -29,6 +32,7 @@ const lastOrganizationLogoRefreshAt = ref(0)
 const refreshedBrokenLogoKeys = new Set<string>()
 let organizationLogoRefreshInterval: number | null = null
 let isOrganizationDropdownMounted = false
+const handledInviteOrgId = ref<string | null>(null)
 
 function refreshOnFocus() {
   void refreshOrganizationLogosIfNeeded()
@@ -47,6 +51,8 @@ onMounted(async () => {
   if (!isOrganizationDropdownMounted)
     return
 
+  await openInvitationFromRouteIfNeeded()
+
   lastOrganizationLogoRefreshAt.value = Date.now()
 
   window.addEventListener('focus', refreshOnFocus)
@@ -66,8 +72,9 @@ onUnmounted(() => {
   organizationLogoRefreshInterval = null
 })
 
-async function handleOrganizationInvitation(org: Organization) {
+async function handleOrganizationInvitation(org: OrganizationInvitationTarget) {
   const newName = t('alert-accept-invitation').replace('%ORG%', org.name)
+  let invitationHandled = false
   dialogStore.openDialog({
     title: t('alert-confirm-invite'),
     description: `${newName}`,
@@ -86,8 +93,9 @@ async function handleOrganizationInvitation(org: Organization) {
           }
 
           if (data === 'OK') {
+            invitationHandled = true
             organizationStore.setCurrentOrganization(org.gid)
-            organizationStore.fetchOrganizations()
+            await organizationStore.fetchOrganizations()
             toast.success(t('invite-accepted'))
           }
           else if (data === 'NO_INVITE') {
@@ -112,12 +120,16 @@ async function handleOrganizationInvitation(org: Organization) {
           const { error } = await supabase
             .from('org_users')
             .delete()
+            .eq('org_id', org.gid)
             .eq('user_id', userId)
 
-          if (error)
+          if (error) {
             console.log('Error delete: ', error)
+            return
+          }
 
-          organizationStore.fetchOrganizations()
+          invitationHandled = true
+          await organizationStore.fetchOrganizations()
           toast.success(t('alert-denied-invite'))
         },
       },
@@ -127,6 +139,34 @@ async function handleOrganizationInvitation(org: Organization) {
       },
     ],
   })
+
+  await dialogStore.onDialogDismiss()
+  if (invitationHandled)
+    await clearInviteOrgQuery()
+}
+
+async function clearInviteOrgQuery() {
+  if (!('invite_org' in route.query))
+    return
+
+  const nextQuery = { ...route.query }
+  delete nextQuery.invite_org
+  await router.replace({ query: nextQuery })
+  handledInviteOrgId.value = null
+}
+
+async function openInvitationFromRouteIfNeeded() {
+  const inviteOrgId = typeof route.query.invite_org === 'string' ? route.query.invite_org : ''
+  if (!inviteOrgId || inviteOrgId === handledInviteOrgId.value)
+    return
+
+  const inviteOrg = organizationStore.organizations.find(org => org.gid === inviteOrgId)
+  if (!inviteOrg)
+    return
+
+  handledInviteOrgId.value = inviteOrgId
+  if (isInvitation(inviteOrg))
+    await handleOrganizationInvitation(inviteOrg)
 }
 
 function closeDropdown() {
@@ -266,6 +306,23 @@ function onOrgItemKeydown(org: Organization, e: KeyboardEvent) {
   closeDropdown()
   onOrganizationClick(org)
 }
+
+watch(
+  () => route.query.invite_org,
+  (inviteOrg) => {
+    if (typeof inviteOrg !== 'string' || !inviteOrg)
+      handledInviteOrgId.value = null
+    void openInvitationFromRouteIfNeeded()
+  },
+  { immediate: true },
+)
+
+watch(
+  () => organizationStore.organizations.map(org => `${org.gid}:${org.role}`),
+  () => {
+    void openInvitationFromRouteIfNeeded()
+  },
+)
 </script>
 
 <template>

diff --git a/src/components/dashboard/InviteTeammateModal.vue b/src/components/dashboard/InviteTeammateModal.vue
@@ -8,7 +8,7 @@ import { useSupabase } from '~/services/supabase'
 import { sendEvent } from '~/services/tracking'
 import { useDialogV2Store } from '~/stores/dialogv2'
 import { useOrganizationStore } from '~/stores/organization'
-import { resolveInviteNewUserErrorMessage } from '~/utils/invites'
+import { notifyExistingUserInvite, resolveInviteNewUserErrorMessage, shouldNotifyExistingUserInvite } from '~/utils/invites'
 
 interface InviteSuccessPayload {
   email: string
@@ -40,7 +40,8 @@ const captchaKey = ref(import.meta.env.VITE_CAPTCHA_KEY)
 const shouldUseCaptcha = computed(() => Boolean(captchaKey.value))
 const isInviting = ref(false)
 const useRbacInvites = computed(() => organizationStore.currentOrganization?.use_new_rbac === true)
-const inviteRole = computed(() => (useRbacInvites.value ? 'org_admin' : 'admin'))
+const existingUserInviteRole = computed(() => (useRbacInvites.value ? 'org_admin' : 'invite_admin'))
+const newUserInviteRole = computed(() => (useRbacInvites.value ? 'org_admin' : 'admin'))
 const emailDialogTitle = computed(() => props.inviteKind === 'technical'
   ? t('onboarding-invite-option-modal-title')
   : t('invite-teammate-modal-title'))
@@ -215,7 +216,7 @@ async function handleEmailSubmit() {
       const result = await supabase.rpc('invite_user_to_org_rbac', {
         email,
         org_id: orgId,
-        role_name: inviteRole.value,
+        role_name: existingUserInviteRole.value,
       })
       data = result.data
       error = result.error
@@ -224,7 +225,7 @@ async function handleEmailSubmit() {
       const result = await supabase.rpc('invite_user_to_org', {
         email,
         org_id: orgId,
-        invite_type: inviteRole.value as Database['public']['Enums']['user_min_right'],
+        invite_type: existingUserInviteRole.value as Database['public']['Enums']['user_min_right'],
       })
       data = result.data
       error = result.error
@@ -242,6 +243,13 @@ async function handleEmailSubmit() {
     }
 
     if (data === 'OK') {
+      if (shouldNotifyExistingUserInvite(existingUserInviteRole.value, useRbacInvites.value)) {
+        const notified = await notifyExistingUserInvite(supabase, email, orgId)
+        if (!notified) {
+          console.warn('Failed to send invite email notification, but invite was created')
+          toast.warning(t('org-invite-email-notification-failed'))
+        }
+      }
       toast.success(t('org-invited-user'))
       completeInviteSuccess({
         email,
@@ -322,7 +330,7 @@ async function handleFullDetailsSubmit() {
       body: {
         email,
         org_id: orgId,
-        invite_type: inviteRole.value,
+        invite_type: newUserInviteRole.value,
         captcha_token: shouldUseCaptcha.value ? inviteCaptchaToken.value : undefined,
         first_name: firstName,
         last_name: lastName,

diff --git a/src/modules/auth.ts b/src/modules/auth.ts
@@ -96,7 +96,9 @@ async function guard(
   const hasAuth = !!claimsData?.claims?.sub && !!sessionUser
   const hadAuth = !!main.auth
   const needsVerifiedEmail = to.path.startsWith('/settings') || to.path === '/delete_account'
-  const shouldRedirectToOrgOnboarding = !to.path.startsWith('/onboarding/organization')
+  const inviteOrgId = typeof to.query.invite_org === 'string' && to.query.invite_org.length > 0
+    ? to.query.invite_org
+    : null
   const isAdminRoute = to.path.startsWith('/admin')
 
   async function tryLoadOrganizations(fetcher: () => Promise<void>) {
@@ -110,6 +112,14 @@ async function guard(
     }
   }
 
+  function shouldRedirectToOrgOnboarding() {
+    if (to.path.startsWith('/onboarding/organization'))
+      return false
+    if (!inviteOrgId)
+      return true
+    return !organizationStore.organizations.some(org => org.gid === inviteOrgId && org.role.startsWith('invite'))
+  }
+
   if (hasAuth && sessionUser) {
     const authConfirmedAt = main.auth?.email_confirmed_at
     if (!main.auth || main.auth.id !== sessionUser.id || authConfirmedAt !== sessionUser.email_confirmed_at) {
@@ -134,7 +144,12 @@ async function guard(
     && mfaData.nextLevel === 'aal2'
     && !isAdminForced
   ) {
-    return next(`/login?to=${to.path}`)
+    return next({
+      path: '/login',
+      query: {
+        to: to.fullPath,
+      },
+    })
   }
 
   if (hasAuth && sessionUser && !hadAuth) {
@@ -143,7 +158,7 @@ async function guard(
         path: '/resend_email',
         query: {
           reason: 'email_not_verified',
-          return_to: to.path,
+          return_to: to.fullPath,
         },
       })
     }
@@ -180,7 +195,7 @@ async function guard(
       }
     }
 
-    if (organizationsLoaded && !organizationStore.hasOrganizations && shouldRedirectToOrgOnboarding) {
+    if (organizationsLoaded && !organizationStore.hasOrganizations && shouldRedirectToOrgOnboarding()) {
       if (!isAdminRoute || !main.isAdmin) {
         return next({
           path: '/onboarding/organization',
@@ -217,7 +232,12 @@ async function guard(
   }
   else if (from.path !== 'login' && !hasAuth) {
     main.auth = undefined
-    next(`/login?to=${to.path}`)
+    next({
+      path: '/login',
+      query: {
+        to: to.fullPath,
+      },
+    })
   }
   else if (hasAuth && main.auth) {
     // User is already authenticated, but check if account got disabled
@@ -228,7 +248,7 @@ async function guard(
           path: '/resend_email',
           query: {
             reason: 'email_not_verified',
-            return_to: to.path,
+            return_to: to.fullPath,
           },
         })
       }
@@ -251,7 +271,7 @@ async function guard(
     }
 
     const organizationsLoaded = await tryLoadOrganizations(() => organizationStore.dedupFetchOrganizations())
-    if (organizationsLoaded && !organizationStore.hasOrganizations && shouldRedirectToOrgOnboarding) {
+    if (organizationsLoaded && !organizationStore.hasOrganizations && shouldRedirectToOrgOnboarding()) {
       return next('/onboarding/organization')
     }
-Original file line number
+Diff line change
@@ Expand Up / @@ -660,4 +660,4 @@ declare module 'vue' { @@
         readonly watchWithFilter: UnwrapRef<typeof import('@vueuse/core')['watchWithFilter']>
         readonly whenever: UnwrapRef<typeof import('@vueuse/core')['whenever']>
       }
-    }
+    }