fix(people): default portal email checkbox to checked, respect user choice

[Marfuen]

Summary

• Default the "Send portal invite email" checkbox to checked so the UI reflects the intended behavior.
• Remove the hasPublishedPolicies auto-override — unchecking the checkbox now actually prevents the portal email from being sent.
• Guard resendPortalInvite endpoint to reject non-employee/contractor members (admin/owner/auditor roles).

Follow-up to #2800.

Test plan

• Open Add User modal → checkbox should be checked by default
• Uncheck the checkbox, invite an employee → they should receive the standard invite email, not the portal email
• Leave checkbox checked, invite an employee → they should receive the portal email
• Try resending portal invite to an admin → should get a 400 error
• Resend portal invite to an employee → should succeed

🤖 Generated with Claude Code

---

Summary by cubic

Default the “Send portal invite email” checkbox to checked and make it respect the user’s choice. Switch invite/resend gating to RBAC-based compliance so only members with compliance obligations receive portal emails; aligns with Linear CS-72.

• Bug Fixes

  • UI: Checkbox in Invite Members modal now defaults to checked.
  • Backend: Removed auto-send tied to published policies; unchecking now blocks the portal email.
  • API: resendPortalInvite returns 400 for members without compliance obligations.

• Refactors

  • Use BUILT_IN_ROLE_OBLIGATIONS and custom role obligations from the DB to detect compliance.
  • Use RESTRICTED_ROLES to identify strictly-employee invites; removed hardcoded role checks.

^{Written for commit 10bcffb. Summary will update on new commits.}

[linear]

CS-72

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
comp-framework-editor	Ready	Preview, Comment	May 8, 2026 1:21pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
app	Skipped		May 8, 2026 1:21pm
portal	Skipped		May 8, 2026 1:21pm

[cubic-dev-ai]

cubic analysis

No issues found across 2 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

Linked issue analysis

Linked issue: CS-72: [Improvement] - Option to trigger employee portal email for employees added after policies have been published

Status	Acceptance criteria	Notes
✅	Provide an option to send the onboarding/employee portal email when new employees are added if policies have been published	UI + backend now honor invite.sendPortalEmail flag
✅	Unchecking the option should prevent the portal email from being sent (respect user choice)	Backend uses invite.sendPortalEmail only to decide send
✅	Default to sending the portal email when adding new employees (checkbox default checked)	Invite modal default set to true
❌	Automatically send this email upon user creation when there are existing published policies	Removed hasPublishedPolicies auto-send logic
⚠️	New employees added after policies published receive portal email prompting review/sign	Default + backend flag present, explicit send call not shown in diffs

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/api/src/people/people-invite.service.ts">

<violation number="1" location="apps/api/src/people/people-invite.service.ts:373">
P1: The new resend guard allows admin/owner roles because it checks compliance obligation instead of restricting to employee/contractor roles.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[claudfuen]

🎉 This PR is included in version 3.48.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀