Shipflash logoDocs

Team

Team owns staff invites, role editing, team member management, and the public team directory.

On this page

Where to look

AreaPaths
Admin routesrc/app/(dashboard)/admin/team/page.tsx
Public routessrc/app/(marketing)/team, src/app/(marketing)/team/[id]
Access server codesrc/features/team/server/access/actions, queries, services, persistence, schemas
Public directory server codesrc/features/team/server/public-directory
Access UIsrc/features/team/ui/access
Public directory UIsrc/features/team/ui/public-directory
Shared typessrc/features/team/shared/access, src/features/team/shared/public-directory

Code-backed team map

Access management

Admin team pages manage staff, invites, custom roles, permissions, and member status through feature-owned server actions.

  • src/app/(dashboard)/admin/team/page.tsx
  • src/features/team/server/access/actions/staff-invites.ts
  • src/features/team/server/access/actions/custom-roles.ts
  • src/features/team/server/access/actions/team-members.ts

Role services and persistence

Custom role, permission, member, and invite services keep RBAC behavior separate from UI.

  • src/features/team/server/access/services/custom-role.ts
  • src/features/team/server/access/services/permissions.ts
  • src/features/team/server/access/persistence/custom-roles.ts
  • src/lib/auth/rbac/features.ts

Public directory

Public team pages use a separate directory domain with its own queries, actions, repository, schemas, and UI.

  • src/app/(marketing)/team/page.tsx
  • src/app/(marketing)/team/[id]/page.tsx
  • src/features/team/server/public-directory/queries.ts
  • src/features/team/server/public-directory/actions.ts
  • src/features/team/ui/public-directory/dashboard.tsx

Team access flow

  1. 1

    Gate admin work

    Team management runs behind admin access before invite, role, permission, or member actions execute.

    • src/app/(dashboard)/admin/team/page.tsx
    • src/lib/auth/guards/route.ts
  2. 2

    Validate action payloads

    Invite and role schemas normalize user input before services apply business rules.

    • src/features/team/server/access/schemas/invite.ts
    • src/features/team/server/access/actions/permission-form.ts
  3. 3

    Apply RBAC changes through services

    Role and permission services write through persistence modules and keep navigation feature gates aligned.

    • src/features/team/server/access/services/custom-role.ts
    • src/features/team/server/access/services/permissions.ts
    • src/lib/auth/rbac/nav-config.ts
  4. 4

    Keep public directory separate

    Public team member content uses its own repository and does not grant staff access by itself.

    • src/features/team/server/public-directory/repository.ts
    • src/features/team/server/public-directory/actions.ts

Staff invite action

Source: src/features/team/server/access/actions/staff-invites.ts

Invite creation checks write access, validates the form, delegates to a service, and revalidates the admin team route.

ts
export async function createStaffInvite(prevState: InviteState, formData: FormData): Promise<InviteState> {
  const profile = await getActiveProfile();

  const accessCheck = await assertTeamWriteAccess(profile);
  if (!accessCheck.success) return { error: accessCheck.error };

  const rawEmail = formData.get("email")?.toString().toLowerCase().trim();
  const rawAssignedRole = formData.get("assignedRole")?.toString() || null;

  const result = InviteSchema.safeParse({
    email: rawEmail,
    assignedRole: rawAssignedRole,
  });

  if (!result.success) {
    return { error: result.error.errors[0].message };
  }

Team rules

  • Use canonical default roles: super_admin and user.
  • Check authorization before role edits, invite actions, and team member changes.
  • Keep public directory content separate from staff access management.
  • Audit important admin changes.