Organizations — Behavior

State

No explicit status enum. Lifecycle is conveyed by:

Field	Semantic
`is_active=true`	Default; org operates normally.
`is_active=false`	Inactive. (No code path observed that flips this off — TODO: verify.)
`deleted_at IS NOT NULL`	Soft-deleted. Not currently set by any service path.
`platform_tier ∈ {lite, pro, elite}`	Commercial tier. Drives feature gates and entity caps.

platform_tier_updated_at tracks the most recent tier change (set by the platform-billing module, not by this one).

One Clerk org per FitKit org — clerk_organization_id UNIQUE.
Slug uniqueness — slug UNIQUE NOT NULL. Auto-generated as slugify(name) + '-' + 6char-random.
Caller becomes owner on create — POST /organizations always inserts a memberships row with role='owner', status='active'.
Owner protection on membership update — flipping the last owner away from owner or to suspended/cancelled is rejected by MembershipsService.updateMembership. (No similar guard on DELETE /users/me self-delete; see Known Gaps in README.)
Onboarding-complete is owner-only — even admins are rejected.
Logo upload size 2MB max, MIME ∈ {jpeg, png, webp}. The r2Key is fixed to orgs/${orgId}/logo. Existing logos are overwritten in place.
Defense-in-depth on logo confirm — confirm checks both the Redis upload-session blob (signals upload was initiated) AND r2.objectExists(r2Key) (signals the bytes actually landed).
Timezone default: UTC (overrideable on create). Currency default: USD.
Cancellation policy defaults: cancellationWindowHours=2, allowLateCancellation=false.

Wizard step “org”: user enters name + org type. (See onboarding.)
Wizard handleFinish calls POST /organizations with {name, type}.
Service:
- Calls usersService.findOrCreateFromClerk(clerkId) to ensure the caller has a DB row.
- Calls clerk.organizations.createOrganization({name, slug, createdBy: clerkId}) — the Clerk side adds the caller as org:admin automatically.
- Inserts organizations row with default tier lite.
- Inserts owner memberships row.
Legal consents POST (/legal/consents) immediately follows.
Wizard calls POST /:id/onboarding-complete with empty body (default — no class type, no invites) and the welcome email is sent.

PATCH /organizations/:id with {name, description, contactEmail, contactPhone, website, logoUrl}.
All fields conditional on !== undefined; empty string for contactEmail/Phone/website/logoUrl is normalized to null.

Web: user picks file. POST /:id/logo/upload-url with {mimeType, fileSize}.
Server validates MIME + size; generates presigned R2 PUT URL; stashes {r2Key, mimeType} in Redis under upload:logo:${orgId} with TTL 600s.
Web: PUTs the file directly to R2 with the presigned URL.
Web: POST /:id/logo/confirm. Server verifies the Redis blob and r2.objectExists; UPDATEs logo_url = orgs/${orgId}/logo; invalidates cached presigned read URL; deletes the Redis blob.

POST /organizations/:id/onboarding-complete with optional {classTypeName, defaultDurationMin, defaultCapacity, inviteEmails}.
If classTypeName: find the org’s first program; insert a class type under it.
If inviteEmails: loop and call MembershipsService.createInvitation for each.
Send welcome email via the welcome template (apps/api/src/notifications/templates/welcome.ts). Pulls owner name from Clerk.
Returns { classTypeCreated, invitationsSent, emailSent }.

Scenario	Behavior
`POST /organizations` with name that slugifies to existing slug	Random 6-char suffix prevents collision in practice; theoretical race could fail with a UNIQUE violation (not handled).
Clerk `createOrganization` fails	The DB org row is never created (Clerk call happens first); error bubbles.
Logo upload-url with disallowed MIME	400 ‘Unsupported file type. Use JPEG, PNG, or WebP.’.
Logo upload-url with size > 2MB	400 ‘File too large (max 2MB)’.
Logo confirm without prior upload-url (Redis blob expired)	400 ‘Upload session expired. Please try again.’.
Logo confirm but file never PUT to R2	400 ‘Upload not found. Please re-upload the file.’.
Coach/member tries to update org	403 ‘Only owners and admins can update the organization’.
Non-owner calls `onboarding-complete`	403 ‘Only owners can complete onboarding’.
Cross-org access via `GET /organizations/:id`	404 ‘Organization not found’ (no membership in that org).
`onboarding-complete` with `inviteEmails` where one is invalid	Per-email try/catch in the loop; failed ones logged, others continue; final `invitationsSent` count reflects successes only.
`onboarding-complete` with no program existing	`classTypeCreated=false` returned; no error.
Welcome email send failure	Logged; `emailSent=false`; method still returns 200.

Operation	Side effects
Create	Clerk org created, FitKit org inserted, owner membership inserted.
Update	DB write only.
Logo upload-url	Redis SET with 600s TTL.
Logo confirm	DB write (logo_url), Redis DEL, R2 presigned URL cache invalidated.
Onboarding complete	Optional class type insert; optional Clerk invitations + DB invitation rows; welcome email (fire-and-forget).

Endpoint	owner	admin	coach	member
`POST /organizations`	(caller becomes owner)
`GET /organizations`	self	self	self	self (only orgs with active membership)
`GET /:id`	✓	✓	✓	✓
`PATCH /:id`	✓	✓	✗	✗
`POST /:id/logo/upload-url`	✓	✓	✗	✗
`POST /:id/logo/confirm`	✓	✓	✗	✗
`POST /:id/onboarding-complete`	✓	✗	✗	✗