feat: MyEasyCMS v2 — Full SaaS rebuild

Complete rebuild of 22-year-old PHP CMS as modern SaaS:

Database (15 migrations, 42+ tables):
- Foundation: account_settings, audit_log, GDPR register, cms_files
- Module Engine: modules, fields, records, permissions, relations + RPC
- Members: 45+ field member profiles, departments, roles, honors, SEPA mandates
- Courses: courses, sessions, categories, instructors, locations, attendance
- Bookings: rooms, guests, bookings with availability
- Events: events, registrations, holiday passes
- Finance: SEPA batches/items (pain.008/001 XML), invoices
- Newsletter: campaigns, templates, recipients, subscriptions
- Site Builder: site_pages (Puck JSON), site_settings, cms_posts
- Portal Auth: member_portal_invitations, user linking

Feature Packages (9):
- @kit/module-builder — dynamic low-code CRUD engine
- @kit/member-management — 31 API methods, 21 actions, 8 components
- @kit/course-management, @kit/booking-management, @kit/event-management
- @kit/finance — SEPA XML generator + IBAN validator
- @kit/newsletter — campaigns + dispatch
- @kit/document-generator — PDF/Excel/Word
- @kit/site-builder — Puck visual editor, 15 blocks, public rendering

Pages (60+):
- Dashboard with real stats from all APIs
- Full CRUD for all 8 domains with react-hook-form + Zod
- Recharts statistics
- German i18n throughout
- Member portal with auth + invitation system
- Public club websites via Puck at /club/[slug]

Infrastructure:
- Dockerfile (multi-stage, standalone output)
- docker-compose.yml (Supabase self-hosted + Next.js)
- Kong API gateway config
- .env.production.example

apps/web/supabase/migrations/20260409000001_member_management_parity.sql

@@ -0,0 +1,204 @@
+/*
+ * -------------------------------------------------------
+ * Member Management Parity Migration
+ * Adds missing columns, departments, roles, honors,
+ * SEPA mandates table, dues extensions, duplicate detection
+ * -------------------------------------------------------
+ */
+
+-- =====================================================
+-- A1. Add missing columns to members table
+-- =====================================================
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS salutation text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS street2 text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS phone2 text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS fax text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS birthplace text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS birth_country text DEFAULT 'DE';
+
+-- Membership lifecycle flags
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS is_honorary boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS is_founding_member boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS is_youth boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS is_retiree boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS is_probationary boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS is_transferred boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS is_archived boolean NOT NULL DEFAULT false;
+
+-- Youth/Guardian
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS guardian_name text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS guardian_phone text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS guardian_email text;
+
+-- Dues tracking
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS dues_year integer;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS dues_paid boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS additional_fees numeric(10,2) DEFAULT 0;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS exemption_type text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS exemption_reason text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS exemption_amount numeric(10,2);
+
+-- SEPA extras
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS sepa_mandate_reference text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS sepa_mandate_sequence text DEFAULT 'RCUR';
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS sepa_bank_name text;
+
+-- GDPR granular
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS gdpr_newsletter boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS gdpr_internet boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS gdpr_print boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS gdpr_birthday_info boolean NOT NULL DEFAULT false;
+
+-- Online portal
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS online_access_key text;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS online_access_blocked boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS email_confirmed boolean NOT NULL DEFAULT false;
+
+-- Address quality
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS address_invalid boolean NOT NULL DEFAULT false;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS data_reconciliation_needed boolean NOT NULL DEFAULT false;
+
+-- =====================================================
+-- A2. member_departments + assignments
+-- =====================================================
+CREATE TABLE IF NOT EXISTS public.member_departments (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  account_id uuid NOT NULL REFERENCES public.accounts(id) ON DELETE CASCADE,
+  name text NOT NULL,
+  description text,
+  sort_order integer NOT NULL DEFAULT 0,
+  created_at timestamptz NOT NULL DEFAULT now()
+);
+CREATE INDEX IF NOT EXISTS ix_member_departments_account ON public.member_departments(account_id);
+ALTER TABLE public.member_departments ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.member_departments FROM authenticated, service_role;
+GRANT SELECT, INSERT, UPDATE, DELETE ON public.member_departments TO authenticated;
+GRANT ALL ON public.member_departments TO service_role;
+CREATE POLICY member_departments_select ON public.member_departments FOR SELECT TO authenticated
+  USING (public.has_role_on_account(account_id));
+CREATE POLICY member_departments_mutate ON public.member_departments FOR ALL TO authenticated
+  USING (public.has_permission(auth.uid(), account_id, 'members.write'::public.app_permissions));
+
+CREATE TABLE IF NOT EXISTS public.member_department_assignments (
+  member_id uuid NOT NULL REFERENCES public.members(id) ON DELETE CASCADE,
+  department_id uuid NOT NULL REFERENCES public.member_departments(id) ON DELETE CASCADE,
+  PRIMARY KEY (member_id, department_id)
+);
+ALTER TABLE public.member_department_assignments ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.member_department_assignments FROM authenticated, service_role;
+GRANT SELECT, INSERT, DELETE ON public.member_department_assignments TO authenticated;
+GRANT ALL ON public.member_department_assignments TO service_role;
+CREATE POLICY mda_select ON public.member_department_assignments FOR SELECT TO authenticated
+  USING (EXISTS (SELECT 1 FROM public.members m WHERE m.id = member_department_assignments.member_id AND public.has_role_on_account(m.account_id)));
+CREATE POLICY mda_mutate ON public.member_department_assignments FOR ALL TO authenticated
+  USING (EXISTS (SELECT 1 FROM public.members m WHERE m.id = member_department_assignments.member_id AND public.has_permission(auth.uid(), m.account_id, 'members.write'::public.app_permissions)));
+
+-- =====================================================
+-- A3. member_roles (board positions / Funktionen)
+-- =====================================================
+CREATE TABLE IF NOT EXISTS public.member_roles (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  member_id uuid NOT NULL REFERENCES public.members(id) ON DELETE CASCADE,
+  account_id uuid NOT NULL REFERENCES public.accounts(id) ON DELETE CASCADE,
+  role_name text NOT NULL,
+  from_date date,
+  until_date date,
+  is_active boolean NOT NULL DEFAULT true,
+  created_at timestamptz NOT NULL DEFAULT now()
+);
+CREATE INDEX IF NOT EXISTS ix_member_roles_member ON public.member_roles(member_id);
+ALTER TABLE public.member_roles ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.member_roles FROM authenticated, service_role;
+GRANT SELECT, INSERT, UPDATE, DELETE ON public.member_roles TO authenticated;
+GRANT ALL ON public.member_roles TO service_role;
+CREATE POLICY member_roles_select ON public.member_roles FOR SELECT TO authenticated
+  USING (public.has_role_on_account(account_id));
+CREATE POLICY member_roles_mutate ON public.member_roles FOR ALL TO authenticated
+  USING (public.has_permission(auth.uid(), account_id, 'members.write'::public.app_permissions));
+
+-- =====================================================
+-- A4. member_honors (Ehrungen)
+-- =====================================================
+CREATE TABLE IF NOT EXISTS public.member_honors (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  member_id uuid NOT NULL REFERENCES public.members(id) ON DELETE CASCADE,
+  account_id uuid NOT NULL REFERENCES public.accounts(id) ON DELETE CASCADE,
+  honor_name text NOT NULL,
+  honor_date date,
+  description text,
+  created_at timestamptz NOT NULL DEFAULT now()
+);
+CREATE INDEX IF NOT EXISTS ix_member_honors_member ON public.member_honors(member_id);
+ALTER TABLE public.member_honors ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.member_honors FROM authenticated, service_role;
+GRANT SELECT, INSERT, UPDATE, DELETE ON public.member_honors TO authenticated;
+GRANT ALL ON public.member_honors TO service_role;
+CREATE POLICY member_honors_select ON public.member_honors FOR SELECT TO authenticated
+  USING (public.has_role_on_account(account_id));
+CREATE POLICY member_honors_mutate ON public.member_honors FOR ALL TO authenticated
+  USING (public.has_permission(auth.uid(), account_id, 'members.write'::public.app_permissions));
+
+-- =====================================================
+-- A5. sepa_mandates (proper sub-table)
+-- =====================================================
+CREATE TABLE IF NOT EXISTS public.sepa_mandates (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  member_id uuid NOT NULL REFERENCES public.members(id) ON DELETE CASCADE,
+  account_id uuid NOT NULL REFERENCES public.accounts(id) ON DELETE CASCADE,
+  mandate_reference text NOT NULL,
+  iban text NOT NULL,
+  bic text,
+  account_holder text NOT NULL,
+  mandate_date date NOT NULL,
+  status public.sepa_mandate_status NOT NULL DEFAULT 'active',
+  sequence text NOT NULL DEFAULT 'RCUR' CHECK (sequence IN ('FRST','RCUR','FNAL','OOFF')),
+  is_primary boolean NOT NULL DEFAULT true,
+  has_error boolean NOT NULL DEFAULT false,
+  last_used_at timestamptz,
+  notes text,
+  created_at timestamptz NOT NULL DEFAULT now(),
+  updated_at timestamptz NOT NULL DEFAULT now()
+);
+CREATE INDEX IF NOT EXISTS ix_sepa_mandates_member ON public.sepa_mandates(member_id);
+CREATE INDEX IF NOT EXISTS ix_sepa_mandates_account ON public.sepa_mandates(account_id);
+ALTER TABLE public.sepa_mandates ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.sepa_mandates FROM authenticated, service_role;
+GRANT SELECT, INSERT, UPDATE, DELETE ON public.sepa_mandates TO authenticated;
+GRANT ALL ON public.sepa_mandates TO service_role;
+CREATE POLICY sepa_mandates_select ON public.sepa_mandates FOR SELECT TO authenticated
+  USING (public.has_role_on_account(account_id));
+CREATE POLICY sepa_mandates_mutate ON public.sepa_mandates FOR ALL TO authenticated
+  USING (public.has_permission(auth.uid(), account_id, 'members.write'::public.app_permissions));
+
+CREATE TRIGGER trg_sepa_mandates_updated_at
+  BEFORE UPDATE ON public.sepa_mandates
+  FOR EACH ROW EXECUTE FUNCTION public.update_account_settings_timestamp();
+
+-- =====================================================
+-- A6. Extend dues_categories
+-- =====================================================
+ALTER TABLE public.dues_categories ADD COLUMN IF NOT EXISTS is_youth boolean NOT NULL DEFAULT false;
+ALTER TABLE public.dues_categories ADD COLUMN IF NOT EXISTS is_exit boolean NOT NULL DEFAULT false;
+
+-- =====================================================
+-- A7. Duplicate detection function
+-- =====================================================
+CREATE OR REPLACE FUNCTION public.check_duplicate_member(
+  p_account_id uuid,
+  p_first_name text,
+  p_last_name text,
+  p_date_of_birth date DEFAULT NULL
+)
+RETURNS TABLE(id uuid, member_number text, first_name text, last_name text, date_of_birth date, status public.membership_status)
+LANGUAGE sql STABLE SECURITY DEFINER
+SET search_path = ''
+AS $$
+  SELECT m.id, m.member_number, m.first_name, m.last_name, m.date_of_birth, m.status
+  FROM public.members m
+  WHERE m.account_id = p_account_id
+    AND lower(m.first_name) = lower(p_first_name)
+    AND lower(m.last_name) = lower(p_last_name)
+    AND (p_date_of_birth IS NULL OR m.date_of_birth = p_date_of_birth);
+$$;
+
+GRANT EXECUTE ON FUNCTION public.check_duplicate_member(uuid, text, text, date) TO authenticated, service_role;

apps/web/supabase/migrations/20260410000001_site_builder.sql

@@ -0,0 +1,176 @@
+/*
+ * Site Builder Migration
+ * Tables: site_pages, site_settings, cms_posts, newsletter_subscriptions
+ * Public read via anon + RLS
+ */
+
+-- =====================================================
+-- 1. site_pages — Puck JSON per page
+-- =====================================================
+CREATE TABLE IF NOT EXISTS public.site_pages (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  account_id uuid NOT NULL REFERENCES public.accounts(id) ON DELETE CASCADE,
+  slug text NOT NULL,
+  title text NOT NULL,
+  puck_data jsonb NOT NULL DEFAULT '{}'::jsonb,
+  is_published boolean NOT NULL DEFAULT false,
+  is_homepage boolean NOT NULL DEFAULT false,
+  sort_order integer NOT NULL DEFAULT 0,
+  meta_description text,
+  meta_image text,
+  created_by uuid REFERENCES auth.users(id),
+  updated_by uuid REFERENCES auth.users(id),
+  created_at timestamptz NOT NULL DEFAULT now(),
+  updated_at timestamptz NOT NULL DEFAULT now(),
+  published_at timestamptz,
+  UNIQUE(account_id, slug)
+);
+
+CREATE INDEX idx_site_pages_account ON public.site_pages(account_id);
+CREATE INDEX idx_site_pages_published ON public.site_pages(account_id, is_published);
+
+ALTER TABLE public.site_pages ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.site_pages FROM authenticated, service_role;
+GRANT SELECT, INSERT, UPDATE, DELETE ON public.site_pages TO authenticated;
+GRANT SELECT ON public.site_pages TO anon;
+GRANT ALL ON public.site_pages TO service_role;
+
+CREATE POLICY site_pages_public_read ON public.site_pages
+  FOR SELECT TO anon USING (is_published = true);
+
+CREATE POLICY site_pages_auth_read ON public.site_pages
+  FOR SELECT TO authenticated USING (
+    is_published = true OR public.has_role_on_account(account_id)
+  );
+
+CREATE POLICY site_pages_admin_write ON public.site_pages
+  FOR ALL TO authenticated USING (
+    public.has_permission(auth.uid(), account_id, 'settings.manage'::public.app_permissions)
+  );
+
+CREATE TRIGGER trg_site_pages_updated
+  BEFORE UPDATE ON public.site_pages
+  FOR EACH ROW EXECUTE FUNCTION public.update_account_settings_timestamp();
+
+-- =====================================================
+-- 2. site_settings — Per-club branding
+-- =====================================================
+CREATE TABLE IF NOT EXISTS public.site_settings (
+  account_id uuid PRIMARY KEY REFERENCES public.accounts(id) ON DELETE CASCADE,
+  site_name text,
+  site_logo text,
+  primary_color text DEFAULT '#2563eb',
+  secondary_color text DEFAULT '#64748b',
+  font_family text DEFAULT 'Inter',
+  custom_css text,
+  navigation jsonb NOT NULL DEFAULT '[]'::jsonb,
+  footer_text text,
+  contact_email text,
+  contact_phone text,
+  contact_address text,
+  social_links jsonb DEFAULT '{}'::jsonb,
+  impressum text,
+  datenschutz text,
+  custom_domain text,
+  is_public boolean NOT NULL DEFAULT false,
+  created_at timestamptz NOT NULL DEFAULT now(),
+  updated_at timestamptz NOT NULL DEFAULT now()
+);
+
+ALTER TABLE public.site_settings ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.site_settings FROM authenticated, service_role;
+GRANT SELECT, INSERT, UPDATE ON public.site_settings TO authenticated;
+GRANT SELECT ON public.site_settings TO anon;
+GRANT ALL ON public.site_settings TO service_role;
+
+CREATE POLICY site_settings_public_read ON public.site_settings
+  FOR SELECT TO anon USING (is_public = true);
+
+CREATE POLICY site_settings_auth_read ON public.site_settings
+  FOR SELECT TO authenticated USING (
+    is_public = true OR public.has_role_on_account(account_id)
+  );
+
+CREATE POLICY site_settings_admin_write ON public.site_settings
+  FOR ALL TO authenticated USING (
+    public.has_permission(auth.uid(), account_id, 'settings.manage'::public.app_permissions)
+  );
+
+CREATE TRIGGER trg_site_settings_updated
+  BEFORE UPDATE ON public.site_settings
+  FOR EACH ROW EXECUTE FUNCTION public.update_account_settings_timestamp();
+
+-- =====================================================
+-- 3. cms_posts — News/blog per club
+-- =====================================================
+CREATE TABLE IF NOT EXISTS public.cms_posts (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  account_id uuid NOT NULL REFERENCES public.accounts(id) ON DELETE CASCADE,
+  title text NOT NULL,
+  slug text NOT NULL,
+  content text,
+  excerpt text,
+  cover_image text,
+  author_id uuid REFERENCES auth.users(id),
+  status text NOT NULL DEFAULT 'draft' CHECK (status IN ('draft','published','archived')),
+  published_at timestamptz,
+  created_at timestamptz NOT NULL DEFAULT now(),
+  updated_at timestamptz NOT NULL DEFAULT now(),
+  UNIQUE(account_id, slug)
+);
+
+CREATE INDEX idx_cms_posts_account ON public.cms_posts(account_id);
+CREATE INDEX idx_cms_posts_published ON public.cms_posts(account_id, status);
+
+ALTER TABLE public.cms_posts ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.cms_posts FROM authenticated, service_role;
+GRANT SELECT, INSERT, UPDATE, DELETE ON public.cms_posts TO authenticated;
+GRANT SELECT ON public.cms_posts TO anon;
+GRANT ALL ON public.cms_posts TO service_role;
+
+CREATE POLICY cms_posts_public_read ON public.cms_posts
+  FOR SELECT TO anon USING (status = 'published');
+
+CREATE POLICY cms_posts_auth_read ON public.cms_posts
+  FOR SELECT TO authenticated USING (
+    status = 'published' OR public.has_role_on_account(account_id)
+  );
+
+CREATE POLICY cms_posts_admin_write ON public.cms_posts
+  FOR ALL TO authenticated USING (
+    public.has_permission(auth.uid(), account_id, 'settings.manage'::public.app_permissions)
+  );
+
+CREATE TRIGGER trg_cms_posts_updated
+  BEFORE UPDATE ON public.cms_posts
+  FOR EACH ROW EXECUTE FUNCTION public.update_account_settings_timestamp();
+
+-- =====================================================
+-- 4. newsletter_subscriptions — Public signup
+-- =====================================================
+CREATE TABLE IF NOT EXISTS public.newsletter_subscriptions (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  account_id uuid NOT NULL REFERENCES public.accounts(id) ON DELETE CASCADE,
+  email text NOT NULL,
+  name text,
+  subscribed_at timestamptz NOT NULL DEFAULT now(),
+  unsubscribed_at timestamptz,
+  is_active boolean NOT NULL DEFAULT true,
+  confirmation_token text,
+  confirmed_at timestamptz,
+  UNIQUE(account_id, email)
+);
+
+CREATE INDEX idx_newsletter_subs_account ON public.newsletter_subscriptions(account_id);
+
+ALTER TABLE public.newsletter_subscriptions ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.newsletter_subscriptions FROM authenticated, service_role;
+GRANT SELECT, INSERT, UPDATE, DELETE ON public.newsletter_subscriptions TO authenticated;
+GRANT INSERT ON public.newsletter_subscriptions TO anon;
+GRANT ALL ON public.newsletter_subscriptions TO service_role;
+
+CREATE POLICY newsletter_sub_public_insert ON public.newsletter_subscriptions
+  FOR INSERT TO anon WITH CHECK (true);
+
+CREATE POLICY newsletter_sub_admin ON public.newsletter_subscriptions
+  FOR ALL TO authenticated USING (public.has_role_on_account(account_id));

apps/web/supabase/migrations/20260410000002_anon_grants.sql

@@ -0,0 +1,5 @@
+-- Fix: Grant anon USAGE on public schema for public page reads
+GRANT USAGE ON SCHEMA public TO anon;
+
+-- Ensure anon can read accounts table (needed to resolve club slugs)
+GRANT SELECT ON public.accounts TO anon;

apps/web/supabase/migrations/20260411000001_member_portal_auth.sql

@@ -0,0 +1,93 @@
+/*
+ * Member Portal Auth + Invitations
+ * Links members to auth.users, adds invitation system
+ */
+
+-- Add user_id to members (links to Supabase Auth)
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS user_id uuid REFERENCES auth.users(id) ON DELETE SET NULL;
+CREATE INDEX IF NOT EXISTS ix_members_user ON public.members(user_id);
+
+-- Member portal invitations
+CREATE TABLE IF NOT EXISTS public.member_portal_invitations (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  account_id uuid NOT NULL REFERENCES public.accounts(id) ON DELETE CASCADE,
+  member_id uuid NOT NULL REFERENCES public.members(id) ON DELETE CASCADE,
+  email text NOT NULL,
+  invite_token text NOT NULL DEFAULT gen_random_uuid()::text,
+  status text NOT NULL DEFAULT 'pending' CHECK (status IN ('pending','accepted','expired','revoked')),
+  invited_by uuid REFERENCES auth.users(id),
+  accepted_at timestamptz,
+  expires_at timestamptz NOT NULL DEFAULT (now() + interval '30 days'),
+  created_at timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS ix_portal_invitations_token ON public.member_portal_invitations(invite_token);
+CREATE INDEX IF NOT EXISTS ix_portal_invitations_member ON public.member_portal_invitations(member_id);
+
+ALTER TABLE public.member_portal_invitations ENABLE ROW LEVEL SECURITY;
+REVOKE ALL ON public.member_portal_invitations FROM authenticated, service_role;
+GRANT SELECT, INSERT, UPDATE ON public.member_portal_invitations TO authenticated;
+GRANT ALL ON public.member_portal_invitations TO service_role;
+
+-- Admins can manage invitations for their account
+CREATE POLICY portal_invitations_admin ON public.member_portal_invitations
+  FOR ALL TO authenticated
+  USING (public.has_permission(auth.uid(), account_id, 'members.write'::public.app_permissions));
+
+-- Anon can read invitation by token (for the accept flow)
+GRANT SELECT ON public.member_portal_invitations TO anon;
+CREATE POLICY portal_invitations_anon_read ON public.member_portal_invitations
+  FOR SELECT TO anon
+  USING (status = 'pending' AND expires_at > now());
+
+-- RLS: Members can read their own portal data
+-- Allow authenticated users to read their own member record via user_id
+CREATE POLICY members_portal_self_read ON public.members
+  FOR SELECT TO authenticated
+  USING (user_id = auth.uid());
+
+-- Allow members to update their own contact/gdpr fields
+CREATE POLICY members_portal_self_update ON public.members
+  FOR UPDATE TO authenticated
+  USING (user_id = auth.uid());
+
+-- Add is_members_only flag to site_pages for member-only content
+ALTER TABLE public.site_pages ADD COLUMN IF NOT EXISTS is_members_only boolean NOT NULL DEFAULT false;
+
+-- Function: Link member to auth user after signup
+CREATE OR REPLACE FUNCTION public.link_member_to_user(
+  p_invite_token text,
+  p_user_id uuid
+) RETURNS uuid
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_member_id uuid;
+  v_account_id uuid;
+BEGIN
+  -- Find and validate invitation
+  SELECT member_id, account_id INTO v_member_id, v_account_id
+  FROM public.member_portal_invitations
+  WHERE invite_token = p_invite_token
+    AND status = 'pending'
+    AND expires_at > now();
+
+  IF v_member_id IS NULL THEN
+    RAISE EXCEPTION 'Invalid or expired invitation';
+  END IF;
+
+  -- Link member to user
+  UPDATE public.members SET user_id = p_user_id WHERE id = v_member_id;
+
+  -- Mark invitation as accepted
+  UPDATE public.member_portal_invitations
+  SET status = 'accepted', accepted_at = now()
+  WHERE invite_token = p_invite_token;
+
+  RETURN v_member_id;
+END;
+$$;
+
+GRANT EXECUTE ON FUNCTION public.link_member_to_user(text, uuid) TO authenticated, service_role;