Merge M1: org, board, access, audit + shadcn UI

Brings the M1 milestone to main: Identity/RBAC + JWT, OrgBoard board+cartable,
Governance audit, the edit-distance metric, and the shadcn UI on the TeamUp design
language. Verified green: dotnet build (warnings-as-errors), ArchitectureTests 8/8,
IntegrationTests 20/20 (Testcontainers + real pgvector), client npm build, and a live
stack smoke (SPA + API served, bootstrap→board flow 200).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Directory.Packages.props

@@ -19,6 +19,13 @@
     <PackageVersion Include="Pgvector.EntityFrameworkCore" Version="0.3.0" />
   </ItemGroup>
 
+  <ItemGroup Label="Identity / auth">
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.Identity.Core" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.19.1" />
+    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.19.1" />
+  </ItemGroup>
+
   <ItemGroup Label="Web / API">
     <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.8" />
     <PackageVersion Include="Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore" Version="10.0.8" />

client/components.json

@@ -0,0 +1,25 @@
+{
+  "$schema": "https://ui.shadcn.com/schema.json",
+  "style": "radix-nova",
+  "rsc": false,
+  "tsx": true,
+  "tailwind": {
+    "config": "",
+    "css": "src/index.css",
+    "baseColor": "neutral",
+    "cssVariables": true,
+    "prefix": ""
+  },
+  "iconLibrary": "lucide",
+  "rtl": false,
+  "aliases": {
+    "components": "@/components",
+    "utils": "@/lib/utils",
+    "ui": "@/components/ui",
+    "lib": "@/lib",
+    "hooks": "@/hooks"
+  },
+  "menuColor": "default",
+  "menuAccent": "subtle",
+  "registries": {}
+}

client/package.json

@@ -11,14 +11,25 @@
   },
   "dependencies": {
     "@dnd-kit/core": "^6.3.1",
+    "@fontsource-variable/geist": "^5.2.9",
+    "@fontsource-variable/hanken-grotesk": "^5.2.8",
     "@hookform/resolvers": "^5.4.0",
     "@tanstack/react-query": "^5.101.0",
     "@xyflow/react": "^12.11.0",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "lucide-react": "^1.17.0",
+    "next-themes": "^0.4.6",
+    "radix-ui": "^1.5.0",
     "react": "^19.2.6",
     "react-dom": "^19.2.6",
     "react-hook-form": "^7.78.0",
     "react-router": "^7.17.0",
     "recharts": "^3.8.1",
+    "shadcn": "^4.11.0",
+    "sonner": "^2.0.7",
+    "tailwind-merge": "^3.6.0",
+    "tw-animate-css": "^1.4.0",
     "zod": "^4.4.3",
     "zustand": "^5.0.14"
   },

client/src/App.tsx

@@ -1,83 +1,20 @@
-import { useEffect, useState } from 'react'
+import { Navigate, Route, Routes } from 'react-router'
-
+import { Toaster } from '@/components/ui/sonner'
-const MODULES = [
+import { BoardPage } from '@/pages/BoardPage'
-  'identity',
+import { LoginPage } from '@/pages/LoginPage'
-  'orgboard',
+import { useAuth } from '@/store/auth'
-  'skills',
-  'integrations',
-  'memory',
-  'assembler',
-  'governance',
-] as const
-
-type Status = boolean | null // null = checking
-
-function StatusDot({ ok }: { ok: Status }) {
-  const color = ok === null ? 'bg-amber-400' : ok ? 'bg-teal-400' : 'bg-rose-500'
-  return <span className={`inline-block h-2.5 w-2.5 rounded-full ${color}`} aria-hidden />
-}
 
 export default function App() {
-  const [health, setHealth] = useState<Status>(null)
+  const token = useAuth((state) => state.token)
-  const [modules, setModules] = useState<Record<string, Status>>(
-    Object.fromEntries(MODULES.map((m) => [m, null])),
-  )
-
-  useEffect(() => {
-    fetch('/health')
-      .then((r) => setHealth(r.ok))
-      .catch(() => setHealth(false))
-
-    MODULES.forEach((m) => {
-      fetch(`/api/${m}/ping`)
-        .then((r) => setModules((s) => ({ ...s, [m]: r.ok })))
-        .catch(() => setModules((s) => ({ ...s, [m]: false })))
-    })
-  }, [])
 
   return (
-    <main className="min-h-screen bg-indigo-950 text-slate-100">
+    <>
-      <div className="mx-auto flex min-h-screen max-w-3xl flex-col justify-center px-6 py-16">
+      <Routes>
-        <p className="text-sm font-medium uppercase tracking-widest text-indigo-300">
+        <Route path="/login" element={token ? <Navigate to="/" replace /> : <LoginPage />} />
-          A product of AliaSaaS
+        <Route path="/" element={token ? <BoardPage /> : <Navigate to="/login" replace />} />
-        </p>
+        <Route path="*" element={<Navigate to="/" replace />} />
-        <h1 className="mt-2 text-5xl font-bold tracking-tight">TeamUp.AI</h1>
+      </Routes>
-        <p className="mt-3 text-lg text-indigo-200">
+      <Toaster richColors position="top-right" />
-          Build human + AI teams. A live org chart that does work.
+    </>
-        </p>
-
-        <div className="mt-10 rounded-xl border border-indigo-800/60 bg-indigo-900/40 p-5">
-          <div className="flex items-center justify-between">
-            <span className="font-medium">API health</span>
-            <span className="flex items-center gap-2 text-sm text-indigo-200">
-              <StatusDot ok={health} />
-              {health === null ? 'checking…' : health ? 'healthy' : 'unreachable'}
-            </span>
-          </div>
-        </div>
-
-        <h2 className="mt-10 text-sm font-semibold uppercase tracking-widest text-indigo-300">
-          Modules
-        </h2>
-        <ul className="mt-3 grid grid-cols-1 gap-2 sm:grid-cols-2">
-          {MODULES.map((m) => (
-            <li
-              key={m}
-              className="flex items-center justify-between rounded-lg border border-indigo-800/50 bg-indigo-900/30 px-4 py-2.5"
-            >
-              <span className="capitalize">{m}</span>
-              <span className="flex items-center gap-2 text-sm text-indigo-200">
-                <StatusDot ok={modules[m]} />
-                {modules[m] === null ? '…' : modules[m] ? 'ok' : 'down'}
-              </span>
-            </li>
-          ))}
-        </ul>
-
-        <p className="mt-12 text-xs text-indigo-400">
-          Pre-M1 skeleton · web + worker on one modular monolith · PostgreSQL 17 + pgvector
-        </p>
-      </div>
-    </main>
   )
 }

client/src/components/AppShell.tsx

@@ -0,0 +1,78 @@
+import type { ReactNode } from 'react'
+import { Inbox, type LucideIcon, LayoutDashboard, LogOut, Network } from 'lucide-react'
+import { Button } from '@/components/ui/button'
+import { Separator } from '@/components/ui/separator'
+import { cn } from '@/lib/utils'
+import { useAuth } from '@/store/auth'
+
+export function AppShell({ children }: { children: ReactNode }) {
+  const email = useAuth((s) => s.email)
+  const logout = useAuth((s) => s.logout)
+
+  return (
+    <div className="flex min-h-screen bg-background text-foreground">
+      <aside className="flex w-60 shrink-0 flex-col bg-sidebar text-sidebar-foreground">
+        <div className="flex items-center gap-3 px-5 py-4">
+          <span className="grid size-8 place-items-center rounded-md bg-sidebar-primary font-bold text-sidebar-primary-foreground">
+            T
+          </span>
+          <div className="leading-tight">
+            <div className="font-semibold tracking-tight">TeamUp.AI</div>
+            <div className="text-xs text-sidebar-foreground/60">command center</div>
+          </div>
+        </div>
+
+        <Separator className="bg-sidebar-border" />
+
+        <nav className="flex flex-1 flex-col gap-1 p-3">
+          <NavItem icon={LayoutDashboard} label="Board" active />
+          <NavItem icon={Inbox} label="Cartable" />
+          <NavItem icon={Network} label="Org chart" muted />
+        </nav>
+
+        <Separator className="bg-sidebar-border" />
+
+        <div className="flex items-center justify-between gap-2 p-3">
+          <span className="truncate text-xs text-sidebar-foreground/70">{email ?? 'signed in'}</span>
+          <Button
+            variant="ghost"
+            size="sm"
+            onClick={logout}
+            className="text-sidebar-foreground hover:bg-sidebar-accent hover:text-sidebar-accent-foreground"
+          >
+            <LogOut data-icon="inline-start" />
+            Sign out
+          </Button>
+        </div>
+      </aside>
+
+      <main className="flex-1 overflow-auto">{children}</main>
+    </div>
+  )
+}
+
+function NavItem({
+  icon: Icon,
+  label,
+  active,
+  muted,
+}: {
+  icon: LucideIcon
+  label: string
+  active?: boolean
+  muted?: boolean
+}) {
+  return (
+    <span
+      className={cn(
+        'flex items-center gap-3 rounded-md px-3 py-2 text-sm',
+        active ? 'bg-sidebar-accent font-medium text-sidebar-accent-foreground' : 'text-sidebar-foreground/80',
+        muted && 'opacity-50',
+      )}
+    >
+      <Icon className="size-4" />
+      {label}
+      {muted && <span className="ml-auto text-[10px] uppercase tracking-wide opacity-70">soon</span>}
+    </span>
+  )
+}

client/src/components/StatusDot.tsx

@@ -0,0 +1,17 @@
+import { cn } from '@/lib/utils'
+
+const TONES = {
+  human: 'bg-seat-human',
+  open: 'bg-seat-open',
+  ai: 'bg-seat-ai',
+  approved: 'bg-approved',
+  held: 'bg-held',
+  destructive: 'bg-destructive',
+  idle: 'bg-muted-foreground/40',
+} as const
+
+export type DotTone = keyof typeof TONES
+
+export function StatusDot({ tone, className }: { tone: DotTone; className?: string }) {
+  return <span className={cn('inline-block size-2.5 rounded-full', TONES[tone], className)} aria-hidden />
+}

client/src/components/ui/avatar.tsx

@@ -0,0 +1,112 @@
+"use client"
+
+import * as React from "react"
+import { Avatar as AvatarPrimitive } from "radix-ui"
+
+import { cn } from "@/lib/utils"
+
+function Avatar({
+  className,
+  size = "default",
+  ...props
+}: React.ComponentProps<typeof AvatarPrimitive.Root> & {
+  size?: "default" | "sm" | "lg"
+}) {
+  return (
+    <AvatarPrimitive.Root
+      data-slot="avatar"
+      data-size={size}
+      className={cn(
+        "group/avatar relative flex size-8 shrink-0 rounded-full select-none after:absolute after:inset-0 after:rounded-full after:border after:border-border after:mix-blend-darken data-[size=lg]:size-10 data-[size=sm]:size-6 dark:after:mix-blend-lighten",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function AvatarImage({
+  className,
+  ...props
+}: React.ComponentProps<typeof AvatarPrimitive.Image>) {
+  return (
+    <AvatarPrimitive.Image
+      data-slot="avatar-image"
+      className={cn(
+        "aspect-square size-full rounded-full object-cover",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function AvatarFallback({
+  className,
+  ...props
+}: React.ComponentProps<typeof AvatarPrimitive.Fallback>) {
+  return (
+    <AvatarPrimitive.Fallback
+      data-slot="avatar-fallback"
+      className={cn(
+        "flex size-full items-center justify-center rounded-full bg-muted text-sm text-muted-foreground group-data-[size=sm]/avatar:text-xs",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function AvatarBadge({ className, ...props }: React.ComponentProps<"span">) {
+  return (
+    <span
+      data-slot="avatar-badge"
+      className={cn(
+        "absolute right-0 bottom-0 z-10 inline-flex items-center justify-center rounded-full bg-primary text-primary-foreground bg-blend-color ring-2 ring-background select-none",
+        "group-data-[size=sm]/avatar:size-2 group-data-[size=sm]/avatar:[&>svg]:hidden",
+        "group-data-[size=default]/avatar:size-2.5 group-data-[size=default]/avatar:[&>svg]:size-2",
+        "group-data-[size=lg]/avatar:size-3 group-data-[size=lg]/avatar:[&>svg]:size-2",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function AvatarGroup({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="avatar-group"
+      className={cn(
+        "group/avatar-group flex -space-x-2 *:data-[slot=avatar]:ring-2 *:data-[slot=avatar]:ring-background",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function AvatarGroupCount({
+  className,
+  ...props
+}: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="avatar-group-count"
+      className={cn(
+        "relative flex size-8 shrink-0 items-center justify-center rounded-full bg-muted text-sm text-muted-foreground ring-2 ring-background group-has-data-[size=lg]/avatar-group:size-10 group-has-data-[size=sm]/avatar-group:size-6 [&>svg]:size-4 group-has-data-[size=lg]/avatar-group:[&>svg]:size-5 group-has-data-[size=sm]/avatar-group:[&>svg]:size-3",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export {
+  Avatar,
+  AvatarImage,
+  AvatarFallback,
+  AvatarGroup,
+  AvatarGroupCount,
+  AvatarBadge,
+}

client/src/components/ui/badge.tsx

@@ -0,0 +1,49 @@
+import * as React from "react"
+import { cva, type VariantProps } from "class-variance-authority"
+import { Slot } from "radix-ui"
+
+import { cn } from "@/lib/utils"
+
+const badgeVariants = cva(
+  "group/badge inline-flex h-5 w-fit shrink-0 items-center justify-center gap-1 overflow-hidden rounded-4xl border border-transparent px-2 py-0.5 text-xs font-medium whitespace-nowrap transition-all focus-visible:border-ring focus-visible:ring-[3px] focus-visible:ring-ring/50 has-data-[icon=inline-end]:pr-1.5 has-data-[icon=inline-start]:pl-1.5 aria-invalid:border-destructive aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 [&>svg]:pointer-events-none [&>svg]:size-3!",
+  {
+    variants: {
+      variant: {
+        default: "bg-primary text-primary-foreground [a]:hover:bg-primary/80",
+        secondary:
+          "bg-secondary text-secondary-foreground [a]:hover:bg-secondary/80",
+        destructive:
+          "bg-destructive/10 text-destructive focus-visible:ring-destructive/20 dark:bg-destructive/20 dark:focus-visible:ring-destructive/40 [a]:hover:bg-destructive/20",
+        outline:
+          "border-border text-foreground [a]:hover:bg-muted [a]:hover:text-muted-foreground",
+        ghost:
+          "hover:bg-muted hover:text-muted-foreground dark:hover:bg-muted/50",
+        link: "text-primary underline-offset-4 hover:underline",
+      },
+    },
+    defaultVariants: {
+      variant: "default",
+    },
+  }
+)
+
+function Badge({
+  className,
+  variant = "default",
+  asChild = false,
+  ...props
+}: React.ComponentProps<"span"> &
+  VariantProps<typeof badgeVariants> & { asChild?: boolean }) {
+  const Comp = asChild ? Slot.Root : "span"
+
+  return (
+    <Comp
+      data-slot="badge"
+      data-variant={variant}
+      className={cn(badgeVariants({ variant }), className)}
+      {...props}
+    />
+  )
+}
+
+export { Badge, badgeVariants }

client/src/components/ui/button.tsx

@@ -0,0 +1,67 @@
+import * as React from "react"
+import { cva, type VariantProps } from "class-variance-authority"
+import { Slot } from "radix-ui"
+
+import { cn } from "@/lib/utils"
+
+const buttonVariants = cva(
+  "group/button inline-flex shrink-0 items-center justify-center rounded-lg border border-transparent bg-clip-padding text-sm font-medium whitespace-nowrap transition-all outline-none select-none focus-visible:border-ring focus-visible:ring-3 focus-visible:ring-ring/50 active:not-aria-[haspopup]:translate-y-px disabled:pointer-events-none disabled:opacity-50 aria-invalid:border-destructive aria-invalid:ring-3 aria-invalid:ring-destructive/20 dark:aria-invalid:border-destructive/50 dark:aria-invalid:ring-destructive/40 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+  {
+    variants: {
+      variant: {
+        default: "bg-primary text-primary-foreground hover:bg-primary/80",
+        outline:
+          "border-border bg-background hover:bg-muted hover:text-foreground aria-expanded:bg-muted aria-expanded:text-foreground dark:border-input dark:bg-input/30 dark:hover:bg-input/50",
+        secondary:
+          "bg-secondary text-secondary-foreground hover:bg-[color-mix(in_oklch,var(--secondary),var(--foreground)_5%)] aria-expanded:bg-secondary aria-expanded:text-secondary-foreground",
+        ghost:
+          "hover:bg-muted hover:text-foreground aria-expanded:bg-muted aria-expanded:text-foreground dark:hover:bg-muted/50",
+        destructive:
+          "bg-destructive/10 text-destructive hover:bg-destructive/20 focus-visible:border-destructive/40 focus-visible:ring-destructive/20 dark:bg-destructive/20 dark:hover:bg-destructive/30 dark:focus-visible:ring-destructive/40",
+        link: "text-primary underline-offset-4 hover:underline",
+      },
+      size: {
+        default:
+          "h-8 gap-1.5 px-2.5 has-data-[icon=inline-end]:pr-2 has-data-[icon=inline-start]:pl-2",
+        xs: "h-6 gap-1 rounded-[min(var(--radius-md),10px)] px-2 text-xs in-data-[slot=button-group]:rounded-lg has-data-[icon=inline-end]:pr-1.5 has-data-[icon=inline-start]:pl-1.5 [&_svg:not([class*='size-'])]:size-3",
+        sm: "h-7 gap-1 rounded-[min(var(--radius-md),12px)] px-2.5 text-[0.8rem] in-data-[slot=button-group]:rounded-lg has-data-[icon=inline-end]:pr-1.5 has-data-[icon=inline-start]:pl-1.5 [&_svg:not([class*='size-'])]:size-3.5",
+        lg: "h-9 gap-1.5 px-2.5 has-data-[icon=inline-end]:pr-2 has-data-[icon=inline-start]:pl-2",
+        icon: "size-8",
+        "icon-xs":
+          "size-6 rounded-[min(var(--radius-md),10px)] in-data-[slot=button-group]:rounded-lg [&_svg:not([class*='size-'])]:size-3",
+        "icon-sm":
+          "size-7 rounded-[min(var(--radius-md),12px)] in-data-[slot=button-group]:rounded-lg",
+        "icon-lg": "size-9",
+      },
+    },
+    defaultVariants: {
+      variant: "default",
+      size: "default",
+    },
+  }
+)
+
+function Button({
+  className,
+  variant = "default",
+  size = "default",
+  asChild = false,
+  ...props
+}: React.ComponentProps<"button"> &
+  VariantProps<typeof buttonVariants> & {
+    asChild?: boolean
+  }) {
+  const Comp = asChild ? Slot.Root : "button"
+
+  return (
+    <Comp
+      data-slot="button"
+      data-variant={variant}
+      data-size={size}
+      className={cn(buttonVariants({ variant, size, className }))}
+      {...props}
+    />
+  )
+}
+
+export { Button, buttonVariants }

client/src/components/ui/card.tsx

@@ -0,0 +1,103 @@
+import * as React from "react"
+
+import { cn } from "@/lib/utils"
+
+function Card({
+  className,
+  size = "default",
+  ...props
+}: React.ComponentProps<"div"> & { size?: "default" | "sm" }) {
+  return (
+    <div
+      data-slot="card"
+      data-size={size}
+      className={cn(
+        "group/card flex flex-col gap-(--card-spacing) overflow-hidden rounded-xl bg-card py-(--card-spacing) text-sm text-card-foreground ring-1 ring-foreground/10 [--card-spacing:--spacing(4)] has-data-[slot=card-footer]:pb-0 has-[>img:first-child]:pt-0 data-[size=sm]:[--card-spacing:--spacing(3)] data-[size=sm]:has-data-[slot=card-footer]:pb-0 *:[img:first-child]:rounded-t-xl *:[img:last-child]:rounded-b-xl",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function CardHeader({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-header"
+      className={cn(
+        "group/card-header @container/card-header grid auto-rows-min items-start gap-1 rounded-t-xl px-(--card-spacing) has-data-[slot=card-action]:grid-cols-[1fr_auto] has-data-[slot=card-description]:grid-rows-[auto_auto] [.border-b]:pb-(--card-spacing)",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function CardTitle({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-title"
+      className={cn(
+        "font-heading text-base leading-snug font-medium group-data-[size=sm]/card:text-sm",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function CardDescription({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-description"
+      className={cn("text-sm text-muted-foreground", className)}
+      {...props}
+    />
+  )
+}
+
+function CardAction({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-action"
+      className={cn(
+        "col-start-2 row-span-2 row-start-1 self-start justify-self-end",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function CardContent({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-content"
+      className={cn("px-(--card-spacing)", className)}
+      {...props}
+    />
+  )
+}
+
+function CardFooter({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-footer"
+      className={cn(
+        "flex items-center rounded-b-xl border-t bg-muted/50 p-(--card-spacing)",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export {
+  Card,
+  CardHeader,
+  CardFooter,
+  CardTitle,
+  CardAction,
+  CardDescription,
+  CardContent,
+}

client/src/components/ui/input.tsx

@@ -0,0 +1,19 @@
+import * as React from "react"
+
+import { cn } from "@/lib/utils"
+
+function Input({ className, type, ...props }: React.ComponentProps<"input">) {
+  return (
+    <input
+      type={type}
+      data-slot="input"
+      className={cn(
+        "h-8 w-full min-w-0 rounded-lg border border-input bg-transparent px-2.5 py-1 text-base transition-colors outline-none file:inline-flex file:h-6 file:border-0 file:bg-transparent file:text-sm file:font-medium file:text-foreground placeholder:text-muted-foreground focus-visible:border-ring focus-visible:ring-3 focus-visible:ring-ring/50 disabled:pointer-events-none disabled:cursor-not-allowed disabled:bg-input/50 disabled:opacity-50 aria-invalid:border-destructive aria-invalid:ring-3 aria-invalid:ring-destructive/20 md:text-sm dark:bg-input/30 dark:disabled:bg-input/80 dark:aria-invalid:border-destructive/50 dark:aria-invalid:ring-destructive/40",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Input }

client/src/components/ui/label.tsx

@@ -0,0 +1,22 @@
+import * as React from "react"
+import { Label as LabelPrimitive } from "radix-ui"
+
+import { cn } from "@/lib/utils"
+
+function Label({
+  className,
+  ...props
+}: React.ComponentProps<typeof LabelPrimitive.Root>) {
+  return (
+    <LabelPrimitive.Root
+      data-slot="label"
+      className={cn(
+        "flex items-center gap-2 text-sm leading-none font-medium select-none group-data-[disabled=true]:pointer-events-none group-data-[disabled=true]:opacity-50 peer-disabled:cursor-not-allowed peer-disabled:opacity-50",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Label }

client/src/components/ui/select.tsx

@@ -0,0 +1,192 @@
+"use client"
+
+import * as React from "react"
+import { Select as SelectPrimitive } from "radix-ui"
+
+import { cn } from "@/lib/utils"
+import { ChevronDownIcon, CheckIcon, ChevronUpIcon } from "lucide-react"
+
+function Select({
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Root>) {
+  return <SelectPrimitive.Root data-slot="select" {...props} />
+}
+
+function SelectGroup({
+  className,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Group>) {
+  return (
+    <SelectPrimitive.Group
+      data-slot="select-group"
+      className={cn("scroll-my-1 p-1", className)}
+      {...props}
+    />
+  )
+}
+
+function SelectValue({
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Value>) {
+  return <SelectPrimitive.Value data-slot="select-value" {...props} />
+}
+
+function SelectTrigger({
+  className,
+  size = "default",
+  children,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Trigger> & {
+  size?: "sm" | "default"
+}) {
+  return (
+    <SelectPrimitive.Trigger
+      data-slot="select-trigger"
+      data-size={size}
+      className={cn(
+        "flex w-fit items-center justify-between gap-1.5 rounded-lg border border-input bg-transparent py-2 pr-2 pl-2.5 text-sm whitespace-nowrap transition-colors outline-none select-none focus-visible:border-ring focus-visible:ring-3 focus-visible:ring-ring/50 disabled:cursor-not-allowed disabled:opacity-50 aria-invalid:border-destructive aria-invalid:ring-3 aria-invalid:ring-destructive/20 data-placeholder:text-muted-foreground data-[size=default]:h-8 data-[size=sm]:h-7 data-[size=sm]:rounded-[min(var(--radius-md),10px)] *:data-[slot=select-value]:line-clamp-1 *:data-[slot=select-value]:flex *:data-[slot=select-value]:items-center *:data-[slot=select-value]:gap-1.5 dark:bg-input/30 dark:hover:bg-input/50 dark:aria-invalid:border-destructive/50 dark:aria-invalid:ring-destructive/40 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+        className
+      )}
+      {...props}
+    >
+      {children}
+      <SelectPrimitive.Icon asChild>
+        <ChevronDownIcon className="pointer-events-none size-4 text-muted-foreground" />
+      </SelectPrimitive.Icon>
+    </SelectPrimitive.Trigger>
+  )
+}
+
+function SelectContent({
+  className,
+  children,
+  position = "item-aligned",
+  align = "center",
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Content>) {
+  return (
+    <SelectPrimitive.Portal>
+      <SelectPrimitive.Content
+        data-slot="select-content"
+        data-align-trigger={position === "item-aligned"}
+        className={cn("relative z-50 max-h-(--radix-select-content-available-height) min-w-36 origin-(--radix-select-content-transform-origin) overflow-x-hidden overflow-y-auto rounded-lg bg-popover text-popover-foreground shadow-md ring-1 ring-foreground/10 duration-100 data-[align-trigger=true]:animate-none data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 data-open:animate-in data-open:fade-in-0 data-open:zoom-in-95 data-closed:animate-out data-closed:fade-out-0 data-closed:zoom-out-95", position ==="popper"&&"data-[side=bottom]:translate-y-1 data-[side=left]:-translate-x-1 data-[side=right]:translate-x-1 data-[side=top]:-translate-y-1", className )}
+        position={position}
+        align={align}
+        {...props}
+      >
+        <SelectScrollUpButton />
+        <SelectPrimitive.Viewport
+          data-position={position}
+          className={cn(
+            "data-[position=popper]:h-(--radix-select-trigger-height) data-[position=popper]:w-full data-[position=popper]:min-w-(--radix-select-trigger-width)",
+            position === "popper" && ""
+          )}
+        >
+          {children}
+        </SelectPrimitive.Viewport>
+        <SelectScrollDownButton />
+      </SelectPrimitive.Content>
+    </SelectPrimitive.Portal>
+  )
+}
+
+function SelectLabel({
+  className,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Label>) {
+  return (
+    <SelectPrimitive.Label
+      data-slot="select-label"
+      className={cn("px-1.5 py-1 text-xs text-muted-foreground", className)}
+      {...props}
+    />
+  )
+}
+
+function SelectItem({
+  className,
+  children,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Item>) {
+  return (
+    <SelectPrimitive.Item
+      data-slot="select-item"
+      className={cn(
+        "relative flex w-full cursor-default items-center gap-1.5 rounded-md py-1 pr-8 pl-1.5 text-sm outline-hidden select-none focus:bg-accent focus:text-accent-foreground not-data-[variant=destructive]:focus:**:text-accent-foreground data-disabled:pointer-events-none data-disabled:opacity-50 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4 *:[span]:last:flex *:[span]:last:items-center *:[span]:last:gap-2",
+        className
+      )}
+      {...props}
+    >
+      <span className="pointer-events-none absolute right-2 flex size-4 items-center justify-center">
+        <SelectPrimitive.ItemIndicator>
+          <CheckIcon className="pointer-events-none" />
+        </SelectPrimitive.ItemIndicator>
+      </span>
+      <SelectPrimitive.ItemText>{children}</SelectPrimitive.ItemText>
+    </SelectPrimitive.Item>
+  )
+}
+
+function SelectSeparator({
+  className,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Separator>) {
+  return (
+    <SelectPrimitive.Separator
+      data-slot="select-separator"
+      className={cn("pointer-events-none -mx-1 my-1 h-px bg-border", className)}
+      {...props}
+    />
+  )
+}
+
+function SelectScrollUpButton({
+  className,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.ScrollUpButton>) {
+  return (
+    <SelectPrimitive.ScrollUpButton
+      data-slot="select-scroll-up-button"
+      className={cn(
+        "z-10 flex cursor-default items-center justify-center bg-popover py-1 [&_svg:not([class*='size-'])]:size-4",
+        className
+      )}
+      {...props}
+    >
+      <ChevronUpIcon
+      />
+    </SelectPrimitive.ScrollUpButton>
+  )
+}
+
+function SelectScrollDownButton({
+  className,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.ScrollDownButton>) {
+  return (
+    <SelectPrimitive.ScrollDownButton
+      data-slot="select-scroll-down-button"
+      className={cn(
+        "z-10 flex cursor-default items-center justify-center bg-popover py-1 [&_svg:not([class*='size-'])]:size-4",
+        className
+      )}
+      {...props}
+    >
+      <ChevronDownIcon
+      />
+    </SelectPrimitive.ScrollDownButton>
+  )
+}
+
+export {
+  Select,
+  SelectContent,
+  SelectGroup,
+  SelectItem,
+  SelectLabel,
+  SelectScrollDownButton,
+  SelectScrollUpButton,
+  SelectSeparator,
+  SelectTrigger,
+  SelectValue,
+}

client/src/components/ui/separator.tsx

@@ -0,0 +1,26 @@
+import * as React from "react"
+import { Separator as SeparatorPrimitive } from "radix-ui"
+
+import { cn } from "@/lib/utils"
+
+function Separator({
+  className,
+  orientation = "horizontal",
+  decorative = true,
+  ...props
+}: React.ComponentProps<typeof SeparatorPrimitive.Root>) {
+  return (
+    <SeparatorPrimitive.Root
+      data-slot="separator"
+      decorative={decorative}
+      orientation={orientation}
+      className={cn(
+        "shrink-0 bg-border data-horizontal:h-px data-horizontal:w-full data-vertical:w-px data-vertical:self-stretch",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Separator }

client/src/components/ui/skeleton.tsx

@@ -0,0 +1,13 @@
+import { cn } from "@/lib/utils"
+
+function Skeleton({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="skeleton"
+      className={cn("animate-pulse rounded-md bg-muted", className)}
+      {...props}
+    />
+  )
+}
+
+export { Skeleton }

client/src/components/ui/sonner.tsx

@@ -0,0 +1,47 @@
+import { useTheme } from "next-themes"
+import { Toaster as Sonner, type ToasterProps } from "sonner"
+import { CircleCheckIcon, InfoIcon, TriangleAlertIcon, OctagonXIcon, Loader2Icon } from "lucide-react"
+
+const Toaster = ({ ...props }: ToasterProps) => {
+  const { theme = "system" } = useTheme()
+
+  return (
+    <Sonner
+      theme={theme as ToasterProps["theme"]}
+      className="toaster group"
+      icons={{
+        success: (
+          <CircleCheckIcon className="size-4" />
+        ),
+        info: (
+          <InfoIcon className="size-4" />
+        ),
+        warning: (
+          <TriangleAlertIcon className="size-4" />
+        ),
+        error: (
+          <OctagonXIcon className="size-4" />
+        ),
+        loading: (
+          <Loader2Icon className="size-4 animate-spin" />
+        ),
+      }}
+      style={
+        {
+          "--normal-bg": "var(--popover)",
+          "--normal-text": "var(--popover-foreground)",
+          "--normal-border": "var(--border)",
+          "--border-radius": "var(--radius)",
+        } as React.CSSProperties
+      }
+      toastOptions={{
+        classNames: {
+          toast: "cn-toast",
+        },
+      }}
+      {...props}
+    />
+  )
+}
+
+export { Toaster }

client/src/index.css

@@ -1,10 +1,151 @@
 @import "tailwindcss";
+@import "tw-animate-css";
+@import "shadcn/tailwind.css";
+@import "@fontsource-variable/hanken-grotesk";
+
+@custom-variant dark (&:is(.dark *));
 
 :root {
-  color-scheme: dark;
+  --radius: 0.625rem;
+
+  /* Light content surface — the "calm command center" body. */
+  --background: oklch(0.99 0.003 280);
+  --foreground: oklch(0.21 0.03 280);
+  --card: oklch(1 0 0);
+  --card-foreground: oklch(0.21 0.03 280);
+  --popover: oklch(1 0 0);
+  --popover-foreground: oklch(0.21 0.03 280);
+
+  /* Brand: indigo, rationed so it always means something. */
+  --primary: oklch(0.511 0.262 276.966);
+  --primary-foreground: oklch(0.985 0 0);
+  --secondary: oklch(0.967 0.012 280);
+  --secondary-foreground: oklch(0.3 0.05 280);
+  --muted: oklch(0.967 0.006 280);
+  --muted-foreground: oklch(0.52 0.03 280);
+  --accent: oklch(0.95 0.03 280);
+  --accent-foreground: oklch(0.4 0.16 277);
+  --destructive: oklch(0.577 0.245 27.325);
+  --border: oklch(0.92 0.01 280);
+  --input: oklch(0.92 0.01 280);
+  --ring: oklch(0.585 0.233 277.117);
+
+  /* Seat-state triad (load-bearing) + status colors. */
+  --seat-human: oklch(0.554 0.046 257.417); /* slate */
+  --seat-open: oklch(0.769 0.188 70.08); /* amber */
+  --seat-ai: oklch(0.585 0.233 277.117); /* indigo */
+  --approved: oklch(0.704 0.14 182.503); /* teal */
+  --held: oklch(0.769 0.188 70.08); /* amber */
+
+  --chart-1: oklch(0.585 0.233 277.117);
+  --chart-2: oklch(0.704 0.14 182.503);
+  --chart-3: oklch(0.769 0.188 70.08);
+  --chart-4: oklch(0.554 0.046 257.417);
+  --chart-5: oklch(0.5 0.13 300);
+
+  /* Deep-indigo command-center sidebar. */
+  --sidebar: oklch(0.257 0.09 281.288);
+  --sidebar-foreground: oklch(0.93 0.02 280);
+  --sidebar-primary: oklch(0.673 0.182 276.935);
+  --sidebar-primary-foreground: oklch(0.985 0 0);
+  --sidebar-accent: oklch(0.359 0.144 278.697);
+  --sidebar-accent-foreground: oklch(0.97 0.01 280);
+  --sidebar-border: oklch(0.45 0.12 278 / 35%);
+  --sidebar-ring: oklch(0.585 0.233 277.117);
 }
 
 body {
   margin: 0;
-  font-family: "Hanken Grotesk", system-ui, sans-serif;
+  font-family: "Hanken Grotesk Variable", system-ui, sans-serif;
+}
+
+@theme inline {
+  --font-sans: "Hanken Grotesk Variable", system-ui, sans-serif;
+  --font-heading: var(--font-sans);
+
+  --color-seat-human: var(--seat-human);
+  --color-seat-open: var(--seat-open);
+  --color-seat-ai: var(--seat-ai);
+  --color-approved: var(--approved);
+  --color-held: var(--held);
+
+  --color-sidebar-ring: var(--sidebar-ring);
+  --color-sidebar-border: var(--sidebar-border);
+  --color-sidebar-accent-foreground: var(--sidebar-accent-foreground);
+  --color-sidebar-accent: var(--sidebar-accent);
+  --color-sidebar-primary-foreground: var(--sidebar-primary-foreground);
+  --color-sidebar-primary: var(--sidebar-primary);
+  --color-sidebar-foreground: var(--sidebar-foreground);
+  --color-sidebar: var(--sidebar);
+  --color-chart-5: var(--chart-5);
+  --color-chart-4: var(--chart-4);
+  --color-chart-3: var(--chart-3);
+  --color-chart-2: var(--chart-2);
+  --color-chart-1: var(--chart-1);
+  --color-ring: var(--ring);
+  --color-input: var(--input);
+  --color-border: var(--border);
+  --color-destructive: var(--destructive);
+  --color-accent-foreground: var(--accent-foreground);
+  --color-accent: var(--accent);
+  --color-muted-foreground: var(--muted-foreground);
+  --color-muted: var(--muted);
+  --color-secondary-foreground: var(--secondary-foreground);
+  --color-secondary: var(--secondary);
+  --color-primary-foreground: var(--primary-foreground);
+  --color-primary: var(--primary);
+  --color-popover-foreground: var(--popover-foreground);
+  --color-popover: var(--popover);
+  --color-card-foreground: var(--card-foreground);
+  --color-card: var(--card);
+  --color-foreground: var(--foreground);
+  --color-background: var(--background);
+  --radius-sm: calc(var(--radius) * 0.6);
+  --radius-md: calc(var(--radius) * 0.8);
+  --radius-lg: var(--radius);
+  --radius-xl: calc(var(--radius) * 1.4);
+  --radius-2xl: calc(var(--radius) * 1.8);
+  --radius-3xl: calc(var(--radius) * 2.2);
+  --radius-4xl: calc(var(--radius) * 2.6);
+}
+
+.dark {
+  --background: oklch(0.205 0.03 280);
+  --foreground: oklch(0.985 0 0);
+  --card: oklch(0.257 0.04 281);
+  --card-foreground: oklch(0.985 0 0);
+  --popover: oklch(0.257 0.04 281);
+  --popover-foreground: oklch(0.985 0 0);
+  --primary: oklch(0.673 0.182 276.935);
+  --primary-foreground: oklch(0.205 0.03 280);
+  --secondary: oklch(0.3 0.04 280);
+  --secondary-foreground: oklch(0.985 0 0);
+  --muted: oklch(0.3 0.04 280);
+  --muted-foreground: oklch(0.72 0.03 280);
+  --accent: oklch(0.32 0.06 280);
+  --accent-foreground: oklch(0.985 0 0);
+  --destructive: oklch(0.704 0.191 22.216);
+  --border: oklch(1 0 0 / 10%);
+  --input: oklch(1 0 0 / 15%);
+  --ring: oklch(0.585 0.233 277.117);
+  --sidebar: oklch(0.21 0.07 281);
+  --sidebar-foreground: oklch(0.93 0.02 280);
+  --sidebar-primary: oklch(0.673 0.182 276.935);
+  --sidebar-primary-foreground: oklch(0.985 0 0);
+  --sidebar-accent: oklch(0.359 0.144 278.697);
+  --sidebar-accent-foreground: oklch(0.97 0.01 280);
+  --sidebar-border: oklch(1 0 0 / 10%);
+  --sidebar-ring: oklch(0.585 0.233 277.117);
+}
+
+@layer base {
+  * {
+    @apply border-border outline-ring/50;
+  }
+  body {
+    @apply bg-background text-foreground;
+  }
+  html {
+    @apply font-sans;
+  }
 }

client/src/lib/api.ts

@@ -0,0 +1,31 @@
+import { useAuth } from '../store/auth'
+
+async function request<T>(method: string, url: string, body?: unknown): Promise<T> {
+  const token = useAuth.getState().token
+  const response = await fetch(url, {
+    method,
+    headers: {
+      'Content-Type': 'application/json',
+      ...(token ? { Authorization: `Bearer ${token}` } : {}),
+    },
+    body: body === undefined ? undefined : JSON.stringify(body),
+  })
+
+  if (response.status === 401) {
+    useAuth.getState().logout()
+  }
+
+  if (!response.ok) {
+    const text = await response.text()
+    throw new Error(`${response.status} ${response.statusText}${text ? `: ${text}` : ''}`)
+  }
+
+  const contentType = response.headers.get('content-type') ?? ''
+  return contentType.includes('application/json') ? ((await response.json()) as T) : (undefined as T)
+}
+
+export const api = {
+  get: <T>(url: string) => request<T>('GET', url),
+  post: <T>(url: string, body?: unknown) => request<T>('POST', url, body),
+  patch: <T>(url: string, body?: unknown) => request<T>('PATCH', url, body),
+}

client/src/lib/utils.ts

@@ -0,0 +1,6 @@
+import { clsx, type ClassValue } from "clsx"
+import { twMerge } from "tailwind-merge"
+
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs))
+}

client/src/main.tsx

@@ -1,10 +1,13 @@
 import { StrictMode } from 'react'
 import { createRoot } from 'react-dom/client'
+import { BrowserRouter } from 'react-router'
 import './index.css'
 import App from './App.tsx'
 
 createRoot(document.getElementById('root')!).render(
   <StrictMode>
-    <App />
+    <BrowserRouter>
+      <App />
+    </BrowserRouter>
   </StrictMode>,
 )

client/src/pages/BoardPage.tsx

@@ -0,0 +1,317 @@
+import { useCallback, useEffect, useState } from 'react'
+import { Plus, UserPlus } from 'lucide-react'
+import { toast } from 'sonner'
+import { AppShell } from '@/components/AppShell'
+import { StatusDot } from '@/components/StatusDot'
+import { Avatar, AvatarFallback } from '@/components/ui/avatar'
+import { Badge } from '@/components/ui/badge'
+import { Button } from '@/components/ui/button'
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from '@/components/ui/card'
+import { Input } from '@/components/ui/input'
+import { Label } from '@/components/ui/label'
+import {
+  Select,
+  SelectContent,
+  SelectGroup,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from '@/components/ui/select'
+import { api } from '@/lib/api'
+import { useAuth } from '@/store/auth'
+
+const COLUMNS = [
+  { value: 'Backlog', label: 'Backlog' },
+  { value: 'InProgress', label: 'In Progress' },
+  { value: 'InReview', label: 'In Review' },
+  { value: 'Done', label: 'Done' },
+] as const
+
+interface Team {
+  id: string
+  organizationId: string
+  name: string
+}
+
+interface Task {
+  id: string
+  teamId: string
+  title: string
+  type: string
+  status: string
+  assigneeKind: string
+  assigneeId?: string | null
+}
+
+interface Board {
+  teamId: string
+  columns: { status: string; items: Task[] }[]
+}
+
+export function BoardPage() {
+  const memberId = useAuth((s) => s.memberId)
+  const email = useAuth((s) => s.email)
+  const organizationId = useAuth((s) => s.organizationId)
+
+  const [orgName, setOrgName] = useState('')
+  const [teams, setTeams] = useState<Team[]>([])
+  const [teamId, setTeamId] = useState<string | null>(null)
+  const [board, setBoard] = useState<Board | null>(null)
+  const [cartable, setCartable] = useState<Task[]>([])
+  const [newTeam, setNewTeam] = useState('')
+  const [newTask, setNewTask] = useState('')
+
+  const loadTeams = useCallback(async () => {
+    if (!organizationId) {
+      return
+    }
+    try {
+      const result = await api.get<Team[]>(`/api/orgboard/teams?organizationId=${organizationId}`)
+      setTeams(result)
+      setTeamId((current) => current ?? result[0]?.id ?? null)
+    } catch (err) {
+      toast.error((err as Error).message)
+    }
+  }, [organizationId])
+
+  const loadBoard = useCallback(async (id: string) => {
+    try {
+      setBoard(await api.get<Board>(`/api/orgboard/board?teamId=${id}`))
+      setCartable(await api.get<Task[]>('/api/orgboard/cartable'))
+    } catch (err) {
+      toast.error((err as Error).message)
+    }
+  }, [])
+
+  useEffect(() => {
+    void loadTeams()
+  }, [loadTeams])
+
+  useEffect(() => {
+    if (teamId) {
+      void loadBoard(teamId)
+    }
+  }, [teamId, loadBoard])
+
+  async function run(action: () => Promise<unknown>) {
+    try {
+      await action()
+    } catch (err) {
+      toast.error((err as Error).message)
+    }
+  }
+
+  const saveOrg = () =>
+    run(async () => {
+      await api.post('/api/orgboard/organizations', { organizationId, name: orgName })
+      toast.success('Organization saved.')
+    })
+
+  const createTeam = () =>
+    run(async () => {
+      const team = await api.post<Team>('/api/orgboard/teams', { organizationId, name: newTeam })
+      setNewTeam('')
+      await loadTeams()
+      setTeamId(team.id)
+    })
+
+  const createTask = () =>
+    run(async () => {
+      if (!teamId) {
+        return
+      }
+      await api.post('/api/orgboard/tasks', { teamId, title: newTask, type: 'Story' })
+      setNewTask('')
+      await loadBoard(teamId)
+    })
+
+  const move = (id: string, status: string) =>
+    run(async () => {
+      await api.patch(`/api/orgboard/tasks/${id}/move`, { status })
+      if (teamId) {
+        await loadBoard(teamId)
+      }
+    })
+
+  const assignToMe = (id: string) =>
+    run(async () => {
+      await api.patch(`/api/orgboard/tasks/${id}/assign`, { memberId })
+      if (teamId) {
+        await loadBoard(teamId)
+      }
+    })
+
+  const initials = (email ?? '?').slice(0, 2).toUpperCase()
+
+  return (
+    <AppShell>
+      <div className="mx-auto flex max-w-7xl flex-col gap-6 p-6">
+        <header>
+          <h1 className="text-2xl font-semibold tracking-tight">Board</h1>
+          <p className="text-sm text-muted-foreground">{orgName || 'Your organization'}</p>
+        </header>
+
+        <Card>
+          <CardHeader>
+            <CardTitle className="text-base">Setup</CardTitle>
+            <CardDescription>Name the org, create a team, and pick one to view its board.</CardDescription>
+          </CardHeader>
+          <CardContent className="flex flex-wrap items-end gap-4">
+            <div className="flex flex-col gap-2">
+              <Label htmlFor="org">Organization name</Label>
+              <div className="flex gap-2">
+                <Input id="org" value={orgName} onChange={(e) => setOrgName(e.target.value)} className="w-48" />
+                <Button variant="outline" onClick={saveOrg}>
+                  Save
+                </Button>
+              </div>
+            </div>
+
+            <div className="flex flex-col gap-2">
+              <Label htmlFor="team">New team</Label>
+              <div className="flex gap-2">
+                <Input id="team" value={newTeam} onChange={(e) => setNewTeam(e.target.value)} className="w-48" />
+                <Button onClick={createTeam}>
+                  <Plus data-icon="inline-start" />
+                  Create
+                </Button>
+              </div>
+            </div>
+
+            <div className="flex flex-col gap-2">
+              <Label>Team</Label>
+              <Select value={teamId ?? ''} onValueChange={(v) => setTeamId(v || null)}>
+                <SelectTrigger className="w-56">
+                  <SelectValue placeholder="Select a team" />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectGroup>
+                    {teams.map((team) => (
+                      <SelectItem key={team.id} value={team.id}>
+                        {team.name}
+                      </SelectItem>
+                    ))}
+                  </SelectGroup>
+                </SelectContent>
+              </Select>
+            </div>
+          </CardContent>
+        </Card>
+
+        {teamId && (
+          <div className="flex items-center gap-2">
+            <Input
+              value={newTask}
+              onChange={(e) => setNewTask(e.target.value)}
+              placeholder="New task title…"
+              className="max-w-md"
+              onKeyDown={(e) => {
+                if (e.key === 'Enter') {
+                  createTask()
+                }
+              }}
+            />
+            <Button onClick={createTask}>
+              <Plus data-icon="inline-start" />
+              Add task
+            </Button>
+          </div>
+        )}
+
+        <div className="grid grid-cols-1 gap-4 md:grid-cols-2 xl:grid-cols-4">
+          {COLUMNS.map((column) => {
+            const items = board?.columns.find((c) => c.status === column.value)?.items ?? []
+            return (
+              <Card key={column.value} className="bg-muted/30">
+                <CardHeader>
+                  <CardTitle className="flex items-center justify-between text-sm font-semibold uppercase tracking-wide text-muted-foreground">
+                    {column.label}
+                    <Badge variant="secondary">{items.length}</Badge>
+                  </CardTitle>
+                </CardHeader>
+                <CardContent className="flex flex-col gap-3">
+                  {items.map((task) => {
+                    const mine = task.assigneeKind === 'Member' && task.assigneeId === memberId
+                    return (
+                      <Card key={task.id}>
+                        <CardContent className="flex flex-col gap-3">
+                          <div className="flex items-start justify-between gap-2">
+                            <span className="text-sm font-medium leading-snug">{task.title}</span>
+                            <Badge variant="outline">{task.type}</Badge>
+                          </div>
+                          <div className="flex items-center justify-between gap-2">
+                            <Select value={task.status} onValueChange={(v) => move(task.id, v)}>
+                              <SelectTrigger className="h-8 w-[136px] text-xs">
+                                <SelectValue />
+                              </SelectTrigger>
+                              <SelectContent>
+                                <SelectGroup>
+                                  {COLUMNS.map((c) => (
+                                    <SelectItem key={c.value} value={c.value}>
+                                      {c.label}
+                                    </SelectItem>
+                                  ))}
+                                </SelectGroup>
+                              </SelectContent>
+                            </Select>
+
+                            {task.assigneeKind === 'Member' ? (
+                              <span className="flex items-center gap-2 text-xs text-muted-foreground">
+                                <StatusDot tone="human" />
+                                <Avatar className="size-6">
+                                  <AvatarFallback className="text-[10px]">
+                                    {mine ? initials : '··'}
+                                  </AvatarFallback>
+                                </Avatar>
+                                {mine ? 'You' : 'Assigned'}
+                              </span>
+                            ) : (
+                              <Button variant="outline" size="sm" onClick={() => assignToMe(task.id)}>
+                                <UserPlus data-icon="inline-start" />
+                                Assign to me
+                              </Button>
+                            )}
+                          </div>
+                        </CardContent>
+                      </Card>
+                    )
+                  })}
+                  {items.length === 0 && (
+                    <p className="py-6 text-center text-xs text-muted-foreground">No tasks</p>
+                  )}
+                </CardContent>
+              </Card>
+            )
+          })}
+        </div>
+
+        <Card>
+          <CardHeader>
+            <CardTitle className="text-base">My cartable</CardTitle>
+            <CardDescription>Tasks assigned to you across teams.</CardDescription>
+          </CardHeader>
+          <CardContent className="flex flex-col gap-2">
+            {cartable.map((task) => (
+              <div
+                key={task.id}
+                className="flex items-center justify-between rounded-md border px-3 py-2 text-sm"
+              >
+                <span>{task.title}</span>
+                <Badge variant="secondary">{task.status}</Badge>
+              </div>
+            ))}
+            {cartable.length === 0 && (
+              <p className="text-sm text-muted-foreground">Nothing assigned to you yet.</p>
+            )}
+          </CardContent>
+        </Card>
+      </div>
+    </AppShell>
+  )
+}

client/src/pages/LoginPage.tsx

@@ -0,0 +1,123 @@
+import { type FormEvent, useState } from 'react'
+import { toast } from 'sonner'
+import { Button } from '@/components/ui/button'
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card'
+import { Input } from '@/components/ui/input'
+import { Label } from '@/components/ui/label'
+import { api } from '@/lib/api'
+import { useAuth } from '@/store/auth'
+
+interface AuthResponse {
+  token: string
+  memberId: string
+}
+
+interface BootstrapResponse {
+  token: string
+  memberId: string
+  organizationId: string
+}
+
+interface MeResponse {
+  email: string
+  memberships: { scopeType: string; scopeId: string; role: string }[]
+}
+
+export function LoginPage() {
+  const setAuth = useAuth((state) => state.setAuth)
+  const [mode, setMode] = useState<'login' | 'bootstrap'>('login')
+  const [email, setEmail] = useState('')
+  const [password, setPassword] = useState('')
+  const [displayName, setDisplayName] = useState('')
+  const [orgName, setOrgName] = useState('')
+  const [busy, setBusy] = useState(false)
+
+  async function submit(event: FormEvent) {
+    event.preventDefault()
+    setBusy(true)
+    try {
+      if (mode === 'bootstrap') {
+        const result = await api.post<BootstrapResponse>('/api/identity/bootstrap', {
+          organizationName: orgName,
+          ownerEmail: email,
+          ownerDisplayName: displayName,
+          ownerPassword: password,
+        })
+        setAuth(result.token, result.memberId, result.organizationId, email)
+      } else {
+        const result = await api.post<AuthResponse>('/api/identity/auth/login', { email, password })
+        setAuth(result.token, result.memberId, null, email)
+        const me = await api.get<MeResponse>('/api/identity/me')
+        const org = me.memberships.find((m) => m.scopeType === 'Organization')
+        setAuth(result.token, result.memberId, org?.scopeId ?? null, me.email)
+      }
+    } catch (err) {
+      toast.error((err as Error).message)
+    } finally {
+      setBusy(false)
+    }
+  }
+
+  return (
+    <main className="grid min-h-screen place-items-center bg-sidebar px-6">
+      <Card className="w-full max-w-sm">
+        <CardHeader>
+          <div className="flex items-center gap-3">
+            <span className="grid size-8 place-items-center rounded-md bg-primary font-bold text-primary-foreground">
+              T
+            </span>
+            <CardTitle>TeamUp.AI</CardTitle>
+          </div>
+          <CardDescription>
+            {mode === 'login' ? 'Sign in to your command center.' : 'Create the first owner of a new org.'}
+          </CardDescription>
+        </CardHeader>
+        <CardContent>
+          <form onSubmit={submit} className="flex flex-col gap-4">
+            {mode === 'bootstrap' && (
+              <LabeledInput id="org" label="Organization" value={orgName} onChange={setOrgName} />
+            )}
+            {mode === 'bootstrap' && (
+              <LabeledInput id="name" label="Display name" value={displayName} onChange={setDisplayName} />
+            )}
+            <LabeledInput id="email" label="Email" type="email" value={email} onChange={setEmail} />
+            <LabeledInput id="password" label="Password" type="password" value={password} onChange={setPassword} />
+
+            <Button type="submit" disabled={busy}>
+              {busy ? 'Working…' : mode === 'login' ? 'Sign in' : 'Bootstrap'}
+            </Button>
+            <Button
+              type="button"
+              variant="ghost"
+              size="sm"
+              onClick={() => setMode(mode === 'login' ? 'bootstrap' : 'login')}
+            >
+              {mode === 'login' ? 'First run? Bootstrap the owner' : 'Back to sign in'}
+            </Button>
+          </form>
+        </CardContent>
+      </Card>
+    </main>
+  )
+}
+
+function LabeledInput(props: {
+  id: string
+  label: string
+  value: string
+  onChange: (value: string) => void
+  type?: string
+}) {
+  return (
+    <div className="flex flex-col gap-2">
+      <Label htmlFor={props.id}>{props.label}</Label>
+      <Input
+        id={props.id}
+        type={props.type ?? 'text'}
+        value={props.value}
+        onChange={(event) => props.onChange(event.target.value)}
+        required
+      />
+    </div>
+  )
+}

client/src/store/auth.ts

@@ -0,0 +1,26 @@
+import { create } from 'zustand'
+import { persist } from 'zustand/middleware'
+
+interface AuthState {
+  token: string | null
+  memberId: string | null
+  organizationId: string | null
+  email: string | null
+  setAuth: (token: string, memberId: string, organizationId: string | null, email?: string | null) => void
+  logout: () => void
+}
+
+export const useAuth = create<AuthState>()(
+  persist(
+    (set) => ({
+      token: null,
+      memberId: null,
+      organizationId: null,
+      email: null,
+      setAuth: (token, memberId, organizationId, email = null) =>
+        set({ token, memberId, organizationId, email }),
+      logout: () => set({ token: null, memberId: null, organizationId: null, email: null }),
+    }),
+    { name: 'teamup-auth' },
+  ),
+)

client/tsconfig.app.json

@@ -6,6 +6,9 @@
     "module": "esnext",
     "types": ["vite/client"],
     "skipLibCheck": true,
+    "paths": {
+      "@/*": ["./src/*"]
+    },
 
     /* Bundler mode */
     "moduleResolution": "bundler",

client/tsconfig.json

@@ -3,5 +3,10 @@
   "references": [
     { "path": "./tsconfig.app.json" },
     { "path": "./tsconfig.node.json" }
-  ]
+  ],
+  "compilerOptions": {
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  }
 }

client/vite.config.ts

@@ -1,3 +1,4 @@
+import { fileURLToPath, URL } from 'node:url'
 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
 import tailwindcss from '@tailwindcss/vite'
@@ -7,6 +8,11 @@ import tailwindcss from '@tailwindcss/vite'
 // Prod: `npm run build` emits ./dist, which the .NET publish step / Docker copies into wwwroot.
 export default defineConfig({
   plugins: [react(), tailwindcss()],
+  resolve: {
+    alias: {
+      '@': fileURLToPath(new URL('./src', import.meta.url)),
+    },
+  },
   server: {
     port: 5173,
     proxy: {

src/Hosts/TeamUp.Web/Program.cs

@@ -1,3 +1,4 @@
+using System.Text.Json.Serialization;
 using OpenTelemetry.Trace;
 using Serilog;
 using TeamUp.Bootstrap;
@@ -12,6 +13,10 @@ builder.Host.UseSerilog((context, services, configuration) => configuration
 
 builder.Services.AddOpenApi();
 
+// Bind/serialize enums as strings across the API (e.g. ScopeType "Organization", RoleType "Member").
+builder.Services.ConfigureHttpJsonOptions(options =>
+    options.SerializerOptions.Converters.Add(new JsonStringEnumConverter()));
+
 builder.Services.AddTeamUpObservability(
     builder.Configuration,
     serviceName: "teamup-web",
@@ -42,6 +47,9 @@ app.UseSerilogRequestLogging();
 app.UseDefaultFiles();
 app.UseStaticFiles();
 
+app.UseAuthentication();
+app.UseAuthorization();
+
 app.MapHealthChecks("/health");
 app.MapTeamUpModules();
 

src/Hosts/TeamUp.Web/appsettings.json

@@ -5,6 +5,12 @@
   "Database": {
     "ApplyMigrationsOnStartup": false
   },
+  "Jwt": {
+    "Secret": "dev-only-teamup-jwt-signing-secret-change-in-production-0123456789",
+    "Issuer": "teamup",
+    "Audience": "teamup",
+    "ExpiryMinutes": 480
+  },
   "OpenTelemetry": {
     "OtlpEndpoint": ""
   },

src/Hosts/TeamUp.Worker/appsettings.json

@@ -5,6 +5,12 @@
   "Database": {
     "ApplyMigrationsOnStartup": false
   },
+  "Jwt": {
+    "Secret": "dev-only-teamup-jwt-signing-secret-change-in-production-0123456789",
+    "Issuer": "teamup",
+    "Audience": "teamup",
+    "ExpiryMinutes": 480
+  },
   "OpenTelemetry": {
     "OtlpEndpoint": ""
   },

src/Modules/TeamUp.Modules.Governance/Auditing/AuditLog.cs

@@ -0,0 +1,25 @@
+using TeamUp.Modules.Governance.Domain;
+using TeamUp.Modules.Governance.Persistence;
+using TeamUp.SharedKernel.Auditing;
+
+namespace TeamUp.Modules.Governance.Auditing;
+
+/// <summary>
+/// Writes audit events to the governance store. Uses its own DbContext/transaction (best-effort,
+/// decoupled from the acting module's unit of work) — sufficient for M1.
+/// </summary>
+internal sealed class AuditLog(GovernanceDbContext db, TimeProvider clock) : IAuditLog
+{
+    public async Task WriteAsync(AuditEvent auditEvent, CancellationToken cancellationToken = default)
+    {
+        db.AuditEntries.Add(new AuditEntry(
+            auditEvent.Action,
+            auditEvent.EntityType,
+            auditEvent.EntityId,
+            auditEvent.ActorMemberId,
+            auditEvent.Details,
+            clock.GetUtcNow()));
+
+        await db.SaveChangesAsync(cancellationToken);
+    }
+}

src/Modules/TeamUp.Modules.Governance/Domain/AuditEntry.cs

@@ -0,0 +1,34 @@
+using TeamUp.SharedKernel.Domain;
+
+namespace TeamUp.Modules.Governance.Domain;
+
+/// <summary>An immutable audit record. Append-only — never updated or deleted.</summary>
+internal sealed class AuditEntry : Entity
+{
+    public string Action { get; private set; } = null!;
+    public string EntityType { get; private set; } = null!;
+    public Guid EntityId { get; private set; }
+    public Guid? ActorMemberId { get; private set; }
+    public string? Details { get; private set; }
+    public DateTimeOffset OccurredAtUtc { get; private set; }
+
+    private AuditEntry()
+    {
+    }
+
+    public AuditEntry(
+        string action,
+        string entityType,
+        Guid entityId,
+        Guid? actorMemberId,
+        string? details,
+        DateTimeOffset occurredAtUtc)
+    {
+        Action = action;
+        EntityType = entityType;
+        EntityId = entityId;
+        ActorMemberId = actorMemberId;
+        Details = details;
+        OccurredAtUtc = occurredAtUtc;
+    }
+}

src/Modules/TeamUp.Modules.Governance/Endpoints/GovernanceEndpoints.cs

@@ -0,0 +1,49 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.EntityFrameworkCore;
+using TeamUp.Modules.Governance.Persistence;
+using TeamUp.SharedKernel.Access;
+using TeamUp.SharedKernel.Modularity;
+
+namespace TeamUp.Modules.Governance.Endpoints;
+
+internal sealed record AuditEntryResponse(
+    Guid Id,
+    string Action,
+    string EntityType,
+    Guid EntityId,
+    Guid? ActorMemberId,
+    string? Details,
+    DateTimeOffset OccurredAtUtc);
+
+internal static class GovernanceEndpoints
+{
+    public static void Map(IEndpointRouteBuilder endpoints)
+    {
+        var group = endpoints.MapGroup("/api/governance").WithTags("Governance");
+
+        group.MapGet("/ping", () => TypedResults.Ok(new ModulePing("governance")));
+        group.MapGet("/audit", GetAudit).RequireAuthorization();
+    }
+
+    private static async Task<IResult> GetAudit(
+        Guid organizationId, int? take, IPermissionService permissions, GovernanceDbContext db, CancellationToken ct)
+    {
+        // Owner-only. (M1 audit entries are not yet org-scoped — fine for single-org dogfood.)
+        if (!permissions.Has(Capability.ViewAuditLog, ScopeRef.Org(organizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        var limit = Math.Clamp(take ?? 100, 1, 500);
+        var entries = await db.AuditEntries
+            .OrderByDescending(a => a.OccurredAtUtc)
+            .Take(limit)
+            .Select(a => new AuditEntryResponse(
+                a.Id, a.Action, a.EntityType, a.EntityId, a.ActorMemberId, a.Details, a.OccurredAtUtc))
+            .ToListAsync(ct);
+
+        return Results.Ok(entries);
+    }
+}

src/Modules/TeamUp.Modules.Governance/GovernanceModule.cs

@@ -1,27 +1,32 @@
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Routing;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using TeamUp.Modules.Governance.Auditing;
+using TeamUp.Modules.Governance.Endpoints;
+using TeamUp.Modules.Governance.Persistence;
+using TeamUp.SharedKernel.Auditing;
 using TeamUp.SharedKernel.Modularity;
+using TeamUp.SharedKernel.Persistence;
 
 namespace TeamUp.Modules.Governance;
 
-/// <summary>Autonomy dial, the action gate, the review inbox, the audit log (M5).</summary>
+/// <summary>Autonomy dial, the action gate, the review inbox, the audit log (M5). M1 ships the audit log.</summary>
 public sealed class GovernanceModule : IModule
 {
     public string Name => "governance";
 
     public void Register(IServiceCollection services, IConfiguration configuration)
     {
-        // Skeleton: no services yet. M5 introduces the action gate, ReviewItem context,
+        var connectionString = configuration.GetConnectionString("Postgres")
-        // edit-distance capture, and the immutable audit log here.
+            ?? throw new InvalidOperationException("Missing connection string 'ConnectionStrings:Postgres'.");
+
+        services.AddDbContext<GovernanceDbContext>(options => options.UseNpgsql(connectionString));
+        services.AddScoped<IModuleDbContext>(sp => sp.GetRequiredService<GovernanceDbContext>());
+        services.AddScoped<IAuditLog, AuditLog>();
+        services.TryAddSingleton(TimeProvider.System);
     }
 
-    public void MapEndpoints(IEndpointRouteBuilder endpoints)
+    public void MapEndpoints(IEndpointRouteBuilder endpoints) => GovernanceEndpoints.Map(endpoints);
-    {
-        endpoints.MapGroup($"/api/{Name}")
-            .WithTags("Governance")
-            .MapGet("/ping", () => TypedResults.Ok(new ModulePing(Name)));
-    }
 }

src/Modules/TeamUp.Modules.Governance/Persistence/GovernanceDbContext.cs

@@ -0,0 +1,27 @@
+using Microsoft.EntityFrameworkCore;
+using TeamUp.Modules.Governance.Domain;
+using TeamUp.SharedKernel.Persistence;
+
+namespace TeamUp.Modules.Governance.Persistence;
+
+internal sealed class GovernanceDbContext(DbContextOptions<GovernanceDbContext> options)
+    : DbContext(options), IModuleDbContext
+{
+    public DbSet<AuditEntry> AuditEntries => Set<AuditEntry>();
+
+    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    {
+        modelBuilder.HasDefaultSchema("governance");
+
+        modelBuilder.Entity<AuditEntry>(entry =>
+        {
+            entry.ToTable("audit_entries");
+            entry.HasKey(a => a.Id);
+            entry.Property(a => a.Action).HasMaxLength(100).IsRequired();
+            entry.Property(a => a.EntityType).HasMaxLength(100).IsRequired();
+            entry.Property(a => a.Details).HasMaxLength(2000);
+            entry.HasIndex(a => a.OccurredAtUtc);
+            entry.HasIndex(a => new { a.EntityType, a.EntityId });
+        });
+    }
+}

src/Modules/TeamUp.Modules.Governance/Persistence/GovernanceDbContextFactory.cs

@@ -0,0 +1,21 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Design;
+
+namespace TeamUp.Modules.Governance.Persistence;
+
+/// <summary>Design-time factory so `dotnet ef` can build the internal context without a host.</summary>
+internal sealed class GovernanceDbContextFactory : IDesignTimeDbContextFactory<GovernanceDbContext>
+{
+    public GovernanceDbContext CreateDbContext(string[] args)
+    {
+        var connectionString =
+            Environment.GetEnvironmentVariable("ConnectionStrings__Postgres")
+            ?? "Host=localhost;Port=5432;Database=teamup;Username=teamup;Password=teamup";
+
+        var options = new DbContextOptionsBuilder<GovernanceDbContext>()
+            .UseNpgsql(connectionString)
+            .Options;
+
+        return new GovernanceDbContext(options);
+    }
+}

src/Modules/TeamUp.Modules.Governance/Persistence/Migrations/20260609084417_InitialGovernance.Designer.cs

@@ -0,0 +1,69 @@
+// <auto-generated />
+using System;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using TeamUp.Modules.Governance.Persistence;
+
+#nullable disable
+
+namespace TeamUp.Modules.Governance.Persistence.Migrations
+{
+    [DbContext(typeof(GovernanceDbContext))]
+    [Migration("20260609084417_InitialGovernance")]
+    partial class InitialGovernance
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasDefaultSchema("governance")
+                .HasAnnotation("ProductVersion", "10.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("TeamUp.Modules.Governance.Domain.AuditEntry", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Action")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid?>("ActorMemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<Guid>("EntityId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("EntityType")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<DateTimeOffset>("OccurredAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OccurredAtUtc");
+
+                    b.HasIndex("EntityType", "EntityId");
+
+                    b.ToTable("audit_entries", "governance");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

src/Modules/TeamUp.Modules.Governance/Persistence/Migrations/20260609084417_InitialGovernance.cs

@@ -0,0 +1,56 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace TeamUp.Modules.Governance.Persistence.Migrations
+{
+    /// <inheritdoc />
+    public partial class InitialGovernance : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.EnsureSchema(
+                name: "governance");
+
+            migrationBuilder.CreateTable(
+                name: "audit_entries",
+                schema: "governance",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uuid", nullable: false),
+                    Action = table.Column<string>(type: "character varying(100)", maxLength: 100, nullable: false),
+                    EntityType = table.Column<string>(type: "character varying(100)", maxLength: 100, nullable: false),
+                    EntityId = table.Column<Guid>(type: "uuid", nullable: false),
+                    ActorMemberId = table.Column<Guid>(type: "uuid", nullable: true),
+                    Details = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: true),
+                    OccurredAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_audit_entries", x => x.Id);
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_audit_entries_EntityType_EntityId",
+                schema: "governance",
+                table: "audit_entries",
+                columns: new[] { "EntityType", "EntityId" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_audit_entries_OccurredAtUtc",
+                schema: "governance",
+                table: "audit_entries",
+                column: "OccurredAtUtc");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "audit_entries",
+                schema: "governance");
+        }
+    }
+}

src/Modules/TeamUp.Modules.Governance/Persistence/Migrations/GovernanceDbContextModelSnapshot.cs

@@ -0,0 +1,66 @@
+// <auto-generated />
+using System;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using TeamUp.Modules.Governance.Persistence;
+
+#nullable disable
+
+namespace TeamUp.Modules.Governance.Persistence.Migrations
+{
+    [DbContext(typeof(GovernanceDbContext))]
+    partial class GovernanceDbContextModelSnapshot : ModelSnapshot
+    {
+        protected override void BuildModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasDefaultSchema("governance")
+                .HasAnnotation("ProductVersion", "10.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("TeamUp.Modules.Governance.Domain.AuditEntry", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Action")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid?>("ActorMemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<Guid>("EntityId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("EntityType")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<DateTimeOffset>("OccurredAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OccurredAtUtc");
+
+                    b.HasIndex("EntityType", "EntityId");
+
+                    b.ToTable("audit_entries", "governance");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

src/Modules/TeamUp.Modules.Governance/TeamUp.Modules.Governance.csproj

@@ -1,10 +1,15 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
-  <!-- A self-contained module. References SharedKernel ONLY (ASP.NET flows transitively for the
+  <!-- Autonomy, the action gate, the review inbox, and the audit log. In M1 it implements the
-       IModule seam). M1 adds this module's EF/Npgsql/FluentValidation/Mapperly packages when it
+       shared IAuditLog (append-only audit). References SharedKernel only. -->
-       gains an (internal) DbContext and validators. It must never reference another module. -->
   <ItemGroup>
     <ProjectReference Include="..\..\Shared\TeamUp.SharedKernel\TeamUp.SharedKernel.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <PackageReference Include="Microsoft.EntityFrameworkCore" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Design" PrivateAssets="all" />
+    <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" />
+  </ItemGroup>
+
 </Project>

src/Modules/TeamUp.Modules.Identity/Access/CurrentUser.cs

@@ -0,0 +1,52 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using Microsoft.IdentityModel.JsonWebTokens;
+using TeamUp.Modules.Identity.Auth;
+using TeamUp.SharedKernel.Access;
+
+namespace TeamUp.Modules.Identity.Access;
+
+/// <summary>
+/// Resolves <see cref="ICurrentUser"/> from the request's JWT claims. JWT bearer is configured with
+/// MapInboundClaims=false, so claim names stay raw ("sub", "email", "membership"). In the worker
+/// (no HttpContext) this reports unauthenticated.
+/// </summary>
+internal sealed class CurrentUser(IHttpContextAccessor accessor) : ICurrentUser
+{
+    private ClaimsPrincipal? Principal => accessor.HttpContext?.User;
+
+    public bool IsAuthenticated => Principal?.Identity?.IsAuthenticated == true;
+
+    public Guid MemberId =>
+        Guid.TryParse(Principal?.FindFirstValue(JwtRegisteredClaimNames.Sub), out var id)
+            ? id
+            : throw new InvalidOperationException("No authenticated member on the current request.");
+
+    public string Email => Principal?.FindFirstValue(JwtRegisteredClaimNames.Email) ?? string.Empty;
+
+    public IReadOnlyList<ScopedRole> Memberships
+    {
+        get
+        {
+            if (Principal is null)
+            {
+                return [];
+            }
+
+            var memberships = new List<ScopedRole>();
+            foreach (var claim in Principal.FindAll(JwtTokenService.MembershipClaim))
+            {
+                var parts = claim.Value.Split(':');
+                if (parts.Length == 3
+                    && Enum.TryParse<ScopeType>(parts[0], out var scopeType)
+                    && Guid.TryParse(parts[1], out var scopeId)
+                    && Enum.TryParse<RoleType>(parts[2], out var role))
+                {
+                    memberships.Add(new ScopedRole(new ScopeRef(scopeType, scopeId), role));
+                }
+            }
+
+            return memberships;
+        }
+    }
+}

src/Modules/TeamUp.Modules.Identity/Access/PermissionService.cs

@@ -0,0 +1,29 @@
+using TeamUp.SharedKernel.Access;
+
+namespace TeamUp.Modules.Identity.Access;
+
+/// <summary>
+/// Default <see cref="IPermissionService"/>: the current user has a capability if any of their
+/// memberships sits on a scope in the supplied chain and that role permits the capability.
+/// </summary>
+internal sealed class PermissionService(ICurrentUser currentUser) : IPermissionService
+{
+    public bool Has(Capability capability, params ScopeRef[] scopeChain)
+    {
+        if (!currentUser.IsAuthenticated || scopeChain.Length == 0)
+        {
+            return false;
+        }
+
+        foreach (var membership in currentUser.Memberships)
+        {
+            if (Array.IndexOf(scopeChain, membership.Scope) >= 0
+                && AccessPolicy.Permits(membership.Role, capability))
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}

src/Modules/TeamUp.Modules.Identity/Auth/JwtOptions.cs

@@ -0,0 +1,11 @@
+namespace TeamUp.Modules.Identity.Auth;
+
+internal sealed class JwtOptions
+{
+    public const string SectionName = "Jwt";
+
+    public string Secret { get; set; } = string.Empty;
+    public string Issuer { get; set; } = "teamup";
+    public string Audience { get; set; } = "teamup";
+    public int ExpiryMinutes { get; set; } = 480;
+}

src/Modules/TeamUp.Modules.Identity/Auth/JwtTokenService.cs

@@ -0,0 +1,47 @@
+using System.Security.Claims;
+using System.Text;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Tokens;
+using TeamUp.Modules.Identity.Domain;
+
+namespace TeamUp.Modules.Identity.Auth;
+
+/// <summary>Issues signed JWTs carrying the member id, email, and one claim per membership.</summary>
+internal sealed class JwtTokenService(IOptions<JwtOptions> options, TimeProvider timeProvider)
+{
+    public const string MembershipClaim = "membership";
+
+    private readonly JwtOptions _options = options.Value;
+
+    public string Issue(Member member, IReadOnlyList<Membership> memberships)
+    {
+        var now = timeProvider.GetUtcNow();
+
+        var claims = new List<Claim>
+        {
+            new(JwtRegisteredClaimNames.Sub, member.Id.ToString()),
+            new(JwtRegisteredClaimNames.Email, member.Email),
+            new("name", member.DisplayName),
+        };
+
+        foreach (var membership in memberships)
+        {
+            claims.Add(new Claim(MembershipClaim, $"{membership.ScopeType}:{membership.ScopeId}:{membership.Role}"));
+        }
+
+        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.Secret));
+        var descriptor = new SecurityTokenDescriptor
+        {
+            Issuer = _options.Issuer,
+            Audience = _options.Audience,
+            Subject = new ClaimsIdentity(claims),
+            IssuedAt = now.UtcDateTime,
+            NotBefore = now.UtcDateTime,
+            Expires = now.AddMinutes(_options.ExpiryMinutes).UtcDateTime,
+            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256),
+        };
+
+        return new JsonWebTokenHandler().CreateToken(descriptor);
+    }
+}

src/Modules/TeamUp.Modules.Identity/Contracts/IMemberDirectory.cs

@@ -0,0 +1,17 @@
+namespace TeamUp.Modules.Identity.Contracts;
+
+/// <summary>Public, non-sensitive member info other modules may display (e.g. board assignees).</summary>
+public sealed record MemberSummary(Guid Id, string Email, string DisplayName);
+
+/// <summary>
+/// The Identity module's public surface for resolving member display info by id. Other modules
+/// depend on this interface — never on Identity's entities or DbContext.
+/// </summary>
+public interface IMemberDirectory
+{
+    Task<MemberSummary?> FindByIdAsync(Guid memberId, CancellationToken cancellationToken = default);
+
+    Task<IReadOnlyDictionary<Guid, MemberSummary>> GetByIdsAsync(
+        IReadOnlyCollection<Guid> memberIds,
+        CancellationToken cancellationToken = default);
+}

src/Modules/TeamUp.Modules.Identity/Domain/Invitation.cs

@@ -0,0 +1,55 @@
+using TeamUp.SharedKernel.Access;
+using TeamUp.SharedKernel.Domain;
+
+namespace TeamUp.Modules.Identity.Domain;
+
+internal enum InvitationStatus
+{
+    Pending,
+    Accepted,
+    Revoked,
+}
+
+/// <summary>An invitation to join at a scope+role. Accepting it creates the member + membership.</summary>
+internal sealed class Invitation : Entity
+{
+    public string Email { get; private set; } = null!;
+    public ScopeType ScopeType { get; private set; }
+    public Guid ScopeId { get; private set; }
+    public RoleType Role { get; private set; }
+    public string Token { get; private set; } = null!;
+    public InvitationStatus Status { get; private set; }
+    public Guid InvitedByMemberId { get; private set; }
+    public DateTimeOffset CreatedAtUtc { get; private set; }
+    public DateTimeOffset? AcceptedAtUtc { get; private set; }
+
+    private Invitation()
+    {
+    }
+
+    public Invitation(
+        string email,
+        ScopeRef scope,
+        RoleType role,
+        string token,
+        Guid invitedByMemberId,
+        DateTimeOffset createdAtUtc)
+    {
+        Email = email;
+        ScopeType = scope.Type;
+        ScopeId = scope.Id;
+        Role = role;
+        Token = token;
+        InvitedByMemberId = invitedByMemberId;
+        Status = InvitationStatus.Pending;
+        CreatedAtUtc = createdAtUtc;
+    }
+
+    public ScopeRef Scope => new(ScopeType, ScopeId);
+
+    public void Accept(DateTimeOffset whenUtc)
+    {
+        Status = InvitationStatus.Accepted;
+        AcceptedAtUtc = whenUtc;
+    }
+}

src/Modules/TeamUp.Modules.Identity/Domain/Member.cs

@@ -0,0 +1,43 @@
+using TeamUp.SharedKernel.Domain;
+
+namespace TeamUp.Modules.Identity.Domain;
+
+internal enum MemberStatus
+{
+    Invited,
+    Active,
+    Disabled,
+}
+
+/// <summary>An invited/active human in the system. Identity owns the credential; other modules
+/// reference a member only by id (via the public member directory).</summary>
+internal sealed class Member : Entity
+{
+    public string Email { get; private set; } = null!;
+    public string DisplayName { get; private set; } = null!;
+    public string PasswordHash { get; private set; } = null!;
+    public MemberStatus Status { get; private set; }
+    public DateTimeOffset CreatedAtUtc { get; private set; }
+
+    private Member()
+    {
+    }
+
+    public Member(
+        string email,
+        string displayName,
+        string passwordHash,
+        DateTimeOffset createdAtUtc,
+        MemberStatus status = MemberStatus.Active)
+    {
+        Email = email;
+        DisplayName = displayName;
+        PasswordHash = passwordHash;
+        CreatedAtUtc = createdAtUtc;
+        Status = status;
+    }
+
+    public void SetPasswordHash(string passwordHash) => PasswordHash = passwordHash;
+
+    public void Activate() => Status = MemberStatus.Active;
+}

src/Modules/TeamUp.Modules.Identity/Domain/Membership.cs

@@ -0,0 +1,29 @@
+using TeamUp.SharedKernel.Access;
+using TeamUp.SharedKernel.Domain;
+
+namespace TeamUp.Modules.Identity.Domain;
+
+/// <summary>A member's role at a scope. Additive — a member may hold several.</summary>
+internal sealed class Membership : Entity
+{
+    public Guid MemberId { get; private set; }
+    public ScopeType ScopeType { get; private set; }
+    public Guid ScopeId { get; private set; }
+    public RoleType Role { get; private set; }
+    public DateTimeOffset CreatedAtUtc { get; private set; }
+
+    private Membership()
+    {
+    }
+
+    public Membership(Guid memberId, ScopeRef scope, RoleType role, DateTimeOffset createdAtUtc)
+    {
+        MemberId = memberId;
+        ScopeType = scope.Type;
+        ScopeId = scope.Id;
+        Role = role;
+        CreatedAtUtc = createdAtUtc;
+    }
+
+    public ScopeRef Scope => new(ScopeType, ScopeId);
+}

src/Modules/TeamUp.Modules.Identity/Endpoints/IdentityDtos.cs

@@ -0,0 +1,34 @@
+using TeamUp.SharedKernel.Access;
+
+namespace TeamUp.Modules.Identity.Endpoints;
+
+internal sealed record BootstrapRequest(
+    string OrganizationName,
+    string OwnerEmail,
+    string OwnerDisplayName,
+    string OwnerPassword);
+
+internal sealed record BootstrapResponse(string Token, Guid MemberId, Guid OrganizationId);
+
+internal sealed record LoginRequest(string Email, string Password);
+
+internal sealed record AuthResponse(string Token, Guid MemberId);
+
+internal sealed record MembershipDto(string ScopeType, Guid ScopeId, string Role);
+
+internal sealed record MeResponse(
+    Guid MemberId,
+    string Email,
+    string DisplayName,
+    IReadOnlyList<MembershipDto> Memberships);
+
+internal sealed record InviteRequest(
+    string Email,
+    ScopeType ScopeType,
+    Guid ScopeId,
+    RoleType Role,
+    Guid OrganizationId);
+
+internal sealed record InviteResponse(Guid InvitationId, string Token);
+
+internal sealed record AcceptInviteRequest(string Token, string DisplayName, string Password);

src/Modules/TeamUp.Modules.Identity/Endpoints/IdentityEndpoints.cs

@@ -0,0 +1,171 @@
+using System.Security.Cryptography;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.EntityFrameworkCore;
+using TeamUp.Modules.Identity.Auth;
+using TeamUp.Modules.Identity.Domain;
+using TeamUp.Modules.Identity.Persistence;
+using TeamUp.SharedKernel.Access;
+using TeamUp.SharedKernel.Auditing;
+using TeamUp.SharedKernel.Modularity;
+
+namespace TeamUp.Modules.Identity.Endpoints;
+
+internal static class IdentityEndpoints
+{
+    public static void Map(IEndpointRouteBuilder endpoints)
+    {
+        var group = endpoints.MapGroup("/api/identity").WithTags("Identity");
+
+        group.MapGet("/ping", () => TypedResults.Ok(new ModulePing("identity")));
+        group.MapPost("/bootstrap", Bootstrap).AllowAnonymous();
+        group.MapPost("/auth/login", Login).AllowAnonymous();
+        group.MapGet("/me", Me).RequireAuthorization();
+        group.MapPost("/invitations", CreateInvitation).RequireAuthorization();
+        group.MapPost("/invitations/accept", AcceptInvitation).AllowAnonymous();
+    }
+
+    private static async Task<IResult> Bootstrap(
+        BootstrapRequest request,
+        IdentityDbContext db,
+        IPasswordHasher<Member> hasher,
+        JwtTokenService tokens,
+        TimeProvider clock,
+        CancellationToken ct)
+    {
+        if (string.IsNullOrWhiteSpace(request.OwnerEmail) || string.IsNullOrWhiteSpace(request.OwnerPassword))
+        {
+            return Results.BadRequest("Owner email and password are required.");
+        }
+
+        if (await db.Members.AnyAsync(ct))
+        {
+            return Results.Conflict("The system is already bootstrapped.");
+        }
+
+        var now = clock.GetUtcNow();
+        var organizationId = Guid.CreateVersion7();
+        var owner = new Member(request.OwnerEmail.Trim(), request.OwnerDisplayName.Trim(), string.Empty, now);
+        owner.SetPasswordHash(hasher.HashPassword(owner, request.OwnerPassword));
+
+        var membership = new Membership(owner.Id, ScopeRef.Org(organizationId), RoleType.Owner, now);
+
+        db.Members.Add(owner);
+        db.Memberships.Add(membership);
+        await db.SaveChangesAsync(ct);
+
+        var token = tokens.Issue(owner, [membership]);
+        return Results.Ok(new BootstrapResponse(token, owner.Id, organizationId));
+    }
+
+    private static async Task<IResult> Login(
+        LoginRequest request,
+        IdentityDbContext db,
+        IPasswordHasher<Member> hasher,
+        JwtTokenService tokens,
+        CancellationToken ct)
+    {
+        var member = await db.Members.FirstOrDefaultAsync(m => m.Email == request.Email, ct);
+        if (member is null || member.Status == MemberStatus.Disabled)
+        {
+            return Results.Unauthorized();
+        }
+
+        var result = hasher.VerifyHashedPassword(member, member.PasswordHash, request.Password);
+        if (result == PasswordVerificationResult.Failed)
+        {
+            return Results.Unauthorized();
+        }
+
+        var memberships = await db.Memberships.Where(m => m.MemberId == member.Id).ToListAsync(ct);
+        return Results.Ok(new AuthResponse(tokens.Issue(member, memberships), member.Id));
+    }
+
+    private static async Task<IResult> Me(ICurrentUser currentUser, IdentityDbContext db, CancellationToken ct)
+    {
+        var member = await db.Members.FirstOrDefaultAsync(m => m.Id == currentUser.MemberId, ct);
+        if (member is null)
+        {
+            return Results.NotFound();
+        }
+
+        var memberships = currentUser.Memberships
+            .Select(m => new MembershipDto(m.Scope.Type.ToString(), m.Scope.Id, m.Role.ToString()))
+            .ToList();
+
+        return Results.Ok(new MeResponse(member.Id, member.Email, member.DisplayName, memberships));
+    }
+
+    private static async Task<IResult> CreateInvitation(
+        InviteRequest request,
+        ICurrentUser currentUser,
+        IPermissionService permissions,
+        IAuditLog audit,
+        IdentityDbContext db,
+        TimeProvider clock,
+        CancellationToken ct)
+    {
+        var targetScope = new ScopeRef(request.ScopeType, request.ScopeId);
+        var orgScope = ScopeRef.Org(request.OrganizationId);
+        var chain = targetScope == orgScope
+            ? new[] { targetScope }
+            : new[] { targetScope, orgScope };
+
+        if (!permissions.Has(Capability.InvitePeople, chain))
+        {
+            return Results.Forbid();
+        }
+
+        if (string.IsNullOrWhiteSpace(request.Email))
+        {
+            return Results.BadRequest("Email is required.");
+        }
+
+        var token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
+        var invitation = new Invitation(
+            request.Email.Trim(), targetScope, request.Role, token, currentUser.MemberId, clock.GetUtcNow());
+
+        db.Invitations.Add(invitation);
+        await db.SaveChangesAsync(ct);
+        await audit.WriteAsync(
+            new AuditEvent("invitation.created", "Invitation", invitation.Id, currentUser.MemberId, request.Email.Trim()), ct);
+
+        return Results.Ok(new InviteResponse(invitation.Id, token));
+    }
+
+    private static async Task<IResult> AcceptInvitation(
+        AcceptInviteRequest request,
+        IdentityDbContext db,
+        IPasswordHasher<Member> hasher,
+        JwtTokenService tokens,
+        IAuditLog audit,
+        TimeProvider clock,
+        CancellationToken ct)
+    {
+        var invitation = await db.Invitations.FirstOrDefaultAsync(i => i.Token == request.Token, ct);
+        if (invitation is null || invitation.Status != InvitationStatus.Pending)
+        {
+            return Results.BadRequest("Invitation not found or already used.");
+        }
+
+        if (string.IsNullOrWhiteSpace(request.Password) || string.IsNullOrWhiteSpace(request.DisplayName))
+        {
+            return Results.BadRequest("Display name and password are required.");
+        }
+
+        var now = clock.GetUtcNow();
+        var member = new Member(invitation.Email, request.DisplayName.Trim(), string.Empty, now);
+        member.SetPasswordHash(hasher.HashPassword(member, request.Password));
+        var membership = new Membership(member.Id, invitation.Scope, invitation.Role, now);
+        invitation.Accept(now);
+
+        db.Members.Add(member);
+        db.Memberships.Add(membership);
+        await db.SaveChangesAsync(ct);
+        await audit.WriteAsync(new AuditEvent("member.joined", "Member", member.Id, member.Id, member.Email), ct);
+
+        return Results.Ok(new AuthResponse(tokens.Issue(member, [membership]), member.Id));
+    }
+}

src/Modules/TeamUp.Modules.Identity/IdentityModule.cs

@@ -1,27 +1,65 @@
-using Microsoft.AspNetCore.Builder;
+using System.Text;
-using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Routing;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.IdentityModel.Tokens;
+using TeamUp.Modules.Identity.Access;
+using TeamUp.Modules.Identity.Auth;
+using TeamUp.Modules.Identity.Contracts;
+using TeamUp.Modules.Identity.Domain;
+using TeamUp.Modules.Identity.Endpoints;
+using TeamUp.Modules.Identity.Persistence;
+using TeamUp.SharedKernel.Access;
 using TeamUp.SharedKernel.Modularity;
+using TeamUp.SharedKernel.Persistence;
 
 namespace TeamUp.Modules.Identity;
 
-/// <summary>Identity &amp; access: members, memberships, roles, permission enforcement (M1).</summary>
+/// <summary>Identity &amp; access: members, memberships, invitations, JWT auth, permission enforcement (M1).</summary>
 public sealed class IdentityModule : IModule
 {
     public string Name => "identity";
 
     public void Register(IServiceCollection services, IConfiguration configuration)
     {
-        // Skeleton: no services yet. M1 introduces this module's (internal) DbContext,
+        var connectionString = configuration.GetConnectionString("Postgres")
-        // FluentValidation validators, and domain services here.
+            ?? throw new InvalidOperationException("Missing connection string 'ConnectionStrings:Postgres'.");
+
+        services.AddDbContext<IdentityDbContext>(options => options.UseNpgsql(connectionString));
+        services.AddScoped<IModuleDbContext>(sp => sp.GetRequiredService<IdentityDbContext>());
+
+        services.TryAddSingleton(TimeProvider.System);
+        services.AddHttpContextAccessor();
+        services.AddScoped<ICurrentUser, CurrentUser>();
+        services.AddScoped<IPermissionService, PermissionService>();
+        services.AddScoped<IMemberDirectory, MemberDirectory>();
+        services.AddScoped<JwtTokenService>();
+        services.AddSingleton<IPasswordHasher<Member>, PasswordHasher<Member>>();
+
+        services.Configure<JwtOptions>(configuration.GetSection(JwtOptions.SectionName));
+        var jwt = configuration.GetSection(JwtOptions.SectionName).Get<JwtOptions>() ?? new JwtOptions();
+
+        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(options =>
+            {
+                options.MapInboundClaims = false;
+                options.TokenValidationParameters = new TokenValidationParameters
+                {
+                    ValidateIssuer = true,
+                    ValidIssuer = jwt.Issuer,
+                    ValidateAudience = true,
+                    ValidAudience = jwt.Audience,
+                    ValidateIssuerSigningKey = true,
+                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwt.Secret)),
+                    ValidateLifetime = true,
+                };
+            });
+        services.AddAuthorization();
     }
 
-    public void MapEndpoints(IEndpointRouteBuilder endpoints)
+    public void MapEndpoints(IEndpointRouteBuilder endpoints) => IdentityEndpoints.Map(endpoints);
-    {
-        endpoints.MapGroup($"/api/{Name}")
-            .WithTags("Identity")
-            .MapGet("/ping", () => TypedResults.Ok(new ModulePing(Name)));
-    }
 }

src/Modules/TeamUp.Modules.Identity/Persistence/IdentityDbContext.cs

@@ -0,0 +1,54 @@
+using Microsoft.EntityFrameworkCore;
+using TeamUp.Modules.Identity.Domain;
+using TeamUp.SharedKernel.Persistence;
+
+namespace TeamUp.Modules.Identity.Persistence;
+
+internal sealed class IdentityDbContext(DbContextOptions<IdentityDbContext> options)
+    : DbContext(options), IModuleDbContext
+{
+    public DbSet<Member> Members => Set<Member>();
+    public DbSet<Membership> Memberships => Set<Membership>();
+    public DbSet<Invitation> Invitations => Set<Invitation>();
+
+    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    {
+        modelBuilder.HasDefaultSchema("identity");
+
+        modelBuilder.Entity<Member>(member =>
+        {
+            member.ToTable("members");
+            member.HasKey(m => m.Id);
+            member.Property(m => m.Email).HasMaxLength(256).IsRequired();
+            member.HasIndex(m => m.Email).IsUnique();
+            member.Property(m => m.DisplayName).HasMaxLength(128).IsRequired();
+            member.Property(m => m.PasswordHash).HasMaxLength(512).IsRequired();
+            member.Property(m => m.Status).HasConversion<string>().HasMaxLength(32);
+        });
+
+        modelBuilder.Entity<Membership>(membership =>
+        {
+            membership.ToTable("memberships");
+            membership.HasKey(m => m.Id);
+            membership.Property(m => m.ScopeType).HasConversion<string>().HasMaxLength(32);
+            membership.Property(m => m.Role).HasConversion<string>().HasMaxLength(32);
+            membership.Ignore(m => m.Scope);
+            membership.HasIndex(m => m.MemberId);
+            membership.HasIndex(m => new { m.MemberId, m.ScopeType, m.ScopeId, m.Role }).IsUnique();
+        });
+
+        modelBuilder.Entity<Invitation>(invitation =>
+        {
+            invitation.ToTable("invitations");
+            invitation.HasKey(i => i.Id);
+            invitation.Property(i => i.Email).HasMaxLength(256).IsRequired();
+            invitation.Property(i => i.Token).HasMaxLength(128).IsRequired();
+            invitation.HasIndex(i => i.Token).IsUnique();
+            invitation.HasIndex(i => i.Email);
+            invitation.Property(i => i.ScopeType).HasConversion<string>().HasMaxLength(32);
+            invitation.Property(i => i.Role).HasConversion<string>().HasMaxLength(32);
+            invitation.Property(i => i.Status).HasConversion<string>().HasMaxLength(32);
+            invitation.Ignore(i => i.Scope);
+        });
+    }
+}

src/Modules/TeamUp.Modules.Identity/Persistence/IdentityDbContextFactory.cs

@@ -0,0 +1,21 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Design;
+
+namespace TeamUp.Modules.Identity.Persistence;
+
+/// <summary>Design-time factory so `dotnet ef` can build the internal context without a host.</summary>
+internal sealed class IdentityDbContextFactory : IDesignTimeDbContextFactory<IdentityDbContext>
+{
+    public IdentityDbContext CreateDbContext(string[] args)
+    {
+        var connectionString =
+            Environment.GetEnvironmentVariable("ConnectionStrings__Postgres")
+            ?? "Host=localhost;Port=5432;Database=teamup;Username=teamup;Password=teamup";
+
+        var options = new DbContextOptionsBuilder<IdentityDbContext>()
+            .UseNpgsql(connectionString)
+            .Options;
+
+        return new IdentityDbContext(options);
+    }
+}

src/Modules/TeamUp.Modules.Identity/Persistence/MemberDirectory.cs

@@ -0,0 +1,24 @@
+using Microsoft.EntityFrameworkCore;
+using TeamUp.Modules.Identity.Contracts;
+
+namespace TeamUp.Modules.Identity.Persistence;
+
+internal sealed class MemberDirectory(IdentityDbContext db) : IMemberDirectory
+{
+    public async Task<MemberSummary?> FindByIdAsync(Guid memberId, CancellationToken cancellationToken = default) =>
+        await db.Members
+            .Where(m => m.Id == memberId)
+            .Select(m => new MemberSummary(m.Id, m.Email, m.DisplayName))
+            .FirstOrDefaultAsync(cancellationToken);
+
+    public async Task<IReadOnlyDictionary<Guid, MemberSummary>> GetByIdsAsync(
+        IReadOnlyCollection<Guid> memberIds,
+        CancellationToken cancellationToken = default)
+    {
+        var ids = memberIds.ToHashSet();
+        return await db.Members
+            .Where(m => ids.Contains(m.Id))
+            .Select(m => new MemberSummary(m.Id, m.Email, m.DisplayName))
+            .ToDictionaryAsync(m => m.Id, cancellationToken);
+    }
+}

src/Modules/TeamUp.Modules.Identity/Persistence/Migrations/20260609042521_InitialIdentity.Designer.cs

@@ -0,0 +1,156 @@
+// <auto-generated />
+using System;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using TeamUp.Modules.Identity.Persistence;
+
+#nullable disable
+
+namespace TeamUp.Modules.Identity.Persistence.Migrations
+{
+    [DbContext(typeof(IdentityDbContext))]
+    [Migration("20260609042521_InitialIdentity")]
+    partial class InitialIdentity
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasDefaultSchema("identity")
+                .HasAnnotation("ProductVersion", "10.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Invitation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("AcceptedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("InvitedByMemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Role")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("ScopeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ScopeType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("Token")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("invitations", "identity");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Member", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DisplayName")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("PasswordHash")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique();
+
+                    b.ToTable("members", "identity");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Membership", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("MemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Role")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("ScopeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ScopeType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("MemberId");
+
+                    b.HasIndex("MemberId", "ScopeType", "ScopeId", "Role")
+                        .IsUnique();
+
+                    b.ToTable("memberships", "identity");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

src/Modules/TeamUp.Modules.Identity/Persistence/Migrations/20260609042521_InitialIdentity.cs

@@ -0,0 +1,122 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace TeamUp.Modules.Identity.Persistence.Migrations
+{
+    /// <inheritdoc />
+    public partial class InitialIdentity : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.EnsureSchema(
+                name: "identity");
+
+            migrationBuilder.CreateTable(
+                name: "invitations",
+                schema: "identity",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uuid", nullable: false),
+                    Email = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
+                    ScopeType = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
+                    ScopeId = table.Column<Guid>(type: "uuid", nullable: false),
+                    Role = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
+                    Token = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
+                    Status = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
+                    InvitedByMemberId = table.Column<Guid>(type: "uuid", nullable: false),
+                    CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
+                    AcceptedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_invitations", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "members",
+                schema: "identity",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uuid", nullable: false),
+                    Email = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
+                    DisplayName = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
+                    PasswordHash = table.Column<string>(type: "character varying(512)", maxLength: 512, nullable: false),
+                    Status = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
+                    CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_members", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "memberships",
+                schema: "identity",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uuid", nullable: false),
+                    MemberId = table.Column<Guid>(type: "uuid", nullable: false),
+                    ScopeType = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
+                    ScopeId = table.Column<Guid>(type: "uuid", nullable: false),
+                    Role = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
+                    CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_memberships", x => x.Id);
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_invitations_Email",
+                schema: "identity",
+                table: "invitations",
+                column: "Email");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_invitations_Token",
+                schema: "identity",
+                table: "invitations",
+                column: "Token",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_members_Email",
+                schema: "identity",
+                table: "members",
+                column: "Email",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_memberships_MemberId",
+                schema: "identity",
+                table: "memberships",
+                column: "MemberId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_memberships_MemberId_ScopeType_ScopeId_Role",
+                schema: "identity",
+                table: "memberships",
+                columns: new[] { "MemberId", "ScopeType", "ScopeId", "Role" },
+                unique: true);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "invitations",
+                schema: "identity");
+
+            migrationBuilder.DropTable(
+                name: "members",
+                schema: "identity");
+
+            migrationBuilder.DropTable(
+                name: "memberships",
+                schema: "identity");
+        }
+    }
+}

src/Modules/TeamUp.Modules.Identity/Persistence/Migrations/IdentityDbContextModelSnapshot.cs

@@ -0,0 +1,153 @@
+// <auto-generated />
+using System;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using TeamUp.Modules.Identity.Persistence;
+
+#nullable disable
+
+namespace TeamUp.Modules.Identity.Persistence.Migrations
+{
+    [DbContext(typeof(IdentityDbContext))]
+    partial class IdentityDbContextModelSnapshot : ModelSnapshot
+    {
+        protected override void BuildModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasDefaultSchema("identity")
+                .HasAnnotation("ProductVersion", "10.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Invitation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("AcceptedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("InvitedByMemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Role")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("ScopeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ScopeType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("Token")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email");
+
+                    b.HasIndex("Token")
+                        .IsUnique();
+
+                    b.ToTable("invitations", "identity");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Member", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DisplayName")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("PasswordHash")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique();
+
+                    b.ToTable("members", "identity");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Membership", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("MemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Role")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("ScopeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ScopeType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("MemberId");
+
+                    b.HasIndex("MemberId", "ScopeType", "ScopeId", "Role")
+                        .IsUnique();
+
+                    b.ToTable("memberships", "identity");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

src/Modules/TeamUp.Modules.Identity/TeamUp.Modules.Identity.csproj

@@ -1,10 +1,20 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
-  <!-- A self-contained module. References SharedKernel ONLY (ASP.NET flows transitively for the
+  <!-- Identity & access: members, memberships, invitations, JWT auth, permission enforcement.
-       IModule seam). M1 adds this module's EF/Npgsql/FluentValidation/Mapperly packages when it
+       References SharedKernel only; never another module. -->
-       gains an (internal) DbContext and validators. It must never reference another module. -->
   <ItemGroup>
     <ProjectReference Include="..\..\Shared\TeamUp.SharedKernel\TeamUp.SharedKernel.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <PackageReference Include="Microsoft.EntityFrameworkCore" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Design" PrivateAssets="all" />
+    <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" />
+    <PackageReference Include="FluentValidation" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
+    <PackageReference Include="Microsoft.Extensions.Identity.Core" />
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" />
+  </ItemGroup>
+
 </Project>

src/Modules/TeamUp.Modules.OrgBoard/Domain/Enums.cs

@@ -0,0 +1,34 @@
+namespace TeamUp.Modules.OrgBoard.Domain;
+
+/// <summary>The seat-state triad — the load-bearing concept of the UI (human / open / AI).</summary>
+internal enum SeatState
+{
+    Human,
+    Open,
+    Ai,
+}
+
+internal enum WorkItemType
+{
+    Spec,
+    Story,
+    Test,
+    Review,
+    Release,
+}
+
+/// <summary>The board columns: backlog → in progress → in review → done.</summary>
+internal enum WorkItemStatus
+{
+    Backlog,
+    InProgress,
+    InReview,
+    Done,
+}
+
+internal enum AssigneeKind
+{
+    Unassigned,
+    Member,
+    Agent,
+}

src/Modules/TeamUp.Modules.OrgBoard/Domain/Organization.cs

@@ -0,0 +1,23 @@
+using TeamUp.SharedKernel.Domain;
+
+namespace TeamUp.Modules.OrgBoard.Domain;
+
+/// <summary>The company. Its id is the Organization scope that org-level memberships are granted at.</summary>
+internal sealed class Organization : Entity
+{
+    public string Name { get; private set; } = null!;
+    public DateTimeOffset CreatedAtUtc { get; private set; }
+
+    private Organization()
+    {
+    }
+
+    public Organization(Guid id, string name, DateTimeOffset createdAtUtc)
+    {
+        Id = id;
+        Name = name;
+        CreatedAtUtc = createdAtUtc;
+    }
+
+    public void Rename(string name) => Name = name;
+}

src/Modules/TeamUp.Modules.OrgBoard/Domain/Seat.cs

@@ -0,0 +1,41 @@
+using TeamUp.SharedKernel.Domain;
+
+namespace TeamUp.Modules.OrgBoard.Domain;
+
+/// <summary>A role on a team, in one of three states: human / open / AI. AI seats are configured in M3.</summary>
+internal sealed class Seat : Entity
+{
+    public Guid TeamId { get; private set; }
+    public string RoleName { get; private set; } = null!;
+    public SeatState State { get; private set; }
+    public Guid? MemberId { get; private set; }
+    public Guid? AgentId { get; private set; }
+    public DateTimeOffset CreatedAtUtc { get; private set; }
+
+    private Seat()
+    {
+    }
+
+    public Seat(Guid teamId, string roleName, SeatState state, DateTimeOffset createdAtUtc, Guid? memberId = null)
+    {
+        TeamId = teamId;
+        RoleName = roleName;
+        State = state;
+        MemberId = memberId;
+        CreatedAtUtc = createdAtUtc;
+    }
+
+    public void AssignMember(Guid memberId)
+    {
+        MemberId = memberId;
+        AgentId = null;
+        State = SeatState.Human;
+    }
+
+    public void Open()
+    {
+        MemberId = null;
+        AgentId = null;
+        State = SeatState.Open;
+    }
+}

src/Modules/TeamUp.Modules.OrgBoard/Domain/Team.cs

@@ -0,0 +1,22 @@
+using TeamUp.SharedKernel.Domain;
+
+namespace TeamUp.Modules.OrgBoard.Domain;
+
+/// <summary>A team within an organization. Team-level memberships are granted at its id (Team scope).</summary>
+internal sealed class Team : Entity
+{
+    public Guid OrganizationId { get; private set; }
+    public string Name { get; private set; } = null!;
+    public DateTimeOffset CreatedAtUtc { get; private set; }
+
+    private Team()
+    {
+    }
+
+    public Team(Guid organizationId, string name, DateTimeOffset createdAtUtc)
+    {
+        OrganizationId = organizationId;
+        Name = name;
+        CreatedAtUtc = createdAtUtc;
+    }
+}

src/Modules/TeamUp.Modules.OrgBoard/Domain/WorkItem.cs

@@ -0,0 +1,64 @@
+using TeamUp.SharedKernel.Domain;
+
+namespace TeamUp.Modules.OrgBoard.Domain;
+
+/// <summary>A board task. Humans and AI share this one model — the assignee is a member or an agent.</summary>
+internal sealed class WorkItem : Entity
+{
+    public Guid TeamId { get; private set; }
+    public string Title { get; private set; } = null!;
+    public string? Description { get; private set; }
+    public WorkItemType Type { get; private set; }
+    public WorkItemStatus Status { get; private set; }
+    public AssigneeKind AssigneeKind { get; private set; }
+    public Guid? AssigneeId { get; private set; }
+    public Guid? ParentId { get; private set; }
+    public Guid CreatedByMemberId { get; private set; }
+    public DateTimeOffset CreatedAtUtc { get; private set; }
+    public DateTimeOffset UpdatedAtUtc { get; private set; }
+
+    private WorkItem()
+    {
+    }
+
+    public WorkItem(
+        Guid teamId,
+        string title,
+        string? description,
+        WorkItemType type,
+        Guid createdByMemberId,
+        DateTimeOffset nowUtc,
+        Guid? parentId = null)
+    {
+        TeamId = teamId;
+        Title = title;
+        Description = description;
+        Type = type;
+        Status = WorkItemStatus.Backlog;
+        AssigneeKind = AssigneeKind.Unassigned;
+        CreatedByMemberId = createdByMemberId;
+        ParentId = parentId;
+        CreatedAtUtc = nowUtc;
+        UpdatedAtUtc = nowUtc;
+    }
+
+    public void MoveTo(WorkItemStatus status, DateTimeOffset nowUtc)
+    {
+        Status = status;
+        UpdatedAtUtc = nowUtc;
+    }
+
+    public void AssignToMember(Guid memberId, DateTimeOffset nowUtc)
+    {
+        AssigneeKind = AssigneeKind.Member;
+        AssigneeId = memberId;
+        UpdatedAtUtc = nowUtc;
+    }
+
+    public void Unassign(DateTimeOffset nowUtc)
+    {
+        AssigneeKind = AssigneeKind.Unassigned;
+        AssigneeId = null;
+        UpdatedAtUtc = nowUtc;
+    }
+}

src/Modules/TeamUp.Modules.OrgBoard/Endpoints/OrgBoardDtos.cs

@@ -0,0 +1,32 @@
+using TeamUp.Modules.OrgBoard.Domain;
+
+namespace TeamUp.Modules.OrgBoard.Endpoints;
+
+internal sealed record CreateOrganizationRequest(Guid OrganizationId, string Name);
+
+internal sealed record OrganizationResponse(Guid Id, string Name);
+
+internal sealed record CreateTeamRequest(Guid OrganizationId, string Name);
+
+internal sealed record TeamResponse(Guid Id, Guid OrganizationId, string Name);
+
+internal sealed record CreateTaskRequest(Guid TeamId, string Title, string? Description, WorkItemType Type);
+
+internal sealed record MoveTaskRequest(WorkItemStatus Status);
+
+internal sealed record AssignTaskRequest(Guid MemberId);
+
+internal sealed record TaskResponse(
+    Guid Id,
+    Guid TeamId,
+    string Title,
+    string? Description,
+    string Type,
+    string Status,
+    string AssigneeKind,
+    Guid? AssigneeId,
+    Guid? ParentId);
+
+internal sealed record BoardColumn(string Status, IReadOnlyList<TaskResponse> Items);
+
+internal sealed record BoardResponse(Guid TeamId, IReadOnlyList<BoardColumn> Columns);

src/Modules/TeamUp.Modules.OrgBoard/Endpoints/OrgBoardEndpoints.cs

@@ -0,0 +1,228 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.EntityFrameworkCore;
+using TeamUp.Modules.OrgBoard.Domain;
+using TeamUp.Modules.OrgBoard.Persistence;
+using TeamUp.SharedKernel.Access;
+using TeamUp.SharedKernel.Auditing;
+using TeamUp.SharedKernel.Modularity;
+
+namespace TeamUp.Modules.OrgBoard.Endpoints;
+
+internal static class OrgBoardEndpoints
+{
+    public static void Map(IEndpointRouteBuilder endpoints)
+    {
+        var group = endpoints.MapGroup("/api/orgboard").WithTags("OrgBoard");
+
+        group.MapGet("/ping", () => TypedResults.Ok(new ModulePing("orgboard")));
+        group.MapPost("/organizations", CreateOrganization).RequireAuthorization();
+        group.MapPost("/teams", CreateTeam).RequireAuthorization();
+        group.MapGet("/teams", ListTeams).RequireAuthorization();
+        group.MapPost("/tasks", CreateTask).RequireAuthorization();
+        group.MapGet("/board", GetBoard).RequireAuthorization();
+        group.MapPatch("/tasks/{id:guid}/move", MoveTask).RequireAuthorization();
+        group.MapPatch("/tasks/{id:guid}/assign", AssignTask).RequireAuthorization();
+        group.MapGet("/cartable", Cartable).RequireAuthorization();
+    }
+
+    private static TaskResponse ToResponse(WorkItem item) => new(
+        item.Id, item.TeamId, item.Title, item.Description,
+        item.Type.ToString(), item.Status.ToString(), item.AssigneeKind.ToString(),
+        item.AssigneeId, item.ParentId);
+
+    private static async Task<IResult> CreateOrganization(
+        CreateOrganizationRequest request, IPermissionService permissions,
+        OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        if (!permissions.Has(Capability.CreateProductsAndTeams, ScopeRef.Org(request.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        if (string.IsNullOrWhiteSpace(request.Name))
+        {
+            return Results.BadRequest("Name is required.");
+        }
+
+        var organization = await db.Organizations.FirstOrDefaultAsync(o => o.Id == request.OrganizationId, ct);
+        if (organization is null)
+        {
+            organization = new Organization(request.OrganizationId, request.Name.Trim(), clock.GetUtcNow());
+            db.Organizations.Add(organization);
+        }
+        else
+        {
+            organization.Rename(request.Name.Trim());
+        }
+
+        await db.SaveChangesAsync(ct);
+        return Results.Ok(new OrganizationResponse(organization.Id, organization.Name));
+    }
+
+    private static async Task<IResult> CreateTeam(
+        CreateTeamRequest request, ICurrentUser user, IPermissionService permissions,
+        IAuditLog audit, OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        if (!permissions.Has(Capability.CreateProductsAndTeams, ScopeRef.Org(request.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        if (string.IsNullOrWhiteSpace(request.Name))
+        {
+            return Results.BadRequest("Name is required.");
+        }
+
+        if (!await db.Organizations.AnyAsync(o => o.Id == request.OrganizationId, ct))
+        {
+            return Results.BadRequest("Organization does not exist; create it first.");
+        }
+
+        var team = new Team(request.OrganizationId, request.Name.Trim(), clock.GetUtcNow());
+        db.Teams.Add(team);
+        await db.SaveChangesAsync(ct);
+        await audit.WriteAsync(new AuditEvent("team.created", "Team", team.Id, user.MemberId, team.Name), ct);
+        return Results.Ok(new TeamResponse(team.Id, team.OrganizationId, team.Name));
+    }
+
+    private static async Task<IResult> ListTeams(
+        Guid organizationId, IPermissionService permissions, OrgBoardDbContext db, CancellationToken ct)
+    {
+        if (!permissions.Has(Capability.ViewBoard, ScopeRef.Org(organizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        var teams = await db.Teams
+            .Where(t => t.OrganizationId == organizationId)
+            .OrderBy(t => t.CreatedAtUtc)
+            .Select(t => new TeamResponse(t.Id, t.OrganizationId, t.Name))
+            .ToListAsync(ct);
+
+        return Results.Ok(teams);
+    }
+
+    private static async Task<IResult> CreateTask(
+        CreateTaskRequest request, ICurrentUser user, IPermissionService permissions,
+        IAuditLog audit, OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        var team = await db.Teams.FirstOrDefaultAsync(t => t.Id == request.TeamId, ct);
+        if (team is null)
+        {
+            return Results.NotFound("Team not found.");
+        }
+
+        if (!permissions.Has(Capability.WorkTasks, ScopeRef.Team(team.Id), ScopeRef.Org(team.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        if (string.IsNullOrWhiteSpace(request.Title))
+        {
+            return Results.BadRequest("Title is required.");
+        }
+
+        var item = new WorkItem(team.Id, request.Title.Trim(), request.Description, request.Type, user.MemberId, clock.GetUtcNow());
+        db.WorkItems.Add(item);
+        await db.SaveChangesAsync(ct);
+        await audit.WriteAsync(new AuditEvent("task.created", "WorkItem", item.Id, user.MemberId, item.Title), ct);
+        return Results.Ok(ToResponse(item));
+    }
+
+    private static async Task<IResult> GetBoard(
+        Guid teamId, IPermissionService permissions, OrgBoardDbContext db, CancellationToken ct)
+    {
+        var team = await db.Teams.FirstOrDefaultAsync(t => t.Id == teamId, ct);
+        if (team is null)
+        {
+            return Results.NotFound("Team not found.");
+        }
+
+        if (!permissions.Has(Capability.ViewBoard, ScopeRef.Team(team.Id), ScopeRef.Org(team.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        var items = await db.WorkItems.Where(w => w.TeamId == teamId).OrderBy(w => w.CreatedAtUtc).ToListAsync(ct);
+        var columns = Enum.GetValues<WorkItemStatus>()
+            .Select(status => new BoardColumn(
+                status.ToString(),
+                items.Where(i => i.Status == status).Select(ToResponse).ToList()))
+            .ToList();
+
+        return Results.Ok(new BoardResponse(teamId, columns));
+    }
+
+    private static async Task<IResult> MoveTask(
+        Guid id, MoveTaskRequest request, ICurrentUser user, IPermissionService permissions,
+        IAuditLog audit, OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        var (item, team, error) = await LoadItemWithTeam(db, id, ct);
+        if (error is not null)
+        {
+            return error;
+        }
+
+        if (!permissions.Has(Capability.WorkTasks, ScopeRef.Team(team!.Id), ScopeRef.Org(team.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        item!.MoveTo(request.Status, clock.GetUtcNow());
+        await db.SaveChangesAsync(ct);
+        await audit.WriteAsync(new AuditEvent("task.moved", "WorkItem", item.Id, user.MemberId, request.Status.ToString()), ct);
+        return Results.Ok(ToResponse(item));
+    }
+
+    private static async Task<IResult> AssignTask(
+        Guid id, AssignTaskRequest request, ICurrentUser user, IPermissionService permissions,
+        IAuditLog audit, OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        var (item, team, error) = await LoadItemWithTeam(db, id, ct);
+        if (error is not null)
+        {
+            return error;
+        }
+
+        if (!permissions.Has(Capability.WorkTasks, ScopeRef.Team(team!.Id), ScopeRef.Org(team.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        item!.AssignToMember(request.MemberId, clock.GetUtcNow());
+        await db.SaveChangesAsync(ct);
+        await audit.WriteAsync(new AuditEvent("task.assigned", "WorkItem", item.Id, user.MemberId, request.MemberId.ToString()), ct);
+        return Results.Ok(ToResponse(item));
+    }
+
+    private static async Task<IResult> Cartable(ICurrentUser user, OrgBoardDbContext db, CancellationToken ct)
+    {
+        var memberId = user.MemberId;
+        var items = await db.WorkItems
+            .Where(w => w.AssigneeKind == AssigneeKind.Member && w.AssigneeId == memberId)
+            .OrderByDescending(w => w.UpdatedAtUtc)
+            .ToListAsync(ct);
+
+        return Results.Ok(items.Select(ToResponse).ToList());
+    }
+
+    private static async Task<(WorkItem? Item, Team? Team, IResult? Error)> LoadItemWithTeam(
+        OrgBoardDbContext db, Guid itemId, CancellationToken ct)
+    {
+        var item = await db.WorkItems.FirstOrDefaultAsync(w => w.Id == itemId, ct);
+        if (item is null)
+        {
+            return (null, null, Results.NotFound("Task not found."));
+        }
+
+        var team = await db.Teams.FirstOrDefaultAsync(t => t.Id == item.TeamId, ct);
+        if (team is null)
+        {
+            return (null, null, Results.NotFound("Team not found."));
+        }
+
+        return (item, team, null);
+    }
+}

src/Modules/TeamUp.Modules.OrgBoard/OrgBoardModule.cs

@@ -1,9 +1,12 @@
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Routing;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using TeamUp.Modules.OrgBoard.Endpoints;
+using TeamUp.Modules.OrgBoard.Persistence;
 using TeamUp.SharedKernel.Modularity;
+using TeamUp.SharedKernel.Persistence;
 
 namespace TeamUp.Modules.OrgBoard;
 
@@ -14,14 +17,13 @@ public sealed class OrgBoardModule : IModule
 
     public void Register(IServiceCollection services, IConfiguration configuration)
     {
-        // Skeleton: no services yet. M1 introduces this module's (internal) DbContext,
+        var connectionString = configuration.GetConnectionString("Postgres")
-        // FluentValidation validators, and domain services here.
+            ?? throw new InvalidOperationException("Missing connection string 'ConnectionStrings:Postgres'.");
+
+        services.AddDbContext<OrgBoardDbContext>(options => options.UseNpgsql(connectionString));
+        services.AddScoped<IModuleDbContext>(sp => sp.GetRequiredService<OrgBoardDbContext>());
+        services.TryAddSingleton(TimeProvider.System);
     }
 
-    public void MapEndpoints(IEndpointRouteBuilder endpoints)
+    public void MapEndpoints(IEndpointRouteBuilder endpoints) => OrgBoardEndpoints.Map(endpoints);
-    {
-        endpoints.MapGroup($"/api/{Name}")
-            .WithTags("OrgBoard")
-            .MapGet("/ping", () => TypedResults.Ok(new ModulePing(Name)));
-    }
 }

src/Modules/TeamUp.Modules.OrgBoard/Persistence/Migrations/20260609043906_InitialOrgBoard.Designer.cs

@@ -0,0 +1,165 @@
+// <auto-generated />
+using System;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using TeamUp.Modules.OrgBoard.Persistence;
+
+#nullable disable
+
+namespace TeamUp.Modules.OrgBoard.Persistence.Migrations
+{
+    [DbContext(typeof(OrgBoardDbContext))]
+    [Migration("20260609043906_InitialOrgBoard")]
+    partial class InitialOrgBoard
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasDefaultSchema("orgboard")
+                .HasAnnotation("ProductVersion", "10.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("TeamUp.Modules.OrgBoard.Domain.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("organizations", "orgboard");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.OrgBoard.Domain.Seat", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("AgentId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("MemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("RoleName")
+                        .IsRequired()
+                        .HasMaxLength(120)
+                        .HasColumnType("character varying(120)");
+
+                    b.Property<string>("State")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<Guid>("TeamId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TeamId");
+
+                    b.ToTable("seats", "orgboard");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.OrgBoard.Domain.Team", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("teams", "orgboard");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.OrgBoard.Domain.WorkItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("AssigneeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AssigneeKind")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("CreatedByMemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("ParentId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<Guid>("TeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Title")
+                        .IsRequired()
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<DateTimeOffset>("UpdatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TeamId");
+
+                    b.HasIndex("AssigneeKind", "AssigneeId");
+
+                    b.ToTable("work_items", "orgboard");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

src/Modules/TeamUp.Modules.OrgBoard/Persistence/Migrations/20260609043906_InitialOrgBoard.cs

@@ -0,0 +1,132 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace TeamUp.Modules.OrgBoard.Persistence.Migrations
+{
+    /// <inheritdoc />
+    public partial class InitialOrgBoard : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.EnsureSchema(
+                name: "orgboard");
+
+            migrationBuilder.CreateTable(
+                name: "organizations",
+                schema: "orgboard",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uuid", nullable: false),
+                    Name = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_organizations", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "seats",
+                schema: "orgboard",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uuid", nullable: false),
+                    TeamId = table.Column<Guid>(type: "uuid", nullable: false),
+                    RoleName = table.Column<string>(type: "character varying(120)", maxLength: 120, nullable: false),
+                    State = table.Column<string>(type: "character varying(16)", maxLength: 16, nullable: false),
+                    MemberId = table.Column<Guid>(type: "uuid", nullable: true),
+                    AgentId = table.Column<Guid>(type: "uuid", nullable: true),
+                    CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_seats", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "teams",
+                schema: "orgboard",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uuid", nullable: false),
+                    OrganizationId = table.Column<Guid>(type: "uuid", nullable: false),
+                    Name = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
+                    CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_teams", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "work_items",
+                schema: "orgboard",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uuid", nullable: false),
+                    TeamId = table.Column<Guid>(type: "uuid", nullable: false),
+                    Title = table.Column<string>(type: "character varying(300)", maxLength: 300, nullable: false),
+                    Description = table.Column<string>(type: "text", nullable: true),
+                    Type = table.Column<string>(type: "character varying(16)", maxLength: 16, nullable: false),
+                    Status = table.Column<string>(type: "character varying(16)", maxLength: 16, nullable: false),
+                    AssigneeKind = table.Column<string>(type: "character varying(16)", maxLength: 16, nullable: false),
+                    AssigneeId = table.Column<Guid>(type: "uuid", nullable: true),
+                    ParentId = table.Column<Guid>(type: "uuid", nullable: true),
+                    CreatedByMemberId = table.Column<Guid>(type: "uuid", nullable: false),
+                    CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
+                    UpdatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_work_items", x => x.Id);
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_seats_TeamId",
+                schema: "orgboard",
+                table: "seats",
+                column: "TeamId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_teams_OrganizationId",
+                schema: "orgboard",
+                table: "teams",
+                column: "OrganizationId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_work_items_AssigneeKind_AssigneeId",
+                schema: "orgboard",
+                table: "work_items",
+                columns: new[] { "AssigneeKind", "AssigneeId" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_work_items_TeamId",
+                schema: "orgboard",
+                table: "work_items",
+                column: "TeamId");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "organizations",
+                schema: "orgboard");
+
+            migrationBuilder.DropTable(
+                name: "seats",
+                schema: "orgboard");
+
+            migrationBuilder.DropTable(
+                name: "teams",
+                schema: "orgboard");
+
+            migrationBuilder.DropTable(
+                name: "work_items",
+                schema: "orgboard");
+        }
+    }
+}

src/Modules/TeamUp.Modules.OrgBoard/Persistence/Migrations/OrgBoardDbContextModelSnapshot.cs

@@ -0,0 +1,162 @@
+// <auto-generated />
+using System;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using TeamUp.Modules.OrgBoard.Persistence;
+
+#nullable disable
+
+namespace TeamUp.Modules.OrgBoard.Persistence.Migrations
+{
+    [DbContext(typeof(OrgBoardDbContext))]
+    partial class OrgBoardDbContextModelSnapshot : ModelSnapshot
+    {
+        protected override void BuildModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasDefaultSchema("orgboard")
+                .HasAnnotation("ProductVersion", "10.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("TeamUp.Modules.OrgBoard.Domain.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("organizations", "orgboard");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.OrgBoard.Domain.Seat", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("AgentId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("MemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("RoleName")
+                        .IsRequired()
+                        .HasMaxLength(120)
+                        .HasColumnType("character varying(120)");
+
+                    b.Property<string>("State")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<Guid>("TeamId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TeamId");
+
+                    b.ToTable("seats", "orgboard");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.OrgBoard.Domain.Team", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("teams", "orgboard");
+                });
+
+            modelBuilder.Entity("TeamUp.Modules.OrgBoard.Domain.WorkItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("AssigneeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AssigneeKind")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<DateTimeOffset>("CreatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("CreatedByMemberId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("ParentId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<Guid>("TeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Title")
+                        .IsRequired()
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<DateTimeOffset>("UpdatedAtUtc")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TeamId");
+
+                    b.HasIndex("AssigneeKind", "AssigneeId");
+
+                    b.ToTable("work_items", "orgboard");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

src/Modules/TeamUp.Modules.OrgBoard/Persistence/OrgBoardDbContext.cs

@@ -0,0 +1,55 @@
+using Microsoft.EntityFrameworkCore;
+using TeamUp.Modules.OrgBoard.Domain;
+using TeamUp.SharedKernel.Persistence;
+
+namespace TeamUp.Modules.OrgBoard.Persistence;
+
+internal sealed class OrgBoardDbContext(DbContextOptions<OrgBoardDbContext> options)
+    : DbContext(options), IModuleDbContext
+{
+    public DbSet<Organization> Organizations => Set<Organization>();
+    public DbSet<Team> Teams => Set<Team>();
+    public DbSet<Seat> Seats => Set<Seat>();
+    public DbSet<WorkItem> WorkItems => Set<WorkItem>();
+
+    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    {
+        modelBuilder.HasDefaultSchema("orgboard");
+
+        modelBuilder.Entity<Organization>(organization =>
+        {
+            organization.ToTable("organizations");
+            organization.HasKey(o => o.Id);
+            organization.Property(o => o.Name).HasMaxLength(200).IsRequired();
+        });
+
+        modelBuilder.Entity<Team>(team =>
+        {
+            team.ToTable("teams");
+            team.HasKey(t => t.Id);
+            team.Property(t => t.Name).HasMaxLength(200).IsRequired();
+            team.HasIndex(t => t.OrganizationId);
+        });
+
+        modelBuilder.Entity<Seat>(seat =>
+        {
+            seat.ToTable("seats");
+            seat.HasKey(s => s.Id);
+            seat.Property(s => s.RoleName).HasMaxLength(120).IsRequired();
+            seat.Property(s => s.State).HasConversion<string>().HasMaxLength(16);
+            seat.HasIndex(s => s.TeamId);
+        });
+
+        modelBuilder.Entity<WorkItem>(workItem =>
+        {
+            workItem.ToTable("work_items");
+            workItem.HasKey(w => w.Id);
+            workItem.Property(w => w.Title).HasMaxLength(300).IsRequired();
+            workItem.Property(w => w.Type).HasConversion<string>().HasMaxLength(16);
+            workItem.Property(w => w.Status).HasConversion<string>().HasMaxLength(16);
+            workItem.Property(w => w.AssigneeKind).HasConversion<string>().HasMaxLength(16);
+            workItem.HasIndex(w => w.TeamId);
+            workItem.HasIndex(w => new { w.AssigneeKind, w.AssigneeId });
+        });
+    }
+}

src/Modules/TeamUp.Modules.OrgBoard/Persistence/OrgBoardDbContextFactory.cs

@@ -0,0 +1,21 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Design;
+
+namespace TeamUp.Modules.OrgBoard.Persistence;
+
+/// <summary>Design-time factory so `dotnet ef` can build the internal context without a host.</summary>
+internal sealed class OrgBoardDbContextFactory : IDesignTimeDbContextFactory<OrgBoardDbContext>
+{
+    public OrgBoardDbContext CreateDbContext(string[] args)
+    {
+        var connectionString =
+            Environment.GetEnvironmentVariable("ConnectionStrings__Postgres")
+            ?? "Host=localhost;Port=5432;Database=teamup;Username=teamup;Password=teamup";
+
+        var options = new DbContextOptionsBuilder<OrgBoardDbContext>()
+            .UseNpgsql(connectionString)
+            .Options;
+
+        return new OrgBoardDbContext(options);
+    }
+}

src/Modules/TeamUp.Modules.OrgBoard/TeamUp.Modules.OrgBoard.csproj

@@ -1,10 +1,17 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
-  <!-- A self-contained module. References SharedKernel ONLY (ASP.NET flows transitively for the
+  <!-- Org, products, teams, seats, and the task/board model (M1). References SharedKernel only;
-       IModule seam). M1 adds this module's EF/Npgsql/FluentValidation/Mapperly packages when it
+       permission checks use ICurrentUser/IPermissionService from SharedKernel (implemented by
-       gains an (internal) DbContext and validators. It must never reference another module. -->
+       Identity), so OrgBoard never references another module. -->
   <ItemGroup>
     <ProjectReference Include="..\..\Shared\TeamUp.SharedKernel\TeamUp.SharedKernel.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <PackageReference Include="Microsoft.EntityFrameworkCore" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Design" PrivateAssets="all" />
+    <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" />
+    <PackageReference Include="FluentValidation" />
+  </ItemGroup>
+
 </Project>

src/Shared/TeamUp.SharedKernel/Access/AccessPolicy.cs

@@ -0,0 +1,26 @@
+namespace TeamUp.SharedKernel.Access;
+
+/// <summary>
+/// The role × capability matrix (docs/PRODUCT.md "Access / RBAC"). Pure policy — no scope logic
+/// here; scope coverage is applied by <see cref="IPermissionService"/>. Owner is org-wide and can
+/// do everything; TeamOwner is scoped to its own team; Member works tasks; Viewer reads only.
+/// </summary>
+public static class AccessPolicy
+{
+    public static bool Permits(RoleType role, Capability capability) => role switch
+    {
+        RoleType.Owner => true,
+        RoleType.TeamOwner => capability is
+            Capability.InvitePeople
+            or Capability.CreateProductsAndTeams
+            or Capability.ConfigureAgents
+            or Capability.SetAutonomy
+            or Capability.ApproveHeldActions
+            or Capability.WorkTasks
+            or Capability.ViewBoard
+            or Capability.ViewAuditLog,
+        RoleType.Member => capability is Capability.WorkTasks or Capability.ViewBoard,
+        RoleType.Viewer => capability is Capability.ViewBoard,
+        _ => false,
+    };
+}

src/Shared/TeamUp.SharedKernel/Access/Capability.cs

@@ -0,0 +1,19 @@
+namespace TeamUp.SharedKernel.Access;
+
+/// <summary>
+/// A permission-checked action, evaluated against a scope. Mirrors the capability rows of the
+/// access matrix in docs/PRODUCT.md ("Access / RBAC").
+/// </summary>
+public enum Capability
+{
+    ManageBilling,
+    ManageApiKeys,
+    InvitePeople,
+    CreateProductsAndTeams,
+    ConfigureAgents,
+    SetAutonomy,
+    ApproveHeldActions,
+    WorkTasks,
+    ViewBoard,
+    ViewAuditLog,
+}

src/Shared/TeamUp.SharedKernel/Access/ICurrentUser.cs

@@ -0,0 +1,20 @@
+namespace TeamUp.SharedKernel.Access;
+
+/// <summary>A role held at a scope.</summary>
+public readonly record struct ScopedRole(ScopeRef Scope, RoleType Role);
+
+/// <summary>
+/// The authenticated principal for the current request — or unauthenticated. Resolved from the
+/// JWT by the Identity module; available to every module via DI.
+/// </summary>
+public interface ICurrentUser
+{
+    bool IsAuthenticated { get; }
+
+    /// <summary>The member id. Throws if not authenticated — guard with <see cref="IsAuthenticated"/>.</summary>
+    Guid MemberId { get; }
+
+    string Email { get; }
+
+    IReadOnlyList<ScopedRole> Memberships { get; }
+}

src/Shared/TeamUp.SharedKernel/Access/IPermissionService.cs

@@ -0,0 +1,12 @@
+namespace TeamUp.SharedKernel.Access;
+
+/// <summary>
+/// Evaluates whether the current user may perform a capability at a scope. The caller passes the
+/// scope chain from most-specific to broadest (e.g. a team, then its org); a covering role at any
+/// link grants the capability. This keeps Identity free of OrgBoard's scope hierarchy — the module
+/// performing the action supplies the chain it already knows.
+/// </summary>
+public interface IPermissionService
+{
+    bool Has(Capability capability, params ScopeRef[] scopeChain);
+}

src/Shared/TeamUp.SharedKernel/Access/RoleType.cs

@@ -0,0 +1,10 @@
+namespace TeamUp.SharedKernel.Access;
+
+/// <summary>A role granted to a member at a scope. Memberships are additive.</summary>
+public enum RoleType
+{
+    Owner,
+    TeamOwner,
+    Member,
+    Viewer,
+}

src/Shared/TeamUp.SharedKernel/Access/Scope.cs

@@ -0,0 +1,18 @@
+namespace TeamUp.SharedKernel.Access;
+
+/// <summary>The kind of scope a role is granted at. V1 uses Organization and Team.</summary>
+public enum ScopeType
+{
+    Organization,
+    Division,
+    Product,
+    Team,
+}
+
+/// <summary>A reference to the scope a role applies to (additive across memberships).</summary>
+public readonly record struct ScopeRef(ScopeType Type, Guid Id)
+{
+    public static ScopeRef Org(Guid id) => new(ScopeType.Organization, id);
+
+    public static ScopeRef Team(Guid id) => new(ScopeType.Team, id);
+}

src/Shared/TeamUp.SharedKernel/Auditing/IAuditLog.cs

@@ -0,0 +1,18 @@
+namespace TeamUp.SharedKernel.Auditing;
+
+/// <summary>An immutable record of a meaningful action. Written by any module via <see cref="IAuditLog"/>.</summary>
+public sealed record AuditEvent(
+    string Action,
+    string EntityType,
+    Guid EntityId,
+    Guid? ActorMemberId,
+    string? Details = null);
+
+/// <summary>
+/// The append-only audit log. Defined in SharedKernel and implemented by Governance, so any module
+/// can record an action without referencing Governance.
+/// </summary>
+public interface IAuditLog
+{
+    Task WriteAsync(AuditEvent auditEvent, CancellationToken cancellationToken = default);
+}

src/Shared/TeamUp.SharedKernel/Metrics/EditDistance.cs

@@ -0,0 +1,56 @@
+namespace TeamUp.SharedKernel.Metrics;
+
+/// <summary>
+/// The product's north-star metric: how much a reviewer changes AI output before approving.
+/// Levenshtein edit distance, available from day one (M1). It is consumed at edit-and-approve in
+/// the review inbox (M5); kept here so the data path and computation exist before there is AI
+/// output to measure.
+/// </summary>
+public static class EditDistance
+{
+    /// <summary>Levenshtein distance — the minimum single-character edits to turn <paramref name="a"/> into <paramref name="b"/>.</summary>
+    public static int Levenshtein(string a, string b)
+    {
+        ArgumentNullException.ThrowIfNull(a);
+        ArgumentNullException.ThrowIfNull(b);
+
+        if (a.Length == 0)
+        {
+            return b.Length;
+        }
+
+        if (b.Length == 0)
+        {
+            return a.Length;
+        }
+
+        var previous = new int[b.Length + 1];
+        var current = new int[b.Length + 1];
+
+        for (var j = 0; j <= b.Length; j++)
+        {
+            previous[j] = j;
+        }
+
+        for (var i = 1; i <= a.Length; i++)
+        {
+            current[0] = i;
+            for (var j = 1; j <= b.Length; j++)
+            {
+                var cost = a[i - 1] == b[j - 1] ? 0 : 1;
+                current[j] = Math.Min(Math.Min(current[j - 1] + 1, previous[j] + 1), previous[j - 1] + cost);
+            }
+
+            (previous, current) = (current, previous);
+        }
+
+        return previous[b.Length];
+    }
+
+    /// <summary>Edit distance normalized to [0,1] by the longer string. 0 = unchanged (accepted as-is).</summary>
+    public static double Normalized(string original, string edited)
+    {
+        var max = Math.Max(original.Length, edited.Length);
+        return max == 0 ? 0d : (double)Levenshtein(original, edited) / max;
+    }
+}

tests/TeamUp.IntegrationTests/BoardFlowTests.cs

@@ -0,0 +1,149 @@
+using System.Net;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using Xunit;
+
+namespace TeamUp.IntegrationTests;
+
+/// <summary>
+/// M1 board acceptance at the API level: an owner sets up the org + a team, creates a task, moves
+/// it across columns, assigns it, and sees it on the board and in the cartable. An invited Member
+/// can view the board but cannot create a team (owner-only).
+/// </summary>
+public sealed class BoardFlowTests(PostgresFixture postgres) : IClassFixture<PostgresFixture>
+{
+    private sealed record BootstrapResponse(string Token, Guid MemberId, Guid OrganizationId);
+
+    private sealed record AuthResponse(string Token, Guid MemberId);
+
+    private sealed record InviteResponse(Guid InvitationId, string Token);
+
+    private sealed record OrganizationResponse(Guid Id, string Name);
+
+    private sealed record TeamResponse(Guid Id, Guid OrganizationId, string Name);
+
+    private sealed record TaskResponse(
+        Guid Id, Guid TeamId, string Title, string? Description, string Type,
+        string Status, string AssigneeKind, Guid? AssigneeId, Guid? ParentId);
+
+    private sealed record BoardColumn(string Status, List<TaskResponse> Items);
+
+    private sealed record BoardResponse(Guid TeamId, List<BoardColumn> Columns);
+
+    private sealed record AuditEntryResponse(
+        Guid Id, string Action, string EntityType, Guid EntityId,
+        Guid? ActorMemberId, string? Details, DateTimeOffset OccurredAtUtc);
+
+    [Fact]
+    public async Task Owner_builds_board_and_member_is_scoped()
+    {
+        await using var factory = new TeamUpWebFactory(postgres.ConnectionString);
+        using var anon = factory.CreateClient();
+
+        var owner = await Bootstrap(anon);
+        using var ownerClient = Authed(factory, owner.Token);
+
+        // Set the organization name (idempotent upsert on the bootstrapped org scope).
+        var org = await PostOk<OrganizationResponse>(ownerClient, "/api/orgboard/organizations",
+            new { organizationId = owner.OrganizationId, name = "AliaSaaS" });
+        Assert.Equal(owner.OrganizationId, org.Id);
+
+        // Create a team and list it.
+        var team = await PostOk<TeamResponse>(ownerClient, "/api/orgboard/teams",
+            new { organizationId = owner.OrganizationId, name = "IPNOPS" });
+        var teams = await ownerClient.GetFromJsonAsync<List<TeamResponse>>(
+            $"/api/orgboard/teams?organizationId={owner.OrganizationId}");
+        Assert.Contains(teams!, t => t.Id == team.Id);
+
+        // Create a task → it lands in Backlog, unassigned.
+        var task = await PostOk<TaskResponse>(ownerClient, "/api/orgboard/tasks",
+            new { teamId = team.Id, title = "Build the login screen", description = "M1", type = "Story" });
+        Assert.Equal("Backlog", task.Status);
+        Assert.Equal("Unassigned", task.AssigneeKind);
+
+        // Move it to In Progress and assign it to the owner.
+        var moved = await PatchOk<TaskResponse>(ownerClient, $"/api/orgboard/tasks/{task.Id}/move",
+            new { status = "InProgress" });
+        Assert.Equal("InProgress", moved.Status);
+
+        var assigned = await PatchOk<TaskResponse>(ownerClient, $"/api/orgboard/tasks/{task.Id}/assign",
+            new { memberId = owner.MemberId });
+        Assert.Equal("Member", assigned.AssigneeKind);
+        Assert.Equal(owner.MemberId, assigned.AssigneeId);
+
+        // The board shows it under In Progress.
+        var board = await ownerClient.GetFromJsonAsync<BoardResponse>($"/api/orgboard/board?teamId={team.Id}");
+        var inProgress = board!.Columns.Single(c => c.Status == "InProgress");
+        Assert.Contains(inProgress.Items, i => i.Id == task.Id);
+
+        // The owner's cartable shows the assigned task.
+        var cartable = await ownerClient.GetFromJsonAsync<List<TaskResponse>>("/api/orgboard/cartable");
+        Assert.Contains(cartable!, i => i.Id == task.Id);
+
+        // The audit log (owner-only) recorded the task actions.
+        var audit = await ownerClient.GetFromJsonAsync<List<AuditEntryResponse>>(
+            $"/api/governance/audit?organizationId={owner.OrganizationId}");
+        Assert.Contains(audit!, e => e.Action == "task.created" && e.EntityId == task.Id);
+        Assert.Contains(audit!, e => e.Action == "task.moved" && e.EntityId == task.Id);
+
+        // Invite a Member at the org scope and accept.
+        var invite = await PostOk<InviteResponse>(ownerClient, "/api/identity/invitations", new
+        {
+            email = "dev@alia.test",
+            scopeType = "Organization",
+            scopeId = owner.OrganizationId,
+            role = "Member",
+            organizationId = owner.OrganizationId,
+        });
+        var member = await PostOk<AuthResponse>(anon, "/api/identity/invitations/accept",
+            new { token = invite.Token, displayName = "Dev", password = "Passw0rd!" });
+
+        using var memberClient = Authed(factory, member.Token);
+
+        // The member can view the board…
+        var memberBoard = await memberClient.GetAsync($"/api/orgboard/board?teamId={team.Id}");
+        Assert.Equal(HttpStatusCode.OK, memberBoard.StatusCode);
+
+        // …but cannot create a team (owner-only).
+        var memberTeam = await memberClient.PostAsJsonAsync("/api/orgboard/teams",
+            new { organizationId = owner.OrganizationId, name = "Nope" });
+        Assert.Equal(HttpStatusCode.Forbidden, memberTeam.StatusCode);
+    }
+
+    private static async Task<BootstrapResponse> Bootstrap(HttpClient client)
+    {
+        var response = await PostOk<BootstrapResponse>(client, "/api/identity/bootstrap", new
+        {
+            organizationName = "AliaSaaS",
+            ownerEmail = "owner@alia.test",
+            ownerDisplayName = "Owner",
+            ownerPassword = "Passw0rd!",
+        });
+        return response;
+    }
+
+    private static HttpClient Authed(TeamUpWebFactory factory, string token)
+    {
+        var client = factory.CreateClient();
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        return client;
+    }
+
+    private static async Task<T> PostOk<T>(HttpClient client, string url, object body)
+    {
+        var response = await client.PostAsJsonAsync(url, body);
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var value = await response.Content.ReadFromJsonAsync<T>();
+        Assert.NotNull(value);
+        return value!;
+    }
+
+    private static async Task<T> PatchOk<T>(HttpClient client, string url, object body)
+    {
+        var response = await client.PatchAsJsonAsync(url, body);
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var value = await response.Content.ReadFromJsonAsync<T>();
+        Assert.NotNull(value);
+        return value!;
+    }
+}

tests/TeamUp.IntegrationTests/BootAndMigrateTests.cs

@@ -10,8 +10,7 @@ namespace TeamUp.IntegrationTests;
 /// extension + the 7 module schemas), health is green, every module endpoint seam is wired, and
 /// the OpenAPI document is served. All tests share one container (sequential, same collection).
 /// </summary>
-[Collection(PostgresCollection.Name)]
+public sealed class BootAndMigrateTests(PostgresFixture postgres) : IClassFixture<PostgresFixture>
-public sealed class BootAndMigrateTests(PostgresFixture postgres)
 {
     private static readonly string[] ExpectedSchemas =
         ["identity", "orgboard", "skills", "integrations", "memory", "assembler", "governance"];

tests/TeamUp.IntegrationTests/EditDistanceTests.cs

@@ -0,0 +1,26 @@
+using TeamUp.SharedKernel.Metrics;
+using Xunit;
+
+namespace TeamUp.IntegrationTests;
+
+/// <summary>Unit coverage for the north-star metric helper (no database).</summary>
+public sealed class EditDistanceTests
+{
+    [Theory]
+    [InlineData("", "", 0)]
+    [InlineData("abc", "abc", 0)]
+    [InlineData("", "abc", 3)]
+    [InlineData("abc", "", 3)]
+    [InlineData("kitten", "sitting", 3)]
+    [InlineData("spec v1", "spec v2", 1)]
+    public void Levenshtein_counts_edits(string a, string b, int expected) =>
+        Assert.Equal(expected, EditDistance.Levenshtein(a, b));
+
+    [Fact]
+    public void Normalized_is_zero_when_unchanged() =>
+        Assert.Equal(0d, EditDistance.Normalized("approved as-is", "approved as-is"));
+
+    [Fact]
+    public void Normalized_is_between_zero_and_one() =>
+        Assert.InRange(EditDistance.Normalized("the AI wrote this", "the human edited this"), 0d, 1d);
+}

tests/TeamUp.IntegrationTests/IdentityFlowTests.cs

@@ -0,0 +1,126 @@
+using System.Net;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using Xunit;
+
+namespace TeamUp.IntegrationTests;
+
+/// <summary>
+/// M1 Identity/access acceptance at the API level: bootstrap the first owner, log in, read /me,
+/// invite a member, accept the invite, and confirm a Member cannot perform an owner-only action.
+/// </summary>
+public sealed class IdentityFlowTests(PostgresFixture postgres) : IClassFixture<PostgresFixture>
+{
+    private sealed record BootstrapResponse(string Token, Guid MemberId, Guid OrganizationId);
+
+    private sealed record AuthResponse(string Token, Guid MemberId);
+
+    private sealed record InviteResponse(Guid InvitationId, string Token);
+
+    private sealed record MembershipDto(string ScopeType, Guid ScopeId, string Role);
+
+    private sealed record MeResponse(Guid MemberId, string Email, string DisplayName, List<MembershipDto> Memberships);
+
+    [Fact]
+    public async Task Bootstrap_login_invite_accept_and_rbac_enforcement()
+    {
+        await using var factory = new TeamUpWebFactory(postgres.ConnectionString);
+        using var client = factory.CreateClient();
+
+        // First owner is created by bootstrap.
+        var bootstrap = await client.PostAsJsonAsync("/api/identity/bootstrap", new
+        {
+            organizationName = "AliaSaaS",
+            ownerEmail = "owner@alia.test",
+            ownerDisplayName = "Owner",
+            ownerPassword = "Passw0rd!",
+        });
+        Assert.Equal(HttpStatusCode.OK, bootstrap.StatusCode);
+        var owner = await bootstrap.Content.ReadFromJsonAsync<BootstrapResponse>();
+        Assert.NotNull(owner);
+
+        // Bootstrapping again is rejected.
+        var second = await client.PostAsJsonAsync("/api/identity/bootstrap", new
+        {
+            organizationName = "x",
+            ownerEmail = "x@x.test",
+            ownerDisplayName = "X",
+            ownerPassword = "Passw0rd!",
+        });
+        Assert.Equal(HttpStatusCode.Conflict, second.StatusCode);
+
+        // /me requires auth.
+        Assert.Equal(HttpStatusCode.Unauthorized, (await client.GetAsync("/api/identity/me")).StatusCode);
+
+        // Owner reads /me and holds an Owner membership.
+        var me = await GetMe(factory, owner!.Token);
+        Assert.Equal("owner@alia.test", me.Email);
+        Assert.Contains(me.Memberships, m => m.Role == "Owner" && m.ScopeId == owner.OrganizationId);
+
+        // Owner invites a Member at the org scope.
+        var invite = await Authed(factory, owner.Token).PostAsJsonAsync("/api/identity/invitations", new
+        {
+            email = "dev@alia.test",
+            scopeType = "Organization",
+            scopeId = owner.OrganizationId,
+            role = "Member",
+            organizationId = owner.OrganizationId,
+        });
+        Assert.Equal(HttpStatusCode.OK, invite.StatusCode);
+        var inviteResponse = await invite.Content.ReadFromJsonAsync<InviteResponse>();
+        Assert.NotNull(inviteResponse);
+
+        // The invitee accepts and gets a token.
+        var accept = await client.PostAsJsonAsync("/api/identity/invitations/accept", new
+        {
+            token = inviteResponse!.Token,
+            displayName = "Dev",
+            password = "Passw0rd!",
+        });
+        Assert.Equal(HttpStatusCode.OK, accept.StatusCode);
+        var member = await accept.Content.ReadFromJsonAsync<AuthResponse>();
+        Assert.NotNull(member);
+
+        // The new member can log in with their credentials.
+        var login = await client.PostAsJsonAsync("/api/identity/auth/login", new
+        {
+            email = "dev@alia.test",
+            password = "Passw0rd!",
+        });
+        Assert.Equal(HttpStatusCode.OK, login.StatusCode);
+
+        // A Member cannot invite (owner-only capability) → 403.
+        var memberInvite = await Authed(factory, member!.Token).PostAsJsonAsync("/api/identity/invitations", new
+        {
+            email = "nope@alia.test",
+            scopeType = "Organization",
+            scopeId = owner.OrganizationId,
+            role = "Member",
+            organizationId = owner.OrganizationId,
+        });
+        Assert.Equal(HttpStatusCode.Forbidden, memberInvite.StatusCode);
+
+        // Bad credentials are rejected.
+        var badLogin = await client.PostAsJsonAsync("/api/identity/auth/login", new
+        {
+            email = "owner@alia.test",
+            password = "wrong",
+        });
+        Assert.Equal(HttpStatusCode.Unauthorized, badLogin.StatusCode);
+    }
+
+    private static HttpClient Authed(TeamUpWebFactory factory, string token)
+    {
+        var client = factory.CreateClient();
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        return client;
+    }
+
+    private static async Task<MeResponse> GetMe(TeamUpWebFactory factory, string token)
+    {
+        using var client = Authed(factory, token);
+        var me = await client.GetFromJsonAsync<MeResponse>("/api/identity/me");
+        Assert.NotNull(me);
+        return me!;
+    }
+}

tests/TeamUp.IntegrationTests/PostgresFixture.cs

@@ -19,9 +19,3 @@ public sealed class PostgresFixture : IAsyncLifetime
 
     public async ValueTask DisposeAsync() => await _container.DisposeAsync();
 }
-
-[CollectionDefinition(Name)]
-public sealed class PostgresCollection : ICollectionFixture<PostgresFixture>
-{
-    public const string Name = "postgres";
-}