2.23.0: Enforce Policies API for invitations and creating accounts; added WeakPassword handling; Fix dialog open/closed states (#439)

* chore: bump version to 2.22.1 and update dependencies

- Updated application version from 2.22.0 to 2.22.1 in package.json.
- Updated various dependencies including @marsidev/react-turnstile to 1.4.1, @stripe/react-stripe-js to 5.4.1, @stripe/stripe-js to 8.6.1, and react-hook-form to 7.70.0.
- Adjusted lucide-react version to be referenced from the catalog across multiple package.json files.
- Enhanced consistency in pnpm-lock.yaml and pnpm-workspace.yaml with updated package versions.

* chore: bump version to 2.23.0 and update dependencies

- Updated application version from 2.22.1 to 2.23.0 in package.json.
- Upgraded turbo dependency from 2.7.1 to 2.7.3 in package.json and pnpm-lock.yaml.
- Enhanced end-to-end testing documentation in AGENTS.md and CLAUDE.md with instructions for running tests.
- Updated AuthPageObject to use a new secret for user creation in auth.po.ts.
- Refactored team ownership transfer and member role update dialogs to close on success.
- Improved error handling for weak passwords in AuthErrorAlert component.
- Adjusted database schemas and tests to reflect changes in invitation policies and role management.
Giancarlo Buomprisco
2026-01-07 17:00:11 +01:00
committed by GitHub
parent 5237d34e6f
commit d5dc6f2528
41 changed files with 2896 additions and 1922 deletions


@@ -96,36 +96,9 @@ select
to authenticated using (public.has_role_on_account (account_id));
-- INSERT(invitations):
-- Users can create invitations to users of an account they are
-- a member of and have the 'invites.manage' permission AND the target role is not higher than the user's role
create policy invitations_create_self on public.invitations for insert to authenticated
with
check (
public.is_set ('enable_team_accounts')
and public.has_permission (
(
select
auth.uid ()
),
account_id,
'invites.manage'::public.app_permissions
)
and (public.has_more_elevated_role (
(
select
auth.uid ()
),
account_id,
role
) or public.has_same_role_hierarchy_level(
(
select
auth.uid ()
),
account_id,
role
))
);
-- Invitations are created through server actions using admin client.
-- Permission and role hierarchy checks are enforced in the server action.
-- No RLS policy needed for INSERT.
-- UPDATE(invitations):
-- Users can update invitations to users of an account they are a member of and have the 'invites.manage' permission AND
@@ -311,7 +284,8 @@ service_role;
create
or replace function public.add_invitations_to_account (
account_slug text,
invitations public.invitation[]
invitations public.invitation[],
invited_by uuid
) returns public.invitations[]
set
search_path = '' as $$
@@ -340,7 +314,10 @@ begin
from
public.accounts
where
slug = account_slug), auth.uid(), role, invite_token)
slug = account_slug),
invited_by,
role,
invite_token)
returning
* into new_invitation;
@@ -355,5 +332,4 @@ end;
$$ language plpgsql;
grant
execute on function public.add_invitations_to_account (text, public.invitation[]) to authenticated,
service_role;
execute on function public.add_invitations_to_account (text, public.invitation[], uuid) to service_role;
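Review bot: With the `invitations_create_self` policy removed and `add_invitations_to_account` now taking `invited_by` from its caller, nothing visible in this file checks that the inviter holds `invites.manage` or that the target `role` is not above their own. The whole check rests on the server action that calls the function through the admin client. Most of the function body lies outside these hunks, so this is inferred, but a guard before the insert would keep the invariant in the database: `if not public.has_permission(invited_by, <account_id>, 'invites.manage'::public.app_permissions) then raise exception 'insufficient permissions'; end if;`, where `<account_id>` is a placeholder for the id resolved from `account_slug`, plus the role-hierarchy test the old policy used. Separately, `create or replace function` with a new argument list adds an overload rather than replacing the old one. On an existing database the two-argument version therefore keeps its grant to `authenticated` unless a migration not shown here runs `drop function public.add_invitations_to_account (text, public.invitation[]);`.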