feat(auth): auto-join organizations for self-hosted mode

When running in self-hosted mode with autoJoinOrganizations enabled:
- First user signup creates a 'default' team organization (user becomes owner)
- Subsequent users are automatically added as members to all existing team orgs

The logic is inlined in auth handlers using existing querier methods.

Author: kylecarbs

bun.lock

@@ -302,6 +302,28 @@ async function handleOAuthCallback(
       password: null,
     });
 
+    // Auto-join team organizations (self-hosted mode)
+    if (c.env.autoJoinOrganizations) {
+      const teamOrgs = await db.selectTeamOrganizations();
+      if (teamOrgs.length === 0) {
+        // First user: create default org, make them owner
+        await db.insertOrganizationWithMembership({
+          name: "default",
+          kind: "organization",
+          created_by: user.id,
+        });
+      } else {
+        // Subsequent users: add as member to all existing team orgs
+        for (const org of teamOrgs) {
+          await db.insertOrganizationMembership({
+            organization_id: org.id,
+            user_id: user.id,
+            role: "member",
+          });
+        }
+      }
+    }
+
     // consume single-use invite (mark accepted)
     if (usedInviteId) {
       try {
@@ -926,6 +948,28 @@ export default function mountAuth(server: APIServer) {
         email_verified: emailVerified,
       });
 
+      // Auto-join team organizations (self-hosted mode)
+      if (c.env.autoJoinOrganizations) {
+        const teamOrgs = await db.selectTeamOrganizations();
+        if (teamOrgs.length === 0) {
+          // First user: create default org, make them owner
+          await db.insertOrganizationWithMembership({
+            name: "default",
+            kind: "organization",
+            created_by: user.id,
+          });
+        } else {
+          // Subsequent users: add as member to all existing team orgs
+          for (const org of teamOrgs) {
+            await db.insertOrganizationMembership({
+              organization_id: org.id,
+              user_id: user.id,
+              role: "member",
+            });
+          }
+        }
+      }
+
       // Sync user to telemetry system (async, don't block)
       if (c.env.sendTelemetryEvent) {
         c.env

internal/api/src/routes/auth/auth.server.ts

@@ -236,6 +236,9 @@ export interface Bindings {
 
   readonly serverVersion: string;
 
+  /** When true, auto-add new users to all existing team organizations (self-hosted mode) */
+  readonly autoJoinOrganizations?: boolean;
+
   // Optional AWS credentials used by platform logging to CloudWatch
   readonly AWS_ACCESS_KEY_ID?: string;
   readonly AWS_SECRET_ACCESS_KEY?: string;

internal/api/src/server.ts

@@ -326,6 +326,14 @@ export default class Querier {
   }
 
   // selectOrganizationMembershipsByUserID fetches all organization memberships for a user.
+  // selectTeamOrganizations fetches all team (non-personal) organizations.
+  public async selectTeamOrganizations(): Promise<Organization[]> {
+    return this.db
+      .select()
+      .from(organization)
+      .where(eq(organization.kind, "organization"));
+  }
+
   public async selectOrganizationMembershipsByUserID(userId: string): Promise<
     Array<{
       organization_membership: OrganizationMembership;

internal/database/src/querier.ts

@@ -145,6 +145,7 @@ export async function startServer(options: ServerOptions) {
           {
             AUTH_SECRET: authSecret,
             NODE_ENV: "development",
+            autoJoinOrganizations: true,
             serverVersion: pkg.version,
             ONBOARDING_AGENT_BUNDLE_URL:
               "https://artifacts.blink.host/starter-agent/bundle.tar.gz",