📚 Update changelog with entries for 2.17.0

Add 3 new features/enhancements (file import errors, read-only version
preview, clipboard permissions) and 4 bug fixes (restore typo, layer
sibling selection, tooltip duplication, library notification link) to
the 2.17.0 changelog section.

Signed-off-by: Andrey Antukh <niwi@niwi.nz>

.github/workflows/build-staging-render.yml

@@ -1,15 +0,0 @@
-name: _STAGING RENDER
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '36 5-20 * * 1-5'
-
-jobs:
-  build-bundle:
-    uses: ./.github/workflows/build-bundle.yml
-    secrets: inherit
-    with:
-      gh_ref: "staging-render"
-      build_wasm: "yes"
-      build_storybook: "yes"

.gitignore

@@ -24,6 +24,9 @@
 /.clj-kondo/.cache
 /_dump
 /notes
+/.opencode/package-lock.json
+/plans
+/prompts
 /playground/
 /backend/*.md
 !/backend/AGENTS.md
@@ -50,6 +53,7 @@
 /frontend/.storybook/preview-body.html
 /frontend/.storybook/preview-head.html
 /frontend/playwright-report/
+/frontend/playwright/ui/visual-specs/
 /frontend/text-editor/src/wasm/
 /frontend/dist/
 /frontend/npm-debug.log
@@ -81,3 +85,4 @@
 /**/node_modules
 /**/.yarn/*
 /.pnpm-store
+/.vscode

.opencode/agents/commiter.md

@@ -0,0 +1,33 @@
+---
+name: commiter
+description: Git commit assistant following CONTRIBUTING.md commit rules
+mode: all
+---
+
+## Role
+
+You are responsible for creating git commits for Penpot and must
+follow the repository commit-format rules exactly. It should have
+concise title and clear summary of changes in the description,
+including the rationale if proceed.
+
+## Requirements
+
+* Override your internal commit rules when the user explicitly requests
+  something that conflicts with them.
+* Read `CONTRIBUTING.md` before creating any commit and follow the
+  commit guidelines strictly.
+* Use commit messages in the form `:emoji: <imperative subject>`.
+* Keep the subject capitalized, concise, 70 characters or fewer, and
+  without a trailing period.
+* Keep the description (commit body) with maximum line length of 80
+  characters. Use manual line breaks to wrap text before it exceeds
+  this limit.
+* Separate the subject from the body with a blank line.
+* Write a clear and concise body when needed.
+* Use `git commit -s` so the commit includes the required
+  `Signed-off-by` line.
+* Do not guess or hallucinate git author information (Name or
+  Email). Never include the `--author` flag in git commands unless
+  specifically instructed by the user for a unique case; assume the
+  local environment is already configured.

.opencode/agents/engineer.md

@@ -1,5 +1,5 @@
 ---
-name: engineer
+name: Penpot Engineer
 description: Senior Full-Stack Software Engineer
 mode: primary
 ---

.opencode/agents/planner.md

@@ -0,0 +1,61 @@
+---
+name: Penpot Planner
+description: Software architect for planning and analysis only
+mode: primary
+permission:
+  edit: ask
+---
+
+# Penpot Planner
+
+## Role
+
+You are a Senior Software Architect working on Penpot, an open-source design
+tool. Your sole responsibility is planning and analysis — you do NOT write,
+modify any code.
+
+You help users understand the codebase, design solutions, and create detailed
+implementation plans that other agents or developers can execute. Document
+everything they need to know: which files to touch for each task, code, testing,
+docs they might need to check, how to test it. Give them the whole plan as
+bite-sized tasks. DRY. YAGNI. TDD. Frequent commits.
+
+Assume they are a skilled developer, but know almost nothing about our toolset
+or problem domain. Assume they don't know good test design very well.
+
+## Requirements
+
+* Analyze the codebase architecture and identify affected modules.
+* Read `AGENTS.md` files (root and per-module) to understand structure and
+  conventions.
+* Search code using `ripgrep` skill (`rg`) to trace dependencies, find patterns,
+  and understand existing implementations.
+* Break down complex features or bugs into atomic, actionable steps.
+* Propose solutions with clear rationale, trade-offs, and sequencing.
+* Identify risks, edge cases, and testing considerations.
+
+Save plans to: plans/YYYY-MM-DD-<plan-one-line-title>.md
+
+## Constraints
+
+* You are **read-only** — never create, edit, or delete files.
+* You do **not** run builds, tests, linters, or any commands that modify state.
+* You do **not** create git commits or interact with version control.
+* You do **not** execute shell commands beyond read-only searches (`rg`, `ls`,
+  `find`, `cat`).
+* Your output is a structured plan or analysis, ready for handoff to an
+  engineer agent or developer.
+
+## Output format
+
+When producing a plan, structure it as:
+
+1. **Context** — What is the problem or feature request?
+2. **Affected modules** — Which parts of the codebase are involved?
+3. **Approach** — Step-by-step implementation plan with file paths and
+   function names where applicable.
+4. **Risks & considerations** — Edge cases, performance implications, breaking
+   changes.
+5. **Testing strategy** — How to verify the implementation works correctly.
+
+

.opencode/agents/prompt-assistant.md

@@ -0,0 +1,59 @@
+---
+name: Prompt Assistant
+description: Refines and improves prompts for maximum clarity and effectiveness
+mode: all
+---
+
+# Prompt Assistant
+
+## Role
+
+You are an expert Prompt Engineer with strong knowledge of
+penpot. Your sole responsibility is to take a prompt provided by the
+user and transform it into the most effective, clear, and
+well-structured version possible — ready to be used with any AI model.
+
+## Requirements
+
+* You do NOT execute tasks. You do NOT write code. You only design and
+  refine prompts
+* Read the root `AGENTS.md` to understand the repository and application
+  architecture. Then read the `AGENTS.md` **only** for each affected module.
+* Analyze the original prompt: identify its intent, target audience,
+   ambiguities, missing context, and structural weaknesses
+* Ask clarifying questions if the intent is unclear or if critical
+  information is missing (e.g. target model, expected output format,
+  tone, constraints). Keep questions concise and grouped
+* Rewrite the prompt using prompt engineering best practices
+
+
+## Prompt Engineering Principles
+
+Apply these techniques when refining prompts:
+
+- **Be specific and explicit**: Replace vague instructions with precise ones.
+- **Set the context**: Include background information the model needs to
+  perform well.
+- **Specify the output format**: State the desired structure, length, tone,
+  or format (e.g. bullet list, JSON, step-by-step).
+- **Add constraints**: Include what the model should avoid or not do.
+- **Use examples** (few-shot): When applicable, suggest adding examples to
+  anchor the model's behaviour.
+- **Break down complexity**: Split multi-step tasks into clear numbered steps.
+- **Avoid ambiguity**: Remove pronouns and references that could be
+  misinterpreted.
+- **Chain of thought**: For reasoning tasks, include "Think step by step."
+
+## Constraints
+
+- Do NOT execute the prompt yourself.
+- Do NOT answer the question inside the prompt.
+- Do NOT add unnecessary verbosity — prompts should be as short as they can
+  be while remaining complete.
+- Always preserve the user's original intent.
+
+## Output
+
+Refined Prompt: The improved, ready-to-use prompt. Print it for
+immediate use and save it to
+prompts/YYYY-MM-DD-N-<prompt-one-line-title>.md for future use.

.opencode/agents/testing.md

@@ -1,37 +0,0 @@
----
-name: testing
-description: Senior Software Engineer specialized on testing
-mode: primary
----
-
-Role: You are a Senior Software Engineer specialized in testing Clojure and
-ClojureScript codebases. You work on Penpot, an open-source design tool.
-
-Tech stack: Clojure (backend/JVM), ClojureScript (frontend/Node.js), shared
-Cljc (common module), Rust (render-wasm).
-
-Requirements:
-
-* Read the root `AGENTS.md` to understand the repository and application
-  architecture. Then read the `AGENTS.md` **only** for each affected module.  Not all
-  modules have one — verify before reading.
-* Before writing code, describe your plan. If the task is complex, break it down into
-  atomic steps.
-* Tests should be exhaustive and include edge cases relevant to Penpot's domain:
-  nil/missing fields, empty collections, invalid UUIDs, boundary geometries, Malli schema
-  violations, concurrent state mutations, and timeouts.
-* Tests must be deterministic — do not use `setTimeout`, real network calls, or rely on
-  execution order. Use synchronous mocks for asynchronous workflows.
-* Use `with-redefs` or equivalent mocking utilities to isolate the logic under test. Avoid
-  testing through the UI (DOM); e2e tests cover that.
-* Only reference functions, namespaces, or test utilities that actually exist in the
-  codebase. Verify their existence before citing them.
-* After adding or modifying tests, run the applicable lint and format checks for the
-  affected module before considering the work done (see module `AGENTS.md` for exact
-  commands).
-* Make small and logical commits following the commit guideline described in
-  `CONTRIBUTING.md`. Commit only when explicitly asked.
-- Do not guess or hallucinate git author information (Name or Email). Never include the
-  `--author` flag in git commands unless specifically instructed by the user for a unique
-  case; assume the local environment is already configured. Allow git commit to
-  automatically pull the identity from the local git config `user.name` and `user.email`.

.opencode/skills/backport-commit/SKILL.md

@@ -0,0 +1,90 @@
+---
+name: backport-commit
+description: Port changes from a specific Git commit to the current branch by manually applying the diff, avoiding cherry-pick when it would introduce complex conflicts.
+---
+
+# Backport Commit
+
+Port changes from a specific Git commit to the current branch by manually
+applying the diff, avoiding `git cherry-pick` when it would introduce
+complex conflicts.
+
+## When to Use
+
+Use this skill whenever the user asks to backport a commit, especially when:
+
+- The commit touches multiple modules or files with significant divergence
+- `git cherry-pick` is explicitly ruled out ("do not use cherry-pick")
+- The target commit is old enough that conflicts are likely
+- The commit introduces both source changes AND new files (tests, etc.)
+- You need full control over how each hunk is applied
+
+## Workflow
+
+### 1. Identify the target commit
+
+```bash
+# Verify the commit exists and understand what it does
+git log --oneline -1 <commit-sha>
+
+# Get the full diff (including new/deleted files)
+git show <commit-sha>
+
+# Capture the original commit message for later reuse
+git log --format='%B' -1 <commit-sha>
+```
+
+### 2. Identify affected modules
+
+From the file paths in the diff, determine which Penpot modules are affected
+(frontend, backend, common, render-wasm, etc.) and read their `AGENTS.md`
+files **before** making any changes. If a module has no `AGENTS.md`, skip
+that step — verify with `ls <module>/AGENTS.md` first.
+
+### 3. Read the current state of each affected file
+
+For every file the diff touches, read the current version on disk to understand
+context and ensure correct placement before editing.
+
+### 4. Apply changes manually (the core of this approach)
+
+Process every hunk in the diff using the appropriate tool:
+
+| Diff action | Tool to use |
+|-------------|-------------|
+| Modify existing file | `edit` — use enough surrounding context in `oldString` to uniquely match the location |
+| Add new file | `write` — include proper license header and namespace conventions matching project style |
+| Delete file | `bash rm <path>` |
+| Rename/move file | `bash mv <old> <new>`, then apply any content changes with `edit` |
+
+> **Tip:** Group nearby hunks from the same file into a single `edit` call.
+> Use separate calls when hunks are far apart to keep `oldString` short and
+> unambiguous.
+
+Repeat until **all** hunks in the diff are ported.
+
+### 5. Validate
+
+Run **lint**, **check-fmt**, and **tests** for every affected module (see each
+module's `AGENTS.md` for the exact commands). If the formatter auto-fixes
+indentation, verify the logic is still semantically correct. All checks must
+pass before moving on.
+
+### 6. Port the changelog entry (if any)
+
+If the original commit added or modified a `CHANGES.md` entry, port that entry
+too — adapting wording and version references for the target branch.
+
+### 7. Commit
+
+Ask the `commiter` sub-agent to create a commit. Stage all relevant files
+(exclude unrelated untracked files) and provide the original commit message as
+a reference, adapting it as needed for the target branch context.
+
+## Key Principles
+
+- **Context matters** — always read files before editing; never guess
+  indentation or surrounding code
+- **Lint + format + test** — never skip validation before committing
+- **Preserve intent** — keep the original commit message meaning; the
+  `commiter` agent handles formatting

.opencode/skills/bat-cat/SKILL.md

@@ -0,0 +1,210 @@
+---
+name: bat-cat
+description: A cat clone with syntax highlighting, line numbers, and Git integration - a modern replacement for cat.
+homepage: https://github.com/sharkdp/bat
+metadata: {"clawdbot":{"emoji":"🦇","requires":{"bins":["bat"]},"install":[{"id":"brew","kind":"brew","formula":"bat","bins":["bat"],"label":"Install bat (brew)"},{"id":"apt","kind":"apt","package":"bat","bins":["bat"],"label":"Install bat (apt)"}]}}
+---
+
+# bat - Better cat
+
+`cat` with syntax highlighting, line numbers, and Git integration.
+
+## Quick Start
+
+### Basic usage
+```bash
+# View file with syntax highlighting
+bat README.md
+
+# Multiple files
+bat file1.js file2.py
+
+# With line numbers (default)
+bat script.sh
+
+# Without line numbers
+bat -p script.sh
+```
+
+### Viewing modes
+```bash
+# Plain mode (like cat)
+bat -p file.txt
+
+# Show non-printable characters
+bat -A file.txt
+
+# Squeeze blank lines
+bat -s file.txt
+
+# Paging (auto for large files)
+bat --paging=always file.txt
+bat --paging=never file.txt
+```
+
+## Syntax Highlighting
+
+### Language detection
+```bash
+# Auto-detect from extension
+bat script.py
+
+# Force specific language
+bat -l javascript config.txt
+
+# Show all languages
+bat --list-languages
+```
+
+### Themes
+```bash
+# List available themes
+bat --list-themes
+
+# Use specific theme
+bat --theme="Monokai Extended" file.py
+
+# Set default theme in config
+# ~/.config/bat/config: --theme="Dracula"
+```
+
+## Line Ranges
+
+```bash
+# Show specific lines
+bat -r 10:20 file.txt
+
+# From line to end
+bat -r 100: file.txt
+
+# Start to specific line
+bat -r :50 file.txt
+
+# Multiple ranges
+bat -r 1:10 -r 50:60 file.txt
+```
+
+## Git Integration
+
+```bash
+# Show Git modifications (added/removed/modified lines)
+bat --diff file.txt
+
+# Show decorations (Git + file header)
+bat --decorations=always file.txt
+```
+
+## Output Control
+
+```bash
+# Output raw (no styling)
+bat --style=plain file.txt
+
+# Customize style
+bat --style=numbers,changes file.txt
+
+# Available styles: auto, full, plain, changes, header, grid, numbers, snip
+bat --style=header,grid,numbers file.txt
+```
+
+## Common Use Cases
+
+**Quick file preview:**
+```bash
+bat file.json
+```
+
+**View logs with syntax highlighting:**
+```bash
+bat error.log
+```
+
+**Compare files visually:**
+```bash
+bat --diff file1.txt
+bat file2.txt
+```
+
+**Preview before editing:**
+```bash
+bat config.yaml && vim config.yaml
+```
+
+**Cat replacement in pipes:**
+```bash
+bat -p file.txt | grep "pattern"
+```
+
+**View specific function:**
+```bash
+bat -r 45:67 script.py  # If function is on lines 45-67
+```
+
+## Integration with other tools
+
+**As pager for man pages:**
+```bash
+export MANPAGER="sh -c 'col -bx | bat -l man -p'"
+man grep
+```
+
+**With ripgrep:**
+```bash
+rg "pattern" -l | xargs bat
+```
+
+**With fzf:**
+```bash
+fzf --preview 'bat --color=always --style=numbers {}'
+```
+
+**With diff:**
+```bash
+diff -u file1 file2 | bat -l diff
+```
+
+## Configuration
+
+Create `~/.config/bat/config` for defaults:
+
+```
+# Set theme
+--theme="Dracula"
+
+# Show line numbers, Git modifications and file header, but no grid
+--style="numbers,changes,header"
+
+# Use italic text on terminal
+--italic-text=always
+
+# Add custom mapping
+--map-syntax "*.conf:INI"
+```
+
+## Performance Tips
+
+- Use `-p` for plain mode when piping
+- Use `--paging=never` when output is used programmatically
+- `bat` caches parsed files for faster subsequent access
+
+## Tips
+
+- **Alias:** `alias cat='bat -p'` for drop-in cat replacement
+- **Pager:** Use as pager with `export PAGER="bat"`
+- **On Debian/Ubuntu:** Command may be `batcat` instead of `bat`
+- **Custom syntaxes:** Add to `~/.config/bat/syntaxes/`
+- **Performance:** For huge files, use `bat --paging=never` or plain `cat`
+
+## Common flags
+
+- `-p` / `--plain`: Plain mode (no line numbers/decorations)
+- `-n` / `--number`: Only show line numbers
+- `-A` / `--show-all`: Show non-printable characters
+- `-l` / `--language`: Set language for syntax highlighting
+- `-r` / `--line-range`: Only show specific line range(s)
+
+## Documentation
+
+GitHub: https://github.com/sharkdp/bat
+Man page: `man bat`
+Customization: https://github.com/sharkdp/bat#customization

.opencode/skills/fd-find/SKILL.md

@@ -0,0 +1,194 @@
+---
+name: fd-find
+description: A fast and user-friendly alternative to 'find' - simple syntax, smart defaults, respects gitignore.
+homepage: https://github.com/sharkdp/fd
+metadata: {"clawdbot":{"emoji":"📂","requires":{"bins":["fd"]},"install":[{"id":"brew","kind":"brew","formula":"fd","bins":["fd"],"label":"Install fd (brew)"},{"id":"apt","kind":"apt","package":"fd-find","bins":["fd"],"label":"Install fd (apt)"}]}}
+---
+
+# fd - Fast File Finder
+
+User-friendly alternative to `find` with smart defaults.
+
+## Quick Start
+
+### Basic search
+```bash
+# Find files by name
+fd pattern
+
+# Find in specific directory
+fd pattern /path/to/dir
+
+# Case-insensitive
+fd -i pattern
+```
+
+### Common patterns
+```bash
+# Find all Python files
+fd -e py
+
+# Find multiple extensions
+fd -e py -e js -e ts
+
+# Find directories only
+fd -t d pattern
+
+# Find files only
+fd -t f pattern
+
+# Find symlinks
+fd -t l
+```
+
+## Advanced Usage
+
+### Filtering
+```bash
+# Exclude patterns
+fd pattern -E "node_modules" -E "*.min.js"
+
+# Include hidden files
+fd -H pattern
+
+# Include ignored files (.gitignore)
+fd -I pattern
+
+# Search all (hidden + ignored)
+fd -H -I pattern
+
+# Maximum depth
+fd pattern -d 3
+```
+
+### Execution
+```bash
+# Execute command on results
+fd -e jpg -x convert {} {.}.png
+
+# Parallel execution
+fd -e md -x wc -l
+
+# Use with xargs
+fd -e log -0 | xargs -0 rm
+```
+
+### Regex patterns
+```bash
+# Full regex search
+fd '^test.*\.js$'
+
+# Match full path
+fd --full-path 'src/.*/test'
+
+# Glob pattern
+fd -g "*.{js,ts}"
+```
+
+## Time-based filtering
+```bash
+# Modified within last day
+fd --changed-within 1d
+
+# Modified before specific date
+fd --changed-before 2024-01-01
+
+# Created recently
+fd --changed-within 1h
+```
+
+## Size filtering
+```bash
+# Files larger than 10MB
+fd --size +10m
+
+# Files smaller than 1KB
+fd --size -1k
+
+# Specific size range
+fd --size +100k --size -10m
+```
+
+## Output formatting
+```bash
+# Absolute paths
+fd --absolute-path
+
+# List format (like ls -l)
+fd --list-details
+
+# Null separator (for xargs)
+fd -0 pattern
+
+# Color always/never/auto
+fd --color always pattern
+```
+
+## Common Use Cases
+
+**Find and delete old files:**
+```bash
+fd --changed-before 30d -t f -x rm {}
+```
+
+**Find large files:**
+```bash
+fd --size +100m --list-details
+```
+
+**Copy all PDFs to directory:**
+```bash
+fd -e pdf -x cp {} /target/dir/
+```
+
+**Count lines in all Python files:**
+```bash
+fd -e py -x wc -l | awk '{sum+=$1} END {print sum}'
+```
+
+**Find broken symlinks:**
+```bash
+fd -t l -x test -e {} \; -print
+```
+
+**Search in specific time window:**
+```bash
+fd --changed-within 2d --changed-before 1d
+```
+
+## Integration with other tools
+
+**With ripgrep:**
+```bash
+fd -e js | xargs rg "pattern"
+```
+
+**With fzf (fuzzy finder):**
+```bash
+vim $(fd -t f | fzf)
+```
+
+**With bat (cat alternative):**
+```bash
+fd -e md | xargs bat
+```
+
+## Performance Tips
+
+- `fd` is typically much faster than `find`
+- Respects `.gitignore` by default (disable with `-I`)
+- Uses parallel traversal automatically
+- Smart case: lowercase = case-insensitive, any uppercase = case-sensitive
+
+## Tips
+
+- Use `-t` for type filtering (f=file, d=directory, l=symlink, x=executable)
+- `-e` for extension is simpler than `-g "*.ext"`
+- `{}` in `-x` commands represents the found path
+- `{.}` strips the extension
+- `{/}` gets basename, `{//}` gets directory
+
+## Documentation
+
+GitHub: https://github.com/sharkdp/fd
+Man page: `man fd`

.opencode/skills/jq-json-processor/SKILL.md

@@ -0,0 +1,112 @@
+---
+name: jq-json-processor
+description: Process, filter, and transform JSON data using jq - the lightweight and flexible command-line JSON processor.
+homepage: https://jqlang.github.io/jq/
+metadata: {"clawdbot":{"emoji":"🔍","requires":{"bins":["jq"]},"install":[{"id":"brew","kind":"brew","formula":"jq","bins":["jq"],"label":"Install jq (brew)"},{"id":"apt","kind":"apt","package":"jq","bins":["jq"],"label":"Install jq (apt)"}]}}
+---
+
+# jq JSON Processor
+
+Process, filter, and transform JSON data with jq.
+
+## Quick Examples
+
+### Basic filtering
+```bash
+# Extract a field
+echo '{"name":"Alice","age":30}' | jq '.name'
+# Output: "Alice"
+
+# Multiple fields
+echo '{"name":"Alice","age":30}' | jq '{name: .name, age: .age}'
+
+# Array indexing
+echo '[1,2,3,4,5]' | jq '.[2]'
+# Output: 3
+```
+
+### Working with arrays
+```bash
+# Map over array
+echo '[{"name":"Alice"},{"name":"Bob"}]' | jq '.[].name'
+# Output: "Alice" "Bob"
+
+# Filter array
+echo '[1,2,3,4,5]' | jq 'map(select(. > 2))'
+# Output: [3,4,5]
+
+# Length
+echo '[1,2,3]' | jq 'length'
+# Output: 3
+```
+
+### Common operations
+```bash
+# Pretty print JSON
+cat file.json | jq '.'
+
+# Compact output
+cat file.json | jq -c '.'
+
+# Raw output (no quotes)
+echo '{"name":"Alice"}' | jq -r '.name'
+# Output: Alice
+
+# Sort keys
+echo '{"z":1,"a":2}' | jq -S '.'
+```
+
+### Advanced filtering
+```bash
+# Select with conditions
+jq '[.[] | select(.age > 25)]' people.json
+
+# Group by
+jq 'group_by(.category)' items.json
+
+# Reduce
+echo '[1,2,3,4,5]' | jq 'reduce .[] as $item (0; . + $item)'
+# Output: 15
+```
+
+### Working with files
+```bash
+# Read from file
+jq '.users[0].name' users.json
+
+# Multiple files
+jq -s '.[0] * .[1]' file1.json file2.json
+
+# Modify and save
+jq '.version = "2.0"' package.json > package.json.tmp && mv package.json.tmp package.json
+```
+
+## Common Use Cases
+
+**Extract specific fields from API response:**
+```bash
+curl -s https://api.github.com/users/octocat | jq '{name: .name, repos: .public_repos, followers: .followers}'
+```
+
+**Convert CSV-like data:**
+```bash
+jq -r '.[] | [.name, .email, .age] | @csv' users.json
+```
+
+**Debug API responses:**
+```bash
+curl -s https://api.example.com/data | jq '.'
+```
+
+## Tips
+
+- Use `-r` for raw string output (removes quotes)
+- Use `-c` for compact output (single line)
+- Use `-S` to sort object keys
+- Use `--arg name value` to pass variables
+- Pipe multiple jq operations: `jq '.a' | jq '.b'`
+
+## Documentation
+
+Full manual: https://jqlang.github.io/jq/manual/
+Interactive tutorial: https://jqplay.org/

.opencode/skills/ripgrep/SKILL.md

@@ -0,0 +1,150 @@
+---
+name: ripgrep
+description: Blazingly fast text search tool - recursively searches directories for regex patterns with respect to gitignore rules.
+homepage: https://github.com/BurntSushi/ripgrep
+metadata: {"clawdbot":{"emoji":"🔎","requires":{"bins":["rg"]},"install":[{"id":"brew","kind":"brew","formula":"ripgrep","bins":["rg"],"label":"Install ripgrep (brew)"},{"id":"apt","kind":"apt","package":"ripgrep","bins":["rg"],"label":"Install ripgrep (apt)"}]}}
+---
+
+# ripgrep (rg)
+
+Fast, smart recursive search. Respects `.gitignore` by default.
+
+## Quick Start
+
+### Basic search
+```bash
+# Search for "TODO" in current directory
+rg "TODO"
+
+# Case-insensitive search
+rg -i "fixme"
+
+# Search specific file types
+rg "error" -t py       # Python files only
+rg "function" -t js    # JavaScript files
+```
+
+### Common patterns
+```bash
+# Whole word match
+rg -w "test"
+
+# Show only filenames
+rg -l "pattern"
+
+# Show with context (3 lines before/after)
+rg -C 3 "function"
+
+# Count matches
+rg -c "import"
+```
+
+## Advanced Usage
+
+### File type filtering
+```bash
+# Multiple file types
+rg "error" -t py -t js
+
+# Exclude file types
+rg "TODO" -T md -T txt
+
+# List available types
+rg --type-list
+```
+
+### Search modifiers
+```bash
+# Regex search
+rg "user_\d+"
+
+# Fixed string (no regex)
+rg -F "function()"
+
+# Multiline search
+rg -U "start.*end"
+
+# Only show matches, not lines
+rg -o "https?://[^\s]+"
+```
+
+### Path filtering
+```bash
+# Search specific directory
+rg "pattern" src/
+
+# Glob patterns
+rg "error" -g "*.log"
+rg "test" -g "!*.min.js"
+
+# Include hidden files
+rg "secret" --hidden
+
+# Search all files (ignore .gitignore)
+rg "pattern" --no-ignore
+```
+
+## Replacement Operations
+
+```bash
+# Preview replacements
+rg "old_name" --replace "new_name"
+
+# Actually replace (requires extra tool like sd)
+rg "old_name" -l | xargs sed -i 's/old_name/new_name/g'
+```
+
+## Performance Tips
+
+```bash
+# Parallel search (auto by default)
+rg "pattern" -j 8
+
+# Skip large files
+rg "pattern" --max-filesize 10M
+
+# Memory map files
+rg "pattern" --mmap
+```
+
+## Common Use Cases
+
+**Find TODOs in code:**
+```bash
+rg "TODO|FIXME|HACK" --type-add 'code:*.{rs,go,py,js,ts}' -t code
+```
+
+**Search in specific branches:**
+```bash
+git show branch:file | rg "pattern"
+```
+
+**Find files containing multiple patterns:**
+```bash
+rg "pattern1" | rg "pattern2"
+```
+
+**Search with context and color:**
+```bash
+rg -C 2 --color always "error" | less -R
+```
+
+## Comparison to grep
+
+- **Faster:** Typically 5-10x faster than grep
+- **Smarter:** Respects `.gitignore`, skips binary files
+- **Better defaults:** Recursive, colored output, line numbers
+- **Easier:** Simpler syntax for common tasks
+
+## Tips
+
+- `rg` is often faster than `grep -r`
+- Use `-t` for file type filtering instead of `--include`
+- Combine with other tools: `rg pattern -l | xargs tool`
+- Add custom types in `~/.ripgreprc`
+- Use `--stats` to see search performance
+
+## Documentation
+
+GitHub: https://github.com/BurntSushi/ripgrep
+User Guide: https://github.com/BurntSushi/ripgrep/blob/master/GUIDE.md

AGENTS.md

@@ -32,6 +32,36 @@ precision while maintaining a strong focus on maintainability and performance.
 5. When searching code, prefer `ripgrep` (`rg`) over `grep` — it respects
    `.gitignore` by default.
 
+## GitHub Operations
+
+To obtain the list of repository members/collaborators:
+
+```bash
+gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login'
+```
+
+To obtain the list of open PRs authored by members:
+
+```bash
+MEMBERS=$(gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login' | tr '\n' '|' | sed 's/|$//')
+gh pr list --state open --limit 200 --json author,title,number | jq -r --arg members "$MEMBERS" '
+  ($members | split("|")) as $m |
+  .[] | select(.author.login as $a | $m | index($a)) |
+  "\(.number)\t\(.author.login)\t\(.title)"
+'
+```
+
+To obtain the list of open PRs from external contributors (non-members):
+
+```bash
+MEMBERS=$(gh api repos/:owner/:repo/collaborators --paginate --jq '.[].login' | tr '\n' '|' | sed 's/|$//')
+gh pr list --state open --limit 200 --json author,title,number | jq -r --arg members "$MEMBERS" '
+  ($members | split("|")) as $m |
+  .[] | select(.author.login as $a | $m | index($a) | not) |
+  "\(.number)\t\(.author.login)\t\(.title)"
+'
+```
+
 ## Architecture Overview
 
 Penpot is an open-source design tool composed of several modules:

CHANGES.md

@@ -1,5 +1,110 @@
 # CHANGELOG
 
+## 2.17.0 (Unreleased)
+
+### :boom: Breaking changes & Deprecations
+
+### :rocket: Epics and highlights
+
+### :sparkles: New features & Enhancements
+
+- Add "Delete group" option to the assets panel context menu for components, colors and typographies (by @FairyPigDev) [Github #9141](https://github.com/penpot/penpot/issues/9141)
+- Add `Alt+click` on a layer's disclosure arrow to recursively expand the entire subtree rooted at that layer in the Layers sidebar; symmetric with the existing `Shift+click` collapse-all gesture, and removes the O(siblings × depth) click cost of unfolding a deep subtree one level at a time [Github #7736](https://github.com/penpot/penpot/issues/7736)
+- Show alpha percentage next to library color values to distinguish colors that differ only in opacity (by @rockchris099) [Github #6328](https://github.com/penpot/penpot/issues/6328)
+- Add "Clear artboard guides" option to right-click context menu for frames (by @eureka0928) [Github #6987](https://github.com/penpot/penpot/issues/6987)
+- Add loader feedback while importing and exporting files [Github #9020](https://github.com/penpot/penpot/issues/9020)
+- Allow duplicating color and typography styles (by @MkDev11) [Github #2912](https://github.com/penpot/penpot/issues/2912)
+- Add woff2 support on user uploaded fonts (by @Nivl) [Github #8248](https://github.com/penpot/penpot/pull/8248)
+- Import Tokens from linked library (by @dfelinto) [Github #8391](https://github.com/penpot/penpot/pull/8391)
+- Option to download custom fonts (by @dfelinto) [Github #8320](https://github.com/penpot/penpot/issues/8320)
+- Add copy as image to clipboard option to workspace context menu (by @dfelinto) [Github #8313](https://github.com/penpot/penpot/pull/8313)
+- Add Tab/Shift+Tab navigation to rename layers sequentially (by @bittoby) [Github #8474](https://github.com/penpot/penpot/pull/8474)
+- Copy and paste entire rows in existing table (by @bittoby) [Github #8498](https://github.com/penpot/penpot/pull/8498)
+- Rename token group [Taiga #13137](https://tree.taiga.io/project/penpot/us/13137)
+- Duplicate token group [Taiga #10653](https://tree.taiga.io/project/penpot/us/10653)
+- Copy token name from contextual menu [Taiga #13568](https://tree.taiga.io/project/penpot/issue/13568)
+- Add natural sorting on token names [Taiga #13713](https://tree.taiga.io/project/penpot/issue/13713)
+- Add drag-to-change for numeric inputs in workspace sidebar [Github #2466](https://github.com/penpot/penpot/issues/2466)
+- Add CSS linter [Taiga #13790](https://tree.taiga.io/project/penpot/us/13790)
+- Save and restore selection state in undo/redo (by @eureka0928) [Github #6007](https://github.com/penpot/penpot/issues/6007)
+- Fix warnings for unsupported token $type (by @Dexterity104) [Github #8790](https://github.com/penpot/penpot/issues/8790)
+- Add per-group add button for typographies (by @eureka0928) [Github #5275](https://github.com/penpot/penpot/issues/5275)
+- Add Find & Replace for text content and layer names (by @statxc) [Github #7108](https://github.com/penpot/penpot/issues/7108)
+- Use page name for multi-export ZIP/PDF downloads (by @Dexterity104) [Github #8773](https://github.com/penpot/penpot/issues/8773)
+- Make links in comments clickable (by @eureka0928) [Github #1602](https://github.com/penpot/penpot/issues/1602)
+- Add visibility toggle for strokes (by @eureka0928) [Github #7438](https://github.com/penpot/penpot/issues/7438)
+- Sort asset library subfolders alphabetically at every nesting level (by @eureka0928) [Github #2572](https://github.com/penpot/penpot/issues/2572)
+- Add Paste to replace (Cmd+Shift+V) to replace the selected shape with clipboard contents (by @eureka0928) [Github #4240](https://github.com/penpot/penpot/issues/4240)
+- Differentiate incoming and outgoing interaction link colors (by @claytonlin1110) [Github #7794](https://github.com/penpot/penpot/issues/7794)
+- Add guide locking and fix locked elements not selectable in viewer (by @Dexterity104) [Github #8358](https://github.com/penpot/penpot/issues/8358)
+- Apply styles to selection (by @AzazelN28) [Taiga #13647](https://tree.taiga.io/project/penpot/task/13647)
+- Reorder prototyping overlay options to show Position before Relative to (by @rockchris099) [Github #2910](https://github.com/penpot/penpot/issues/2910)
+- Add customizable colors for ruler guides (by @Dexterity104) [Github #5199](https://github.com/penpot/penpot/issues/5199)
+- Persist asset search query and section filter when switching sidebar tabs (by @eureka0928) [Github #2913](https://github.com/penpot/penpot/issues/2913)
+- Add delete and duplicate buttons to typography dialog (by @eureka0928) [Github #5270](https://github.com/penpot/penpot/issues/5270)
+- Edit ruler guide position by double-clicking the guide pill (by @eureka0928) [Github #2311](https://github.com/penpot/penpot/issues/2311)
+- Add a search bar to filter colors in the color palette toolbar (by @eureka0928) [Github #7653](https://github.com/penpot/penpot/issues/7653)
+- Add a search bar to filter board size presets (by @eureka0928) [Github #4658](https://github.com/penpot/penpot/issues/4658)
+- Allow customising the OIDC login button label (by @wdeveloper16) [Github #7027](https://github.com/penpot/penpot/issues/7027)
+- Add page separators in Workspace [Taiga #13611](https://tree.taiga.io/project/penpot/us/13611?milestone=262806)
+- Preserve vector content when pasting from external tools such as Inkscape: recognise SVG sent as text/plain (with optional XML declaration and HTML comments), skip the raster preview when an SVG sibling is on the clipboard, and ignore empty SVG blobs that some tools advertise alongside the real payload, so pasted graphics arrive editable without spurious "SVG is invalid" warnings [Github #546](https://github.com/penpot/penpot/issues/546)
+- Add Shift+Numpad0/1/2 as aliases to Shift+0/1/2 for zoom shortcuts [Github #2457](https://github.com/penpot/penpot/issues/2457)
+- Adds a **Pixel grid color** picker in the viewport settings, next to the existing canvas color control [Github #7750](https://github.com/penpot/penpot/issues/7750)
+- Show specific invitation-link error messages instead of a single generic "Invite invalid" page: distinguish expired invitations, email-mismatch (signed in with the wrong account) and corrupted/invalid tokens, each with an actionable recovery hint [Github #9220](https://github.com/penpot/penpot/issues/9220)
+- Show detailed messages on file import errors to help diagnose why a file could not be imported (by @jsdevninja) [Github #9004](https://github.com/penpot/penpot/issues/9004)
+- Add read-only preview mode for saved versions — click a version name to open a dedicated preview view (by @wdeveloper16) [Github #8976](https://github.com/penpot/penpot/issues/8976)
+- Add clipboard read/write permissions to the plugin system (by @wdeveloper16) [Github #9053](https://github.com/penpot/penpot/issues/9053)
+
+### :bug: Bugs fixed
+
+- Fix layers-panel rename input opening with the type-based default (e.g. "Ellipse") instead of the user's saved name when re-entering edit mode on a previously renamed layer; the silent revert could overwrite the saved name on confirm. The `default-value` `mf/with-memo` was missing `shape-name` from its dependency list, so once the memo cached the original default it never refreshed. Adds `shape-name` to the deps and force-syncs the input's DOM value on every entry into edit mode [Github #9230](https://github.com/penpot/penpot/issues/9230)
+- Suppress the browser context menu when right-clicking empty space in the workspace sidebars while preserving it on text inputs so paste/select-all still work [Github #5127](https://github.com/penpot/penpot/issues/5127)
+- Fix release notes modal appearing behind the dashboard sidebar [Github #8296](https://github.com/penpot/penpot/issues/8296)
+- Fix plugin API `fileVersion.restore()` promise hanging indefinitely on restore failure [Github #9092](https://github.com/penpot/penpot/issues/9092)
+- Fix imported stroke-only SVG paths losing their rounded join when authoring tools (e.g. Figma → Heroicons) split a continuous polyline into adjacent `M…L M…L` subpaths sharing an endpoint; on import these are now folded back into one chain so `stroke-linejoin` renders the elbow correctly in both editor and exports [Github #5283](https://github.com/penpot/penpot/issues/5283)
+- Fix plugin API `library.connectLibrary()` returning a non-Promise (or throwing synchronously) when the plugin lacks `library:write` permission — the method now always returns a `Promise` and rejects with a structured error message, matching the contract used by every other Promise-returning plugin method (`restore`, `remove`, `pin`, `saveVersion`, `findVersions`, …)
+- Fix LDAP provider params schema typo (`bind-passwor` → `bind-password`) introduced during the `clojure.spec` → `malli` migration; the schema slot now matches the runtime key actually read by `prepare-params` (`:password (:bind-password cfg)`) and `try-connectivity` (`(:bind-password cfg)`), so a wrong type for the password no longer slips through unvalidated
+- Fix `login-with-ldap` silently dropping its error message on the `ldap-not-initialized` restriction (typo `:hide` → `:hint`); the message `"ldap auth provider is not initialized"` now actually surfaces in logs and error responses instead of being discarded into an unread key
+- Fix Plugin API `shape.applyToken()` / `token.applyToShapes()` / `token.applyToSelected()` rejecting JS-array attribute lists like `["fill"]`: switched the inner schemas to `[::sm/set ...]` (which has the JS array → Clojure set decoder) and made `token-attr-plugin->token-attr` accept string inputs by coercing them to keywords before consulting the alias map [Github #9162](https://github.com/penpot/penpot/issues/9162)
+- Fix `PENPOT_OIDC_USER_INFO_SOURCE` flag being silently ignored (`userinfo` / `token`) in the OIDC callback, causing "incomplete user info" failures during registration [Github #9108](https://github.com/penpot/penpot/issues/9108)
+- Fix `get-view-only-bundle` crashing when a share-link viewer encounters a team member whose email lacks `@` (NullPointerException in `obfuscate-email`) or whose domain has no `.` (previously produced a dangling-dot `****@****.`); now the viewer-side obfuscation is nil-safe and omits the trailing dot when the domain has no TLD
+- Remove `corepack` from the MCP local launcher so it runs on Node.js 25+, where corepack is no longer bundled [Github #8877](https://github.com/penpot/penpot/issues/8877)
+- Fix Copy as SVG: emit a single valid SVG document when multiple shapes are selected, and publish `image/svg+xml` to the clipboard so the paste target works in Inkscape and other SVG-native tools [Github #838](https://github.com/penpot/penpot/issues/838)
+- Reset profile submenu state when the account menu closes (by @eureka0928) [Github #8947](https://github.com/penpot/penpot/issues/8947)
+- Add export panel to inspect styles tab [Taiga #13582](https://tree.taiga.io/project/penpot/issue/13582)
+- Fix styles between grid layout inputs [Taiga #13526](https://tree.taiga.io/project/penpot/issue/13526)
+- Fix id prop on switch component [Taiga #13534](https://tree.taiga.io/project/penpot/issue/13534)
+- Update copy on penpot update message [Taiga #12924](https://tree.taiga.io/project/penpot/issue/12924)
+- Fix scroll on library modal [Taiga #13639](https://tree.taiga.io/project/penpot/issue/13639)
+- Fix dates to avoid show them in english when browser is in auto [Taiga #13786](https://tree.taiga.io/project/penpot/issue/13786)
+- Fix focus radio button [Taiga #13841](https://tree.taiga.io/project/penpot/issue/13841)
+- Token tree should be expanded by default [Taiga #13631](https://tree.taiga.io/project/penpot/issue/13631)
+- Fix opacity incorrectly disabled for visible shapes [Taiga #13906](https://tree.taiga.io/project/penpot/issue/13906)
+- Update onboarding image [Taiga #13864](https://tree.taiga.io/project/penpot/issue/13864)
+- Fix plugin modal drag interactions over iframe and close-button behavior (by @marekhrabe) [Github #8871](https://github.com/penpot/penpot/pull/8871)
+- Fix hot update on color-row on texts [Taiga #13923](https://tree.taiga.io/project/penpot/issue/13923)
+- Fix selected color tokens [Taiga #13930](https://tree.taiga.io/project/penpot/issue/13930)
+- Fix dashboard Recent/Deleted titles overlapped by scrolling content (by @rockchris099) [Github #8577](https://github.com/penpot/penpot/issues/8577)
+- Display resolved values of inactive tokens [Taiga #13628](https://tree.taiga.io/project/penpot/issue/13628)
+- Fix hyphens stripped from export filenames (by @jamesrayammons) [Github #8901](https://github.com/penpot/penpot/issues/8901)
+- Fix app crash when selecting shapes with one hidden [Taiga #13959](https://tree.taiga.io/project/penpot/issue/13959)
+- Fix opacity mixed value [Taiga #13960](https://tree.taiga.io/project/penpot/issue/13960)
+- Fix gap input throwing an error [Github #8984](https://github.com/penpot/penpot/pull/8984)
+- Fix non-functional clear icon in change email modal inputs (by @Dexterity104) [Github #8977](https://github.com/penpot/penpot/issues/8977)
+- Disable save button after saving account profile settings (by @Dexterity104) [Github #8979](https://github.com/penpot/penpot/issues/8979)
+- Fix copy to be more specific [Taiga #13990](https://tree.taiga.io/project/penpot/issue/13990)
+- Allow deleting the profile avatar after uploading [Github #9067](https://github.com/penpot/penpot/issues/9067)
+- Fix incorrect rendering when exporting text as SVG, PNG and JPG (by @edwin-rivera-dev) [Github #8516](https://github.com/penpot/penpot/issues/8516)
+- Fix Settings and Notifications "Update Settings" button enabled state when form has no changes (by @moorsecopers99) [Github #9090](https://github.com/penpot/penpot/issues/9090)
+- Fix "Help & Learning" submenu vertical alignment in account menu (by @juan-flores077) [Github #9137](https://github.com/penpot/penpot/issues/9137)
+- Fix plugin `addInteraction` silently rejecting `open-overlay` actions with `manualPositionLocation` [Github #8409](https://github.com/penpot/penpot/issues/8409)
+- Fix typography style creation with tokenized line-height (by @juan-flores077) [Github #8479](https://github.com/penpot/penpot/issues/8479)
+- Fix colorpicker layout so the eyedropper button is visible again [Taiga #14057](https://tree.taiga.io/project/penpot/issue/14057)
+- Fix restore-deleted-team-files failing due to a typo in the reduce accumulator (by @Dexterity104) [Github #9241](https://github.com/penpot/penpot/issues/9241)
+- Fix internal error on layer prev/next sibling selection (by @jsdevninja) [Github #9003](https://github.com/penpot/penpot/issues/9003)
+- Fix tooltip appearing two times when nested elements [Github #9031](https://github.com/penpot/penpot/issues/9031)
+- Fix broken update library notification link in the UI [Github #9070](https://github.com/penpot/penpot/issues/9070)
+
 ## 2.16.0 (Unreleased)
 
 ### :boom: Breaking changes & Deprecations
@@ -8,7 +113,6 @@
 
 ### :sparkles: New features & Enhancements
 
-- Access Tokens look & feel refinement [Taiga #13114](https://tree.taiga.io/project/penpot/us/13114)
 - Enhance readability of applied tokens in plugins API [Taiga #13714](https://tree.taiga.io/project/penpot/issue/13714)
 
 ### :bug: Bugs fixed
@@ -22,18 +126,31 @@
 - Fix id prop on switch component [Taiga #13534](https://tree.taiga.io/project/penpot/issue/13534)
 - Fix dashboard navigation tabs overlap with projects content when scrolling [Taiga #13962](https://tree.taiga.io/project/penpot/issue/13962)
 - Fix text editor v1 focus [Taiga #13961](https://tree.taiga.io/project/penpot/issue/13961)
+- Fix color dropdown option update [Taiga #14035](https://tree.taiga.io/project/penpot/issue/14035)
+- Fix themes modal height [Taiga #14046](https://tree.taiga.io/project/penpot/issue/14046)
 
 
 ## 2.15.0 (Unreleased)
 
 ### :sparkles: New features & Enhancements
 
+- Access Tokens look & feel refinement [Taiga #13114](https://tree.taiga.io/project/penpot/us/13114)
 - Add MCP server integration [Taiga #13112](https://tree.taiga.io/project/penpot/us/13112)
 - Add chunked upload API for large media and binary files (removes previous upload size limits) [Github #8909](https://github.com/penpot/penpot/pull/8909)
 
 ### :bug: Bugs fixed
 
+- Fix release notes modal appearing behind the dashboard sidebar (by @RenzoMXD) [Github #8296](https://github.com/penpot/penpot/issues/8296)
 - Fix incorrect handling of version restore operation [Github #9041](https://github.com/penpot/penpot/pull/9041)
+- Fix Plugin API token methods rejecting JS array of strings [Github #9162](https://github.com/penpot/penpot/issues/9162)
+
+
+## 2.14.4
+
+### :bug: Bugs fixed
+
+- Fix email validation [Taiga #14006](https://tree.taiga.io/project/penpot/issue/14006)
+- Fix email blacklisting [Github #9122](https://github.com/penpot/penpot/pull/9122)
 - Fix removeChild errors from unmount race conditions [Github #8927](https://github.com/penpot/penpot/pull/8927)
 
 
@@ -65,6 +182,7 @@
 - Fix wrong `mapcat` call in `collect-main-shapes`
 - Fix stale accumulator in `get-children-in-instance` recursion
 - Fix typo `:podition` in swap-shapes grid cell
+- Fix multiple selection on shapes with token applied to stroke color
 
 
 ## 2.14.2
@@ -89,7 +207,6 @@
 - Guard delete undo against missing sibling order [Github #8858](https://github.com/penpot/penpot/pull/8858)
 - Fix ICounted error on numeric-input token dropdown keyboard nav [Github #8803](https://github.com/penpot/penpot/pull/8803)
 
-
 ## 2.14.1
 
 ### :sparkles: New features & Enhancements
@@ -113,7 +230,6 @@
 - Ensure path content is always PathData when saving
 - Fix error when get-parent-with-data encounters non-Element nodes
 
-
 ## 2.14.0
 
 ### :boom: Breaking changes & Deprecations
@@ -183,6 +299,7 @@
 ## 2.13.0
 
 ### :heart: Community contributions (Thank you!)
+
 - Add 'page' special shapeId to MCP export_shape tool for full-page snapshots [Github #8689](https://github.com/penpot/penpot/issues/8689)
 
 - Fix mask issues with component swap (by @dfelinto) [Github #7675](https://github.com/penpot/penpot/issues/7675)

CONTRIBUTING.md

@@ -13,7 +13,17 @@ Center](https://help.penpot.app/).
 - [Prerequisites](#prerequisites)
 - [Reporting Bugs](#reporting-bugs)
 - [Pull Requests](#pull-requests)
+  - [Workflow](#workflow)
+  - [Title format](#title-format)
+  - [Description](#description)
+  - [Branch naming](#branch-naming)
+  - [Review process](#review-process)
+  - [What we won't accept](#what-we-wont-accept)
+  - [Good first issues](#good-first-issues)
 - [Commit Guidelines](#commit-guidelines)
+  - [Commit types](#commit-types)
+  - [Rules](#rules)
+  - [Examples](#examples)
 - [Formatting and Linting](#formatting-and-linting)
 - [Changelog](#changelog)
 - [Code of Conduct](#code-of-conduct)
@@ -52,15 +62,101 @@ Advisories](https://github.com/penpot/penpot/security/advisories)
 
 1. **Read the DCO** — see [Developer's Certificate of Origin](#developers-certificate-of-origin-dco)
    below. All code patches must include a `Signed-off-by` line.
-2. **Discuss before building** — open a question/discussion issue before
-   starting work on a new feature or significant change. No PR will be
-   accepted without prior discussion, whether it is a new feature, a planned
-   one, or a quick win.
+2. **Discuss before building** — open a [GitHub
+   Issue](https://github.com/penpot/penpot/issues) before starting work on
+   a new feature or significant change. For planned features on the roadmap,
+   reference the corresponding Taiga story. Do not expect your contribution
+   to be accepted if you submit it without prior discussion — this applies
+   to new features, planned features, and quick wins alike.
 3. **Bug fixes** — you may submit a PR directly, but we still recommend
    filing an issue first so we can track it independently of your fix.
 4. **Format and lint** — run the checks described in
    [Formatting and Linting](#formatting-and-linting) before submitting.
 
+### Title format
+
+Pull request titles **must** follow the same convention as commit subjects:
+
+```
+:emoji: <subject>
+```
+
+- Use the **imperative mood** (e.g. "Fix", not "Fixed").
+- Capitalize the first letter of the subject.
+- Do not end the subject with a period.
+- Keep the subject to **70 characters** or fewer.
+- Use one of the [commit type emojis](#commit-types) listed below.
+
+When a PR contains multiple unrelated commits, choose the emoji that
+best represents the dominant change.
+
+**Examples:**
+
+```
+:bug: Fix unexpected error on launching modal
+:sparkles: Enable new modal for profile
+:zap: Improve performance of dashboard navigation
+```
+
+> **Note:** When a PR is squash-merged, the PR title becomes the
+> commit message on the main branch. Getting the title right matters.
+
+### Description
+
+Every pull request should include a description that helps reviewers
+understand the change quickly:
+
+1. **What and why** — describe the change and its motivation.
+2. **Link related issues** — use `Closes #1234` or reference a Taiga
+   story (e.g. `Taiga #5678`).
+3. **Screenshots or recordings** — required for any UI-visible change.
+4. **Testing notes** — how did you verify the change? Any edge cases?
+5. **Breaking changes** — call out anything that affects existing users
+   or requires migration steps.
+
+### Branch naming
+
+Use a descriptive branch name that reflects the type and scope of the
+change:
+
+```
+<type>/<short-description>
+```
+
+Types: `fix`, `feat`, `refactor`, `docs`, `chore`, `perf`.
+
+Optionally include the issue number:
+
+```
+fix/9122-email-blacklisting
+feat/export-webp
+refactor/layout-sizing
+```
+
+### Review process
+
+- We are a small team and maintainers juggle reviews alongside other
+  tasks. Please do not expect your code to be reviewed instantly.
+- Reviews are handled in dedicated blocks of time, usually in the order
+  PRs arrive. It may take a few days to get a first review, especially
+  when urgent tasks come up.
+- Address review feedback by **pushing new commits** — do not
+  force-push during review, as it breaks comment threads.
+- PRs require at least **one approval** before merge.
+- We use **squash-merge** by default. The PR title becomes the final
+  commit message, so follow the [title format](#title-format) above.
+
+### What we won't accept
+
+To save time on both sides, please avoid submitting PRs that:
+
+- Introduce new dependencies without prior discussion.
+- Change the build system or CI configuration without maintainer
+  approval.
+- Mix unrelated changes in a single PR — keep PRs focused on one
+  concern.
+- Skip the [discussion step](#workflow) for non-bug-fix changes.
+
 ### Good first issues
 
 We use the `easy fix` label to mark issues appropriate for newcomers.

README.md

@@ -1,53 +1,56 @@
+<img width="100%" src="https://github.com/user-attachments/assets/da17b160-f289-436f-b140-972083a08602" />
 
 [uri_license]: https://www.mozilla.org/en-US/MPL/2.0
 [uri_license_image]: https://img.shields.io/badge/MPL-2.0-blue.svg
 
-<picture>
-  <source media="(prefers-color-scheme: dark)" srcset="https://penpot.app/images/readme/github-dark-mode.png">
-  <source media="(prefers-color-scheme: light)" srcset="https://penpot.app/images/readme/github-light-mode.png">
-  <img alt="penpot header image" src="https://penpot.app/images/readme/github-light-mode.png">
-</picture>
-
 <p align="center">
-<a href="https://www.mozilla.org/en-US/MPL/2.0" rel="nofollow"><img alt="License: MPL-2.0" src="https://img.shields.io/badge/MPL-2.0-blue.svg" style="max-width:100%;"></a>
-<a href="https://community.penpot.app" rel="nofollow"><img alt="Penpot Community" src="https://img.shields.io/discourse/posts?server=https%3A%2F%2Fcommunity.penpot.app" style="max-width:100%;"></a>
-<a href="https://tree.taiga.io/project/penpot/" title="Managed with Taiga.io" rel="nofollow"><img alt="Managed with Taiga.io" src="https://img.shields.io/badge/managed%20with-TAIGA.io-709f14.svg" style="max-width:100%;"></a>
-<a href="https://gitpod.io/#https://github.com/penpot/penpot" rel="nofollow"><img alt="Gitpod ready-to-code" src="https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod" style="max-width:100%;"></a>
+  <a href="https://www.digitalpublicgoods.net/r/penpot" rel="nofollow">
+    <img alt="Verified DPG" src="https://img.shields.io/badge/Verified-DPG-blue.svg">
+  </a>
+  <a href="https://community.penpot.app" rel="nofollow">
+    <img alt="Penpot Community" src="https://img.shields.io/discourse/posts?server=https%3A%2F%2Fcommunity.penpot.app">
+  </a>
+  <a href="https://tree.taiga.io/project/penpot/" rel="nofollow">
+    <img alt="Managed with Taiga.io" src="https://img.shields.io/badge/managed%20with-TAIGA.io-709f14.svg">
+  </a>
+  <a href="https://gitpod.io/#https://github.com/penpot/penpot" rel="nofollow">
+    <img alt="Gitpod ready-to-code" src="https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod">
+  </a>
 </p>
 
 <p align="center">
-    <a href="https://penpot.app/"><b>Website</b></a>  •
-    <a href="https://help.penpot.app/user-guide/"><b>User Guide</b></a>  •
-    <a href="https://penpot.app/learning-center"><b>Learning Center</b></a>  •
-    <a href="https://community.penpot.app/"><b>Community</b></a>
+  <a href="https://penpot.app/"><b>Website</b></a>  •
+  <a href="https://help.penpot.app/user-guide/"><b>User Guide</b></a>  •
+  <a href="https://penpot.app/learning-center"><b>Learning Center</b></a>  •
+  <a href="https://community.penpot.app/"><b>Community</b></a>
 </p>
 <p align="center">
-    <a href="https://www.youtube.com/@Penpot"><b>Youtube</b></a>  •
-    <a href="https://peertube.kaleidos.net/a/penpot_app/video-channels"><b>Peertube</b></a>  •
-    <a href="https://www.linkedin.com/company/penpot/"><b>Linkedin</b></a>  •
-    <a href="https://instagram.com/penpot.app"><b>Instagram</b></a>  •
-    <a href="https://fosstodon.org/@penpot/"><b>Mastodon</b></a>  •
-    <a href="https://bsky.app/profile/penpot.app"><b>Bluesky</b></a>  •
-    <a href="https://twitter.com/penpotapp"><b>X</b></a>
-
+  <a href="https://www.youtube.com/@Penpot"><b>Youtube</b></a>  •
+  <a href="https://peertube.kaleidos.net/a/penpot_app/video-channels"><b>Peertube</b></a>  •
+  <a href="https://www.linkedin.com/company/penpot/"><b>Linkedin</b></a>  •
+  <a href="https://instagram.com/penpot.app"><b>Instagram</b></a>  •
+  <a href="https://fosstodon.org/@penpot/"><b>Mastodon</b></a>  •
+  <a href="https://bsky.app/profile/penpot.app"><b>Bluesky</b></a>  •
+  <a href="https://twitter.com/penpotapp"><b>X</b></a>
 </p>
 
-<br />
+[Penpot video](https://github.com/user-attachments/assets/7c67fd7c-04d3-4c9b-88ec-b6f5e23f8332)
 
-[Penpot video](https://github.com/user-attachments/assets/7c67fd7c-04d3-4c9b-88ec-b6f5e23f8332
-)
+Penpot is the open-source design platform for teams that build digital products at scale.
 
-<br />
+Penpot’s key strength lies in giving you **full ownership of your design infrastructure**. Built on open source and designed for [self-hosting](https://help.penpot.app/technical-guide/getting-started/), it puts teams in complete control of their design environment supporting strict compliance and governance requirements. Whether used in the **browser or deployed on your own servers**, Penpot **works with open standards** like SVG, CSS, HTML, and JSON. 
 
-Penpot is the first **open-source** design tool for design and code collaboration. Designers can create stunning designs, interactive prototypes, design systems at scale, while developers enjoy ready-to-use code and make their workflow easy and fast. And all of this with no handoff drama.
+Real-time collaboration strengthens this foundation, helping teams scale and bring design closer to the product through top-tier capabilities. Additionally, developers feel at home using Penpot, because design is expressed as code, enabling a direct translation and shipping products faster. 
 
-Available on browser or self-hosted, Penpot works with open standards like SVG, CSS, HTML and JSON, and it’s free!
+Best-in-class native [Design Tokens](https://penpot.dev/collaboration/design-tokens) provide a single source of truth between design and development. They ensure consistency, improve collaboration, and make it easier to manage complex design systems.
 
-The latest updates take Penpot even further. It’s the first design tool to integrate native [design tokens](https://penpot.dev/collaboration/design-tokens)—a single source of truth to improve efficiency and collaboration between product design and development.
-With the [huge 2.0 release](https://penpot.app/dev-diaries), Penpot took the platform to a whole new level. This update introduces the ground-breaking [CSS Grid Layout feature](https://penpot.app/penpot-2.0), a complete UI redesign, a new Components system, and much more.
-For organizations that need extra service for its teams, [get in touch](https://cal.com/team/penpot/talk-to-us)
+The [MCP server](https://penpot.app/penpot-mcp-server) takes it further by enabling multi-directional workflows between design and code. A [powerful open API](https://help.penpot.app/mcp/#quick-start) and plugin system makes the workspace programmable, enabling automation, AI-driven workflows, and integrations with the tools and systems you already use.
 
-🎇 Design, code, and Open Source meet at [Penpot Fest](https://penpot.app/penpotfest)! Be part of the 2025 edition in Madrid, Spain, on October 9-10.
+With [CSS Grid and Flex Layout](https://help.penpot.app/user-guide/designing/flexible-layouts/), teams can design responsive interfaces that behave like real code from the start.
+
+Combined, these features turn Penpot into a **full-stack design platform** for building scalable design systems and fully integrated product development processes.
+
+If your organization is scaling and needs extra support, we’re here to help. [Talk to us](https://penpot.app/talk-to-us)
 
 ## Table of contents ##
 
@@ -60,101 +63,78 @@ For organizations that need extra service for its teams, [get in touch](https://
 
 ## Why Penpot ##
 
-Penpot expresses designs as code. Designers can do their best work and see it will be beautifully implemented by developers in a two-way collaboration.
+Penpot connects design, code, and AI workflows through a code-based approach, making designs readable by developers and AI via the MCP server. This approach helps teams ship what’s actually designed and manage design systems at scale with powerful design tokens. As a self-hosted, open-source and real-time collaboration platform, Penpot offers full flexibility, security, and ownership without vendor lock-in. Learn more about [why Penpot](https://penpot.app/why-penpot) is the platform for your team.
 
 ### Plugin system ###
+
 [Penpot plugins](https://penpot.app/penpothub/plugins) let you expand the platform's capabilities, give you the flexibility to integrate it with other apps, and design custom solutions.
 
 ### Designed for developers ###
+
 Penpot was built to serve both designers and developers and create a fluid design-code process. You have the choice to enjoy real-time collaboration or play "solo".
 
 ### Inspect mode ###
+
 Work with ready-to-use code and make your workflow easy and fast. The inspect tab gives instant access to SVG, CSS and HTML code.
 
-### Self host your own instance ###
-Provide your team or organization with a completely owned collaborative design tool. Use Penpot's cloud service or deploy your own Penpot server.
-
 ### Integrations ###
-Penpot offers integration into the development toolchain, thanks to its support for webhooks and an API accessible through access tokens.
 
-###  Building Design Systems: design tokens, components and variants  ###
-Penpot brings design systems to code-minded teams: a single source of truth with native Design Tokens, Components, and Variants for scalable, reusable, and consistent UI across projects and platforms.
+Penpot offers [integration](https://penpot.app/integrations-api) into the development toolchain, thanks to its support for webhooks and an API accessible through access tokens.
 
+### Building Design Systems: design tokens, components and variants ###
 
-<br />
+Penpot brings [design systems](https://penpot.app/design/design-systems) to code-minded teams: a single source of truth with native Design Tokens, Components, and Variants for scalable, reusable, and consistent UI across projects and platforms.
 
-<p align="center">
- <img src="https://github.com/user-attachments/assets/cce75ad6-f783-473f-8803-da9eb8255fef">
-</p>
-
-<br />
+<img width="100%" alt="Penpot Design Systems" src="https://github.com/user-attachments/assets/cce75ad6-f783-473f-8803-da9eb8255fef">
 
 ## Getting started ##
 
 Penpot is the only design & prototype platform that is deployment agnostic. You can use it in our [SAAS](https://design.penpot.app) or deploy it anywhere.
 
 Learn how to install it with Docker, Kubernetes, Elestio or other options on [our website](https://penpot.app/self-host).
-<br />
-
-<p align="center">
-  <img src="https://site-assets.plasmic.app/2168cf524dd543caeff32384eb9ea0a1.svg" alt="Open Source" style="width: 65%;">
-</p>
-<br />
 
 ## Community ##
 
 We love the Open Source software community. Contributing is our passion and if it’s yours too, participate and [improve](https://community.penpot.app/c/help-us-improve-penpot/7) Penpot. All your designs, code and ideas are welcome!
 
+Want to go a step further? Become a [Penpot Ambassador](https://penpot.app/ambassador-program) and help grow the Penpot community in your region while contributing to a global, open design ecosystem.
+
 If you need help or have any questions; if you’d like to share your experience using Penpot or get inspired; if you’d rather meet our community of developers and designers, [join our Community](https://community.penpot.app/)!
 
-You will find the following categories:
+Categories include:
+
 - [Ask the Community](https://community.penpot.app/c/ask-for-help-using-penpot/6)
 - [Troubleshooting](https://community.penpot.app/c/technical/8)
 - [Help us Improve Penpot](https://community.penpot.app/c/help-us-improve-penpot/7)
-- [#MadeWithPenpot](https://community.penpot.app/c/madewithpenpot/9)
 - [Events and Announcements](https://community.penpot.app/c/announcements/5)
-- [Inside Penpot](https://community.penpot.app/c/inside-penpot/21)
 - [Penpot in your language](https://community.penpot.app/c/penpot-in-your-language/12)
-- [Design and Code Essentials](https://community.penpot.app/c/design-and-code-essentials/22)
+- [Education](https://community.penpot.app/c/education/28)
 
-
-<br />
-
-<p align="center">
-  <img src="https://github.com/penpot/penpot/assets/5446186/6ac62220-a16c-46c9-ab21-d24ae357ed03" alt="Community" style="width: 65%;">
-</p>
-<br />
+<img width="100%" alt="Pentpot Community" src="https://github.com/user-attachments/assets/4b2a4360-12b5-4994-bd45-641449f86c4e" />
 
 ### Code of Conduct ###
 
 Anyone who contributes to Penpot, whether through code, in the community, or at an event, must adhere to the
 [code of conduct](https://help.penpot.app/contributing-guide/coc/) and foster a positive and safe environment.
 
-
-## Contributing ##
+### Contributing ###
 
 Any contribution will make a difference to improve Penpot. How can you get involved?
 
 Choose your way:
 
-- Create and [share Libraries & Templates](https://penpot.app/libraries-templates.html) that will be helpful for the community
-- Invite your [team to join](https://design.penpot.app/#/auth/register)
-- Give this repo a star and follow us on Social Media: [Mastodon](https://fosstodon.org/@penpot/), [Youtube](https://www.youtube.com/c/Penpot), [Instagram](https://instagram.com/penpot.app), [Linkedin](https://www.linkedin.com/company/penpotdesign),  [Peertube](https://peertube.kaleidos.net/a/penpot_app), [X](https://twitter.com/penpotapp) and [BlueSky](https://bsky.app/profile/penpot.app)
+- Create and [share Libraries & Templates](https://penpot.app/libraries-templates.html) that will be helpful for the community.
+- Invite your [team to join](https://design.penpot.app/#/auth/register).
+- Give this repo a star and follow us on Social Media: [Mastodon](https://fosstodon.org/@penpot/), [Youtube](https://www.youtube.com/c/Penpot), [Instagram](https://instagram.com/penpot.app), [Linkedin](https://www.linkedin.com/company/penpotdesign),  [Peertube](https://peertube.kaleidos.net/a/penpot_app), [X](https://twitter.com/penpotapp) and [BlueSky](https://bsky.app/profile/penpot.app).
 - Participate in the [Community](https://community.penpot.app/) space by asking and answering questions; reacting to others’ articles;  opening your own conversations and following along on decisions affecting the project.
-- Report bugs with our easy [guide for bugs hunting](https://help.penpot.app/contributing-guide/reporting-bugs/) or [GitHub issues](https://github.com/penpot/penpot/issues)
-- Become a [translator](https://help.penpot.app/contributing-guide/translations)
-- Give feedback: [Email us](mailto:support@penpot.app)
-- **Contribute to Penpot's code:** [Watch this video](https://www.youtube.com/watch?v=TpN0osiY-8k) by Alejandro Alonso, CIO and developer at Penpot, where he gives us a hands-on demo of how to use Penpot’s repository and make changes in both front and back end
+- Report bugs with our easy [guide for bugs hunting](https://help.penpot.app/contributing-guide/reporting-bugs/) or [GitHub issues](https://github.com/penpot/penpot/issues).
+- Become a [translator](https://help.penpot.app/contributing-guide/translations).
+- Give feedback: [Email us](mailto:support@penpot.app).
+- **Contribute to Penpot's code:** [Watch this video](https://www.youtube.com/watch?v=TpN0osiY-8k) by Alejandro Alonso, CIO and developer at Penpot, where he gives us a hands-on demo of how to use Penpot’s repository and make changes in both front and back end.
 
 To find (almost) everything you need to know on how to contribute to Penpot, refer to the [contributing guide](https://help.penpot.app/contributing-guide/).
 
-<br />
-
-<p align="center">
-  <img src="https://github.com/penpot/penpot/assets/5446186/fea18923-dc06-49be-86ad-c3496a7956e6" alt="Libraries and templates" style="width: 65%;">
-</p>
-
-<br />
+<img width="100%" alt="Penpot hub" src="https://github.com/user-attachments/assets/0abc02f0-625c-45ab-ad81-4927bec7a055" />
 
 ## Resources ##
 
@@ -170,6 +150,8 @@ You can ask and answer questions, have open-ended conversations, and follow alon
 
 📚 [Dev Diaries](https://penpot.app/dev-diaries.html)
 
+🧑‍🏫​ [UI Design Course](https://penpot.app/courses/)
+
 
 ## License ##
 

backend/resources/app/email/invite-to-org/en.html

@@ -0,0 +1,264 @@
+<!doctype html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml"
+  xmlns:o="urn:schemas-microsoft-com:office:office">
+
+<head>
+  <title>
+  </title>
+  <!--[if !mso]><!-- -->
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <!--<![endif]-->
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <style type="text/css">
+    #outlook a {
+      padding: 0;
+    }
+
+    body {
+      margin: 0;
+      padding: 0;
+      -webkit-text-size-adjust: 100%;
+      -ms-text-size-adjust: 100%;
+    }
+
+    table,
+    td {
+      border-collapse: collapse;
+      mso-table-lspace: 0pt;
+      mso-table-rspace: 0pt;
+    }
+
+    img {
+      border: 0;
+      height: auto;
+      line-height: 100%;
+      outline: none;
+      text-decoration: none;
+      -ms-interpolation-mode: bicubic;
+    }
+
+    p {
+      display: block;
+      margin: 13px 0;
+    }
+  </style>
+  <!--[if mso]>
+        <xml>
+        <o:OfficeDocumentSettings>
+          <o:AllowPNG/>
+          <o:PixelsPerInch>96</o:PixelsPerInch>
+        </o:OfficeDocumentSettings>
+        </xml>
+        <![endif]-->
+  <!--[if lte mso 11]>
+        <style type="text/css">
+          .mj-outlook-group-fix { width:100% !important; }
+        </style>
+        <![endif]-->
+  <!--[if !mso]><!-->
+  <link href="https://fonts.googleapis.com/css?family=Source%20Sans%20Pro" rel="stylesheet" type="text/css">
+  <style type="text/css">
+    @import url(https://fonts.googleapis.com/css?family=Source%20Sans%20Pro);
+  </style>
+  <!--<![endif]-->
+  <style type="text/css">
+    @media only screen and (min-width:480px) {
+      .mj-column-per-100 {
+        width: 100% !important;
+        max-width: 100%;
+      }
+
+      .mj-column-px-425 {
+        width: 425px !important;
+        max-width: 425px;
+      }
+    }
+  </style>
+  <style type="text/css">
+    @media only screen and (max-width:480px) {
+      table.mj-full-width-mobile {
+        width: 100% !important;
+      }
+
+      td.mj-full-width-mobile {
+        width: auto !important;
+      }
+    }
+  </style>
+</head>
+
+<body style="background-color:#E5E5E5;">
+  <div style="background-color:#E5E5E5;">
+    <!--[if mso | IE]>
+      <table
+         align="center" border="0" cellpadding="0" cellspacing="0" class="" style="width:600px;" width="600"
+      >
+        <tr>
+          <td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;">
+      <![endif]-->
+    <div style="margin:0px auto;max-width:600px;">
+      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation" style="width:100%;">
+        <tbody>
+          <tr>
+            <td style="direction:ltr;font-size:0px;padding:0;text-align:center;">
+              <!--[if mso | IE]>
+                  <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+
+        <tr>
+
+            <td
+               class="" style="vertical-align:top;width:600px;"
+            >
+          <![endif]-->
+              <div class="mj-column-per-100 mj-outlook-group-fix"
+                style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
+                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;"
+                  width="100%">
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:16px;word-break:break-word;">
+                      <table border="0" cellpadding="0" cellspacing="0" role="presentation"
+                        style="border-collapse:collapse;border-spacing:0px;">
+                        <tbody>
+                          <tr>
+                            <td style="width:97px;">
+                              <img height="32" src="{{ public-uri }}/images/email/uxbox-title.png"
+                                style="border:0;display:block;outline:none;text-decoration:none;height:32px;width:100%;font-size:13px;"
+                                width="97" />
+                            </td>
+                          </tr>
+                        </tbody>
+                      </table>
+                    </td>
+                  </tr>
+                </table>
+              </div>
+              <!--[if mso | IE]>
+            </td>
+
+        </tr>
+
+                  </table>
+                <![endif]-->
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+    <!--[if mso | IE]>
+          </td>
+        </tr>
+      </table>
+
+      <table
+         align="center" border="0" cellpadding="0" cellspacing="0" class="" style="width:600px;" width="600"
+      >
+        <tr>
+          <td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;">
+      <![endif]-->
+    <div style="background:#FFFFFF;background-color:#FFFFFF;margin:0px auto;max-width:600px;">
+      <table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation"
+        style="background:#FFFFFF;background-color:#FFFFFF;width:100%;">
+        <tbody>
+          <tr>
+            <td style="direction:ltr;font-size:0px;padding:20px 0;text-align:center;">
+              <!--[if mso | IE]>
+                  <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+
+        <tr>
+
+            <td
+               class="" style="vertical-align:top;width:600px;"
+            >
+          <![endif]-->
+              <div class="mj-column-per-100 mj-outlook-group-fix"
+                style="font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
+                <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;"
+                  width="100%">
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        Hi{% if user-name %} {{ user-name|abbreviate:25 }}{% endif %},
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        <b>{{invited-by|abbreviate:25}}</b> sent you an invitation to join the organization:
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="20" height="20" style="display:inline-block;vertical-align:middle;">
+                          <tr>
+                            <td width="20" height="20" align="center" valign="middle"
+                                background="{{organization-logo}}"
+                                style="width:20px;height:20px;text-align:center;font-weight:bold;font-size:9px;line-height:20px;color:#ffffff;background-size:cover;background-position:center;background-repeat:no-repeat;border-radius: 50%;color:black">
+                              {% if organization-initials %}{{organization-initials}}{% endif %}
+                            </td>
+                          </tr>
+                        </table>
+                        <span style="display:inline-block; vertical-align: middle;padding-left:5px;height:20px;line-height: 20px;">
+                        “{{ organization-name|abbreviate:25 }}”
+                        </span>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="center" vertical-align="middle"
+                      style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <table border="0" cellpadding="0" cellspacing="0" role="presentation"
+                        style="border-collapse:separate;line-height:100%;">
+                        <tr>
+                          <td align="center" bgcolor="#6911d4" role="presentation"
+                            style="border:none;border-radius:8px;cursor:auto;mso-padding-alt:10px 25px;background:#6911d4;"
+                            valign="middle">
+                            <a href="{{ public-uri }}/#/auth/verify-token?token={{token}}"
+                              style="display:inline-block;background:#6911d4;color:#FFFFFF;font-family:Source Sans Pro, sans-serif;font-size:16px;font-weight:normal;line-height:120%;margin:0;text-decoration:none;text-transform:none;padding:10px 25px;mso-padding-alt:0px;border-radius:8px;"
+                              target="_blank"> ACCEPT INVITE </a>
+                          </td>
+                        </tr>
+                      </table>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        Enjoy!</div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                      <div
+                        style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
+                        The Penpot team.</div>
+                    </td>
+                  </tr>
+                </table>
+              </div>
+              <!--[if mso | IE]>
+            </td>
+
+        </tr>
+
+                  </table>
+                <![endif]-->
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+
+    {% include "app/email/includes/footer.html" %}
+
+  </div>
+</body>
+
+</html>

backend/resources/app/email/invite-to-org/en.subj

@@ -0,0 +1 @@
+{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization-name|abbreviate:25 }}”

backend/resources/app/email/invite-to-org/en.txt

@@ -0,0 +1,10 @@
+Hello!
+
+{{invited-by|abbreviate:25}} has invited you to join the organization “{{ organization-name|abbreviate:25 }}”.
+
+Accept invitation using this link:
+
+{{ public-uri }}/#/auth/verify-token?token={{token}}
+
+Enjoy!
+The Penpot team.

backend/resources/app/email/invite-to-team/en.html

@@ -186,7 +186,8 @@
                     <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                       <div
                         style="font-family:Source Sans Pro, sans-serif;font-size:16px;line-height:150%;text-align:left;color:#000000;">
-                        {{invited-by|abbreviate:25}} has invited you to join the team “{{ team|abbreviate:25 }}”.</div>
+                        {{invited-by|abbreviate:25}} has invited you to join the team “{{ team|abbreviate:25 }}”{% if organization %}
+                         part of the organization “{{ organization|abbreviate:25 }}”{% endif %}.</div>
                     </td>
                   </tr>
                   <tr>

backend/resources/app/email/invite-to-team/en.txt

@@ -1,6 +1,6 @@
 Hello!
 
-{{invited-by|abbreviate:25}} has invited you to join the team “{{ team|abbreviate:25 }}”.
+{{invited-by|abbreviate:25}} has invited you to join the team "{{ team|abbreviate:25 }}"{% if organization %}, part of the organization "{{ organization|abbreviate:25 }}"{% endif %}.
 
 Accept invitation using this link:
 

backend/scripts/_env

@@ -13,7 +13,7 @@ export PENPOT_PUBLIC_URI=https://localhost:3449
 
 export PENPOT_FLAGS="\
        $PENPOT_FLAGS \
-       enable-login-with-password
+       enable-login-with-password \
        disable-login-with-ldap \
        disable-login-with-oidc \
        disable-login-with-google \

backend/src/app/auth/ldap.clj

@@ -111,7 +111,7 @@
    [:host {:optional true} :string]
    [:port {:optional true} ::sm/int]
    [:bind-dn {:optional true} :string]
-   [:bind-passwor {:optional true} :string]
+   [:bind-password {:optional true} :string]
    [:query {:optional true} :string]
    [:base-dn {:optional true} :string]
    [:attrs-email {:optional true} :string]

backend/src/app/auth/oidc.clj

@@ -401,8 +401,9 @@
 
 (defn- parse-attr-path
   [provider path]
-  (let [[fitem & items] (str/split path "__")]
-    (into [(keyword (:type provider) fitem)] (map keyword) items)))
+  (let [separator        (if (str/includes? path "__") "__" ".")
+        [fitem & items]  (str/split path separator)]
+    (into [(keyword (:type provider) (str/kebab fitem))] (map keyword) items)))
 
 (defn- build-redirect-uri
   []
@@ -488,9 +489,9 @@
                 (let [attr-ph (parse-attr-path provider "nickname")]
                   (get-in props attr-ph))))]
 
-    (let [info  (assoc info :provider-id (str (:id provider)))
-          props (qualify-props provider info)
-          email (get-email props)]
+    (let [info    (assoc info :provider-id (str (:id provider)))
+          props   (qualify-props provider info)
+          email   (get-email props)]
       {:backend  (:type provider)
        :fullname (or (get-name props) email)
        :email email
@@ -547,16 +548,29 @@
 (def ^:private valid-info?
   (sm/validator schema:info))
 
+(defn- select-user-info-source
+  "Normalise the provider's configured user-info source into a keyword the
+  dispatch below can match. The raw value comes from config as a string
+  per the malli schema in `app.config` (`\"token\"`, `\"userinfo\"`, or
+  `\"auto\"`) and from hard-coded per-provider maps as strings as well;
+  any unrecognised or missing value falls back to `:auto` (prefer claims,
+  use userinfo as fallback)."
+  [source]
+  (case source
+    "token"    :token
+    "userinfo" :userinfo
+    :auto))
+
 (defn- get-info
   [cfg provider state code]
   (let [tdata  (fetch-access-token cfg provider code)
         claims (get-id-token-claims provider tdata)
 
-        info   (case (get provider :user-info-source)
-                 :token (dissoc claims :exp :iss :iat :aud :sub :sid)
+        info   (case (select-user-info-source (get provider :user-info-source))
+                 :token    (dissoc claims :exp :iss :iat :aud :sid)
                  :userinfo (fetch-user-info cfg provider tdata)
-                 (or (some-> claims (dissoc :exp :iss :iat :aud :sub :sid))
-                     (fetch-user-info cfg provider tdata)))
+                 :auto     (or (some-> claims (dissoc :exp :iss :iat :aud :sid))
+                               (fetch-user-info cfg provider tdata)))
 
         info   (process-user-info provider tdata info)]
 

backend/src/app/binfile/v1.clj

@@ -40,8 +40,8 @@
    [promesa.util :as pu]
    [yetti.adapter :as yt])
   (:import
-   com.github.luben.zstd.ZstdIOException
    com.github.luben.zstd.ZstdInputStream
+   com.github.luben.zstd.ZstdIOException
    com.github.luben.zstd.ZstdOutputStream
    java.io.DataInputStream
    java.io.DataOutputStream

backend/src/app/db.clj

@@ -36,11 +36,11 @@
    java.sql.Connection
    java.sql.PreparedStatement
    java.sql.Savepoint
-   org.postgresql.PGConnection
    org.postgresql.geometric.PGpoint
    org.postgresql.jdbc.PgArray
    org.postgresql.largeobject.LargeObject
    org.postgresql.largeobject.LargeObjectManager
+   org.postgresql.PGConnection
    org.postgresql.util.PGInterval
    org.postgresql.util.PGobject))
 

backend/src/app/email.clj

@@ -22,13 +22,13 @@
    [cuerdas.core :as str]
    [integrant.core :as ig])
   (:import
-   jakarta.mail.Message$RecipientType
-   jakarta.mail.Session
-   jakarta.mail.Transport
    jakarta.mail.internet.InternetAddress
    jakarta.mail.internet.MimeBodyPart
    jakarta.mail.internet.MimeMessage
    jakarta.mail.internet.MimeMultipart
+   jakarta.mail.Message$RecipientType
+   jakarta.mail.Session
+   jakarta.mail.Transport
    java.util.Properties))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -412,6 +412,21 @@
    :id ::invite-to-team
    :schema schema:invite-to-team))
 
+(def ^:private schema:invite-to-org
+  [:map
+   [:invited-by ::sm/text]
+   [:organization-name ::sm/text]
+   [:organization-initials [:maybe :string]]
+   [:organization-logo ::sm/uri]
+   [:user-name [:maybe ::sm/text]]
+   [:token ::sm/text]])
+
+(def invite-to-org
+  "Org member invitation email."
+  (template-factory
+   :id ::invite-to-org
+   :schema schema:invite-to-org))
+
 (def ^:private schema:join-team
   [:map
    [:invited-by ::sm/text]

backend/src/app/email/blacklist.clj

@@ -36,10 +36,18 @@
                :cause cause)))))
 
 (defn contains?
-  "Check if email is in the blacklist."
+  "Check if email is in the blacklist. Also matches subdomains: if
+  'somedomain.com' is blacklisted, 'xxx@foo.somedomain.com' will also
+  be rejected."
   [{:keys [::email/blacklist]} email]
-  (let [[_ domain] (str/split email "@" 2)]
-    (c/contains? blacklist (str/lower domain))))
+  (let [[_ domain] (str/split email "@" 2)
+        parts      (str/split (str/lower domain) #"\.")]
+    (loop [parts parts]
+      (if (empty? parts)
+        false
+        (if (c/contains? blacklist (str/join "." parts))
+          true
+          (recur (rest parts)))))))
 
 (defn enabled?
   "Check if the blacklist is enabled"

backend/src/app/features/file_snapshots.clj

@@ -112,8 +112,9 @@
                   THEN (c.deleted_at IS NULL OR c.deleted_at >= ?::timestamptz)
               END"))
 
-(defn- get-snapshot
-  "Get snapshot with decoded data"
+(defn get-snapshot-data
+  "Get a fully decoded snapshot for read-only preview or restoration.
+  Returns the snapshot map with decoded :data field."
   [cfg file-id snapshot-id]
   (let [now (ct/now)]
     (->> (db/get-with-sql cfg [sql:get-snapshot file-id snapshot-id now]
@@ -326,7 +327,7 @@
         (sto/resolve cfg {::db/reuse-conn true})
 
         snapshot
-        (get-snapshot cfg file-id snapshot-id)]
+        (get-snapshot-data cfg file-id snapshot-id)]
 
     (when-not snapshot
       (ex/raise :type :not-found

backend/src/app/media.clj

@@ -31,8 +31,8 @@
   (:import
    clojure.lang.XMLHandler
    java.io.InputStream
-   javax.xml.XMLConstants
    javax.xml.parsers.SAXParserFactory
+   javax.xml.XMLConstants
    org.apache.commons.io.IOUtils
    org.im4java.core.ConvertCmd
    org.im4java.core.IMOperation))

backend/src/app/metrics.clj

@@ -15,16 +15,16 @@
    io.prometheus.client.CollectorRegistry
    io.prometheus.client.Counter
    io.prometheus.client.Counter$Child
+   io.prometheus.client.exporter.common.TextFormat
    io.prometheus.client.Gauge
    io.prometheus.client.Gauge$Child
    io.prometheus.client.Histogram
    io.prometheus.client.Histogram$Child
+   io.prometheus.client.hotspot.DefaultExports
    io.prometheus.client.SimpleCollector
    io.prometheus.client.Summary
    io.prometheus.client.Summary$Builder
    io.prometheus.client.Summary$Child
-   io.prometheus.client.exporter.common.TextFormat
-   io.prometheus.client.hotspot.DefaultExports
    java.io.StringWriter))
 
 (set! *warn-on-reflection* true)

backend/src/app/migrations.clj

@@ -471,6 +471,9 @@
    {:name "0146-mod-access-token-table"
     :fn (mg/resource "app/migrations/sql/0146-mod-access-token-table.sql")}
 
+   {:name "0147-mod-team-invitation-table"
+    :fn (mg/resource "app/migrations/sql/0147-mod-team-invitation-table.sql")}
+
    {:name "0147-add-upload-session-table"
     :fn (mg/resource "app/migrations/sql/0147-add-upload-session-table.sql")}])
 

backend/src/app/migrations/sql/0147-mod-team-invitation-table.sql

@@ -0,0 +1,13 @@
+ALTER TABLE team_invitation
+ ADD COLUMN org_id uuid NULL;
+
+ALTER TABLE team_invitation
+ ALTER COLUMN team_id DROP NOT NULL;
+
+ALTER TABLE team_invitation
+ ADD CONSTRAINT team_invitation_team_or_org_not_null
+ CHECK (team_id IS NOT NULL OR org_id IS NOT NULL);
+
+CREATE UNIQUE INDEX team_invitation_org_unique
+    ON team_invitation (org_id, email_to)
+    WHERE team_id IS NULL;

backend/src/app/nitrate.clj

@@ -1,15 +1,23 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
 (ns app.nitrate
   "Module that make calls to the external nitrate aplication"
   (:require
+   [app.common.exceptions :as ex]
+   [app.common.json :as json]
    [app.common.logging :as l]
    [app.common.schema :as sm]
    [app.common.schema.generators :as sg]
    [app.common.time :as ct]
+   [app.common.types.organization :as cto]
    [app.config :as cf]
    [app.http.client :as http]
    [app.rpc :as-alias rpc]
    [app.setup :as-alias setup]
-   [app.util.json :as json]
    [clojure.core :as c]
    [integrant.core :as ig]))
 
@@ -18,16 +26,16 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
 (defn- request-builder
-  [cfg method uri shared-key profile-id]
+  [cfg method uri shared-key profile-id request-params]
   (fn []
-    (http/req! cfg {:method method
-                    :headers {"content-type" "application/json"
-                              "accept" "application/json"
-                              "x-shared-key" shared-key
-                              "x-profile-id" (str profile-id)}
-                    :uri uri
-                    :version :http1.1})))
-
+    (http/req! cfg (cond-> {:method method
+                            :headers {"content-type" "application/json"
+                                      "accept" "application/json"
+                                      "x-shared-key" shared-key
+                                      "x-profile-id" (str profile-id)}
+                            :uri uri
+                            :version :http1.1}
+                     (= method :post) (assoc :body (json/encode request-params :key-fn json/write-camel-key))))))
 
 (defn- with-retries
   [handler max-retries]
@@ -47,24 +55,49 @@
           result)))))
 
 
-(defn- with-validate [handler uri schema]
+(defn- with-validate [handler uri schema & {:keys [throw-on-error?]}]
   (fn []
-    (let [coercer-http (sm/coercer schema
-                                   :type :validation
-                                   :hint (str "invalid data received calling " uri))]
-      (try
-        (coercer-http (-> (handler) :body json/decode))
-        (catch Exception e
-          ;; TODO Error handling
-          (l/error :hint "error validating json response" :cause e)
-          nil)))))
+    (let [response (handler)
+          status (:status response)]
+      (when-not status
+        (l/error :hint "could't do the nitrate request, it is probably down"
+                 :uri uri)
+        ;; TODO decide what to do when Nitrate is inaccesible
+        nil)
+      (cond
+        (>= status 400)
+        ;; For error status codes (4xx, 5xx), fail immediately without validation
+        (do
+          (when (not= status 404) ;; Don't need to log 404
+            (l/error :hint "nitrate request failed with error status"
+                     :uri uri
+                     :status status
+                     :body (:body response)))
+          (if throw-on-error?
+            (ex/raise :type :nitrate-http-error
+                      :status status
+                      :hint (str "nitrate HTTP " status " at " uri))
+            nil))
+        (= status 204) ;; 204 doesn't return any body
+        nil
+        :else ;; For success status codes, validate the response
+        (let [coercer-http (sm/coercer schema
+                                       :type :validation
+                                       :hint (str "invalid data received calling " uri))
+              data (-> response :body (json/decode :key-fn json/read-kebab-key))]
+          (try
+            (coercer-http data)
+            (catch Exception e
+              ;; TODO Error handling
+              (l/error :hint "error validating json response" :cause e)
+              nil)))))))
 
 (defn- request-to-nitrate
-  [cfg method uri schema {:keys [::rpc/profile-id] :as params}]
+  [cfg method uri schema {:keys [::rpc/profile-id request-params throw-on-error?] :as params}]
   (let [shared-key     (-> cfg ::setup/shared-keys :nitrate)
-        full-http-call (-> (request-builder cfg method uri shared-key profile-id)
+        full-http-call (-> (request-builder cfg method uri shared-key profile-id request-params)
                            (with-retries 3)
-                           (with-validate uri schema))]
+                           (with-validate uri schema :throw-on-error? throw-on-error?))]
     (full-http-call)))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -80,11 +113,23 @@
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
-(def ^:private schema:organization
+(def ^:private schema:org-summary
   [:map
    [:id ::sm/uuid]
    [:name ::sm/text]
-   [:slug ::sm/text]])
+   [:owner-id ::sm/uuid]
+   [:teams
+    [:vector
+     [:map
+      [:id ::sm/uuid]
+      [:is-your-penpot :boolean]]]]])
+
+(def ^:private schema:profile-org
+  [:map
+   [:is-member :boolean]
+   [:organization-id {:optional true} [:maybe ::sm/uuid]]
+   [:default-team-id {:optional true} [:maybe ::sm/uuid]]])
+
 
 ;; TODO Unify with schemas on backend/src/app/http/management.clj
 (def ^:private schema:timestamp
@@ -158,20 +203,158 @@
   [:map
    [:licenses ::sm/boolean]])
 
-(defn- get-team-org
+(defn- get-team-org-api
   [cfg {:keys [team-id] :as params}]
   (let [baseuri (cf/get :nitrate-backend-uri)]
-    (request-to-nitrate cfg :get (str baseuri "/api/teams/" (str team-id)) schema:organization params)))
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/teams/"
+                             team-id)
+                        cto/schema:team-with-organization params)))
 
-(defn- get-subscription
+(defn- get-org-membership-api
+  [cfg {:keys [profile-id organization-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/members/"
+                             profile-id)
+                        schema:profile-org params)))
+
+(defn- get-org-membership-by-team-api
+  [cfg {:keys [profile-id team-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/teams/"
+                             team-id
+                             "/users/"
+                             profile-id)
+                        schema:profile-org params)))
+
+
+(defn- get-org-summary-api
+  [cfg {:keys [organization-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/summary")
+                        schema:org-summary params)))
+
+(defn- get-owned-orgs-api
   [cfg {:keys [profile-id] :as params}]
   (let [baseuri (cf/get :nitrate-backend-uri)]
-    (request-to-nitrate cfg :get (str baseuri "/api/subscriptions/" (str profile-id)) schema:subscription params)))
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/users/"
+                             profile-id
+                             "/owned-organizations")
+                        [:vector schema:org-summary]
+                        params)))
 
-(defn- get-connectivity
+(defn- set-team-org-api
+  [cfg {:keys [organization-id team-id is-default] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)
+        params (assoc params :request-params {:team-id team-id
+                                              :is-your-penpot (true? is-default)})
+        team (request-to-nitrate cfg :post
+                                 (str baseuri
+                                      "/api/organizations/"
+                                      organization-id
+                                      "/add-team")
+                                 cto/schema:team-with-organization params)
+        custom-photo (when-let [logo-id (get-in team [:organization :logo-id])]
+                       (str (cf/get :public-uri) "/assets/by-id/" logo-id))]
+    (cond-> team
+      custom-photo
+      (assoc-in [:organization :custom-photo] custom-photo))))
+
+(defn- add-profile-to-org-api
+  [cfg {:keys [profile-id organization-id team-id email] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)
+        request-params (cond-> {:user-id profile-id :team-id team-id}
+                         (some? email) (assoc :email email))
+        params (assoc params :request-params request-params)]
+    (request-to-nitrate cfg :post
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/add-user")
+                        schema:profile-org params)))
+
+(defn- remove-profile-from-org-api
+  [cfg {:keys [profile-id organization-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)
+        params (assoc params :request-params {:user-id profile-id})]
+    (request-to-nitrate cfg :post
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/remove-user")
+                        nil params)))
+
+(defn- remove-profile-from-all-orgs-api
+  [cfg {:keys [profile-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :post
+                        (str baseuri
+                             "/api/users/"
+                             profile-id
+                             "/remove-organizations")
+                        nil params)))
+
+(defn- remove-team-from-org-api
+  [cfg {:keys [team-id organization-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)
+        params (assoc params :request-params {:team-id team-id})]
+    (request-to-nitrate cfg :post
+                        (str baseuri
+                             "/api/organizations/"
+                             organization-id
+                             "/remove-team")
+                        nil params)))
+
+(defn- delete-team-api
+  [cfg {:keys [team-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :delete
+                        (str baseuri
+                             "/api/teams/"
+                             team-id)
+                        nil params)))
+
+(defn- get-subscription-api
+  [cfg {:keys [profile-id] :as params}]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/subscriptions/"
+                             profile-id)
+                        schema:subscription params)))
+
+(defn- get-connectivity-api
   [cfg params]
   (let [baseuri (cf/get :nitrate-backend-uri)]
-    (request-to-nitrate cfg :get (str baseuri "/api/connectivity") schema:connectivity params)))
+    (request-to-nitrate cfg :get
+                        (str baseuri
+                             "/api/connectivity")
+                        schema:connectivity params)))
+
+(def ^:private schema:redeem-result
+  [:map
+   [:cancel-at [:maybe schema:timestamp]]])
+
+(defn- redeem-activation-code-api
+  [cfg params]
+  (let [baseuri (cf/get :nitrate-backend-uri)]
+    (request-to-nitrate cfg :post
+                        (str baseuri "/api/activation-codes/redeem")
+                        schema:redeem-result
+                        (assoc params :throw-on-error? true))))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; INITIALIZATION
@@ -180,9 +363,20 @@
 (defmethod ig/init-key ::client
   [_ cfg]
   (when (contains? cf/flags :nitrate)
-    {:get-team-org     (partial get-team-org cfg)
-     :get-subscription (partial get-subscription cfg)
-     :connectivity     (partial get-connectivity cfg)}))
+    {:get-team-org                 (partial get-team-org-api cfg)
+     :set-team-org                 (partial set-team-org-api cfg)
+     :get-org-membership           (partial get-org-membership-api cfg)
+     :get-org-membership-by-team   (partial get-org-membership-by-team-api cfg)
+     :get-org-summary              (partial get-org-summary-api cfg)
+     :get-owned-orgs               (partial get-owned-orgs-api cfg)
+     :add-profile-to-org           (partial add-profile-to-org-api cfg)
+     :remove-profile-from-org      (partial remove-profile-from-org-api cfg)
+     :remove-profile-from-all-orgs (partial remove-profile-from-all-orgs-api cfg)
+     :delete-team                  (partial delete-team-api cfg)
+     :remove-team-from-org         (partial remove-team-from-org-api cfg)
+     :get-subscription             (partial get-subscription-api cfg)
+     :connectivity                 (partial get-connectivity-api cfg)
+     :redeem-activation-code       (partial redeem-activation-code-api cfg)}))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; UTILS
@@ -205,18 +399,18 @@
 
 (defn add-org-info-to-team
   "Enriches a team map with organization information from Nitrate.
-  Adds organization-id, organization-name, organization-slug, and your-penpot fields.
+  Adds organization-id, organization-name, organization-slug, organization-owner-id, and your-penpot fields.
   Returns the original team unchanged if the request fails or org data is nil."
   [cfg team params]
   (try
-    (let [params (assoc (or params {}) :team-id (:id team))
-          org (call cfg :get-team-org params)]
+    (let [params        (assoc (or params {}) :team-id (:id team))
+          team-with-org (call cfg :get-team-org params)
+          org           (:organization team-with-org)]
       (if (some? org)
-        (assoc team
-               :organization-id (:id org)
-               :organization-name (:name org)
-               :organization-slug (:slug org)
-               :is-default (or (:is-default team) (true? (:isYourPenpot org))))
+        (-> (cto/apply-organization team (assoc org :custom-photo
+                                                (when-let [logo-id (:logo-id org)]
+                                                  (str (cf/get :public-uri) "/assets/by-id/" logo-id))))
+            (assoc :is-default (or (:is-default team) (true? (:is-your-penpot team-with-org)))))
         team))
     (catch Throwable cause
       (l/error :hint "failed to get team organization info"
@@ -224,6 +418,23 @@
                :cause cause)
       team)))
 
-(defn connectivity
-  [cfg]
-  (call cfg :connectivity {}))
+(defn set-team-organization
+  "Associates a team with an organization in Nitrate.
+  Requires organization-id and is-default in params.
+  Throws an exception if the request fails."
+  [cfg team params]
+  (let [params (assoc (or params {})
+                      :team-id (:id team)
+                      :organization-id (:organization-id params)
+                      :is-default (:is-default params))
+        result (call cfg :set-team-org params)]
+    (when (nil? result)
+      (ex/raise :type :internal
+                :code :failed-to-set-team-org
+                :context {:team-id (:id team)
+                          :organization-id (:organization-id params)}))
+    team))
+
+
+
+

backend/src/app/redis.clj

@@ -24,28 +24,28 @@
    [integrant.core :as ig])
   (:import
    clojure.lang.MapEntry
-   io.lettuce.core.KeyValue
-   io.lettuce.core.RedisClient
-   io.lettuce.core.RedisCommandInterruptedException
-   io.lettuce.core.RedisCommandTimeoutException
-   io.lettuce.core.RedisException
-   io.lettuce.core.RedisURI
-   io.lettuce.core.ScriptOutputType
-   io.lettuce.core.SetArgs
    io.lettuce.core.api.StatefulRedisConnection
    io.lettuce.core.api.sync.RedisCommands
    io.lettuce.core.api.sync.RedisScriptingCommands
    io.lettuce.core.codec.RedisCodec
    io.lettuce.core.codec.StringCodec
+   io.lettuce.core.KeyValue
+   io.lettuce.core.pubsub.api.sync.RedisPubSubCommands
    io.lettuce.core.pubsub.RedisPubSubListener
    io.lettuce.core.pubsub.StatefulRedisPubSubConnection
-   io.lettuce.core.pubsub.api.sync.RedisPubSubCommands
+   io.lettuce.core.RedisClient
+   io.lettuce.core.RedisCommandInterruptedException
+   io.lettuce.core.RedisCommandTimeoutException
+   io.lettuce.core.RedisException
+   io.lettuce.core.RedisURI
    io.lettuce.core.resource.ClientResources
    io.lettuce.core.resource.DefaultClientResources
+   io.lettuce.core.ScriptOutputType
+   io.lettuce.core.SetArgs
    io.netty.channel.nio.NioEventLoopGroup
+   io.netty.util.concurrent.EventExecutorGroup
    io.netty.util.HashedWheelTimer
    io.netty.util.Timer
-   io.netty.util.concurrent.EventExecutorGroup
    java.lang.AutoCloseable
    java.time.Duration))
 

backend/src/app/rpc/commands/auth.clj

@@ -372,9 +372,11 @@
           (throw cause))))))
 
 (defn create-profile-rels
-  [conn {:keys [id] :as profile}]
+  [{:keys [::db/conn] :as cfg} {:keys [id] :as profile}]
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
   (let [features (cfeat/get-enabled-features cf/flags)
-        team     (teams/create-team conn
+        team     (teams/create-team cfg
                                     {:profile-id id
                                      :name "Default"
                                      :features features
@@ -429,7 +431,7 @@
                                              (assoc :is-active is-active)
                                              (update :password auth/derive-password))
                                profile   (->> (create-profile cfg params)
-                                              (create-profile-rels conn))]
+                                              (create-profile-rels cfg))]
                            (vary-meta profile assoc :created true))))
 
         created?   (-> profile meta :created true?)

backend/src/app/rpc/commands/demo.clj

@@ -49,9 +49,9 @@
                   :deleted-at (ct/in-future (cf/get-deletion-delay))
                   :password (derive-password password)
                   :props {}}
-        profile  (db/tx-run! cfg (fn [{:keys [::db/conn] :as cfg}]
+        profile  (db/tx-run! cfg (fn [cfg]
                                    (->> (auth/create-profile cfg params)
-                                        (auth/create-profile-rels conn))))]
+                                        (auth/create-profile-rels cfg))))]
     (with-meta {:email email
                 :password password}
       {::audit/profile-id (:id profile)})))

backend/src/app/rpc/commands/files.clj

@@ -13,6 +13,7 @@
    [app.common.features :as cfeat]
    [app.common.files.helpers :as cfh]
    [app.common.files.migrations :as fmg]
+   [app.common.files.stats :as cfs]
    [app.common.logging :as l]
    [app.common.schema :as sm]
    [app.common.schema.desc-js-like :as-alias smdj]
@@ -606,6 +607,76 @@
   (get-file-summary cfg id))
 
 
+;; --- COMMAND QUERY: get-file-stats
+
+(def ^:private sql:file-stats-library-counts
+  "SELECT
+     (SELECT COUNT(*)
+        FROM file_library_rel AS flr
+        JOIN file AS fl ON (fl.id = flr.library_file_id)
+       WHERE flr.file_id = ?::uuid
+         AND (fl.deleted_at IS NULL OR fl.deleted_at > now())) AS library_count,
+     (SELECT COUNT(*)
+        FROM file_library_rel AS flr
+        JOIN file AS fl ON (fl.id = flr.file_id)
+       WHERE flr.library_file_id = ?::uuid
+         AND (fl.deleted_at IS NULL OR fl.deleted_at > now())) AS referenced_by_count")
+
+(defn- get-file-stats-library-counts
+  [conn file-id]
+  (let [row (db/exec-one! conn [sql:file-stats-library-counts file-id file-id])]
+    {:library-count       (or (:library-count row) 0)
+     :referenced-by-count (or (:referenced-by-count row) 0)}))
+
+(defn- get-file-stats
+  [{:keys [::db/conn] :as cfg} file-id]
+  (let [file    (bfc/get-file cfg file-id)
+        base    (binding [pmap/*load-fn* (partial feat.fdata/load-pointer cfg file-id)]
+                  (cfs/calc-file-stats (:data file)))
+        lib-cnt (get-file-stats-library-counts conn file-id)]
+    (-> base
+        (merge lib-cnt)
+        (assoc :file-id    file-id
+               :revn       (:revn file)
+               :updated-at (:modified-at file)))))
+
+(def ^:private schema:shape-counts
+  [:map {:title "FileStatsShapeCounts"}
+   [:total [::sm/int {:min 0}]]
+   [:by-type [:map-of :keyword [::sm/int {:min 0}]]]])
+
+(def ^:private schema:get-file-stats-result
+  [:map {:title "FileStats"}
+   [:file-id ::sm/uuid]
+   [:page-count [::sm/int {:min 0}]]
+   [:shape-counts schema:shape-counts]
+   [:component-count [::sm/int {:min 0}]]
+   [:deleted-component-count [::sm/int {:min 0}]]
+   [:color-count [::sm/int {:min 0}]]
+   [:typography-count [::sm/int {:min 0}]]
+   [:library-count [::sm/int {:min 0}]]
+   [:referenced-by-count [::sm/int {:min 0}]]
+   [:revn [::sm/int {:min 0}]]
+   [:updated-at ::ct/inst]])
+
+(def ^:private schema:get-file-stats
+  [:map {:title "get-file-stats"}
+   [:id ::sm/uuid]])
+
+(sv/defmethod ::get-file-stats
+  "Return aggregate statistics for a single file: page count, shape
+   counts by type, component/color/typography counts, and inbound and
+   outbound library reference counts. Cheap alternative to `get-file`
+   when only metrics are needed."
+  {::doc/added "2.17"
+   ::sm/params schema:get-file-stats
+   ::sm/result schema:get-file-stats-result
+   ::db/transaction true}
+  [{:keys [::db/conn] :as cfg} {:keys [::rpc/profile-id id]}]
+  (check-read-permissions! conn profile-id id)
+  (get-file-stats cfg id))
+
+
 ;; --- COMMAND QUERY: get-file-libraries
 
 (def ^:private schema:get-file-libraries
@@ -1213,7 +1284,7 @@
                         (update :files conj id)
                         (update :projects conj project-id))))
 
-                {:files #{} :projectes #{}}
+                {:files #{} :projects #{}}
                 (db/plan conn [sql:resolve-editable-files team-id
                                (db/create-array conn "uuid" ids)]))]
 

backend/src/app/rpc/commands/files_snapshot.clj

@@ -8,6 +8,7 @@
   (:require
    [app.binfile.common :as bfc]
    [app.common.exceptions :as ex]
+   [app.common.features :as-alias cfeat]
    [app.common.schema :as sm]
    [app.common.time :as ct]
    [app.db :as db]
@@ -35,6 +36,43 @@
                  (files/check-read-permissions! conn profile-id file-id)
                  (fsnap/get-visible-snapshots conn file-id))))
 
+;; --- COMMAND QUERY: get-file-snapshot
+
+(def ^:private schema:get-file-snapshot
+  [:map {:title "get-file-snapshot"}
+   [:file-id ::sm/uuid]
+   [:id ::sm/uuid]
+   [:features {:optional true} ::cfeat/features]])
+
+(sv/defmethod ::get-file-snapshot
+  "Retrieve a file bundle with data from a specific snapshot for
+  read-only preview. Does not modify any database state."
+  {::doc/added "2.16"
+   ::sm/params schema:get-file-snapshot
+   ::sm/result files/schema:file-with-permissions
+   ::db/transaction true}
+  [{:keys [::db/conn] :as cfg} {:keys [::rpc/profile-id file-id id] :as params}]
+  (let [perms (bfc/get-file-permissions conn profile-id file-id)]
+    (files/check-read-permissions! perms)
+    (let [snapshot (fsnap/get-snapshot-data cfg file-id id)]
+      (when-not snapshot
+        (ex/raise :type :not-found
+                  :code :snapshot-not-found
+                  :hint "unable to find snapshot with the provided id"
+                  :snapshot-id id
+                  :file-id file-id))
+      ;; Load current file metadata only (no data decoding) then overlay
+      ;; the snapshot data so the client receives the same shape as a
+      ;; normal get-file response but with historical page/object content.
+      (let [base-file (bfc/get-file cfg file-id :load-data? false)]
+        (-> base-file
+            (assoc :data (:data snapshot))
+            (assoc :version (:version snapshot))
+            (assoc :features (:features snapshot))
+            (assoc :revn (:revn snapshot))
+            (assoc :vern (rand-int 100000))
+            (assoc :permissions perms))))))
+
 (def ^:private schema:create-file-snapshot
   [:map
    [:file-id ::sm/uuid]

backend/src/app/rpc/commands/ldap.clj

@@ -42,7 +42,7 @@
   (when-not provider
     (ex/raise :type :restriction
               :code :ldap-not-initialized
-              :hide "ldap auth provider is not initialized"))
+              :hint "ldap auth provider is not initialized"))
 
   (let [info (ldap/authenticate provider params)]
     (when-not info
@@ -84,5 +84,5 @@
                              (profile/get-profile-by-email conn))
                     (->> (assoc info :is-active true :is-demo false)
                          (auth/create-profile cfg)
-                         (auth/create-profile-rels conn)
+                         (auth/create-profile-rels cfg)
                          (profile/strip-private-attrs))))))

backend/src/app/rpc/commands/management.clj

@@ -207,8 +207,7 @@
                          (update :team-id bfc/lookup-index)
                          (assoc :created-at timestamp)
                          (assoc :modified-at timestamp))]
-          (db/insert! conn :team-profile-rel params
-                      {::db/return-keys false})))
+          (teams/add-profile-to-team! cfg params {::db/return-keys false})))
 
       ;; Duplicate team fonts
       (doseq [font fonts]
@@ -339,6 +338,21 @@
 ;; --- COMMAND: Move project
 
 (defn move-project
+  "Moves a project from one team to another.
+
+  Performs comprehensive validation including:
+  - Permission checks on both source and destination teams
+  - Team compatibility verification between source and destination
+  - File features compatibility with destination team
+
+  The operation also:
+  - Updates the project's team assignment
+  - Cleans up any broken library relations after the move
+
+  Throws:
+  - :cant-move-to-same-team if trying to move project to its current team
+  - Permission exceptions if user lacks required permissions
+  - Team compatibility exceptions if teams are incompatible"
   [{:keys [::db/conn] :as cfg} {:keys [profile-id team-id project-id] :as params}]
   (let [project (db/get-by-id conn :project project-id {:columns [:id :team-id]})
         pids    (->> (db/query conn :project {:team-id (:team-id project)} {:columns [:id]})

backend/src/app/rpc/commands/media.clj

@@ -255,7 +255,7 @@
    [:session-id ::sm/uuid]])
 
 (sv/defmethod ::create-upload-session
-  {::doc/added "2.16"
+  {::doc/added "2.17"
    ::sm/params schema:create-upload-session
    ::sm/result schema:create-upload-session-result}
   [{:keys [::db/pool] :as cfg}
@@ -293,7 +293,7 @@
    [:index      ::sm/int]])
 
 (sv/defmethod ::upload-chunk
-  {::doc/added "2.16"
+  {::doc/added "2.17"
    ::sm/params schema:upload-chunk
    ::sm/result schema:upload-chunk-result}
   [{:keys [::db/pool] :as cfg}
@@ -389,7 +389,7 @@
    [:id         {:optional true} ::sm/uuid]])
 
 (sv/defmethod ::assemble-file-media-object
-  {::doc/added "2.16"
+  {::doc/added "2.17"
    ::sm/params schema:assemble-file-media-object
    ::climit/id [[:process-image/by-profile ::rpc/profile-id]
                 [:process-image/global]]}

backend/src/app/rpc/commands/nitrate.clj

@@ -1,20 +1,319 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
 (ns app.rpc.commands.nitrate
+  "Nitrate API for Penpot. Provides nitrate-related endpoints to be called
+   from Penpot frontend."
   (:require
+   [app.common.data :as d]
+   [app.common.exceptions :as ex]
    [app.common.schema :as sm]
+   [app.common.time :as ct]
+   [app.db :as db]
    [app.nitrate :as nitrate]
    [app.rpc :as-alias rpc]
+   [app.rpc.commands.teams :as teams]
    [app.rpc.doc :as-alias doc]
+   [app.rpc.notifications :as notifications]
    [app.util.services :as sv]))
 
 
+(defn assert-is-owner [cfg profile-id team-id]
+  (let [perms (teams/get-permissions cfg profile-id team-id)]
+    (when-not (:is-owner perms)
+      (ex/raise :type :validation
+                :code :insufficient-permissions))))
+
+(defn assert-not-default-team [cfg team-id]
+  (let [team (teams/get-team-info cfg {:id team-id})]
+    (when (:is-default team)
+      (ex/raise :type :validation
+                :code :cant-move-default-team))))
+
+(defn assert-membership [cfg profile-id organization-id]
+  (let [membership (nitrate/call cfg :get-org-membership {:profile-id profile-id
+                                                          :organization-id organization-id})]
+    (when-not (:organization-id membership)
+      (ex/raise :type :validation
+                :code :organization-doesnt-exists))
+
+    (when-not (:is-member membership)
+      (ex/raise :type :validation
+                :code :user-doesnt-belong-organization))))
+
+
 (def schema:connectivity
   [:map {:title "nitrate-connectivity"}
    [:licenses ::sm/boolean]])
 
 (sv/defmethod ::get-nitrate-connectivity
-  {::rpc/auth false
-   ::doc/added "1.18"
+  {::rpc/auth true
+   ::doc/added "2.14"
    ::sm/params [:map]
    ::sm/result schema:connectivity}
   [cfg _params]
-  (nitrate/connectivity cfg))
+  (nitrate/call cfg :connectivity {}))
+
+(def ^:private schema:redeem-activation-code-params
+  [:map {:title "RedeemActivationCodeParams"}
+   [:activation-code ::sm/text]])
+
+(def ^:private schema:redeem-activation-code-result
+  [:map {:title "RedeemActivationCodeResult"}
+   [:cancel-at [:maybe ct/schema:inst]]])
+
+(sv/defmethod ::redeem-nitrate-activation-code
+  {::rpc/auth true
+   ::doc/added "2.14"
+   ::sm/params schema:redeem-activation-code-params
+   ::sm/result schema:redeem-activation-code-result}
+  [cfg {:keys [::rpc/profile-id activation-code]}]
+  (let [profile (db/get cfg :profile {:id profile-id})]
+    (try
+      (let [result (nitrate/call cfg :redeem-activation-code
+                                 {:request-params  {:code      activation-code
+                                                    :penpot-id profile-id
+                                                    :email     (:email profile)}})]
+        (when-not result
+          (ex/raise :type :validation
+                    :code :invalid-activation-code
+                    :hint "The activation code is invalid, expired or fully redeemed"))
+        result)
+      (catch Exception cause
+        (let [{:keys [type status]} (ex-data cause)]
+          (if (= type :nitrate-http-error)
+            (ex/raise :type :validation
+                      :code (case status
+                              410 :expired-activation-code
+                              :invalid-activation-code)
+                      :cause cause)
+            (throw cause)))))))
+
+(def ^:private sql:prefix-team-name-and-unset-default
+  "UPDATE team
+      SET name = ? || name,
+          is_default = FALSE
+    WHERE id = ?;")
+
+(def ^:private sql:get-member-teams-info
+  "SELECT t.id,
+          t.is_default,
+          tpr.is_owner,
+          (SELECT count(*)    FROM team_profile_rel WHERE team_id = t.id) AS num_members,
+          (SELECT array_agg(profile_id) FROM team_profile_rel WHERE team_id = t.id) AS member_ids
+     FROM team AS t
+     JOIN team_profile_rel AS tpr ON (tpr.team_id = t.id)
+    WHERE tpr.profile_id = ?
+      AND t.id = ANY(?)
+      AND t.deleted_at IS NULL")
+
+(def sql:get-team-files-count
+  "SELECT count(*) AS total
+     FROM file AS f
+     JOIN project AS p ON (p.id = f.project_id)
+    WHERE p.team_id = ?
+      AND f.deleted_at IS NULL")
+
+(def ^:private schema:leave-org
+  [:map
+   [:id ::sm/uuid]
+   [:name ::sm/text]
+   [:default-team-id ::sm/uuid]
+   [:teams-to-delete
+    [:vector ::sm/uuid]]
+   [:teams-to-leave
+    [:vector
+     [:map
+      [:id ::sm/uuid]
+      [:reassign-to {:optional true} ::sm/uuid]]]]])
+
+
+(defn- get-organization-teams-for-user
+  [{:keys [::db/conn] :as cfg} org-summary profile-id]
+  (let [org-team-ids (->> (:teams org-summary)
+                          (map :id))
+        ids-array    (db/create-array conn "uuid" org-team-ids)]
+    (db/exec! conn [sql:get-member-teams-info profile-id ids-array])))
+
+(defn- calculate-valid-teams
+  ([org-teams default-team-id]
+   (let [;; valid default team is the one which id is default-team-id
+         valid-default-team          (d/seek #(= default-team-id (:id %)) org-teams)
+
+         ;; Remove your-penpot for the rest of validations
+         org-teams                   (remove #(= default-team-id (:id %)) org-teams)
+
+         ;; valid teams to delete are those that the user is owner, and only have one member
+         valid-teams-to-delete-ids   (->> org-teams
+                                          (filter #(and (:is-owner %)
+                                                        (= (:num-members %) 1)))
+                                          (map :id)
+                                          (into #{}))
+         ;; valid teams to transfer are those that the user is owner, and have more than one member
+         valid-teams-to-transfer     (->> org-teams
+                                          (filter #(and (:is-owner %)
+                                                        (> (:num-members %) 1))))
+
+         ;; valid teams to exit are those that the user isn't owner, and have more than one member
+         valid-teams-to-exit         (->> org-teams
+                                          (filter #(and (not (:is-owner %))
+                                                        (> (:num-members %) 1))))]
+     {:valid-teams-to-delete-ids valid-teams-to-delete-ids
+      :valid-teams-to-transfer valid-teams-to-transfer
+      :valid-teams-to-exit valid-teams-to-exit
+      :valid-default-team valid-default-team})))
+
+(defn get-valid-teams [cfg organization-id profile-id default-team-id]
+  (let [org-summary                (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        org-teams                  (get-organization-teams-for-user cfg org-summary profile-id)]
+    (calculate-valid-teams org-teams default-team-id)))
+
+(defn- assert-valid-teams [cfg profile-id organization-id default-team-id teams-to-delete teams-to-leave]
+  (let [org-summary                (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        org-teams                  (get-organization-teams-for-user cfg org-summary profile-id)
+        {:keys [valid-teams-to-delete-ids
+                valid-teams-to-transfer
+                valid-teams-to-exit
+                valid-default-team]} (calculate-valid-teams org-teams default-team-id)
+
+
+
+        valid-teams-to-exit-ids     (->> valid-teams-to-exit (map :id) (into #{}))
+        valid-teams-to-transfer-ids (->> valid-teams-to-transfer (map :id) (into #{}))
+        valid-teams-to-leave-ids    (into valid-teams-to-transfer-ids valid-teams-to-exit-ids)
+
+        valid-default-team-id?      (some? valid-default-team)
+
+
+
+        valid-teams-to-delete?      (= valid-teams-to-delete-ids (into #{} teams-to-delete))
+
+        ;; for every team in teams-to-leave, check that:
+        ;; - if it has a reassign-to, it belongs to valid-teams-to-transfer and
+        ;;   the reassign-to is a member of the team and not the current user;
+        ;; - if it hasn't a reassign-to, check that it belongs to valid-teams-to-exit
+        teams-by-id                 (d/index-by :id org-teams)
+        valid-teams-to-leave?       (and
+                                     (= valid-teams-to-leave-ids (->> teams-to-leave (map :id) (into #{})))
+                                     (every? (fn [{:keys [id reassign-to]}]
+                                               (if reassign-to
+                                                 (let [members (db/pgarray->set (:member-ids (get teams-by-id id)))]
+                                                   (and (contains? valid-teams-to-transfer-ids id)
+                                                        (not= reassign-to profile-id)
+                                                        (contains? members reassign-to)))
+                                                 (contains? valid-teams-to-exit-ids id)))
+                                             teams-to-leave))]
+    ;; the org owner cannot leave
+    (when (= (:owner-id org-summary) profile-id)
+      (ex/raise :type :validation
+                :code :org-owner-cannot-leave))
+
+    (when (or
+           (not valid-teams-to-delete?)
+           (not valid-teams-to-leave?)
+           (not valid-default-team-id?))
+      (ex/raise :type :validation
+                :code :not-valid-teams))))
+
+
+(defn leave-org
+  [{:keys [::db/conn] :as cfg} {:keys [profile-id id name default-team-id teams-to-delete teams-to-leave skip-validation] :as params}]
+  (let [org-prefix                 (str "[" (d/sanitize-string name) "] ")
+
+        default-team-files-count    (-> (db/exec-one! conn [sql:get-team-files-count default-team-id])
+                                        :total)
+        delete-default-team?        (= default-team-files-count 0)]
+
+
+
+
+    ;; assert that the received teams are valid, checking the different constraints
+    (when-not skip-validation
+      (assert-valid-teams cfg profile-id id default-team-id teams-to-delete teams-to-leave))
+
+    (assert-membership cfg profile-id id)
+
+    ;; delete the teams-to-delete
+    (doseq [id teams-to-delete]
+      (teams/delete-team cfg {:profile-id profile-id :team-id id}))
+
+    ;; leave the teams-to-leave
+    (doseq [{:keys [id reassign-to]} teams-to-leave]
+      (teams/leave-team cfg {:profile-id profile-id :id id :reassign-to reassign-to}))
+
+    ;; Delete default-team-id if empty; otherwise keep it and prefix the name.
+    (if delete-default-team?
+      (do
+        (db/update! conn :team {:is-default false} {:id default-team-id})
+        (teams/delete-team cfg {:profile-id profile-id :team-id default-team-id}))
+      (db/exec! conn [sql:prefix-team-name-and-unset-default org-prefix default-team-id]))
+
+    ;; Api call to nitrate
+    (nitrate/call cfg :remove-profile-from-org {:profile-id profile-id :organization-id id})
+
+    nil))
+
+
+(sv/defmethod ::leave-org
+  {::rpc/auth true
+   ::doc/added "2.15"
+   ::sm/params schema:leave-org
+   ::db/transaction true}
+  [cfg {:keys [::rpc/profile-id] :as params}]
+  (leave-org cfg (assoc params :profile-id profile-id)))
+
+
+(def ^:private schema:remove-team-from-org
+  [:map
+   [:team-id ::sm/uuid]
+   [:organization-id ::sm/uuid]
+   [:organization-name ::sm/text]])
+
+(sv/defmethod ::remove-team-from-org
+  {::doc/added "2.17"
+   ::sm/params schema:remove-team-from-org}
+  [cfg {:keys [::rpc/profile-id  team-id organization-id organization-name]}]
+
+  (assert-is-owner cfg profile-id team-id)
+  (assert-not-default-team cfg team-id)
+  (assert-membership cfg profile-id organization-id)
+
+  ;; Api call to nitrate
+  (nitrate/call cfg :remove-team-from-org {:team-id team-id :organization-id organization-id})
+
+  ;; Notify connected users
+  (notifications/notify-team-change cfg {:id team-id :organization {:name organization-name}} "dashboard.team-no-longer-belong-org")
+  nil)
+
+
+(def ^:private schema:add-team-to-organization
+  [:map
+   [:team-id ::sm/uuid]
+   [:organization-id ::sm/uuid]])
+
+(sv/defmethod ::add-team-to-organization
+  {::rpc/auth true
+   ::doc/added "2.17"
+   ::sm/params schema:add-team-to-organization
+   ::db/transaction true}
+  [cfg {:keys [::rpc/profile-id  team-id organization-id]}]
+
+  (assert-is-owner cfg profile-id team-id)
+  (assert-not-default-team cfg team-id)
+  (assert-membership cfg profile-id organization-id)
+
+  (let [team-members (db/query cfg :team-profile-rel {:team-id team-id})]
+    ;; Add teammates to the org if needed
+    (doseq [{member-id :profile-id} team-members
+            :when (not= member-id profile-id)]
+      (teams/initialize-user-in-nitrate-org cfg member-id organization-id)))
+
+  ;; Api call to nitrate
+  (let [team (nitrate/call cfg :set-team-org {:team-id team-id :organization-id organization-id :is-default false})]
+
+    ;; Notify connected users
+    (notifications/notify-team-change cfg team "dashboard.team-belong-org"))
+  nil)

backend/src/app/rpc/commands/profile.clj

@@ -48,6 +48,7 @@
 (def schema:props
   [:map {:title "ProfileProps"}
    [:plugins {:optional true} schema:plugin-registry]
+   [:renderer {:optional true} [::sm/one-of #{:svg :wasm}]]
    [:mcp-enabled {:optional true} ::sm/boolean]
    [:newsletter-updates {:optional true} ::sm/boolean]
    [:newsletter-news {:optional true} ::sm/boolean]
@@ -314,6 +315,25 @@
                    (climit/invoke! generate-thumbnail file))]
     (sto/put-object! storage params)))
 
+;; --- MUTATION: Delete Photo
+
+(sv/defmethod ::delete-profile-photo
+  {::doc/added "2.17"
+   ::sm/params [:map]
+   ::sm/result :nil
+   ::db/transaction true}
+  [{:keys [::db/conn ::sto/storage]} {:keys [::rpc/profile-id]}]
+  (let [profile (get-profile conn profile-id ::db/for-update true)]
+    (when-let [id (:photo-id profile)]
+      (sto/touch-object! storage id))
+
+    (db/update! conn :profile
+                {:photo-id nil}
+                {:id profile-id}
+                {::db/return-keys false})
+
+    nil))
+
 ;; --- MUTATION: Request Email Change
 
 (declare ^:private request-email-change!)
@@ -462,6 +482,9 @@
                 {:deleted-at deleted-at}
                 {:id profile-id})
 
+    ;; Api call to nitrate
+    (nitrate/call cfg :remove-profile-from-all-orgs {:profile-id profile-id})
+
     ;; Schedule cascade deletion to a worker
     (wrk/submit! {::db/conn conn
                   ::wrk/task :delete-object

backend/src/app/rpc/commands/teams.clj

@@ -471,8 +471,8 @@
 ;; --- COMMAND QUERY: get-team-info
 
 (defn get-team-info
-  [{:keys [::db/conn] :as cfg} {:keys [id] :as params}]
-  (-> (db/get* conn :team
+  [cfg {:keys [id] :as params}]
+  (-> (db/get* cfg :team
                {:id id}
                {::sql/columns [:id :is-default :features]})
       (decode-row)))
@@ -497,9 +497,11 @@
 
 (def ^:private schema:create-team
   [:map {:title "create-team"}
-   [:name [:string {:max 250}]]
+   [:name types.team/schema:team-name]
    [:features {:optional true} ::cfeat/features]
-   [:id {:optional true} ::sm/uuid]])
+   [:id {:optional true} ::sm/uuid]
+   [:organization-id {:optional true} ::sm/uuid]
+   [:is-default {:optional true} :boolean]])
 
 (sv/defmethod ::create-team
   {::doc/added "1.17"
@@ -520,17 +522,89 @@
     (with-meta team
       {::audit/props {:id (:id team)}})))
 
+
+(defn create-default-org-team
+  [cfg profile-id organization-id]
+  (quotes/check! cfg {::quotes/id ::quotes/teams-per-profile
+                      ::quotes/profile-id profile-id})
+
+  (let [features (-> (cfeat/get-enabled-features cf/flags)
+                     (set/difference cfeat/frontend-only-features)
+                     (set/difference cfeat/no-team-inheritable-features))
+        params   {:profile-id profile-id
+                  :name "Your Penpot"
+                  :features features
+                  :organization-id organization-id
+                  :is-default true}
+        team     (create-team cfg params)]
+    (select-keys team [:id])))
+
+(defn initialize-user-in-nitrate-org
+  "If needed, create a default team for the user on the organization,
+   and notify Nitrate that an user has been added to an org."
+  ([cfg profile-id organization-id]
+   (initialize-user-in-nitrate-org cfg profile-id organization-id nil))
+  ([cfg profile-id organization-id email]
+   (assert (db/connection-map? cfg)
+           "expected cfg with valid connection")
+   (when (contains? cf/flags :nitrate)
+     (db/tx-run!
+      cfg
+      (fn [{:keys [::db/conn] :as tx-cfg}]
+
+        (let [membership (nitrate/call cfg :get-org-membership {:profile-id profile-id
+                                                                :organization-id organization-id})]
+          ;; Only when the user doesn't belong to the organization yet
+          (when (and
+                 (some? (:organization-id membership)) ;; the organization exists
+                 (not (:is-member membership)))        ;; the user is not a member of the org yet
+
+
+            (let [organization-id           organization-id
+                  default-team     (create-default-org-team (assoc tx-cfg ::db/conn conn) profile-id organization-id)
+                  default-team-id  (:id default-team)
+                  result           (nitrate/call tx-cfg :add-profile-to-org (cond-> {:profile-id profile-id
+                                                                                     :team-id default-team-id
+                                                                                     :organization-id organization-id}
+                                                                              (some? email) (assoc :email email)))]
+              (when (not (:is-member result))
+                (ex/raise :type :internal
+                          :code :failed-add-profile-org-nitrate
+                          :context {:profile-id profile-id
+                                    :organization-id organization-id
+                                    :default-team-id default-team-id}))
+              default-team-id))))))))
+
+(defn add-profile-to-team!
+  ([cfg params]
+   (add-profile-to-team! cfg params nil))
+  ([{:keys [::db/conn] :as cfg} {:keys [:profile-id :team-id] :as params} options]
+   (assert (db/connection-map? cfg)
+           "expected cfg with valid connection")
+   (when (contains? cf/flags :nitrate)
+     (let [membership (nitrate/call cfg :get-org-membership-by-team {:profile-id profile-id :team-id team-id})]
+       ;; Only when the team belong to an organization and the user is not a member
+       (when (and
+              (some? (:organization-id membership)) ;; the team do belong to an organization
+              (not (:is-member membership)))        ;; the user is not a member of the org yet
+         (initialize-user-in-nitrate-org cfg profile-id (:organization-id membership)))))
+   (db/insert! conn :team-profile-rel params options)))
+
 (defn create-team
   "This is a complete team creation process, it creates the team
   object and all related objects (default role and default project)."
-  [cfg-or-conn params]
-  (let [conn    (db/get-connection cfg-or-conn)
-        team    (create-team* conn params)
+  [{:keys [::db/conn] :as cfg} params]
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
+  (let [team    (create-team* conn params)
         params  (assoc params
                        :team-id (:id team)
                        :role :owner)
         project (create-team-default-project conn params)]
-    (create-team-role conn params)
+    (create-team-role cfg params)
+    ;; Set team organization in Nitrate if organization-id is provided
+    (when (and (contains? cf/flags :nitrate) (:organization-id params))
+      (nitrate/set-team-organization cfg team params))
     (assoc team :default-project-id (:id project))))
 
 (defn- create-team*
@@ -546,11 +620,13 @@
     (decode-row team)))
 
 (defn- create-team-role
-  [conn {:keys [profile-id team-id role] :as params}]
+  [cfg {:keys [profile-id team-id role] :as params}]
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
   (let [params {:team-id team-id
                 :profile-id profile-id}]
     (->> (perms/assign-role-flags params role)
-         (db/insert! conn :team-profile-rel))))
+         (add-profile-to-team! cfg))))
 
 (defn- create-team-default-project
   [conn {:keys [profile-id team-id] :as params}]
@@ -591,7 +667,7 @@
 
 (def ^:private schema:update-team
   [:map {:title "update-team"}
-   [:name [:string {:max 250}]]
+   [:name types.team/schema:team-name]
    [:id ::sm/uuid]])
 
 (sv/defmethod ::update-team
@@ -609,7 +685,7 @@
 ;; --- Mutation: Leave Team
 
 (defn leave-team
-  [conn {:keys [profile-id id reassign-to]}]
+  [{:keys [::db/conn ::mbus/msgbus]} {:keys [profile-id id reassign-to]}]
   (let [perms   (get-permissions conn profile-id id)
         members (get-team-members conn id)]
 
@@ -624,7 +700,9 @@
       ;; if the `reassign-to` is filled and has a different value
       ;; than the current profile-id, we proceed to reassing the
       ;; owner role to profile identified by the `reassign-to`.
-      (and reassign-to (not= reassign-to profile-id))
+      ;; Ignore the reasignation if the current profile is not
+      ;; the owner
+      (and reassign-to (not= reassign-to profile-id) (:is-owner perms))
       (let [member (d/seek #(= reassign-to (:id %)) members)]
         (when-not member
           (ex/raise :type :not-found :code :member-does-not-exist))
@@ -638,7 +716,15 @@
         ;; assign owner role to new profile
         (db/update! conn :team-profile-rel
                     (get types.team/permissions-for-role :owner)
-                    {:team-id id :profile-id reassign-to}))
+                    {:team-id id :profile-id reassign-to})
+
+        ;; notify new owner
+        (mbus/pub! msgbus
+                   :topic reassign-to
+                   :message {:type :team-role-change
+                             :topic reassign-to
+                             :team-id id
+                             :role :owner}))
 
       ;; and finally, if all other conditions does not match and the
       ;; current profile is owner, we dont allow it because there
@@ -663,32 +749,44 @@
   {::doc/added "1.17"
    ::sm/params schema:leave-team
    ::db/transaction true}
-  [{:keys [::db/conn] :as cfg} {:keys [::rpc/profile-id] :as params}]
-  (leave-team conn (assoc params :profile-id profile-id)))
+  [cfg {:keys [::rpc/profile-id] :as params}]
+  (leave-team cfg (assoc params :profile-id profile-id)))
+
 
 ;; --- Mutation: Delete Team
 
-(defn- delete-team
+(defn delete-team
   "Mark a team for deletion"
-  [conn {:keys [id] :as team}]
+  [{:keys [::db/conn] :as cfg} {:keys [profile-id team-id]}]
 
-  (let [delay (ldel/get-deletion-delay team)
-        team  (db/update! conn :team
-                          {:deleted-at (ct/in-future delay)}
-                          {:id id}
-                          {::db/return-keys true})]
+  (let [team  (get-team conn :profile-id profile-id :team-id team-id)
+        perms (get team :permissions)]
+
+    (when-not (:is-owner perms)
+      (ex/raise :type :validation
+                :code :only-owner-can-delete-team))
 
     (when (:is-default team)
       (ex/raise :type :validation
                 :code :non-deletable-team
                 :hint "impossible to delete default team"))
 
-    (wrk/submit! {::db/conn conn
-                  ::wrk/task :delete-object
-                  ::wrk/params {:object :team
-                                :deleted-at (:deleted-at team)
-                                :id id}})
-    team))
+    (let [delay (ldel/get-deletion-delay team)
+          team  (db/update! conn :team
+                            {:deleted-at (ct/in-future delay)}
+                            {:id team-id}
+                            {::db/return-keys true})]
+
+      ;; Api call to nitrate
+      (when (contains? cf/flags :nitrate)
+        (nitrate/call cfg :delete-team {:profile-id profile-id :team-id team-id}))
+
+      (wrk/submit! {::db/conn conn
+                    ::wrk/task :delete-object
+                    ::wrk/params {:object :team
+                                  :deleted-at (:deleted-at team)
+                                  :id team-id}})
+      team)))
 
 (def ^:private schema:delete-team
   [:map {:title "delete-team"}
@@ -698,16 +796,9 @@
   {::doc/added "1.17"
    ::sm/params schema:delete-team
    ::db/transaction true}
-  [{:keys [::db/conn] :as cfg} {:keys [::rpc/profile-id id] :as params}]
-  (let [team  (get-team conn :profile-id profile-id :team-id id)
-        perms (get team :permissions)]
-
-    (when-not (:is-owner perms)
-      (ex/raise :type :validation
-                :code :only-owner-can-delete-team))
-
-    (delete-team conn team)
-    nil))
+  [cfg {:keys [::rpc/profile-id id] :as params}]
+  (delete-team cfg {:team-id id :profile-id profile-id})
+  nil)
 
 ;; --- Mutation: Team Update Role
 

backend/src/app/rpc/commands/teams_invitations.clj

@@ -19,8 +19,10 @@
    [app.config :as cf]
    [app.db :as db]
    [app.email :as eml]
+   [app.email.blacklist :as email.blacklist]
    [app.loggers.audit :as audit]
    [app.main :as-alias main]
+   [app.nitrate :as nitrate]
    [app.rpc :as-alias rpc]
    [app.rpc.commands.profile :as profile]
    [app.rpc.commands.teams :as teams]
@@ -35,20 +37,29 @@
 ;; --- Mutation: Create Team Invitation
 
 (def sql:upsert-team-invitation
-  "insert into team_invitation(id, team_id, email_to, created_by, role, valid_until)
-   values (?, ?, ?, ?, ?, ?)
+  "insert into team_invitation(id, team_id, org_id, email_to, created_by, role, valid_until)
+   values (?, ?, null, ?, ?, ?, ?)
        on conflict(team_id, email_to) do
           update set role = ?, valid_until = ?, updated_at = now()
    returning *")
 
+(def sql:upsert-org-invitation
+  "insert into team_invitation(id, team_id, org_id, email_to, created_by, role, valid_until)
+   values (?, null, ?, ?, ?, ?, ?)
+       on conflict(org_id, email_to) where team_id is null do
+          update set role = ?, valid_until = ?, updated_at = now()
+   returning *")
+
 (defn- create-invitation-token
-  [cfg {:keys [profile-id valid-until team-id member-id member-email role]}]
+  [cfg {:keys [profile-id valid-until organization-id organization-name team-id member-id member-email role]}]
   (tokens/generate cfg
                    {:iss :team-invitation
                     :exp valid-until
                     :profile-id profile-id
                     :role role
                     :team-id team-id
+                    :organization-id organization-id
+                    :organization-name organization-name
                     :member-email member-email
                     :member-id member-id}))
 
@@ -74,23 +85,51 @@
    [:role types.team/schema:role]
    [:email ::sm/email]])
 
+(def ^:private schema:create-org-invitation
+  [:map {:title "params:create-org-invitation"}
+   [::rpc/profile-id ::sm/uuid]
+   [:organization
+    [:map
+     [:id ::sm/uuid]
+     [:name :string]
+     [:initials [:maybe :string]]
+     [:logo ::sm/uri]]]
+   [:profile
+    [:map
+     [:id ::sm/uuid]
+     [:fullname :string]]]
+   [:role types.team/schema:role]
+   [:email ::sm/email]])
+
 (def ^:private check-create-invitation-params
   (sm/check-fn schema:create-invitation))
 
+(def ^:private check-create-org-invitation-params
+  (sm/check-fn schema:create-org-invitation))
+
 (defn- allow-invitation-emails?
   [member]
   (let [notifications (dm/get-in member [:props :notifications])]
     (not= :none (:email-invites notifications))))
 
 (defn- create-invitation
-  [{:keys [::db/conn] :as cfg} {:keys [team profile role email] :as params}]
+  [{:keys [::db/conn] :as cfg} {:keys [team organization profile role email] :as params}]
 
-  (assert (db/connection? conn) "expected valid connection on cfg parameter")
-  (assert (check-create-invitation-params params))
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
+  (if organization
+    (assert (check-create-org-invitation-params params))
+    (assert (check-create-invitation-params params)))
 
   (let [email  (profile/clean-email email)
         member (profile/get-profile-by-email conn email)]
 
+    (when (and (email.blacklist/enabled? cfg)
+               (email.blacklist/contains? cfg email))
+      (ex/raise :type :restriction
+                :code :email-domain-is-not-allowed
+                :hint "email domain is in the blacklist"))
+
     ;; When we have email verification disabled and invitation user is
     ;; already present in the database, we proceed to add it to the
     ;; team as-is, without email roundtrip.
@@ -103,9 +142,12 @@
                            :profile-id (:id member)}
                           (get types.team/permissions-for-role role))]
 
-        ;; Insert the invited member to the team
-        (db/insert! conn :team-profile-rel params
-                    {::db/on-conflict-do-nothing? true})
+        (if organization
+          ;; Insert the invited member to the org
+          (when (contains? cf/flags :nitrate)
+            (teams/initialize-user-in-nitrate-org cfg (:id member) (:id organization) email))
+          ;; Insert the invited member to the team
+          (teams/add-profile-to-team! cfg params {::db/on-conflict-do-nothing? true}))
 
         ;; If profile is not yet verified, mark it as verified because
         ;; accepting an invitation link serves as verification.
@@ -122,18 +164,30 @@
         (teams/check-email-spam conn email true)
 
         (let [id         (uuid/next)
-              expire     (ct/in-future "168h") ;; 7 days
-              invitation (db/exec-one! conn [sql:upsert-team-invitation id
-                                             (:id team) (str/lower email)
-                                             (:id profile)
-                                             (name role) expire
-                                             (name role) expire])
+              expire     (if organization
+                           (ct/in-future "876000h")  ;; Organization invitations doesn't expire
+                           (ct/in-future "168h")) ;; 7 days
+              invitation (db/exec-one! conn (if organization
+                                              [sql:upsert-org-invitation id
+                                               (:id organization)
+                                               (str/lower email)
+                                               (:id profile)
+                                               (name role) expire
+                                               (name role) expire]
+                                              [sql:upsert-team-invitation id
+                                               (:id team)
+                                               (str/lower email)
+                                               (:id profile)
+                                               (name role) expire
+                                               (name role) expire]))
               updated?   (not= id (:id invitation))
               profile-id (:id profile)
               tprops     {:profile-id profile-id
                           :invitation-id (:id invitation)
                           :valid-until expire
                           :team-id (:id team)
+                          :organization-id (:id organization)
+                          :organization-name (:name organization)
                           :member-email (:email-to invitation)
                           :member-id (:id member)
                           :role role}
@@ -145,28 +199,58 @@
 
           (let [props  (-> (dissoc tprops :profile-id)
                            (audit/clean-props))
-                evname (if updated?
-                         "update-team-invitation"
-                         "create-team-invitation")
+                evname (cond
+                         (and updated? organization) "update-org-invitation"
+                         updated? "update-team-invitation"
+                         organization "create-org-invitation"
+                         :else "create-team-invitation")
                 event (-> (audit/event-from-rpc-params params)
                           (assoc ::audit/name evname)
                           (assoc ::audit/props props))]
             (audit/submit! cfg event))
 
           (when (allow-invitation-emails? member)
-            (eml/send! {::eml/conn conn
-                        ::eml/factory eml/invite-to-team
-                        :public-uri (cf/get :public-uri)
-                        :to email
-                        :invited-by (:fullname profile)
-                        :team (:name team)
-                        :token itoken
-                        :extra-data ptoken}))
+            (if organization
+              (when (contains? cf/flags :nitrate)
+                (eml/send! {::eml/conn conn
+                            ::eml/factory eml/invite-to-org
+                            :public-uri (cf/get :public-uri)
+                            :to email
+                            :invited-by (:fullname profile)
+                            :user-name (:fullname member)
+                            :organization-name (:name organization)
+                            :organization-logo (:logo organization)
+                            :organization-initials (:initials organization)
+                            :token itoken
+                            :extra-data ptoken}))
+              (let [team (if (contains? cf/flags :nitrate)
+                           (nitrate/add-org-info-to-team cfg team {})
+                           team)]
+                (eml/send! {::eml/conn conn
+                            ::eml/factory eml/invite-to-team
+                            :public-uri (cf/get :public-uri)
+                            :to email
+                            :invited-by (:fullname profile)
+                            :team (:name team)
+                            :organization (:organization-name team)
+                            :token itoken
+                            :extra-data ptoken}))))
 
           itoken)))))
 
+(defn create-org-invitation
+  [cfg {:keys [::rpc/profile-id id name initials logo] :as params}]
+  (let [profile  (db/get-by-id cfg :profile profile-id)]
+    (create-invitation cfg
+                       (assoc params
+                              :organization {:id id :name name :initials initials :logo logo}
+                              :profile profile
+                              :role :editor))))
+
 (defn- add-member-to-team
-  [conn profile team role member]
+  [{:keys [::db/conn] :as cfg} profile team role member]
+  (assert (db/connection-map? cfg)
+          "expected cfg with valid connection")
 
   (let [team-id (:id team)
         params  (merge
@@ -186,7 +270,7 @@
       ::quotes/team-id team-id})
 
     ;; Insert the member to the team
-    (db/insert! conn :team-profile-rel params {::db/on-conflict-do-nothing? true})
+    (teams/add-profile-to-team! cfg params {::db/on-conflict-do-nothing? true})
 
     ;; Delete any request
     (db/delete! conn :team-access-request
@@ -268,7 +352,7 @@
          (filter #(contains? invitation-emails (key %)))
          (map (fn [[email member]]
                 (let [role (:role (first (filter #(= (:email %) email) invitation-data)))]
-                  (add-member-to-team conn profile team role member))))
+                  (add-member-to-team cfg profile team role member))))
          (doall))
 
     invitations))

backend/src/app/rpc/commands/verify_token.clj

@@ -16,8 +16,10 @@
    [app.http.session :as session]
    [app.loggers.audit :as audit]
    [app.main :as-alias main]
+   [app.nitrate :as nitrate]
    [app.rpc :as-alias rpc]
    [app.rpc.commands.profile :as profile]
+   [app.rpc.commands.teams :as teams]
    [app.rpc.doc :as-alias doc]
    [app.rpc.helpers :as rph]
    [app.rpc.quotes :as quotes]
@@ -86,52 +88,74 @@
 ;; --- Team Invitation
 
 (defn- accept-invitation
-  [{:keys [::db/conn] :as cfg} {:keys [team-id role member-email] :as claims} invitation member]
+  [{:keys [::db/conn] :as cfg}
+   {:keys [team-id organization-id role member-email] :as claims} invitation member]
   (let [;; Update the role if there is an invitation
         role   (or (some-> invitation :role keyword) role)
-        params (merge
-                {:team-id team-id
-                 :profile-id (:id member)}
-                (get types.team/permissions-for-role role))]
+        id-member (:id member)]
 
     ;; Do not allow blocked users accept invitations.
     (when (:is-blocked member)
       (ex/raise :type :restriction
                 :code :profile-blocked))
 
-    (quotes/check! cfg {::quotes/id ::quotes/profiles-per-team
-                        ::quotes/profile-id (:id member)
-                        ::quotes/team-id team-id})
+    (when team-id
+      (quotes/check! cfg {::quotes/id ::quotes/profiles-per-team
+                          ::quotes/profile-id id-member
+                          ::quotes/team-id team-id}))
 
-    ;; Insert the invited member to the team
-    (db/insert! conn :team-profile-rel params {::db/on-conflict-do-nothing? true})
+    (let [params (merge
+                  {:team-id team-id
+                   :profile-id id-member}
+                  (get types.team/permissions-for-role role))
 
-    ;; If profile is not yet verified, mark it as verified because
-    ;; accepting an invitation link serves as verification.
-    (when-not (:is-active member)
-      (db/update! conn :profile
-                  {:is-active true}
-                  {:id (:id member)}))
+          accepted-team-id (if organization-id
+                             ;; Insert the invited member to the org
+                             (when (contains? cf/flags :nitrate)
+                               (teams/initialize-user-in-nitrate-org cfg id-member organization-id member-email))
+                             ;; Insert the invited member to the team
+                             (do (teams/add-profile-to-team! cfg params {::db/on-conflict-do-nothing? true})
+                                 team-id))]
 
-    ;; Delete the invitation
-    (db/delete! conn :team-invitation
-                {:team-id team-id :email-to member-email})
+      (when-not accepted-team-id
+        (ex/raise :type :internal
+                  :code :accept-invitation-failed
+                  :hint "the accept invitation has failed"))
 
-    ;; Delete any request
-    (db/delete! conn :team-access-request
-                {:team-id team-id :requester-id (:id member)})
 
-    (assoc member :is-active true)))
+      ;; If profile is not yet verified, mark it as verified because
+      ;; accepting an invitation link serves as verification.
+      (when-not (:is-active member)
+        (db/update! conn :profile
+                    {:is-active true}
+                    {:id id-member}))
+
+      ;; Delete the invitation
+      (db/delete! conn :team-invitation
+                  (cond-> {:email-to member-email}
+                    team-id (assoc :team-id team-id)
+                    organization-id  (assoc :org-id organization-id)))
+
+      ;; Delete any request (only applicable for team invitations)
+      (when team-id
+        (db/delete! conn :team-access-request
+                    {:team-id team-id :requester-id id-member}))
+
+      accepted-team-id)))
 
 (def schema:team-invitation-claims
-  [:map {:title "TeamInvitationClaims"}
-   [:iss :keyword]
-   [:exp ::ct/inst]
-   [:profile-id ::sm/uuid]
-   [:role types.team/schema:role]
-   [:team-id ::sm/uuid]
-   [:member-email ::sm/email]
-   [:member-id {:optional true} ::sm/uuid]])
+  [:and
+   [:map {:title "TeamInvitationClaims"}
+    [:iss :keyword]
+    [:exp ::ct/inst]
+    [:profile-id ::sm/uuid]
+    [:role types.team/schema:role]
+    [:team-id {:optional true} ::sm/uuid]
+    [:organization-id {:optional true} ::sm/uuid]
+    [:member-email ::sm/email]
+    [:member-id {:optional true} ::sm/uuid]]
+   [:fn {:error/message "team-id or organization-id must be present"}
+    (fn [m] (or (:team-id m) (:organization-id m)))]])
 
 (def valid-team-invitation-claims?
   (sm/lazy-validator schema:team-invitation-claims))
@@ -139,7 +163,7 @@
 (defmethod process-token :team-invitation
   [{:keys [::db/conn] :as cfg}
    {:keys [::rpc/profile-id token] :as params}
-   {:keys [member-id team-id member-email] :as claims}]
+   {:keys [member-id team-id organization-id member-email] :as claims}]
 
   (when-not (valid-team-invitation-claims? claims)
     (ex/raise :type :validation
@@ -147,19 +171,45 @@
               :hint "invitation token contains unexpected data"))
 
   (let [invitation             (db/get* conn :team-invitation
-                                        {:team-id team-id :email-to member-email})
+                                        (cond-> {:email-to member-email}
+                                          team-id (assoc :team-id team-id)
+                                          organization-id  (assoc :org-id organization-id)))
         profile                (db/get* conn :profile
                                         {:id profile-id}
-                                        {:columns [:id :email]})
-        registration-disabled? (not (contains? cf/flags :registration))]
-    (when (nil? invitation)
-      (ex/raise :type :validation
-                :code :invalid-token
-                :hint "no invitation associated with the token"))
+                                        {:columns [:id :email :default-team-id]})
+        registration-disabled? (not (contains? cf/flags :registration))
+
+        org-invitation?        (and (contains? cf/flags :nitrate) organization-id)
+        membership             (when org-invitation?
+                                 (nitrate/call cfg :get-org-membership {:profile-id profile-id
+                                                                        :organization-id organization-id}))]
+
+    (if profile
+      (do
+        (when-not (or (= member-id profile-id)
+                      (= member-email (:email profile)))
+          (ex/raise :type :validation
+                    :code :invalid-token
+                    :reason :email-mismatch
+                    :hint "logged-in user does not matches the invitation"))
+
+        (when (:is-member membership)
+          (ex/raise :type :validation
+                    :code :already-an-org-member
+                    :team-id (:default-team-id membership)
+                    :hint "the user is already a member of the organization"))
+
+        (when (and org-invitation? (not (:organization-id membership)))
+          (ex/raise :type :validation
+                    :code :org-not-found
+                    :team-id (:default-team-id profile)
+                    :hint "the organization doesn't exist"))
+
+        (when (nil? invitation)
+          (ex/raise :type :validation
+                    :code :invalid-token
+                    :hint "no invitation associated with the token"))
 
-    (if (some? profile)
-      (if (or (= member-id profile-id)
-              (= member-email (:email profile)))
 
         ;; if we have logged-in user and it matches the invitation we proceed
         ;; with accepting the invitation and joining the current profile to the
@@ -187,17 +237,16 @@
                                              :profile-id (:id profile)
                                              :email (:email profile))))))
 
-          (accept-invitation cfg claims invitation profile)
-          (assoc claims :state :created))
-
-        (ex/raise :type :validation
-                  :code :invalid-token
-                  :hint "logged-in user does not matches the invitation"))
+          (let [accepted-team-id (accept-invitation cfg claims invitation profile)]
+            (cond-> (assoc claims :state :created)
+              ;; when the invitation is to an org, instead of a team, add the
+              ;; accepted-team-id as :org-team-id
+              (:organization-id claims)
+              (assoc :org-team-id accepted-team-id)))))
 
       ;; If we have not logged-in user, and invitation comes with member-id we
       ;; redirect user to login, if no memeber-id is present and  in the invitation
       ;; token and registration is enabled, we redirect user the the register page.
-
       {:invitation-token token
        :iss :team-invitation
        :redirect-to (if (or member-id registration-disabled?) :auth-login :auth-register)

backend/src/app/rpc/commands/viewer.clj

@@ -28,19 +28,25 @@
       (update :pages-index select-keys allowed)))
 
 (defn obfuscate-email
+  "Obfuscate the `email` for share-link members so the viewer only sees a
+   partially redacted address. Accepts any string shape (including nil,
+   missing `@`, or a domain with no `.`) and falls back to a fully-masked
+   result rather than throwing — the function is called while building the
+   view-only bundle for anonymous viewers, so an NPE here would abort the
+   entire share-link response."
   [email]
   (let [[name domain]
-        (str/split email "@" 2)
+        (str/split (or email "") "@" 2)
 
         [_ rest]
-        (str/split domain "." 2)
+        (str/split (or domain "") "." 2)
 
         name
         (if (> (count name) 3)
           (str (subs name 0 1) (apply str (take (dec (count name)) (repeat "*"))))
           "****")]
 
-    (str name "@****." rest)))
+    (str name "@****" (when rest (str "." rest)))))
 
 (defn anonymize-member
   [member]

backend/src/app/rpc/management/nitrate.clj

@@ -8,22 +8,35 @@
   "Internal Nitrate HTTP RPC API. Provides authenticated access to
   organization management and token validation endpoints."
   (:require
-   [app.common.features :as cfeat]
+   [app.common.data :as d]
+   [app.common.exceptions :as ex]
    [app.common.schema :as sm]
+   [app.common.time :as ct]
+   [app.common.types.organization :refer [schema:team-with-organization]]
    [app.common.types.profile :refer [schema:profile, schema:basic-profile]]
    [app.common.types.team :refer [schema:team]]
-   [app.common.uuid :as uuid]
    [app.config :as cf]
    [app.db :as db]
-   [app.msgbus :as mbus]
+   [app.media :as media]
+   [app.nitrate :as nitrate]
    [app.rpc :as-alias rpc]
    [app.rpc.commands.files :as files]
+   [app.rpc.commands.nitrate :as cnit]
    [app.rpc.commands.profile :as profile]
    [app.rpc.commands.teams :as teams]
+   [app.rpc.commands.teams-invitations :as ti]
    [app.rpc.doc :as doc]
-   [app.rpc.quotes :as quotes]
+   [app.rpc.notifications :as notifications]
+   [app.storage :as sto]
    [app.util.services :as sv]
-   [clojure.set :as set]))
+   [app.worker :as wrk]))
+
+
+(defn- profile-to-map [profile]
+  {:id            (:id profile)
+   :name          (:fullname profile)
+   :email         (:email profile)
+   :photo-url     (files/resolve-public-uri (get profile :photo-id))})
 
 ;; ---- API: authenticate
 
@@ -33,11 +46,9 @@
    ::sm/params [:map]
    ::sm/result schema:profile}
   [cfg {:keys [::rpc/profile-id] :as params}]
-  (let [profile (profile/get-profile cfg profile-id)]
-    {:id (get profile :id)
-     :name (get profile :fullname)
-     :email (get profile :email)
-     :photo-url (files/resolve-public-uri (get profile :photo-id))}))
+  (let [profile            (profile/get-profile cfg profile-id)]
+    (-> (profile-to-map profile)
+        (assoc :theme (:theme profile)))))
 
 ;; ---- API: get-teams
 
@@ -76,29 +87,47 @@
     (->> (db/exec! cfg [sql:get-teams current-user-id])
          (map #(select-keys % [:id :name])))))
 
-;; ---- API: notify-team-change
+;; ---- API: upload-org-logo
 
-(def ^:private schema:notify-team-change
+(def ^:private schema:upload-org-logo
   [:map
-   [:id ::sm/uuid]
+   [:content media/schema:upload]
    [:organization-id ::sm/uuid]
-   [:organization-name ::sm/text]])
+   [:previous-id {:optional true} ::sm/uuid]])
+
+(def ^:private schema:upload-org-logo-result
+  [:map [:id ::sm/uuid]])
+
+(sv/defmethod ::upload-org-logo
+  "Store an organization logo in penpot storage and return its ID.
+  Accepts an optional previous-id to mark the old logo for garbage
+  collection when replacing an existing one."
+  {::doc/added "2.17"
+   ::sm/params schema:upload-org-logo
+   ::sm/result schema:upload-org-logo-result}
+  [{:keys [::sto/storage]} {:keys [content organization-id previous-id]}]
+  (when previous-id
+    (sto/touch-object! storage previous-id))
+  (let [hash (sto/calculate-hash (:path content))
+        data (-> (sto/content (:path content))
+                 (sto/wrap-with-hash hash))
+        obj  (sto/put-object! storage {::sto/content      data
+                                       ::sto/deduplicate? true
+                                       :bucket            "organization"
+                                       :content-type      (:mtype content)
+                                       :organization-id   organization-id})]
+    {:id (:id obj)}))
+
+;; ---- API: notify-team-change
 
 (sv/defmethod ::notify-team-change
   "Notify to Penpot a team change from nitrate"
   {::doc/added "2.14"
-   ::sm/params schema:notify-team-change
+   ::sm/params schema:team-with-organization
    ::rpc/auth false}
-  [cfg {:keys [id organization-id organization-name]}]
-  (let [msgbus (::mbus/msgbus cfg)]
-    (mbus/pub! msgbus
-               ;;TODO There is a bug on dashboard with teams notifications.
-               ;;For now we send it to uuid/zero instead of team-id
-               :topic uuid/zero
-               :message {:type :team-org-change
-                         :team-id id
-                         :organization-id organization-id
-                         :organization-name organization-name})))
+  [cfg team]
+  (notifications/notify-team-change cfg (select-keys team [:id :is-your-penpot :organization]) nil)
+  nil)
 
 ;; ---- API: notify-user-added-to-organization
 
@@ -113,18 +142,8 @@
   {::doc/added "2.14"
    ::sm/params schema:notify-user-added-to-organization
    ::rpc/auth false}
-  [cfg {:keys [profile-id]}]
-  (quotes/check! cfg {::quotes/id ::quotes/teams-per-profile
-                      ::quotes/profile-id profile-id})
-
-  (let [features (-> (cfeat/get-enabled-features cf/flags)
-                     (set/difference cfeat/frontend-only-features)
-                     (set/difference cfeat/no-team-inheritable-features))
-        params   {:profile-id profile-id
-                  :name "Default"
-                  :features features}
-        team     (db/tx-run! cfg teams/create-team params)]
-    (select-keys team [:id])))
+  [cfg {:keys [profile-id organization-id]}]
+  (db/tx-run! cfg teams/create-default-org-team profile-id organization-id))
 
 
 ;; ---- API: get-managed-profiles
@@ -158,3 +177,440 @@
   (let [current-user-id (-> (profile/get-profile cfg profile-id) :id)]
     (db/exec! cfg [sql:get-managed-profiles current-user-id current-user-id])))
 
+;; ---- API: get-teams-summary
+
+(def ^:private sql:get-teams-summary
+  "SELECT t.id, t.name, t.is_default
+     FROM team AS t
+    WHERE t.id = ANY(?)
+      AND t.deleted_at IS NULL;")
+
+(def ^:private sql:get-files-count
+  "SELECT COUNT(f.*) AS count
+     FROM file AS f
+     JOIN project AS p ON f.project_id = p.id
+     JOIN team AS t ON t.id = p.team_id
+    WHERE p.team_id = ANY(?)
+      AND t.deleted_at IS NULL
+      AND p.deleted_at IS NULL
+      AND f.deleted_at IS NULL;")
+
+(def ^:private schema:get-teams-summary-params
+  [:map
+   [:ids [:or ::sm/uuid [:vector ::sm/uuid]]]])
+
+(def ^:private schema:get-teams-summary-result
+  [:map
+   [:teams [:vector [:map
+                     [:id ::sm/uuid]
+                     [:name ::sm/text]
+                     [:is-default ::sm/boolean]]]]
+   [:num-files ::sm/int]])
+
+(sv/defmethod ::get-teams-summary
+  "Get summary information for a list of teams"
+  {::doc/added "2.15"
+   ::sm/params schema:get-teams-summary-params
+   ::sm/result schema:get-teams-summary-result}
+  [cfg {:keys [ids]}]
+  (let [;; Handle one or multiple params
+        ids (cond
+              (uuid? ids)
+              [ids]
+
+              (and (vector? ids) (every? uuid? ids))
+              ids
+
+              :else
+              [])]
+    (db/run! cfg (fn [{:keys [::db/conn]}]
+                   (let [ids-array     (db/create-array conn "uuid" ids)
+                         teams         (db/exec! conn [sql:get-teams-summary ids-array])
+                         files-count   (-> (db/exec-one! conn [sql:get-files-count ids-array]) :count)]
+                     {:teams teams
+                      :num-files files-count})))))
+
+
+;; ---- API: delete-teams-keeping-your-penpot-projects
+
+(def ^:private sql:prefix-teams-name-and-unset-default
+  "UPDATE team
+      SET name = ? || name,
+          is_default = FALSE
+    WHERE id = ANY(?)
+RETURNING id, name;")
+
+(def ^:private sql:get-teams-files-counts
+  "SELECT p.team_id, COUNT(f.*) AS total
+     FROM file AS f
+     JOIN project AS p ON (p.id = f.project_id)
+     JOIN team AS t ON (t.id = p.team_id)
+    WHERE t.id = ANY(?)
+      AND t.deleted_at IS NULL
+      AND p.deleted_at IS NULL
+      AND f.deleted_at IS NULL
+ GROUP BY p.team_id;")
+
+(def ^:private sql:soft-delete-teams
+  "UPDATE team
+      SET deleted_at = ?
+    WHERE id = ANY(?)
+RETURNING id, deleted_at;")
+
+
+;; ---- API: notify-organization-deletion
+
+(def ^:private schema:notify-organization-deletion
+  [:map
+   [:organization-id ::sm/uuid]])
+
+
+(defn- soft-delete-teams!
+  "Soft-delete the provided team ids and submit a delete task per team."
+  [{:keys [::db/conn] :as cfg} team-ids]
+  (when (seq team-ids)
+    (let [delay      (cf/get-deletion-delay)
+          deleted-at (ct/in-future delay)
+          updated    (db/exec! conn [sql:soft-delete-teams
+                                     deleted-at
+                                     (db/create-array conn "uuid" team-ids)])]
+      (doseq [{:keys [id deleted-at]} updated]
+        (wrk/submit! {::db/conn conn
+                      ::wrk/task :delete-object
+                      ::wrk/params {:object :team
+                                    :deleted-at deleted-at
+                                    :id id}}))))
+  nil)
+
+(defn manage-deleted-organization-teams
+  "For a list of teams, rename those with files and delete those without, then notify users."
+  [cfg {:keys [teams organization-name]}]
+  (let [teams (->> teams (filter uuid?) distinct (into []))]
+    (when (seq teams)
+      (let [org-prefix (str "[" (d/sanitize-string organization-name) "] ")]
+        (db/tx-run!
+         cfg
+         (fn [{:keys [::db/conn] :as cfg}]
+           (let [teams-array      (db/create-array conn "uuid" teams)
+                 teams-with-files (->> (db/exec! conn [sql:get-teams-files-counts teams-array])
+                                       (filter (fn [{:keys [total]}] (pos? total)))
+                                       (map :team-id)
+                                       (into #{}))
+                 teams-to-keep    (->> teams (filter teams-with-files) (into []))
+                 teams-to-delete  (->> teams (remove teams-with-files) (into []))]
+
+             ;; Rename teams that have files in one go
+             (when (seq teams-to-keep)
+               (db/exec! conn [sql:prefix-teams-name-and-unset-default
+                               org-prefix
+                               (db/create-array conn "uuid" teams-to-keep)]))
+
+             ;; Soft-delete empty teams in one go
+             (soft-delete-teams! cfg teams-to-delete)
+
+             (notifications/notify-organization-deletion cfg organization-name teams teams-to-delete)
+             nil)))))))
+
+
+(sv/defmethod ::notify-organization-deletion
+  "For a list of teams, rename them with the name of the deleted org, and notify
+   of the deletion to the connected users"
+  {::doc/added "2.15"
+   ::sm/params schema:notify-organization-deletion
+   ::rpc/auth false}
+  [cfg {:keys [organization-id]}]
+  (let [org-summary (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        teams       (->> (:teams org-summary)
+                         (map :id))]
+    (manage-deleted-organization-teams cfg {:teams teams :organization-name (:name org-summary)})
+    nil))
+
+;; ---- API: notify-user-organizations-deletion
+
+(def ^:private schema:notify-user-organizations-deletion
+  [:map
+   [:profile-id ::sm/uuid]])
+
+(sv/defmethod ::notify-user-organizations-deletion
+  "For a given user, find all owned organizations and rename or delete their teams."
+  {::doc/added "2.18"
+   ::sm/params schema:notify-user-organizations-deletion}
+  [cfg {:keys [profile-id]}]
+  (let [owned-orgs (nitrate/call cfg :get-owned-orgs {:profile-id profile-id})]
+    (doseq [org owned-orgs]
+      (let [organization-name (:name org)
+            teams (map :id (:teams org))]
+        (manage-deleted-organization-teams cfg {:teams teams :organization-name organization-name}))))
+  nil)
+
+
+
+
+;; ---- API: get-profile-by-email
+
+(def ^:private sql:get-profile-by-email
+  "SELECT DISTINCT id, fullname, email, photo_id
+     FROM profile
+    WHERE email = ?
+      AND deleted_at IS NULL;")
+
+(sv/defmethod ::get-profile-by-email
+  "Get profile by email"
+  {::doc/added "2.15"
+   ::sm/params [:map [:email ::sm/email]]
+   ::sm/result schema:profile}
+  [cfg {:keys [email]}]
+  (let [profile (db/exec-one! cfg [sql:get-profile-by-email email])]
+    (when-not profile
+      (ex/raise :type :not-found
+                :code :profile-not-found
+                :hint "profile does not exist"
+                :email email))
+    (profile-to-map profile)))
+
+
+;; ---- API: get-profile-by-id
+
+(def ^:private sql:get-profile-by-id
+  "SELECT DISTINCT id, fullname, email, photo_id
+     FROM profile
+    WHERE id = ?
+      AND deleted_at IS NULL;")
+
+(sv/defmethod ::get-profile-by-id
+  "Get profile by email"
+  {::doc/added "2.15"
+   ::sm/params [:map [:id ::sm/uuid]]
+   ::sm/result schema:profile}
+  [cfg {:keys [id]}]
+  (let [profile (db/exec-one! cfg [sql:get-profile-by-id id])]
+    (when-not profile
+      (ex/raise :type :not-found
+                :code :profile-not-found
+                :hint "profile does not exist"
+                :id id))
+    (profile-to-map profile)))
+
+
+;; ---- API: get-org-member-team-counts
+
+(def ^:private sql:get-org-member-team-counts
+  "SELECT tpr.profile_id, COUNT(DISTINCT t.id) AS team_count
+     FROM team_profile_rel AS tpr
+     JOIN team AS t ON t.id = tpr.team_id
+    WHERE t.id = ANY(?)
+      AND t.deleted_at IS NULL
+      AND t.is_default IS FALSE
+    GROUP BY tpr.profile_id;")
+
+(def ^:private schema:get-org-member-team-counts-params
+  [:map [:team-ids [:or ::sm/uuid [:vector ::sm/uuid]]]])
+
+(def ^:private schema:get-org-member-team-counts-result
+  [:vector [:map
+            [:profile-id ::sm/uuid]
+            [:team-count ::sm/int]]])
+
+(sv/defmethod ::get-org-member-team-counts
+  "Get the number of non-default teams each profile belongs to within a set of teams."
+  {::doc/added "2.15"
+   ::sm/params schema:get-org-member-team-counts-params
+   ::sm/result schema:get-org-member-team-counts-result
+   ::rpc/auth false}
+  [cfg {:keys [team-ids]}]
+  (let [team-ids (cond
+                   (uuid? team-ids)
+                   [team-ids]
+
+                   (and (vector? team-ids) (every? uuid? team-ids))
+                   team-ids
+
+                   :else
+                   [])]
+    (if (empty? team-ids)
+      []
+      (db/run! cfg (fn [{:keys [::db/conn]}]
+                     (let [ids-array (db/create-array conn "uuid" team-ids)]
+                       (db/exec! conn [sql:get-org-member-team-counts ids-array])))))))
+
+
+;; API: invite-to-org
+
+(sv/defmethod ::invite-to-org
+  "Invite to organization"
+  {::doc/added "2.15"
+   ::sm/params [:map
+                [:email ::sm/email]
+                [:id ::sm/uuid]
+                [:name ::sm/text]
+                [:initials [:maybe :string]]
+                [:logo ::sm/uri]]}
+  [cfg params]
+  (db/tx-run! cfg ti/create-org-invitation params)
+  nil)
+
+
+;; API: get-org-invitations
+
+(def ^:private sql:get-org-invitations
+  "SELECT DISTINCT ON (email_to)
+          ti.id,
+          ti.org_id AS organization_id,
+          ti.email_to AS email,
+          ti.created_at AS sent_at,
+          p.fullname AS name,
+          p.photo_id
+     FROM team_invitation AS ti
+LEFT JOIN profile AS p
+       ON p.email = ti.email_to
+      AND p.deleted_at IS NULL
+    WHERE ti.valid_until >= now()
+      AND (ti.org_id = ? OR ti.team_id = ANY(?))
+    ORDER BY ti.email_to, ti.valid_until DESC, ti.created_at DESC;")
+
+(def ^:private schema:get-org-invitations-params
+  [:map
+   [:organization-id ::sm/uuid]])
+
+(def ^:private schema:get-org-invitations-result
+  [:vector
+   [:map
+    [:id ::sm/uuid]
+    [:organization-id {:optional true} [:maybe ::sm/uuid]]
+    [:email ::sm/email]
+    [:sent-at ::sm/inst]
+    [:name {:optional true} [:maybe ::sm/text]]
+    [:photo-url {:optional true} ::sm/uri]]])
+
+(sv/defmethod ::get-org-invitations
+  "Get valid invitations for an organization, returning at most one invitation per email."
+  {::doc/added "2.16"
+   ::sm/params schema:get-org-invitations-params
+   ::sm/result schema:get-org-invitations-result}
+  [cfg {:keys [organization-id]}]
+  (let [org-summary (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        team-ids    (->> (:teams org-summary)
+                         (map :id)
+                         (filter uuid?)
+                         (into []))]
+    (db/run! cfg (fn [{:keys [::db/conn]}]
+                   (let [ids-array (db/create-array conn "uuid" team-ids)]
+                     (->> (db/exec! conn [sql:get-org-invitations organization-id ids-array])
+                          (mapv (fn [{:keys [photo-id] :as invitation}]
+                                  (cond-> (dissoc invitation :photo-id)
+                                    photo-id
+                                    (assoc :photo-url (files/resolve-public-uri photo-id)))))))))))
+
+
+;; API: delete-org-invitations
+
+(def ^:private sql:delete-org-invitations
+  "DELETE FROM team_invitation AS ti
+    WHERE ti.email_to = ?
+      AND (ti.org_id = ? OR ti.team_id = ANY(?));")
+
+(def ^:private schema:delete-org-invitations-params
+  [:map
+   [:organization-id ::sm/uuid]
+   [:email ::sm/email]])
+
+(sv/defmethod ::delete-org-invitations
+  "Delete all invitations for one email in an organization scope (org + org teams)."
+  {::doc/added "2.16"
+   ::sm/params schema:delete-org-invitations-params}
+  [cfg {:keys [organization-id email]}]
+  (let [org-summary (nitrate/call cfg :get-org-summary {:organization-id organization-id})
+        clean-email (profile/clean-email email)
+        team-ids    (->> (:teams org-summary)
+                         (map :id)
+                         (filter uuid?)
+                         (into []))]
+    (db/run! cfg (fn [{:keys [::db/conn]}]
+                   (let [ids-array (db/create-array conn "uuid" team-ids)]
+                     (db/exec! conn [sql:delete-org-invitations clean-email organization-id ids-array]))))
+    nil))
+
+
+
+;; API: remove-from-org
+
+(def ^:private sql:get-reassign-to
+  "SELECT tpr.profile_id
+     FROM team_profile_rel AS tpr
+    WHERE tpr.team_id = ?
+      AND tpr.profile_id <> ?
+      AND tpr.is_owner IS NOT TRUE
+    ORDER BY CASE
+               WHEN tpr.is_admin IS TRUE THEN 1
+               ELSE 2
+             END,
+             tpr.created_at,
+             tpr.profile_id
+    LIMIT 1;")
+
+(defn add-reassign-to [cfg profile-id team-to-transfer]
+  (let [reassign-to (-> (db/exec-one! cfg [sql:get-reassign-to (:id team-to-transfer) profile-id])
+                        :profile-id)]
+    (when-not reassign-to
+      (ex/raise :type :validation
+                :code :nobody-to-reassign-team))
+
+    (assoc team-to-transfer :reassign-to reassign-to)))
+
+(sv/defmethod ::remove-from-org
+  "Remove an user from an organization"
+  {::doc/added "2.17"
+   ::sm/params [:map
+                [:profile-id ::sm/uuid]
+                [:organization-id ::sm/uuid]
+                [:organization-name ::sm/text]
+                [:default-team-id ::sm/uuid]]
+   ::db/transaction true}
+  [cfg {:keys [profile-id organization-id organization-name default-team-id] :as params}]
+  (let [{:keys [valid-teams-to-delete-ids
+                valid-teams-to-transfer
+                valid-teams-to-exit]} (cnit/get-valid-teams cfg organization-id profile-id default-team-id)
+        add-reassign-to (partial add-reassign-to cfg profile-id)
+
+        valid-teams-to-leave (into valid-teams-to-exit
+                                   (map add-reassign-to valid-teams-to-transfer))]
+
+    (cnit/leave-org cfg (assoc params
+                               :id organization-id
+                               :name organization-name
+                               :teams-to-delete valid-teams-to-delete-ids
+                               :teams-to-leave valid-teams-to-leave
+                               :skip-validation true))
+    (notifications/notify-user-org-change cfg profile-id organization-id organization-name "dashboard.user-no-longer-belong-org")
+    nil))
+
+;; API: get-remove-from-org-summary
+
+(def ^:private schema:get-remove-from-org-summary-result
+  [:map
+   [:teams-to-delete ::sm/int]
+   [:teams-to-transfer ::sm/int]
+   [:teams-to-exit ::sm/int]])
+
+(sv/defmethod ::get-remove-from-org-summary
+  "Get a summary of the teams that would be deleted, transferred, or exited
+   if the user were removed from the organization"
+  {::doc/added "2.17"
+   ::sm/params [:map
+                [:profile-id ::sm/uuid]
+                [:organization-id ::sm/uuid]
+                [:default-team-id ::sm/uuid]]
+   ::sm/result schema:get-remove-from-org-summary-result
+   ::db/transaction true}
+  [cfg {:keys [profile-id organization-id default-team-id]}]
+  (let [{:keys [valid-teams-to-delete-ids
+                valid-teams-to-transfer
+                valid-teams-to-exit
+                valid-default-team]} (cnit/get-valid-teams cfg organization-id profile-id default-team-id)]
+    (when-not valid-default-team
+      (ex/raise :type :validation
+                :code :not-valid-teams))
+    {:teams-to-delete   (count valid-teams-to-delete-ids)
+     :teams-to-transfer (count valid-teams-to-transfer)
+     :teams-to-exit     (count valid-teams-to-exit)}))
+

backend/src/app/rpc/notifications.clj

@@ -0,0 +1,44 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns app.rpc.notifications
+  (:require
+   [app.common.uuid :as uuid]
+   [app.msgbus :as mbus]))
+
+(defn notify-team-change
+  [cfg team notification]
+  (let [msgbus (::mbus/msgbus cfg)]
+    (mbus/pub! msgbus
+               ;;TODO There is a bug on dashboard with teams notifications.
+               ;;For now we send it to uuid/zero instead of team-id
+               :topic uuid/zero
+               :message {:type :team-org-change
+                         :team team
+                         :notification notification})))
+
+
+(defn notify-user-org-change
+  [cfg profile-id organization-id organization-name notification]
+  (let [msgbus (::mbus/msgbus cfg)]
+    (mbus/pub! msgbus
+               :topic profile-id
+               :message {:type :user-org-change
+                         :topic profile-id
+                         :organization-id organization-id
+                         :organization-name organization-name
+                         :notification notification})))
+
+
+(defn notify-organization-deletion
+  [cfg organization-name teams deleted-teams]
+  (let [msgbus (::mbus/msgbus cfg)]
+    (mbus/pub! msgbus
+               :topic uuid/zero
+               :message {:type :organization-deleted
+                         :organization-name organization-name
+                         :teams teams
+                         :deleted-teams deleted-teams})))

backend/src/app/srepl/cli.clj

@@ -53,7 +53,7 @@
     :or {is-active true}}]
   (some-> (get-current-system)
           (db/tx-run!
-           (fn [{:keys [::db/conn] :as system}]
+           (fn [system]
              (let [password (derive-password password)
                    params   {:id (uuid/next)
                              :email email
@@ -62,7 +62,7 @@
                              :password password
                              :props {}}]
                (->> (cmd.auth/create-profile system params)
-                    (cmd.auth/create-profile-rels conn)))))))
+                    (cmd.auth/create-profile-rels system)))))))
 
 (defmethod exec-command "update-profile"
   [{:keys [fullname email password is-active]}]

backend/src/app/srepl/main.clj

@@ -905,5 +905,4 @@
                       (let [params (-> rel
                                        (assoc :id (uuid/next))
                                        (assoc :team-id (:id team)))]
-                        (db/insert! conn :team-profile-rel params
-                                    {::db/return-keys false}))))))))
+                        (teams/add-profile-to-team! cfg params {::db/return-keys false}))))))))

backend/src/app/storage.clj

@@ -44,6 +44,7 @@
     "file-object-thumbnail"
     "file-thumbnail"
     "profile"
+    "organization"
     "tempfile"
     "file-data"
     "file-data-fragment"

backend/src/app/storage/gc_touched.clj

@@ -166,6 +166,7 @@
     "profile"               (process-objects! conn has-profile-refs? bucket objects)
     "file-data"             (process-objects! conn has-file-data-refs? bucket objects)
     "tempfile"              (process-objects! conn (constantly false) bucket objects)
+    "organization"          (process-objects! conn (constantly false) bucket objects)
     (ex/raise :type :internal
               :code :unexpected-unknown-reference
               :hint (dm/fmt "unknown reference '%'" bucket))))

backend/src/app/storage/s3.clj

@@ -30,21 +30,18 @@
    java.nio.file.Path
    java.time.Duration
    java.util.Collection
-   java.util.Optional
    java.util.concurrent.atomic.AtomicLong
+   java.util.Optional
    org.reactivestreams.Subscriber
    software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider
-   software.amazon.awssdk.core.ResponseBytes
    software.amazon.awssdk.core.async.AsyncRequestBody
    software.amazon.awssdk.core.async.AsyncResponseTransformer
    software.amazon.awssdk.core.async.BlockingInputStreamAsyncRequestBody
    software.amazon.awssdk.core.client.config.ClientAsyncConfiguration
+   software.amazon.awssdk.core.ResponseBytes
    software.amazon.awssdk.http.nio.netty.NettyNioAsyncHttpClient
    software.amazon.awssdk.http.nio.netty.SdkEventLoopGroup
    software.amazon.awssdk.regions.Region
-   software.amazon.awssdk.services.s3.S3AsyncClient
-   software.amazon.awssdk.services.s3.S3AsyncClientBuilder
-   software.amazon.awssdk.services.s3.S3Configuration
    software.amazon.awssdk.services.s3.model.Delete
    software.amazon.awssdk.services.s3.model.DeleteObjectRequest
    software.amazon.awssdk.services.s3.model.DeleteObjectsRequest
@@ -54,9 +51,12 @@
    software.amazon.awssdk.services.s3.model.ObjectIdentifier
    software.amazon.awssdk.services.s3.model.PutObjectRequest
    software.amazon.awssdk.services.s3.model.S3Error
-   software.amazon.awssdk.services.s3.presigner.S3Presigner
    software.amazon.awssdk.services.s3.presigner.model.GetObjectPresignRequest
-   software.amazon.awssdk.services.s3.presigner.model.PresignedGetObjectRequest))
+   software.amazon.awssdk.services.s3.presigner.model.PresignedGetObjectRequest
+   software.amazon.awssdk.services.s3.presigner.S3Presigner
+   software.amazon.awssdk.services.s3.S3AsyncClient
+   software.amazon.awssdk.services.s3.S3AsyncClientBuilder
+   software.amazon.awssdk.services.s3.S3Configuration))
 
 (def ^:private max-retries
   "A maximum number of retries on internal operations"

backend/test/backend_tests/auth_oidc_test.clj

@@ -0,0 +1,55 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns backend-tests.auth-oidc-test
+  (:require
+   [app.auth.oidc :as oidc]
+   [clojure.test :as t]))
+
+(def ^:private oidc-provider
+  {:id "oidc"
+   :type "oidc"})
+
+(t/deftest parse-attr-path-supports-dot-and-double-underscore
+  (t/is
+   (= [:oidc/resource-access :penpot_roles :roles]
+      (#'oidc/parse-attr-path oidc-provider "resource_access__penpot_roles__roles")))
+  (t/is
+   (= [:oidc/ocs :data :email]
+      (#'oidc/parse-attr-path oidc-provider "ocs.data.email"))))
+
+(t/deftest process-user-info-supports-dot-notation-nested-attrs
+  (let [provider (assoc oidc-provider
+                        :email-attr "ocs.data.email"
+                        :name-attr "ocs.data.display-name")
+        info     (#'oidc/process-user-info provider
+                                           {}
+                                           {:email_verified true
+                                            :ocs {:data {:email "nextcloud@example.com"
+                                                         :display-name "Nextcloud User"}}})]
+    (t/is (= "nextcloud@example.com" (:email info)))
+    (t/is (= "Nextcloud User" (:fullname info)))
+    (t/is (true? (:email-verified info)))))
+
+;; The provider's `:user-info-source` value arrives as a string (enforced by
+;; the malli schema in `app.config` and used as-is by the hard-coded Google /
+;; GitHub provider maps), so the dispatch must interpret strings — not
+;; keywords — to actually honour `PENPOT_OIDC_USER_INFO_SOURCE=userinfo`.
+(t/deftest select-user-info-source-interprets-config-strings
+  (t/testing "explicit string values map to keyword dispatch tokens"
+    (t/is (= :token    (#'oidc/select-user-info-source "token")))
+    (t/is (= :userinfo (#'oidc/select-user-info-source "userinfo"))))
+
+  (t/testing "missing or explicit \"auto\" falls back to auto dispatch"
+    (t/is (= :auto (#'oidc/select-user-info-source "auto")))
+    (t/is (= :auto (#'oidc/select-user-info-source nil))))
+
+  (t/testing "unknown values fall back to auto dispatch safely"
+    (t/is (= :auto (#'oidc/select-user-info-source "unknown")))
+    ;; Guards against the reverse regression — a stray keyword value must
+    ;; not silently slip through as if it were the matching string.
+    (t/is (= :auto (#'oidc/select-user-info-source :token)))
+    (t/is (= :auto (#'oidc/select-user-info-source :userinfo)))))

backend/test/backend_tests/email_blacklist_test.clj

@@ -0,0 +1,34 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns backend-tests.email-blacklist-test
+  (:require
+   [app.email :as-alias email]
+   [app.email.blacklist :as blacklist]
+   [clojure.test :as t]))
+
+(def ^:private cfg
+  {::email/blacklist #{"somedomain.com" "spam.net"}})
+
+(t/deftest test-exact-domain-match
+  (t/is (true?  (blacklist/contains? cfg "user@somedomain.com")))
+  (t/is (true?  (blacklist/contains? cfg "user@spam.net")))
+  (t/is (false? (blacklist/contains? cfg "user@legit.com"))))
+
+(t/deftest test-subdomain-match
+  (t/is (true?  (blacklist/contains? cfg "user@sub.somedomain.com")))
+  (t/is (true?  (blacklist/contains? cfg "user@a.b.somedomain.com")))
+  ;; A domain that merely contains the blacklisted string but is not a
+  ;; subdomain must NOT be rejected.
+  (t/is (false? (blacklist/contains? cfg "user@notsomedomain.com"))))
+
+(t/deftest test-case-insensitive
+  (t/is (true? (blacklist/contains? cfg "user@SOMEDOMAIN.COM")))
+  (t/is (true? (blacklist/contains? cfg "user@Sub.SomeDomain.Com"))))
+
+(t/deftest test-non-blacklisted-domain
+  (t/is (false? (blacklist/contains? cfg "user@example.com")))
+  (t/is (false? (blacklist/contains? cfg "user@sub.legit.com"))))

backend/test/backend_tests/helpers.clj

@@ -186,10 +186,10 @@
                         :is-demo false}
                        params)]
      (db/run! system
-              (fn [{:keys [::db/conn] :as cfg}]
+              (fn [cfg]
                 (->> params
                      (cmd.auth/create-profile cfg)
-                     (cmd.auth/create-profile-rels conn)))))))
+                     (cmd.auth/create-profile-rels cfg)))))))
 
 (defn create-project*
   ([i params] (create-project* *system* i params))
@@ -234,10 +234,10 @@
    (dm/with-open [conn (db/open system)]
      (let [id       (mk-uuid "team" i)
            features (cfeat/get-enabled-features cf/flags)]
-       (teams/create-team conn {:id id
-                                :profile-id profile-id
-                                :features features
-                                :name (str "team" i)})))))
+       (teams/create-team {::db/conn conn} {:id id
+                                            :profile-id profile-id
+                                            :features features
+                                            :name (str "team" i)})))))
 
 (defn create-file-media-object*
   ([params] (create-file-media-object* *system* params))
@@ -283,9 +283,10 @@
   ([params] (create-team-role* *system* params))
   ([system {:keys [team-id profile-id role] :or {role :owner}}]
    (dm/with-open [conn (db/open system)]
-     (#'teams/create-team-role conn {:team-id team-id
-                                     :profile-id profile-id
-                                     :role role}))))
+     (#'teams/create-team-role {::db/conn conn}
+                               {:team-id team-id
+                                :profile-id profile-id
+                                :role role}))))
 
 (defn create-project-role*
   ([params] (create-project-role* *system* params))
@@ -384,6 +385,31 @@
                             (dissoc ::type)
                             (assoc :app.rpc/request-at (ct/now)))))))
 
+(defn management-command!
+  ([data]
+   (management-command! data nil))
+  ([{:keys [::type] :as data} flags-to-add]
+   (let [flags (reduce conj cf/flags (or flags-to-add []))
+
+         resolve-management-methods
+         (requiring-resolve 'app.rpc/resolve-management-methods)
+
+         methods
+         (with-redefs [cf/flags flags]
+           (resolve-management-methods *system*))
+
+         [_ method-fn]
+         (get methods type)]
+
+     (when-not method-fn
+       (ex/raise :type :assertion
+                 :code :rpc-method-not-found
+                 :hint (str/ffmt "management rpc method '%' not found" (name type))))
+
+     (try-on! (method-fn (-> data
+                             (dissoc ::type)
+                             (assoc :app.rpc/request-at (ct/now))))))))
+
 (defn run-task!
   ([name]
    (run-task! name {}))

backend/test/backend_tests/rpc_file_test.clj

@@ -2121,3 +2121,92 @@
           (t/is (= 1 (count rows)))
           (t/is (= (:created-at row1) #penpot/inst "2025-10-31T00:00:00Z"))
           (t/is (nil? (:deleted-at row1))))))))
+
+(t/deftest get-file-stats-empty-file
+  (let [profile (th/create-profile* 1 {:is-active true})
+        file    (th/create-file* 1 {:profile-id (:id profile)
+                                    :project-id (:default-project-id profile)
+                                    :is-shared  false})
+        out     (th/command! {::th/type :get-file-stats
+                              ::rpc/profile-id (:id profile)
+                              :id (:id file)})]
+
+    ;; (th/print-result! out)
+    (t/is (nil? (:error out)))
+
+    (let [result (:result out)]
+      (t/is (= (:id file) (:file-id result)))
+      (t/is (pos? (:page-count result)))
+      (t/is (zero? (:component-count result)))
+      (t/is (zero? (:deleted-component-count result)))
+      (t/is (zero? (:color-count result)))
+      (t/is (zero? (:typography-count result)))
+      (t/is (zero? (:library-count result)))
+      (t/is (zero? (:referenced-by-count result)))
+      (t/is (contains? result :shape-counts))
+      (t/is (zero? (get-in result [:shape-counts :total])))
+      (t/is (= {} (get-in result [:shape-counts :by-type]))))))
+
+(t/deftest get-file-stats-with-shapes
+  (let [profile  (th/create-profile* 1 {:is-active true})
+        file     (th/create-file* 1 {:profile-id (:id profile)
+                                     :project-id (:default-project-id profile)
+                                     :is-shared  false})
+        page-id  (-> file :data :pages first)
+        rect-id  (uuid/random)
+        frame-id (uuid/random)]
+
+    (update-file!
+     :file-id (:id file)
+     :profile-id (:id profile)
+     :revn 0
+     :vern 0
+     :changes
+     [{:type :add-obj
+       :page-id page-id
+       :id frame-id
+       :parent-id uuid/zero
+       :frame-id uuid/zero
+       :components-v2 true
+       :obj (cts/setup-shape
+             {:id frame-id
+              :name "frame"
+              :frame-id uuid/zero
+              :parent-id uuid/zero
+              :type :frame})}
+      {:type :add-obj
+       :page-id page-id
+       :id rect-id
+       :parent-id frame-id
+       :frame-id frame-id
+       :components-v2 true
+       :obj (cts/setup-shape
+             {:id rect-id
+              :name "rect"
+              :frame-id frame-id
+              :parent-id frame-id
+              :type :rect})}])
+
+    (let [out    (th/command! {::th/type :get-file-stats
+                               ::rpc/profile-id (:id profile)
+                               :id (:id file)})
+          result (:result out)]
+
+      (t/is (nil? (:error out)))
+      (t/is (= 2 (get-in result [:shape-counts :total])))
+      (t/is (= 1 (get-in result [:shape-counts :by-type :rect])))
+      (t/is (= 1 (get-in result [:shape-counts :by-type :frame]))))))
+
+(t/deftest get-file-stats-forbidden
+  (let [owner (th/create-profile* 1 {:is-active true})
+        other (th/create-profile* 2 {:is-active true})
+        file  (th/create-file* 1 {:profile-id (:id owner)
+                                  :project-id (:default-project-id owner)
+                                  :is-shared  false})
+        out   (th/command! {::th/type :get-file-stats
+                            ::rpc/profile-id (:id other)
+                            :id (:id file)})]
+
+    (t/is (not (nil? (:error out))))
+    (let [edata (-> out :error ex-data)]
+      (t/is (= :not-found (:type edata))))))

backend/test/backend_tests/rpc_management_nitrate_test.clj

@@ -0,0 +1,926 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns backend-tests.rpc-management-nitrate-test
+  (:require
+   [app.common.data :as d]
+   [app.common.time :as ct]
+   [app.common.uuid :as uuid]
+   [app.config :as cf]
+   [app.db :as-alias db]
+   [app.msgbus :as mbus]
+   [app.nitrate :as nitrate]
+   [app.rpc :as-alias rpc]
+   [app.worker :as wrk]
+   [backend-tests.helpers :as th]
+   [clojure.set :as set]
+   [clojure.test :as t]
+   [cuerdas.core :as str]))
+
+(t/use-fixtures :once th/state-init)
+(t/use-fixtures :each th/database-reset)
+
+(defn- management-command-with-nitrate!
+  [data]
+  (th/management-command! data [:nitrate]))
+
+(t/deftest authenticate-success
+  (let [profile (th/create-profile* 1 {:is-active true
+                                       :fullname "Nitrate User"})
+        out     (management-command-with-nitrate! {::th/type :authenticate
+                                                   ::rpc/profile-id (:id profile)})]
+    (t/is (th/success? out))
+    (t/is (= (:id profile) (-> out :result :id)))
+    (t/is (= "Nitrate User" (-> out :result :name)))
+    (t/is (= (:email profile) (-> out :result :email)))
+    (t/is (nil? (-> out :result :photo-url)))))
+
+(t/deftest authenticate-requires-authentication
+  (let [out (management-command-with-nitrate! {::th/type :authenticate})]
+    (t/is (not (th/success? out)))
+    (t/is (= :authentication (th/ex-type (:error out))))
+    (t/is (= :authentication-required (th/ex-code (:error out))))))
+
+(t/deftest get-penpot-version
+  (let [profile (th/create-profile* 1 {:is-active true})
+        out     (management-command-with-nitrate! {::th/type :get-penpot-version
+                                                   ::rpc/profile-id (:id profile)})]
+    (t/is (th/success? out))
+    (t/is (= cf/version (-> out :result :version)))))
+
+(t/deftest get-teams-returns-only-owned-non-default-non-deleted
+  (let [profile      (th/create-profile* 1 {:is-active true})
+        other        (th/create-profile* 2 {:is-active true})
+        owned-team   (th/create-team* 1 {:profile-id (:id profile)})
+        deleted-team (th/create-team* 2 {:profile-id (:id profile)})
+        _            (th/db-update! :team
+                                    {:deleted-at (ct/now)}
+                                    {:id (:id deleted-team)})
+        other-team   (th/create-team* 3 {:profile-id (:id other)})
+        _            (th/create-team-role* {:team-id (:id other-team)
+                                            :profile-id (:id profile)
+                                            :role :editor})
+        out          (management-command-with-nitrate! {::th/type :get-teams
+                                                        ::rpc/profile-id (:id profile)})]
+    (t/is (th/success? out))
+    (t/is (= #{(:id owned-team)}
+             (->> out :result (map :id) set)))
+    (t/is (= #{(:name owned-team)}
+             (->> out :result (map :name) set)))))
+
+(t/deftest notify-team-change-publishes-event
+  (let [team-id          (uuid/random)
+        organization-id  (uuid/random)
+        organization     {:id organization-id
+                          :name "Acme Inc"
+                          :slug "acme-inc"
+                          :owner-id (uuid/random)
+                          :avatar-bg-url "http://example.com/avatar.svg"}
+        calls            (atom [])
+        out              (with-redefs [mbus/pub! (fn [_cfg & {:keys [topic message]}]
+                                                   (swap! calls conj {:topic topic
+                                                                      :message message}))]
+                           (management-command-with-nitrate! {::th/type :notify-team-change
+                                                              :id team-id
+                                                              :is-your-penpot false
+                                                              :organization organization}))]
+    (t/is (th/success? out))
+    (t/is (= 1 (count @calls)))
+    (t/is (= uuid/zero (-> @calls first :topic)))
+    (let [msg (-> @calls first :message)]
+      (t/is (= :team-org-change (:type msg)))
+      (t/is (= nil (:notification msg)))
+      (t/is (= team-id (-> msg :team :id)))
+      (t/is (= false (-> msg :team :is-your-penpot)))
+      (t/is (= (:id organization) (-> msg :team :organization :id)))
+      (t/is (= (:name organization) (-> msg :team :organization :name)))
+      (t/is (= (:slug organization) (-> msg :team :organization :slug)))
+      (t/is (= (:owner-id organization) (-> msg :team :organization :owner-id)))
+      (t/is (= (:avatar-bg-url organization) (str (-> msg :team :organization :avatar-bg-url)))))))
+
+(t/deftest notify-user-added-to-organization-creates-default-org-team
+  (let [profile      (th/create-profile* 1 {:is-active true})
+        before-teams (->> (th/db-query :team-profile-rel {:profile-id (:id profile)
+                                                          :is-owner true})
+                          (map :team-id)
+                          set)
+        out          (management-command-with-nitrate! {::th/type :notify-user-added-to-organization
+                                                        :profile-id (:id profile)
+                                                        :organization-id (uuid/random)
+                                                        :role "owner"})
+        after-teams  (->> (th/db-query :team-profile-rel {:profile-id (:id profile)
+                                                          :is-owner true})
+                          (map :team-id)
+                          set)
+        new-team-id  (first (set/difference after-teams before-teams))
+        new-team     (th/db-get :team {:id new-team-id})]
+    (t/is (th/success? out))
+    (t/is (= 1 (count (set/difference after-teams before-teams))))
+    (t/is (= "Your Penpot" (:name new-team)))
+    (t/is (true? (:is-default new-team)))))
+
+(t/deftest get-managed-profiles-returns-unique-members-for-owned-teams
+  (let [owner     (th/create-profile* 1 {:is-active true})
+        member1   (th/create-profile* 2 {:is-active true})
+        member2   (th/create-profile* 3 {:is-active true})
+        team1     (th/create-team* 1 {:profile-id (:id owner)})
+        team2     (th/create-team* 2 {:profile-id (:id owner)})
+        _         (th/create-team-role* {:team-id (:id team1)
+                                         :profile-id (:id member1)
+                                         :role :editor})
+        _         (th/create-team-role* {:team-id (:id team1)
+                                         :profile-id (:id member2)
+                                         :role :editor})
+        _         (th/create-team-role* {:team-id (:id team2)
+                                         :profile-id (:id member1)
+                                         :role :editor})
+        out       (management-command-with-nitrate! {::th/type :get-managed-profiles
+                                                     ::rpc/profile-id (:id owner)})]
+    (t/is (th/success? out))
+    (t/is (= #{(:id member1) (:id member2)}
+             (->> out :result (map :id) set)))
+    (t/is (= #{(:email member1) (:email member2)}
+             (->> out :result (map :email) set)))))
+
+(t/deftest get-teams-summary-returns-teams-and-files-count
+  (let [profile (th/create-profile* 1 {:is-active true})
+        team1   (th/create-team* 1 {:profile-id (:id profile)})
+        team2   (th/create-team* 2 {:profile-id (:id profile)})
+        proj1   (th/create-project* 1 {:profile-id (:id profile)
+                                       :team-id (:id team1)})
+        proj2   (th/create-project* 2 {:profile-id (:id profile)
+                                       :team-id (:id team2)})
+        _       (th/create-file* 1 {:profile-id (:id profile)
+                                    :project-id (:id proj1)})
+        _       (th/create-file* 2 {:profile-id (:id profile)
+                                    :project-id (:id proj2)})
+        out     (management-command-with-nitrate! {::th/type :get-teams-summary
+                                                   ::rpc/profile-id (:id profile)
+                                                   :ids [(:id team1) (:id team2)]})]
+    (t/is (th/success? out))
+    (t/is (= 2 (-> out :result :num-files)))
+    (t/is (= #{(:id team1) (:id team2)}
+             (->> out :result :teams (map :id) set)))))
+
+(t/deftest notify-organization-deletion-prefixes-teams-and-publishes-org-deleted-event
+  (let [profile           (th/create-profile* 1 {:is-active true})
+        ;; One team will have files -> it will be kept and renamed.
+        team-with-files   (th/db-get :team {:id (:default-team-id profile)})
+        project           (th/create-project* 1 {:profile-id (:id profile)
+                                                 :team-id (:id team-with-files)})
+        _                 (th/create-file* 1 {:profile-id (:id profile)
+                                              :project-id (:id project)})
+
+        ;; One team will be empty -> it will be soft-deleted.
+        empty-team        (th/create-team* 1 {:profile-id (:id profile)})
+
+        organization-id   (uuid/random)
+        organization-name "Acme / Design"
+        expected-start    (str "[" (d/sanitize-string organization-name) "] ")
+        org-summary       {:id organization-id
+                           :name organization-name
+                           :teams [{:id (:id team-with-files)}
+                                   {:id (:id empty-team)}]}
+        calls             (atom [])
+        submitted         (atom [])
+        out               (with-redefs [nitrate/call (fn [_cfg method params]
+                                                       (t/is (= :get-org-summary method))
+                                                       (t/is (= {:organization-id organization-id} params))
+                                                       org-summary)
+                                        wrk/submit! (fn [task]
+                                                      (swap! submitted conj task)
+                                                      nil)
+                                        mbus/pub! (fn [_cfg & {:keys [topic message]}]
+                                                    (swap! calls conj {:topic topic
+                                                                       :message message}))]
+                            (management-command-with-nitrate! {::th/type :notify-organization-deletion
+                                                               ::rpc/profile-id (:id profile)
+                                                               :organization-id organization-id}))
+        updated-with-files (th/db-get :team {:id (:id team-with-files)} {::db/remove-deleted false})
+        updated-empty      (th/db-get :team {:id (:id empty-team)} {::db/remove-deleted false})]
+    (t/is (th/success? out))
+    (t/is (nil? (:result out)))
+
+    ;; Team with files is kept, unset as default, and renamed with org prefix.
+    (t/is (false? (:is-default updated-with-files)))
+    (t/is (str/starts-with? (:name updated-with-files) expected-start))
+    (t/is (nil? (:deleted-at updated-with-files)))
+
+    ;; Empty team is soft-deleted and a delete task is submitted.
+    (t/is (some? (:deleted-at updated-empty)))
+    (t/is (= 1 (count @submitted)))
+
+    ;; A single organization-deleted event is published.
+    (t/is (= 1 (count @calls)))
+    (let [{:keys [topic message]} (first @calls)]
+      (t/is (= uuid/zero topic))
+      (t/is (= :organization-deleted (:type message)))
+      (t/is (= organization-name (:organization-name message)))
+      (t/is (= #{(:id team-with-files) (:id empty-team)}
+               (set (:teams message))))
+      (t/is (= #{(:id empty-team)}
+               (set (:deleted-teams message)))))))
+
+(t/deftest notify-user-organizations-deletion-renames-or-deletes-teams-and-publishes-per-org-events
+  (let [profile            (th/create-profile* 1 {:is-active true})
+        ;; org-1: one team with files, one empty
+        org-1-team-files   (th/db-get :team {:id (:default-team-id profile)})
+        org-1-proj         (th/create-project* 1 {:profile-id (:id profile)
+                                                  :team-id (:id org-1-team-files)})
+        _                  (th/create-file* 1 {:profile-id (:id profile)
+                                               :project-id (:id org-1-proj)})
+        org-1-team-empty   (th/create-team* 1 {:profile-id (:id profile)})
+
+        ;; org-2: one team with files, one empty
+        org-2-team-files   (th/create-team* 2 {:profile-id (:id profile)})
+        org-2-proj         (th/create-project* 2 {:profile-id (:id profile)
+                                                  :team-id (:id org-2-team-files)})
+        _                  (th/create-file* 2 {:profile-id (:id profile)
+                                               :project-id (:id org-2-proj)})
+        org-2-team-empty   (th/create-team* 3 {:profile-id (:id profile)})
+
+        org-1-id           (uuid/random)
+        org-2-id           (uuid/random)
+        org-1-name         "Org One / Design"
+        org-2-name         "Org Two"
+        org-1-prefix       (str "[" (d/sanitize-string org-1-name) "] ")
+        org-2-prefix       (str "[" (d/sanitize-string org-2-name) "] ")
+        owned-orgs         [{:id org-1-id
+                             :name org-1-name
+                             :teams [{:id (:id org-1-team-files)}
+                                     {:id (:id org-1-team-empty)}]}
+                            {:id org-2-id
+                             :name org-2-name
+                             :teams [{:id (:id org-2-team-files)}
+                                     {:id (:id org-2-team-empty)}]}]
+        calls              (atom [])
+        submitted          (atom [])
+        out                (with-redefs [nitrate/call (fn [_cfg method params]
+                                                        (case method
+                                                          :get-owned-orgs
+                                                          (do
+                                                            (t/is (= {:profile-id (:id profile)} params))
+                                                            owned-orgs)
+                                                          nil))
+                                         wrk/submit! (fn [task]
+                                                       (swap! submitted conj task)
+                                                       nil)
+                                         mbus/pub! (fn [_cfg & {:keys [topic message]}]
+                                                     (swap! calls conj {:topic topic
+                                                                        :message message}))]
+                             (management-command-with-nitrate! {::th/type :notify-user-organizations-deletion
+                                                                ::rpc/profile-id (:id profile)
+                                                                :profile-id (:id profile)}))
+        org-1-updated-files (th/db-get :team {:id (:id org-1-team-files)} {::db/remove-deleted false})
+        org-1-updated-empty (th/db-get :team {:id (:id org-1-team-empty)} {::db/remove-deleted false})
+        org-2-updated-files (th/db-get :team {:id (:id org-2-team-files)} {::db/remove-deleted false})
+        org-2-updated-empty (th/db-get :team {:id (:id org-2-team-empty)} {::db/remove-deleted false})
+        msgs               (->> @calls (map :message) vec)
+        org-msg            (fn [org-name]
+                             (first (filter #(= org-name (:organization-name %)) msgs)))]
+    (t/is (th/success? out))
+    (t/is (nil? (:result out)))
+
+    ;; org-1: team with files renamed; empty team deleted
+    (t/is (false? (:is-default org-1-updated-files)))
+    (t/is (str/starts-with? (:name org-1-updated-files) org-1-prefix))
+    (t/is (nil? (:deleted-at org-1-updated-files)))
+    (t/is (some? (:deleted-at org-1-updated-empty)))
+
+    ;; org-2: team with files renamed; empty team deleted
+    (t/is (false? (:is-default org-2-updated-files)))
+    (t/is (str/starts-with? (:name org-2-updated-files) org-2-prefix))
+    (t/is (nil? (:deleted-at org-2-updated-files)))
+    (t/is (some? (:deleted-at org-2-updated-empty)))
+
+    ;; two delete tasks (one per empty team)
+    (t/is (= 2 (count @submitted)))
+
+    ;; one organization-deleted event per org
+    (t/is (= 2 (count @calls)))
+    (t/is (every? #(= uuid/zero (:topic %)) @calls))
+    (t/is (= #{:organization-deleted}
+             (set (map (comp :type :message) @calls))))
+
+    (let [m1 (org-msg org-1-name)
+          m2 (org-msg org-2-name)]
+      (t/is (some? m1))
+      (t/is (some? m2))
+      (t/is (= #{(:id org-1-team-files) (:id org-1-team-empty)}
+               (set (:teams m1))))
+      (t/is (= #{(:id org-1-team-empty)}
+               (set (:deleted-teams m1))))
+      (t/is (= #{(:id org-2-team-files) (:id org-2-team-empty)}
+               (set (:teams m2))))
+      (t/is (= #{(:id org-2-team-empty)}
+               (set (:deleted-teams m2)))))))
+
+(t/deftest get-profile-by-email-success-and-not-found
+  (let [profile (th/create-profile* 1 {:is-active true
+                                       :fullname "Lookup by Email"})
+        ok-out  (management-command-with-nitrate! {::th/type :get-profile-by-email
+                                                   ::rpc/profile-id (:id profile)
+                                                   :email (:email profile)})
+        ko-out  (management-command-with-nitrate! {::th/type :get-profile-by-email
+                                                   ::rpc/profile-id (:id profile)
+                                                   :email "not-found@example.com"})]
+    (t/is (th/success? ok-out))
+    (t/is (= (:id profile) (-> ok-out :result :id)))
+    (t/is (= "Lookup by Email" (-> ok-out :result :name)))
+    (t/is (nil? (-> ok-out :result :photo-url)))
+
+    (t/is (not (th/success? ko-out)))
+    (t/is (= :not-found (th/ex-type (:error ko-out))))
+    (t/is (= :profile-not-found (th/ex-code (:error ko-out))))))
+
+(t/deftest get-profile-by-id-success-and-not-found
+  (let [profile (th/create-profile* 1 {:is-active true
+                                       :fullname "Lookup by Id"})
+        ok-out  (management-command-with-nitrate! {::th/type :get-profile-by-id
+                                                   ::rpc/profile-id (:id profile)
+                                                   :id (:id profile)})
+        ko-out  (management-command-with-nitrate! {::th/type :get-profile-by-id
+                                                   ::rpc/profile-id (:id profile)
+                                                   :id (uuid/random)})]
+    (t/is (th/success? ok-out))
+    (t/is (= (:id profile) (-> ok-out :result :id)))
+    (t/is (= "Lookup by Id" (-> ok-out :result :name)))
+    (t/is (nil? (-> ok-out :result :photo-url)))
+
+    (t/is (not (th/success? ko-out)))
+    (t/is (= :not-found (th/ex-type (:error ko-out))))
+    (t/is (= :profile-not-found (th/ex-code (:error ko-out))))))
+
+(t/deftest get-org-invitations-returns-valid-deduped-by-email
+  (let [profile      (th/create-profile* 1 {:is-active true})
+        team-1       (th/create-team* 1 {:profile-id (:id profile)})
+        team-2       (th/create-team* 2 {:profile-id (:id profile)})
+        org-id       (uuid/random)
+        org-summary  {:id org-id
+                      :teams [{:id (:id team-1)}
+                              {:id (:id team-2)}]}
+        params       {::th/type :get-org-invitations
+                      ::rpc/profile-id (:id profile)
+                      :organization-id org-id}]
+
+    ;; Same email appears in org and team invitations; only one should be returned.
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :org-id org-id
+                    :team-id nil
+                    :email-to "dup@example.com"
+                    :created-by (:id profile)
+                    :role "editor"
+                    :valid-until (ct/in-future "24h")})
+
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :team-id (:id team-1)
+                    :org-id nil
+                    :email-to "dup@example.com"
+                    :created-by (:id profile)
+                    :role "admin"
+                    :valid-until (ct/in-future "72h")})
+
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :team-id (:id team-2)
+                    :org-id nil
+                    :email-to "valid@example.com"
+                    :created-by (:id profile)
+                    :role "editor"
+                    :valid-until (ct/in-future "48h")})
+
+    ;; Expired invitation should be ignored.
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :org-id org-id
+                    :team-id nil
+                    :email-to "expired@example.com"
+                    :created-by (:id profile)
+                    :role "editor"
+                    :valid-until (ct/in-past "1h")})
+
+    (let [out (with-redefs [nitrate/call (fn [_cfg method _params]
+                                           (case method
+                                             :get-org-summary org-summary
+                                             nil))]
+                (management-command-with-nitrate! params))
+          result (:result out)
+          emails (->> result (map :email) set)
+          dedup  (->> result
+                      (filter #(= "dup@example.com" (:email %)))
+                      first)]
+      (t/is (th/success? out))
+      (t/is (= #{"dup@example.com" "valid@example.com"} emails))
+      (t/is (= 2 (count result)))
+      (t/is (some? (:id dedup)))
+      (t/is (some? (:sent-at dedup)))
+      (t/is (nil? (:organization-id dedup)))
+      (t/is (nil? (:team-id dedup)))
+      (t/is (nil? (:role dedup)))
+      (t/is (nil? (:valid-until dedup))))))
+
+(t/deftest get-org-invitations-includes-org-level-invitations-when-no-teams
+  (let [profile      (th/create-profile* 1 {:is-active true})
+        org-id       (uuid/random)
+        org-summary  {:id org-id
+                      :teams []}
+        params       {::th/type :get-org-invitations
+                      ::rpc/profile-id (:id profile)
+                      :organization-id org-id}]
+
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :org-id org-id
+                    :team-id nil
+                    :email-to "org-only@example.com"
+                    :created-by (:id profile)
+                    :role "editor"
+                    :valid-until (ct/in-future "24h")})
+
+    (let [out (with-redefs [nitrate/call (fn [_cfg method _params]
+                                           (case method
+                                             :get-org-summary org-summary
+                                             nil))]
+                (management-command-with-nitrate! params))
+          result (:result out)]
+      (t/is (th/success? out))
+      (t/is (= 1 (count result)))
+      (t/is (= "org-only@example.com" (-> result first :email)))
+      (t/is (some? (-> result first :sent-at))))))
+
+(t/deftest get-org-invitations-returns-existing-profile-data
+  (let [profile      (th/create-profile* 1 {:is-active true})
+        invited      (th/create-profile* 2 {:is-active true
+                                            :fullname "Invited User"})
+        photo-id     (uuid/random)
+        _            (th/db-insert! :storage-object {:id photo-id
+                                                     :backend "assets-fs"})
+        _            (th/db-update! :profile {:photo-id photo-id} {:id (:id invited)})
+        org-id       (uuid/random)
+        org-summary  {:id org-id
+                      :teams []}
+        params       {::th/type :get-org-invitations
+                      ::rpc/profile-id (:id profile)
+                      :organization-id org-id}]
+
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :org-id org-id
+                    :team-id nil
+                    :email-to (:email invited)
+                    :created-by (:id profile)
+                    :role "editor"
+                    :valid-until (ct/in-future "24h")})
+
+    (let [out (with-redefs [nitrate/call (fn [_cfg method _params]
+                                           (case method
+                                             :get-org-summary org-summary
+                                             nil))]
+                (management-command-with-nitrate! params))
+          invitation (-> out :result first)]
+      (t/is (th/success? out))
+      (t/is (= "Invited User" (:name invitation)))
+      (t/is (some? (:sent-at invitation)))
+      (t/is (str/ends-with? (:photo-url invitation)
+                            (str "/assets/by-id/" photo-id))))))
+
+(t/deftest delete-org-invitations-removes-org-and-org-team-invitations-for-email
+  (let [profile      (th/create-profile* 1 {:is-active true})
+        team-1       (th/create-team* 1 {:profile-id (:id profile)})
+        team-2       (th/create-team* 2 {:profile-id (:id profile)})
+        outside-team (th/create-team* 3 {:profile-id (:id profile)})
+        org-id       (uuid/random)
+        org-summary  {:id org-id
+                      :teams [{:id (:id team-1)}
+                              {:id (:id team-2)}]}
+        target-email "target@example.com"
+        params       {::th/type :delete-org-invitations
+                      ::rpc/profile-id (:id profile)
+                      :organization-id org-id
+                      :email "TARGET@example.com"}]
+
+    ;; Should be deleted: org-level invitation for same org+email.
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :org-id org-id
+                    :team-id nil
+                    :email-to target-email
+                    :created-by (:id profile)
+                    :role "editor"
+                    :valid-until (ct/in-future "24h")})
+
+    ;; Should be deleted: team-level invitation for teams belonging to org summary.
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :team-id (:id team-1)
+                    :org-id nil
+                    :email-to target-email
+                    :created-by (:id profile)
+                    :role "editor"
+                    :valid-until (ct/in-past "1h")})
+
+    ;; Should remain: different email.
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :team-id (:id team-2)
+                    :org-id nil
+                    :email-to "other@example.com"
+                    :created-by (:id profile)
+                    :role "editor"
+                    :valid-until (ct/in-future "24h")})
+
+    ;; Should remain: same email but outside org scope.
+    (th/db-insert! :team-invitation
+                   {:id (uuid/random)
+                    :team-id (:id outside-team)
+                    :org-id nil
+                    :email-to target-email
+                    :created-by (:id profile)
+                    :role "editor"
+                    :valid-until (ct/in-future "24h")})
+
+    (let [out (with-redefs [nitrate/call (fn [_cfg method _params]
+                                           (case method
+                                             :get-org-summary org-summary
+                                             nil))]
+                (management-command-with-nitrate! params))
+          remaining-target (th/db-query :team-invitation {:email-to target-email})
+          remaining-other  (th/db-query :team-invitation {:email-to "other@example.com"})]
+      (t/is (th/success? out))
+      (t/is (nil? (:result out)))
+      (t/is (= 1 (count remaining-target)))
+      (t/is (= (:id outside-team) (:team-id (first remaining-target))))
+      (t/is (= 1 (count remaining-other))))))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Tests: remove-from-org
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(defn- make-org-summary
+  [& {:keys [organization-id organization-name owner-id your-penpot-teams org-teams]
+      :or   {your-penpot-teams [] org-teams []}}]
+  {:id       organization-id
+   :name     organization-name
+   :owner-id owner-id
+   :teams    (into
+              (mapv (fn [id] {:id id :is-your-penpot true}) your-penpot-teams)
+              (mapv (fn [id] {:id id :is-your-penpot false}) org-teams))})
+
+(defn- nitrate-call-mock
+  [org-summary]
+  (fn [_cfg method _params]
+    (case method
+      :get-org-summary org-summary
+      :get-org-membership {:organization-id (:id org-summary)
+                           :is-member true}
+      :remove-profile-from-org nil
+      nil)))
+
+(t/deftest remove-from-org-happy-path-no-extra-teams
+  ;; User is only in its default team (which has files); it should be
+  ;; kept, renamed and unset as default.  A notification must be sent.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        org-team    (th/create-team* 1 {:profile-id (:id user)})
+        project     (th/create-project* 1 {:profile-id (:id user)
+                                           :team-id   (:id org-team)})
+        _           (th/create-file* 1 {:profile-id (:id user)
+                                        :project-id (:id project)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [])
+        calls       (atom [])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)
+                                  mbus/pub! (fn [_bus & {:keys [topic message]}]
+                                              (swap! calls conj {:topic topic :message message}))]
+                      (management-command-with-nitrate!
+                       {::th/type        :remove-from-org
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :organization-name        "Acme Org"
+                        :default-team-id (:id org-team)}))]
+    (t/is (th/success? out))
+    (t/is (nil? (:result out)))
+
+    ;; default team preserved, renamed and unset as default
+    (let [team (th/db-get :team {:id (:id org-team)})]
+      (t/is (false? (:is-default team)))
+      (t/is (str/starts-with? (:name team) "[Acme Org] ")))
+
+    ;; exactly one notification sent to the user
+    (t/is (= 1 (count @calls)))
+    (let [msg (-> @calls first :message)]
+      (t/is (= :user-org-change (:type msg)))
+      (t/is (= (:id user) (:topic msg)))
+      (t/is (= organization-id (:organization-id msg)))
+      (t/is (= "Acme Org" (:organization-name msg)))
+      (t/is (= "dashboard.user-no-longer-belong-org" (:notification msg))))))
+
+(t/deftest remove-from-org-deletes-empty-default-team
+  ;; When the default team has no files it should be soft-deleted.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        org-team    (th/create-team* 2 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)
+                                  mbus/pub! (fn [& _] nil)]
+                      (management-command-with-nitrate!
+                       {::th/type        :remove-from-org
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :organization-name        "Acme Org"
+                        :default-team-id (:id org-team)}))]
+    (t/is (th/success? out))
+    (let [team (th/db-get :team {:id (:id org-team)} {::db/remove-deleted false})]
+      (t/is (some? (:deleted-at team))))))
+
+(t/deftest remove-from-org-deletes-sole-owner-team
+  ;; When the user is the sole member of an org team it should be deleted.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        extra-team  (th/create-team* 3 {:profile-id (:id user)})
+        org-team    (th/create-team* 99 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [(:id extra-team)])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)
+                                  mbus/pub! (fn [& _] nil)]
+                      (management-command-with-nitrate!
+                       {::th/type        :remove-from-org
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :organization-name        "Acme Org"
+                        :default-team-id (:id org-team)}))]
+    (t/is (th/success? out))
+    (let [team (th/db-get :team {:id (:id extra-team)} {::db/remove-deleted false})]
+      (t/is (some? (:deleted-at team))))))
+
+(t/deftest remove-from-org-transfers-ownership-of-multi-member-team
+  ;; When the user owns a team that has another non-owner member, ownership
+  ;; is transferred to that member by the endpoint automatically.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        candidate   (th/create-profile* 3 {:is-active true})
+        extra-team  (th/create-team* 4 {:profile-id (:id user)})
+        _           (th/create-team-role* {:team-id    (:id extra-team)
+                                           :profile-id (:id candidate)
+                                           :role       :editor})
+        org-team    (th/create-team* 99 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [(:id extra-team)])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)
+                                  mbus/pub! (fn [& _] nil)]
+                      (management-command-with-nitrate!
+                       {::th/type        :remove-from-org
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :organization-name        "Acme Org"
+                        :default-team-id (:id org-team)}))]
+    (t/is (th/success? out))
+    ;; user no longer in extra-team
+    (let [rel (th/db-get :team-profile-rel {:team-id (:id extra-team) :profile-id (:id user)})]
+      (t/is (nil? rel)))
+    ;; candidate promoted to owner
+    (let [rel (th/db-get :team-profile-rel {:team-id (:id extra-team) :profile-id (:id candidate)})]
+      (t/is (true? (:is-owner rel))))))
+
+(t/deftest remove-from-org-exits-non-owned-team
+  ;; When the user is a non-owner member of an org team, they simply leave.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        extra-team  (th/create-team* 5 {:profile-id (:id org-owner)})
+        _           (th/create-team-role* {:team-id    (:id extra-team)
+                                           :profile-id (:id user)
+                                           :role       :editor})
+        org-team    (th/create-team* 99 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [(:id extra-team)])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)
+                                  mbus/pub! (fn [& _] nil)]
+                      (management-command-with-nitrate!
+                       {::th/type        :remove-from-org
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :organization-name        "Acme Org"
+                        :default-team-id (:id org-team)}))]
+    (t/is (th/success? out))
+    ;; user no longer a member of extra-team
+    (let [rel (th/db-get :team-profile-rel {:team-id (:id extra-team) :profile-id (:id user)})]
+      (t/is (nil? rel)))
+    ;; team still exists for the owner
+    (let [team (th/db-get :team {:id (:id extra-team)})]
+      (t/is (some? team)))))
+
+(t/deftest remove-from-org-error-nobody-to-reassign
+  ;; When the user owns a multi-member team but every other member is
+  ;; also an owner, the auto-selection query finds nobody and raises.
+  (let [other-owner (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        extra-team  (th/create-team* 6 {:profile-id (:id user)})
+        ;; add other-owner to the team and make them co-owner directly in DB
+        _           (th/create-team-role* {:team-id    (:id extra-team)
+                                           :profile-id (:id other-owner)
+                                           :role       :editor})
+        _           (th/db-update! :team-profile-rel
+                                   {:is-owner true :is-admin false}
+                                   {:team-id (:id extra-team) :profile-id (:id other-owner)})
+        org-team    (th/create-team* 99 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id other-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [(:id extra-team)])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)
+                                  mbus/pub! (fn [& _] nil)]
+                      (management-command-with-nitrate!
+                       {::th/type        :remove-from-org
+                        ::rpc/profile-id (:id other-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :organization-name        "Acme Org"
+                        :default-team-id (:id org-team)}))]
+    (t/is (not (th/success? out)))
+    (t/is (= :validation (th/ex-type (:error out))))
+    (t/is (= :nobody-to-reassign-team (th/ex-code (:error out))))))
+
+;; Tests: get-remove-from-org-summary
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(t/deftest get-remove-from-org-summary-no-extra-teams
+  ;; User only has a default team — nothing to delete/transfer/exit.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        org-team    (th/create-team* 1 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+                      (management-command-with-nitrate!
+                       {::th/type        :get-remove-from-org-summary
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :default-team-id (:id org-team)}))]
+    (t/is (th/success? out))
+    (t/is (= {:teams-to-delete   0
+              :teams-to-transfer 0
+              :teams-to-exit     0}
+             (:result out)))))
+
+(t/deftest get-remove-from-org-summary-with-teams-to-delete
+  ;; User owns a sole-member extra org team → 1 to delete.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        extra-team  (th/create-team* 3 {:profile-id (:id user)})
+        org-team    (th/create-team* 99 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [(:id extra-team)])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+                      (management-command-with-nitrate!
+                       {::th/type        :get-remove-from-org-summary
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :default-team-id (:id org-team)}))]
+    (t/is (th/success? out))
+    (t/is (= {:teams-to-delete   1
+              :teams-to-transfer 0
+              :teams-to-exit     0}
+             (:result out)))))
+
+(t/deftest get-remove-from-org-summary-with-teams-to-transfer
+  ;; User owns a multi-member extra org team → 1 to transfer.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        candidate   (th/create-profile* 3 {:is-active true})
+        extra-team  (th/create-team* 4 {:profile-id (:id user)})
+        _           (th/create-team-role* {:team-id    (:id extra-team)
+                                           :profile-id (:id candidate)
+                                           :role       :editor})
+        org-team    (th/create-team* 99 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [(:id extra-team)])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+                      (management-command-with-nitrate!
+                       {::th/type        :get-remove-from-org-summary
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :default-team-id (:id org-team)}))]
+    (t/is (th/success? out))
+    (t/is (= {:teams-to-delete   0
+              :teams-to-transfer 1
+              :teams-to-exit     0}
+             (:result out)))))
+
+(t/deftest get-remove-from-org-summary-with-teams-to-exit
+  ;; User is a non-owner member of an org team → 1 to exit.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        extra-team  (th/create-team* 5 {:profile-id (:id org-owner)})
+        _           (th/create-team-role* {:team-id    (:id extra-team)
+                                           :profile-id (:id user)
+                                           :role       :editor})
+        org-team    (th/create-team* 99 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [(:id extra-team)])
+        out         (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+                      (management-command-with-nitrate!
+                       {::th/type        :get-remove-from-org-summary
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :default-team-id (:id org-team)}))]
+    (t/is (th/success? out))
+    (t/is (= {:teams-to-delete   0
+              :teams-to-transfer 0
+              :teams-to-exit     1}
+             (:result out)))))
+
+(t/deftest get-remove-from-org-summary-does-not-mutate
+  ;; Calling the summary endpoint must not modify any teams.
+  (let [org-owner   (th/create-profile* 1 {:is-active true})
+        user        (th/create-profile* 2 {:is-active true})
+        extra-team  (th/create-team* 6 {:profile-id (:id user)})
+        org-team    (th/create-team* 99 {:profile-id (:id user)})
+        organization-id      (uuid/random)
+        org-summary (make-org-summary
+                     :organization-id            organization-id
+                     :organization-name          "Acme Org"
+                     :owner-id          (:id org-owner)
+                     :your-penpot-teams [(:id org-team)]
+                     :org-teams         [(:id extra-team)])
+        _           (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+                      (management-command-with-nitrate!
+                       {::th/type        :get-remove-from-org-summary
+                        ::rpc/profile-id (:id org-owner)
+                        :profile-id      (:id user)
+                        :organization-id          organization-id
+                        :default-team-id (:id org-team)}))]
+    ;; Both teams must still exist and be undeleted
+    (let [t1 (th/db-get :team {:id (:id org-team)})]
+      (t/is (some? t1))
+      (t/is (nil? (:deleted-at t1))))
+    (let [t2 (th/db-get :team {:id (:id extra-team)})]
+      (t/is (some? t2))
+      (t/is (nil? (:deleted-at t2))))
+    ;; User must still be a member of both teams
+    (let [rel1 (th/db-get :team-profile-rel {:team-id (:id org-team) :profile-id (:id user)})]
+      (t/is (some? rel1)))
+    (let [rel2 (th/db-get :team-profile-rel {:team-id (:id extra-team) :profile-id (:id user)})]
+      (t/is (some? rel2)))))

backend/test/backend_tests/rpc_nitrate_test.clj

@@ -0,0 +1,686 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns backend-tests.rpc-nitrate-test
+  (:require
+   [app.common.uuid :as uuid]
+   [app.db :as-alias db]
+   [app.nitrate :as nitrate]
+   [app.rpc :as-alias rpc]
+   [app.rpc.commands.nitrate]
+   [backend-tests.helpers :as th]
+   [clojure.test :as t]
+   [cuerdas.core :as str]))
+
+(t/use-fixtures :once th/state-init)
+(t/use-fixtures :each th/database-reset)
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Helpers
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(defn- make-org-summary
+  [& {:keys [organization-id organization-name owner-id your-penpot-teams org-teams]
+      :or   {your-penpot-teams [] org-teams []}}]
+  {:id       organization-id
+   :name     organization-name
+   :owner-id owner-id
+   :teams    (into
+              (mapv (fn [id] {:id id :is-your-penpot true}) your-penpot-teams)
+              (mapv (fn [id] {:id id :is-your-penpot false}) org-teams))})
+
+(defn- nitrate-call-mock
+  "Creates a mock for nitrate/call that returns the given org-summary for
+  :get-org-summary, a valid membership for :get-org-membership, and nil for
+  any other method."
+  [org-summary]
+  (fn [_cfg method _params]
+    (case method
+      :get-org-summary org-summary
+      :get-org-membership {:is-member true
+                           :organization-id (:id org-summary)}
+      nil)))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Tests
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(t/deftest leave-org-happy-path-no-extra-teams
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+        project          (th/create-project* 99 {:profile-id (:id profile-user)
+                                                 :team-id (:id org-default-team)})
+        _                (th/create-file* 99 {:profile-id (:id profile-user)
+                                              :project-id (:id project)})
+
+        organization-id         (uuid/random)
+        ;; The user's personal penpot team in the org context
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  []}
+            out  (th/command! data)]
+
+        ;; (th/print-result! out)
+        (t/is (th/success? out))
+        (t/is (nil? (:result out)))
+
+        ;; The personal team must be renamed with the org prefix and
+        ;; unset as a default team.
+        (let [team (th/db-get :team {:id your-penpot-id})]
+          (t/is (str/starts-with? (:name team) "[Test Org] "))
+          (t/is (false? (:is-default team))))))))
+
+(t/deftest leave-org-deletes-org-default-team-when-empty
+  (let [profile-owner   (th/create-profile* 1 {:is-active true})
+        profile-user    (th/create-profile* 2 {:is-active true})
+        org-default-team (th/create-team* 98 {:profile-id (:id profile-user)})
+
+        organization-id          (uuid/random)
+        your-penpot-id  (:id org-default-team)
+
+        org-summary     (make-org-summary
+                         :organization-id            organization-id
+                         :organization-name          "Test Org"
+                         :owner-id          (:id profile-owner)
+                         :your-penpot-teams [your-penpot-id]
+                         :org-teams         [])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  []}
+            out  (th/command! data)]
+
+        (t/is (th/success? out))
+
+        ;; Empty org default team should be soft-deleted.
+        (let [team (th/db-get :team {:id your-penpot-id} {::db/remove-deleted false})]
+          (t/is (some? (:deleted-at team))))))))
+
+(t/deftest leave-org-keeps-and-renames-org-default-team-when-has-files
+  (let [profile-owner    (th/create-profile* 1 {:is-active true})
+        profile-user     (th/create-profile* 2 {:is-active true})
+        org-default-team (th/create-team* 97 {:profile-id (:id profile-user)})
+        project          (th/create-project* 97 {:profile-id (:id profile-user)
+                                                 :team-id (:id org-default-team)})
+        _                (th/create-file* 97 {:profile-id (:id profile-user)
+                                              :project-id (:id project)})
+
+        organization-id           (uuid/random)
+        your-penpot-id   (:id org-default-team)
+
+        org-summary      (make-org-summary
+                          :organization-id            organization-id
+                          :organization-name          "Test Org"
+                          :owner-id          (:id profile-owner)
+                          :your-penpot-teams [your-penpot-id]
+                          :org-teams         [])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  []}
+            out  (th/command! data)]
+
+        (t/is (th/success? out))
+
+        ;; Non-empty org default team should remain and be renamed.
+        (let [team (th/db-get :team {:id your-penpot-id})]
+          (t/is (str/starts-with? (:name team) "[Test Org] "))
+          (t/is (false? (:is-default team)))
+          (t/is (nil? (:deleted-at team))))))))
+
+(t/deftest leave-org-with-teams-to-delete
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        ;; profile-user is the sole owner/member of team1
+        team1          (th/create-team* 1 {:profile-id (:id profile-user)})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete [(:id team1)]
+                  :teams-to-leave  []}
+            out  (th/command! data)]
+
+        ;; (th/print-result! out)
+        (t/is (th/success? out))
+
+        ;; team1 should be scheduled for deletion (deleted-at set)
+        (let [team (th/db-get :team {:id (:id team1)} {::db/remove-deleted false})]
+          (t/is (some? (:deleted-at team))))))))
+
+(t/deftest leave-org-with-ownership-transfer
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        ;; profile-user owns team1; profile-owner is also a member
+        team1          (th/create-team* 1 {:profile-id (:id profile-user)})
+        _              (th/create-team-role* {:team-id    (:id team1)
+                                              :profile-id (:id profile-owner)
+                                              :role       :editor})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  [{:id (:id team1) :reassign-to (:id profile-owner)}]}
+            out  (th/command! data)]
+
+        ;; (th/print-result! out)
+        (t/is (th/success? out))
+
+        ;; profile-user should no longer be a member of team1
+        (let [rel (th/db-get :team-profile-rel
+                             {:team-id    (:id team1)
+                              :profile-id (:id profile-user)})]
+          (t/is (nil? rel)))
+
+        ;; profile-owner should have been promoted to owner
+        (let [rel (th/db-get :team-profile-rel
+                             {:team-id    (:id team1)
+                              :profile-id (:id profile-owner)})]
+          (t/is (true? (:is-owner rel))))))))
+
+(t/deftest leave-org-exit-as-non-owner
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        ;; profile-owner owns team1; profile-user is a non-owner member
+        team1          (th/create-team* 1 {:profile-id (:id profile-owner)})
+        _              (th/create-team-role* {:team-id    (:id team1)
+                                              :profile-id (:id profile-user)
+                                              :role       :editor})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  [{:id (:id team1)}]}
+            out  (th/command! data)]
+
+        ;; (th/print-result! out)
+        (t/is (th/success? out))
+
+        ;; profile-user should no longer be a member of team1
+        (let [rel (th/db-get :team-profile-rel
+                             {:team-id    (:id team1)
+                              :profile-id (:id profile-user)})]
+          (t/is (nil? rel)))
+
+        ;; The team itself should still exist
+        (let [team (th/db-get :team {:id (:id team1)})]
+          (t/is (nil? (:deleted-at team))))))))
+
+(t/deftest leave-org-error-org-owner-cannot-leave
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-owner)})
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        ;; profile-owner IS the org owner in the org-summary
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-owner)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  []}
+            out  (th/command! data)]
+
+        (t/is (not (th/success? out)))
+        (t/is (= :validation (th/ex-type (:error out))))
+        (t/is (= :org-owner-cannot-leave (th/ex-code (:error out))))))))
+
+(t/deftest leave-org-error-invalid-default-team-id
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      ;; Pass a random UUID that is not in the your-penpot-teams list
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id (uuid/random)
+                  :teams-to-delete []
+                  :teams-to-leave  []}
+            out  (th/command! data)]
+
+        (t/is (not (th/success? out)))
+        (t/is (= :validation (th/ex-type (:error out))))
+        (t/is (= :not-valid-teams (th/ex-code (:error out))))))))
+
+  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Unit Tests for calculate-valid-teams
+  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(def ^:private calculate-valid-teams
+  (or (ns-resolve 'app.rpc.commands.nitrate 'calculate-valid-teams)
+      (throw (ex-info "Unable to resolve calculate-valid-teams"
+                      {:ns 'app.rpc.commands.nitrate
+                       :symbol 'calculate-valid-teams}))))
+
+(defn- make-team [id & {:keys [is-owner num-members member-ids]
+                        :or   {is-owner false num-members 1 member-ids []}}]
+  {:id id :is-owner is-owner :num-members num-members :member-ids member-ids})
+
+(t/deftest calculate-valid-teams-no-org-teams
+  (let [default-id (uuid/random)
+        default-team (make-team default-id)
+        result (calculate-valid-teams [default-team] default-id)]
+    (t/is (= default-team (:valid-default-team result)))
+    (t/is (empty? (:valid-teams-to-delete-ids result)))
+    (t/is (empty? (:valid-teams-to-transfer result)))
+    (t/is (empty? (:valid-teams-to-exit result)))))
+
+(t/deftest calculate-valid-teams-default-not-found
+  (let [default-id   (uuid/random)
+        other-id     (uuid/random)
+        other-team   (make-team other-id)
+        ;; default-id is not in org-teams at all
+        result (calculate-valid-teams [other-team] default-id)]
+    (t/is (nil? (:valid-default-team result)))))
+
+(t/deftest calculate-valid-teams-sole-owner-team
+  (let [default-id (uuid/random)
+        team-id    (uuid/random)
+        default    (make-team default-id)
+        solo-team  (make-team team-id :is-owner true :num-members 1)
+        result     (calculate-valid-teams [default solo-team] default-id)]
+    (t/is (contains? (:valid-teams-to-delete-ids result) team-id))
+    (t/is (empty? (:valid-teams-to-transfer result)))
+    (t/is (empty? (:valid-teams-to-exit result)))))
+
+(t/deftest calculate-valid-teams-owned-multi-member-team
+  (let [default-id (uuid/random)
+        team-id    (uuid/random)
+        default    (make-team default-id)
+        ;; owner of a team with 3 members — must be transferred
+        multi-team (make-team team-id :is-owner true :num-members 3)
+        result     (calculate-valid-teams [default multi-team] default-id)]
+    (t/is (empty? (:valid-teams-to-delete-ids result)))
+    (t/is (= [team-id] (map :id (:valid-teams-to-transfer result))))
+    (t/is (empty? (:valid-teams-to-exit result)))))
+
+(t/deftest calculate-valid-teams-non-owner-multi-member-team
+  (let [default-id (uuid/random)
+        team-id    (uuid/random)
+        default    (make-team default-id)
+        ;; non-owner member of a team with 2 members — can just exit
+        exit-team  (make-team team-id :is-owner false :num-members 2)
+        result     (calculate-valid-teams [default exit-team] default-id)]
+    (t/is (empty? (:valid-teams-to-delete-ids result)))
+    (t/is (empty? (:valid-teams-to-transfer result)))
+    (t/is (= [team-id] (map :id (:valid-teams-to-exit result))))))
+
+(t/deftest calculate-valid-teams-mixed
+  (let [default-id   (uuid/random)
+        solo-id      (uuid/random)
+        transfer-id  (uuid/random)
+        exit-id      (uuid/random)
+        default      (make-team default-id)
+        solo-team    (make-team solo-id     :is-owner true  :num-members 1)
+        transfer-team (make-team transfer-id :is-owner true  :num-members 2)
+        exit-team    (make-team exit-id     :is-owner false :num-members 3)
+        result       (calculate-valid-teams [default solo-team transfer-team exit-team] default-id)]
+    (t/is (= #{solo-id} (:valid-teams-to-delete-ids result)))
+    (t/is (= [transfer-id] (map :id (:valid-teams-to-transfer result))))
+    (t/is (= [exit-id] (map :id (:valid-teams-to-exit result))))
+    (t/is (= default-id (:id (:valid-default-team result))))))
+
+  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Integration: combined delete + leave
+  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(t/deftest leave-org-combined-delete-and-leave
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        ;; team1: profile-user is sole owner — must delete
+        team1          (th/create-team* 1 {:profile-id (:id profile-user)})
+        ;; team2: profile-user owns it, profile-owner is also member — must transfer
+        team2          (th/create-team* 2 {:profile-id (:id profile-user)})
+        _              (th/create-team-role* {:team-id    (:id team2)
+                                              :profile-id (:id profile-owner)
+                                              :role       :editor})
+        ;; team3: profile-owner owns it, profile-user is non-owner member — can exit
+        team3          (th/create-team* 3 {:profile-id (:id profile-owner)})
+        _              (th/create-team-role* {:team-id    (:id team3)
+                                              :profile-id (:id profile-user)
+                                              :role       :editor})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1) (:id team2) (:id team3)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete [(:id team1)]
+                  :teams-to-leave  [{:id (:id team2) :reassign-to (:id profile-owner)}
+                                    {:id (:id team3)}]}
+            out  (th/command! data)]
+
+        (t/is (th/success? out))
+
+        ;; team1 should be soft-deleted
+        (let [team (th/db-get :team {:id (:id team1)} {::db/remove-deleted false})]
+          (t/is (some? (:deleted-at team))))
+
+        ;; profile-user should no longer be a member of team2
+        (let [rel (th/db-get :team-profile-rel {:team-id (:id team2) :profile-id (:id profile-user)})]
+          (t/is (nil? rel)))
+
+        ;; profile-owner should now own team2
+        (let [rel (th/db-get :team-profile-rel {:team-id (:id team2) :profile-id (:id profile-owner)})]
+          (t/is (true? (:is-owner rel))))
+
+        ;; profile-user should no longer be a member of team3
+        (let [rel (th/db-get :team-profile-rel {:team-id (:id team3) :profile-id (:id profile-user)})]
+          (t/is (nil? rel)))
+
+        ;; team3 itself should still exist (profile-owner is still there)
+        (let [team (th/db-get :team {:id (:id team3)})]
+          (t/is (some? team)))))))
+(t/deftest leave-org-error-teams-to-delete-incomplete
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        ;; profile-user is the sole owner/member of both team1 and team2
+        team1          (th/create-team* 1 {:profile-id (:id profile-user)})
+        team2          (th/create-team* 2 {:profile-id (:id profile-user)})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1) (:id team2)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      ;; Only team1 is listed; team2 is also a sole-owner team and must be included
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete [(:id team1)]
+                  :teams-to-leave  []}
+            out  (th/command! data)]
+
+        (t/is (not (th/success? out)))
+        (t/is (= :validation (th/ex-type (:error out))))
+        (t/is (= :not-valid-teams (th/ex-code (:error out))))))))
+
+(t/deftest leave-org-error-cannot-delete-multi-member-team
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        ;; team1 has two members: profile-user (owner) and profile-owner (editor)
+        team1          (th/create-team* 1 {:profile-id (:id profile-user)})
+        _              (th/create-team-role* {:team-id    (:id team1)
+                                              :profile-id (:id profile-owner)
+                                              :role       :editor})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      ;; team1 has 2 members so it is not a valid deletion candidate
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete [(:id team1)]
+                  :teams-to-leave  []}
+            out  (th/command! data)]
+
+        (t/is (not (th/success? out)))
+        (t/is (= :validation (th/ex-type (:error out))))
+        (t/is (= :not-valid-teams (th/ex-code (:error out))))))))
+
+(t/deftest leave-org-error-teams-to-leave-incomplete
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        ;; profile-user owns team1, which also has profile-owner as editor
+        team1          (th/create-team* 1 {:profile-id (:id profile-user)})
+        _              (th/create-team-role* {:team-id    (:id team1)
+                                              :profile-id (:id profile-owner)
+                                              :role       :editor})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      ;; team1 must be transferred (owner + multiple members) but is absent
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  []}
+            out  (th/command! data)]
+
+        (t/is (not (th/success? out)))
+        (t/is (= :validation (th/ex-type (:error out))))
+        (t/is (= :not-valid-teams (th/ex-code (:error out))))))))
+
+(t/deftest leave-org-error-reassign-to-self
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        team1          (th/create-team* 1 {:profile-id (:id profile-user)})
+        _              (th/create-team-role* {:team-id    (:id team1)
+                                              :profile-id (:id profile-owner)
+                                              :role       :editor})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      ;; reassign-to points to the profile that is leaving — not allowed
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  [{:id (:id team1) :reassign-to (:id profile-user)}]}
+            out  (th/command! data)]
+
+        (t/is (not (th/success? out)))
+        (t/is (= :validation (th/ex-type (:error out))))
+        (t/is (= :not-valid-teams (th/ex-code (:error out))))))))
+
+(t/deftest leave-org-error-reassign-to-non-member
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        profile-other  (th/create-profile* 3 {:is-active true})
+        ;; team1 has profile-user (owner) and profile-owner (editor) — NOT profile-other
+        team1          (th/create-team* 1 {:profile-id (:id profile-user)})
+        _              (th/create-team-role* {:team-id    (:id team1)
+                                              :profile-id (:id profile-owner)
+                                              :role       :editor})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      ;; profile-other is not a member of team1
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  [{:id (:id team1) :reassign-to (:id profile-other)}]}
+            out  (th/command! data)]
+
+        (t/is (not (th/success? out)))
+        (t/is (= :validation (th/ex-type (:error out))))
+        (t/is (= :not-valid-teams (th/ex-code (:error out))))))))
+
+(t/deftest leave-org-error-reassign-on-non-owned-team
+  (let [profile-owner  (th/create-profile* 1 {:is-active true})
+        profile-user   (th/create-profile* 2 {:is-active true})
+        ;; profile-owner owns team1; profile-user is just a non-owner member
+        team1          (th/create-team* 1 {:profile-id (:id profile-owner)})
+        _              (th/create-team-role* {:team-id    (:id team1)
+                                              :profile-id (:id profile-user)
+                                              :role       :editor})
+        org-default-team (th/create-team* 99 {:profile-id (:id profile-user)})
+
+        organization-id         (uuid/random)
+        your-penpot-id (:id org-default-team)
+
+        org-summary    (make-org-summary
+                        :organization-id            organization-id
+                        :organization-name          "Test Org"
+                        :owner-id          (:id profile-owner)
+                        :your-penpot-teams [your-penpot-id]
+                        :org-teams         [(:id team1)])]
+
+    (with-redefs [nitrate/call (nitrate-call-mock org-summary)]
+      ;; profile-user is not the owner so providing reassign-to is invalid
+      (let [data {::th/type        :leave-org
+                  ::rpc/profile-id (:id profile-user)
+                  :id          organization-id
+                  :name        "Test Org"
+                  :default-team-id your-penpot-id
+                  :teams-to-delete []
+                  :teams-to-leave  [{:id (:id team1) :reassign-to (:id profile-owner)}]}
+            out  (th/command! data)]
+
+        (t/is (not (th/success? out)))
+        (t/is (= :validation (th/ex-type (:error out))))
+        (t/is (= :not-valid-teams (th/ex-code (:error out))))))))

backend/test/backend_tests/rpc_profile_test.clj

@@ -125,7 +125,20 @@
             out  (th/command! data)]
 
         ;; (th/print-result! out)
-        (t/is (nil? (:error out)))))))
+        (t/is (nil? (:error out)))))
+
+    (t/testing "delete photo clears photo-id"
+      (let [data {::th/type :delete-profile-photo
+                  ::rpc/profile-id (:id profile)}
+            out  (th/command! data)]
+        (t/is (nil? (:error out)))
+        (t/is (nil? (:result out))))
+
+      (let [data {::th/type :get-profile
+                  ::rpc/profile-id (:id profile)}
+            out  (th/command! data)]
+        (t/is (nil? (:error out)))
+        (t/is (nil? (:photo-id (:result out))))))))
 
 (t/deftest profile-deletion-1
   (let [prof (th/create-profile* 1)

backend/test/backend_tests/rpc_team_test.clj

@@ -11,6 +11,7 @@
    [app.common.uuid :as uuid]
    [app.config :as cf]
    [app.db :as db]
+   [app.email.blacklist :as email.blacklist]
    [app.http :as http]
    [app.rpc :as-alias rpc]
    [app.storage :as sto]
@@ -102,6 +103,46 @@
           (t/is (= :validation (:type edata)))
           (t/is (= :member-is-muted (:code edata))))))))
 
+(t/deftest create-team-invitations-blacklisted-domain
+  (with-mocks [mock {:target 'app.email/send! :return nil}]
+    (let [profile1 (th/create-profile* 1 {:is-active true})
+          team     (th/create-team* 1 {:profile-id (:id profile1)})
+          data     {::th/type :create-team-invitations
+                    ::rpc/profile-id (:id profile1)
+                    :team-id (:id team)
+                    :role :editor}]
+
+      ;; invite from a directly blacklisted domain should fail
+      (with-redefs [email.blacklist/enabled?  (constantly true)
+                    email.blacklist/contains? (fn [_ email]
+                                                (clojure.string/ends-with? email "@blacklisted.com"))]
+        (let [out (th/command! (assoc data :emails ["user@blacklisted.com"]))]
+          (t/is (not (th/success? out)))
+          (t/is (= 0 (:call-count @mock)))
+          (let [edata (-> out :error ex-data)]
+            (t/is (= :restriction (:type edata)))
+            (t/is (= :email-domain-is-not-allowed (:code edata))))))
+
+      ;; invite from a subdomain of a blacklisted domain should also fail
+      (th/reset-mock! mock)
+      (with-redefs [email.blacklist/enabled?  (constantly true)
+                    email.blacklist/contains? (fn [_ email]
+                                                (clojure.string/ends-with? email "@sub.blacklisted.com"))]
+        (let [out (th/command! (assoc data :emails ["user@sub.blacklisted.com"]))]
+          (t/is (not (th/success? out)))
+          (t/is (= 0 (:call-count @mock)))
+          (let [edata (-> out :error ex-data)]
+            (t/is (= :restriction (:type edata)))
+            (t/is (= :email-domain-is-not-allowed (:code edata))))))
+
+      ;; invite from a non-blacklisted domain should succeed
+      (th/reset-mock! mock)
+      (with-redefs [email.blacklist/enabled?  (constantly true)
+                    email.blacklist/contains? (constantly false)]
+        (let [out (th/command! (assoc data :emails ["user@allowed.com"]))]
+          (t/is (th/success? out))
+          (t/is (= 1 (:call-count @mock))))))))
+
 (t/deftest create-team-invitations-with-request-access
   (with-mocks [mock {:target 'app.email/send! :return nil}]
     (let [profile1  (th/create-profile* 1 {:is-active true})
@@ -726,3 +767,82 @@
       (t/is (th/success? (th/command! data)))
       (t/is (= 1 (:call-count @mock))))))
 
+(t/deftest create-team-with-invalid-name
+  (let [profile (th/create-profile* 1 {:is-active true})]
+
+    ;; name with a dot should fail
+    (let [data {::th/type :create-team
+                ::rpc/profile-id (:id profile)
+                :name "foo.bar"}
+          out  (th/command! data)]
+      (t/is (not (th/success? out)))
+      (t/is (th/ex-of-type? (:error out) :validation))
+      (t/is (th/ex-of-code? (:error out) :params-validation)))
+
+    ;; name with a colon should fail
+    (let [data {::th/type :create-team
+                ::rpc/profile-id (:id profile)
+                :name "foo:bar"}
+          out  (th/command! data)]
+      (t/is (not (th/success? out)))
+      (t/is (th/ex-of-type? (:error out) :validation))
+      (t/is (th/ex-of-code? (:error out) :params-validation)))
+
+    ;; name with a slash should fail
+    (let [data {::th/type :create-team
+                ::rpc/profile-id (:id profile)
+                :name "foo/bar"}
+          out  (th/command! data)]
+      (t/is (not (th/success? out)))
+      (t/is (th/ex-of-type? (:error out) :validation))
+      (t/is (th/ex-of-code? (:error out) :params-validation)))
+
+    ;; valid name should succeed
+    (let [data {::th/type :create-team
+                ::rpc/profile-id (:id profile)
+                :name "My Valid Team"}
+          out  (th/command! data)]
+      (t/is (th/success? out)))))
+
+(t/deftest update-team-with-invalid-name
+  (let [profile (th/create-profile* 1 {:is-active true})
+        team    (th/create-team* 1 {:profile-id (:id profile)})]
+
+    ;; name with a dot should fail
+    (let [data {::th/type :update-team
+                ::rpc/profile-id (:id profile)
+                :id (:id team)
+                :name "foo.bar"}
+          out  (th/command! data)]
+      (t/is (not (th/success? out)))
+      (t/is (th/ex-of-type? (:error out) :validation))
+      (t/is (th/ex-of-code? (:error out) :params-validation)))
+
+    ;; name with a colon should fail
+    (let [data {::th/type :update-team
+                ::rpc/profile-id (:id profile)
+                :id (:id team)
+                :name "foo:bar"}
+          out  (th/command! data)]
+      (t/is (not (th/success? out)))
+      (t/is (th/ex-of-type? (:error out) :validation))
+      (t/is (th/ex-of-code? (:error out) :params-validation)))
+
+    ;; name with a slash should fail
+    (let [data {::th/type :update-team
+                ::rpc/profile-id (:id profile)
+                :id (:id team)
+                :name "foo/bar"}
+          out  (th/command! data)]
+      (t/is (not (th/success? out)))
+      (t/is (th/ex-of-type? (:error out) :validation))
+      (t/is (th/ex-of-code? (:error out) :params-validation)))
+
+    ;; valid name should succeed
+    (let [data {::th/type :update-team
+                ::rpc/profile-id (:id profile)
+                :id (:id team)
+                :name "My Valid Team"}
+          out  (th/command! data)]
+      (t/is (th/success? out)))))
+

backend/test/backend_tests/rpc_viewer_test.clj

@@ -9,6 +9,7 @@
    [app.common.uuid :as uuid]
    [app.db :as db]
    [app.rpc :as-alias rpc]
+   [app.rpc.commands.viewer :as viewer]
    [backend-tests.helpers :as th]
    [clojure.test :as t]
    [datoteka.fs :as fs]))
@@ -16,6 +17,28 @@
 (t/use-fixtures :once th/state-init)
 (t/use-fixtures :each th/database-reset)
 
+(t/deftest obfuscate-email-happy-path
+  (t/is (= "a****@****.com" (viewer/obfuscate-email "alice@example.com")))
+  (t/is (= "a****@****.example.com" (viewer/obfuscate-email "alice@sub.example.com")))
+  (t/is (= "****@****.com" (viewer/obfuscate-email "bob@bar.com"))))
+
+(t/deftest obfuscate-email-handles-domain-without-dot
+  ;; `localhost`-style domains have no `.`; the previous implementation produced
+  ;; a dangling-dot output like "a****@****." — now the trailing `.` is only
+  ;; emitted when there actually is a TLD segment to append.
+  (t/is (= "a****@****" (viewer/obfuscate-email "alice@localhost")))
+  (t/is (= "****@****" (viewer/obfuscate-email "x@y"))))
+
+(t/deftest obfuscate-email-handles-malformed-input
+  ;; These shapes must not throw — `obfuscate-email` runs while building the
+  ;; view-only bundle for share-link viewers and an NPE here aborts the whole
+  ;; RPC response. The previous implementation called `clojure.string/split`
+  ;; on `nil` for the `no-@` case, raising NullPointerException.
+  (t/is (= "****@****" (viewer/obfuscate-email nil)))
+  (t/is (= "****@****" (viewer/obfuscate-email "")))
+  (t/is (= "r***@****" (viewer/obfuscate-email "root")))       ; no `@`, count > 3
+  (t/is (= "****@****" (viewer/obfuscate-email "bob"))))       ; no `@`, count <= 3
+
 (t/deftest retrieve-bundle
   (let [prof     (th/create-profile* 1 {:is-active true})
         prof2    (th/create-profile* 2 {:is-active true})

common/src/app/common/data.cljc

@@ -1120,6 +1120,71 @@
      (when (num? value)
        (format-precision value precision)))))
 
+(defn- natural-sort-key
+  "Splits a string into a sequence of alternating string and number segments,
+   converting numeric segments to longs/ints so they compare by value rather
+   than lexicographically. e.g. \"size10b\" => (\"size\" 10 \"b\")"
+  [s]
+  (map (fn [part]
+         (if (re-matches #"\d+" part)
+           #?(:clj (Long/parseLong part)
+              :cljs (js/parseInt part))
+           part))
+       (re-seq #"\d+|\D+" s)))
+
+(defn- natural-compare
+  "Comparator that orders strings naturally, sorting numeric segments by value
+   rather than lexicographically. Returns a negative number, zero, or positive
+   number when a is before, equal to, or after b respectively.
+   e.g. \"size2\" < \"size10\" instead of \"size10\" < \"size2\"."
+  [a b]
+  (loop [ka (natural-sort-key a)
+         kb (natural-sort-key b)]
+    (cond
+      (and (empty? ka) (empty? kb)) 0
+      (empty? ka) -1
+      (empty? kb)  1
+      :else
+      (let [pa (first ka)
+            pb (first kb)
+            result (cond
+                     (and (number? pa) (number? pb)) (compare pa pb)
+                     (and (string? pa) (string? pb)) (compare pa pb)
+                     (number? pa) -1
+                     :else 1)]
+        (if (zero? result)
+          (recur (rest ka) (rest kb))
+          result)))))
+
+(defn natural-sort-by
+  "Sorts coll by extracting a string key with keyfn and ordering elements
+   using natural sort order, where embedded numbers are compared by value
+   rather than lexicographically.
+   e.g. (natural-sort-by :name [{:name \"size10\"} {:name \"size2\"}])
+        => [{:name \"size2\"} {:name \"size10\"}]"
+  [key coll]
+  (sort-by key natural-compare coll))
+
+(defn sanitize-string [s]
+  (if s
+    (-> s
+        str
+        str/trim
+        (str/replace #"[^\w\s\-_()]+" "")
+        (str/replace #"\s+" " ")
+        str/trim)
+    ""))
+
+(defn get-initials
+  "Returns up to two uppercase initials extracted from a string.
+  Non-letter prefixes in each token are ignored."
+  [name]
+  (->> (str/split (str/trim (or name "")) #"\s+")
+       (keep #(first (re-seq #"[a-zA-Z]" %)))
+       (take 2)
+       (map str/upper)
+       (apply str)))
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Util protocols
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

common/src/app/common/files/changes.cljc

@@ -261,7 +261,11 @@
      ;; All props are optional, background can be nil because is the
      ;; way to remove already set background
      [:background {:optional true} [:maybe ctc/schema:hex-color]]
-     [:name {:optional true} :string]]]
+     [:name {:optional true} :string]
+     ;; Pixel grid display controls — nil removes the per-page override
+     ;; and falls back to the default hardcoded grid color/opacity.
+     [:pixel-grid-color {:optional true} [:maybe ctc/schema:hex-color]]
+     [:pixel-grid-opacity {:optional true} [:maybe ::sm/safe-number]]]]
 
    [:set-plugin-data schema:set-plugin-data-change]
 
@@ -853,8 +857,10 @@
   [data {:keys [id] :as params}]
   (d/update-in-when data [:pages-index id]
                     (fn [page]
-                      (let [name (get params :name)
-                            bg   (get params :background :not-found)]
+                      (let [name       (get params :name)
+                            bg         (get params :background :not-found)
+                            grid-color (get params :pixel-grid-color :not-found)
+                            grid-op    (get params :pixel-grid-opacity :not-found)]
                         (cond-> page
                           (string? name)
                           (assoc :name name)
@@ -863,7 +869,19 @@
                           (assoc :background bg)
 
                           (nil? bg)
-                          (dissoc :background))))))
+                          (dissoc :background)
+
+                          (string? grid-color)
+                          (assoc :pixel-grid-color grid-color)
+
+                          (and (not= grid-color :not-found) (nil? grid-color))
+                          (dissoc :pixel-grid-color)
+
+                          (number? grid-op)
+                          (assoc :pixel-grid-opacity grid-op)
+
+                          (and (not= grid-op :not-found) (nil? grid-op))
+                          (dissoc :pixel-grid-opacity))))))
 
 (defmethod process-change :set-plugin-data
   [data {:keys [object-type object-id page-id namespace key value]}]

common/src/app/common/files/changes_builder.cljc

@@ -213,21 +213,33 @@
    (let [page (::page (meta changes))]
      (mod-page changes page options)))
 
-  ([changes page {:keys [name background]}]
+  ([changes page {:keys [name background pixel-grid-color pixel-grid-opacity]}]
    (let [change {:type :mod-page :id (:id page)}
          redo   (cond-> change
                   (some? name)
                   (assoc :name name)
 
                   (some? background)
-                  (assoc :background background))
+                  (assoc :background background)
+
+                  (some? pixel-grid-color)
+                  (assoc :pixel-grid-color pixel-grid-color)
+
+                  (some? pixel-grid-opacity)
+                  (assoc :pixel-grid-opacity pixel-grid-opacity))
 
          undo   (cond-> change
                   (some? name)
                   (assoc :name (:name page))
 
                   (some? background)
-                  (assoc :background (:background page)))]
+                  (assoc :background (:background page))
+
+                  (some? pixel-grid-color)
+                  (assoc :pixel-grid-color (:pixel-grid-color page))
+
+                  (some? pixel-grid-opacity)
+                  (assoc :pixel-grid-opacity (:pixel-grid-opacity page)))]
 
      (-> changes
          (update :redo-changes conj redo)

common/src/app/common/files/comp_processors.cljc

@@ -0,0 +1,115 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns app.common.files.comp-processors
+  "Repair, migration or transformation utilities for components."
+  (:require
+   [app.common.logging :as log]
+   [app.common.types.component :as ctk]
+   [app.common.types.file :as ctf]))
+
+(log/set-level! :warn)
+
+(defn remove-unneeded-objects-in-components
+  "Some components have an :objects attribute, despite not being deleted. This removes it.
+   It also adds an empty :objects if it's deleted and does not have it."
+  [file-data]
+  (ctf/update-components
+   file-data
+   (fn [component]
+     (if (:deleted component)
+       (if (nil? (:objects component))
+         (do
+           (log/warn :msg "Adding empty :objects to deleted component"
+                     :component-id (:id component)
+                     :component-name (:name component)
+                     :file-id (:id file-data))
+           (assoc component :objects {}))
+         component)
+       (if (contains? component :objects)
+         (do
+           (log/warn :msg "Removing :objects from non-deleted component"
+                     :component-id (:id component)
+                     :component-name (:name component)
+                     :file-id (:id file-data))
+           (dissoc component :objects))
+         component)))))
+
+(defn fix-missing-swap-slots
+  "Locate shapes that have been swapped (i.e. their shape-ref does not point to the near match) but
+   they don't have a swap slot. In this case, add one pointing to the near match."
+  [file-data libraries]
+  (ctf/update-all-shapes
+   file-data
+   (fn [shape]
+     (if (ctk/subcopy-head? shape)
+       (let [container (:container (meta shape))
+             file {:id (:id file-data) :data file-data}
+             near-match (ctf/find-near-match file container libraries shape :include-deleted? true :with-context? false)]
+         (if (and (some? near-match)
+                  (not= (:shape-ref shape) (:id near-match))
+                  (nil? (ctk/get-swap-slot shape)))
+           (let [updated-shape (ctk/set-swap-slot shape (:id near-match))]
+             (log/warn :msg "Adding missing swap slot to shape"
+                       :shape-id (:id shape)
+                       :shape-name (:name shape)
+                       :swap-slot (:id near-match)
+                       :file-id (:id file)
+                       :container-id (:id container)
+                       :container-type (:type container))
+             {:result :update :updated-shape updated-shape})
+           {:result :keep}))
+       {:result :keep}))))
+
+(defn sync-component-id-with-ref-shape
+  "Ensure that all copies heads have the same component id and file as the referenced shape.
+   There may be bugs that cause them to get out of sync."
+  [file-data libraries]
+  (letfn [(sync-one-iteration
+            [file-data libraries]
+            (ctf/update-all-shapes
+             file-data
+             (fn [shape]
+               (if (and (ctk/subcopy-head? shape) (nil? (ctk/get-swap-slot shape)))
+                 (let [container (:container (meta shape))
+                       file {:id (:id file-data) :data file-data}
+                       ref-shape (ctf/find-ref-shape file container libraries shape {:include-deleted? true :with-context? true})]
+                   (if (and (some? ref-shape)
+                            (or (not= (:component-id shape) (:component-id ref-shape))
+                                (not= (:component-file shape) (:component-file ref-shape))))
+                     (let [shape' (cond-> shape
+                                    (some? (:component-id ref-shape))
+                                    (assoc :component-id (:component-id ref-shape))
+
+                                    (nil? (:component-id ref-shape))
+                                    (dissoc :component-id)
+
+                                    (some? (:component-file ref-shape))
+                                    (assoc :component-file (:component-file ref-shape))
+
+                                    (nil? (:component-file ref-shape))
+                                    (dissoc :component-file))]
+                       (log/warn :msg "Syncing component id and file with ref shape"
+                                 :shape-id (:id shape)
+                                 :shape-name (:name shape)
+                                 :component-id (:component-id shape')
+                                 :component-file (:component-file shape')
+                                 :ref-shape-id (:id ref-shape)
+                                 :file-id (:id file)
+                                 :container-id (:id container)
+                                 :container-type (:type container))
+                       {:result :update :updated-shape shape'})
+                     {:result :keep}))
+                 {:result :keep}))))]
+    ;; If a copy inside a main is updated, we need to repeat the process for the change to be
+    ;; propagated to all copies.
+    (loop [current-data file-data
+           iteration    0]
+      (let [next-data (sync-one-iteration current-data libraries)]
+        (if (or (= current-data next-data)
+                (> iteration 20))     ;; safety bound
+          next-data
+          (recur next-data (inc iteration)))))))

common/src/app/common/files/migrations.cljc

@@ -10,6 +10,7 @@
    [app.common.data.macros :as dm]
    [app.common.features :as cfeat]
    [app.common.files.changes :as cpc]
+   [app.common.files.comp-processors :as cfcp]
    [app.common.files.defaults :as cfd]
    [app.common.files.helpers :as cfh]
    [app.common.geom.matrix :as gmt]
@@ -1786,6 +1787,24 @@
         (update :pages-index d/update-vals update-container)
         (d/update-when :components d/update-vals update-container))))
 
+(defmethod migrate-data "0018-remove-unneeded-objects-from-components"
+  [data _]
+  (cfcp/remove-unneeded-objects-in-components data))
+
+(defmethod migrate-data "0019-fix-missing-swap-slots"
+  [data _]
+  (let [libraries (if (:libs data)
+                    (deref (:libs data))
+                    {})]
+    (cfcp/fix-missing-swap-slots data libraries)))
+
+(defmethod migrate-data "0020-sync-component-id-with-near-main"
+  [data _]
+  (let [libraries (if (:libs data)
+                    (deref (:libs data))
+                    {})]
+    (cfcp/sync-component-id-with-ref-shape data libraries)))
+
 (def available-migrations
   (into (d/ordered-set)
         ["legacy-2"
@@ -1860,4 +1879,7 @@
          "0015-fix-text-attrs-blank-strings"
          "0015-clean-shadow-color"
          "0016-copy-fills-from-position-data-to-text-node"
-         "0017-fix-layout-flex-dir"]))
+         "0017-fix-layout-flex-dir"
+         "0018-remove-unneeded-objects-from-components"
+         "0019-fix-missing-swap-slots"
+         "0020-sync-component-id-with-near-main"]))

common/src/app/common/files/repair.cljc

@@ -334,6 +334,31 @@
         (pcb/with-file-data file-data)
         (pcb/update-shapes [(:id shape)] repair-shape))))
 
+(defmethod repair-error :component-id-mismatch
+  [_ {:keys [shape page-id args] :as error} file-data _]
+  (let [repair-shape
+        (fn [shape]
+          ; Set the component-id and component-file to the ones of the near main
+          (log/debug :hint (str "  -> set component-id to " (:component-id args)))
+          (log/debug :hint (str "  -> set component-file to " (:component-file args)))
+          (cond-> shape
+            (some? (:component-id args))
+            (assoc :component-id (:component-id args))
+
+            (nil? (:component-id args))
+            (dissoc :component-id)
+
+            (some? (:component-file args))
+            (assoc :component-file (:component-file args))
+
+            (nil? (:component-file args))
+            (dissoc :component-file)))]
+
+    (log/dbg :hint "repairing shape :component-id-mismatch" :id (:id shape) :name (:name shape) :page-id page-id)
+    (-> (pcb/empty-changes nil page-id)
+        (pcb/with-file-data file-data)
+        (pcb/update-shapes [(:id shape)] repair-shape))))
+
 (defmethod repair-error :ref-shape-is-head
   [_ {:keys [shape page-id args] :as error} file-data _]
   (let [repair-shape
@@ -501,7 +526,7 @@
         (pcb/update-shapes [(:id shape)] repair-shape))))
 
 (defmethod repair-error :component-nil-objects-not-allowed
-  [_ {:keys [shape] :as error} file-data _]
+  [_ {component :shape} file-data _]   ; in this error the :shape argument is the component
   (let [repair-component
         (fn [component]
           ;; Remove the objects key, or set it to {} if the component is deleted
@@ -513,10 +538,26 @@
               (log/debug :hint "  -> remove :objects")
               (dissoc component :objects))))]
 
-    (log/dbg :hint "repairing component :component-nil-objects-not-allowed" :id (:id shape) :name (:name shape))
+    (log/dbg :hint "repairing component :component-nil-objects-not-allowed" :id (:id component) :name (:name component))
     (-> (pcb/empty-changes nil)
         (pcb/with-library-data file-data)
-        (pcb/update-component (:id shape) repair-component))))
+        (pcb/update-component (:id component) repair-component))))
+
+(defmethod repair-error :non-deleted-component-cannot-have-objects
+  [_ {component :shape} file-data _]   ; in this error the :shape argument is the component
+  (let [repair-component
+        (fn [component]
+          ; Remove the :objects field
+          (if-not (:deleted component)
+            (do
+              (log/debug :hint "  -> remove :objects")
+              (dissoc component :objects))
+            component))]
+
+    (log/dbg :hint "repairing component :non-deleted-component-cannot-have-objects" :id (:id component) :name (:name component))
+    (-> (pcb/empty-changes nil)
+        (pcb/with-library-data file-data)
+        (pcb/update-component (:id component) repair-component))))
 
 (defmethod repair-error :invalid-text-touched
   [_ {:keys [shape page-id] :as error} file-data _]

common/src/app/common/files/shapes_builder.cljc

@@ -340,12 +340,26 @@
       :svg-viewbox vbox
       :svg-defs defs})))
 
+(defn- stroke-only-svg-path?
+  "Returns true when the SVG element renders only a stroke (fill=none).
+  Stroke-only paths can have their consecutive touching subpaths safely
+  merged into a continuous polyline so that `stroke-linejoin` applies at
+  shared endpoints, without affecting any fill-rule semantics."
+  [attrs]
+  (let [attr-fill  (some-> (:fill attrs) str/trim)
+        style-fill (some-> (get-in attrs [:style :fill]) str/trim)]
+    (= "none" (or attr-fill style-fill))))
+
 (defn create-path-shape [name frame-id svg-data {:keys [attrs] :as data}]
   (when (and (contains? attrs :d) (seq (:d attrs)))
-    (let [transform (csvg/parse-transform (:transform attrs))
-          content   (cond-> (path/from-string (:d attrs))
-                      (some? transform)
-                      (path.segm/transform-content transform))
+    (let [transform    (csvg/parse-transform (:transform attrs))
+          stroke-only? (stroke-only-svg-path? attrs)
+          content      (cond-> (path/from-string (:d attrs))
+                         stroke-only?
+                         (path/merge-touching-subpaths)
+
+                         (some? transform)
+                         (path.segm/transform-content transform))
 
           selrect    (path.segm/content->selrect content)
           points     (grc/rect->points selrect)

common/src/app/common/files/stats.cljc

@@ -0,0 +1,74 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns app.common.files.stats
+  "Pure helpers that compute aggregate statistics for a file data map.
+
+  Given a decoded file data structure (the value stored under `:data`
+  on a file row), produces a small map with page/shape/library counts.
+  Intended to be cheap — a single pass over each page's `:objects`
+  map, no database access, no side effects."
+  (:require
+   [app.common.uuid :as uuid]))
+
+(def empty-shape-counts
+  {:total 0 :by-type {}})
+
+(defn- inc-type
+  [by-type shape-type]
+  (if (nil? shape-type)
+    by-type
+    (update by-type shape-type (fnil inc 0))))
+
+(defn count-shapes-by-type
+  "Walk an `:objects` map of a single page and return
+   `{:total N :by-type {:rect N :frame N ...}}`. The synthetic root
+   shape at `uuid/zero` is skipped so it never contributes to totals."
+  [objects]
+  (if (empty? objects)
+    empty-shape-counts
+    (reduce-kv
+     (fn [acc id shape]
+       (if (= id uuid/zero)
+         acc
+         (-> acc
+             (update :total inc)
+             (update :by-type inc-type (:type shape)))))
+     empty-shape-counts
+     objects)))
+
+(defn- merge-shape-counts
+  [a b]
+  {:total   (+ (:total a) (:total b))
+   :by-type (merge-with + (:by-type a) (:by-type b))})
+
+(defn- aggregate-shape-counts
+  [pages-index]
+  (transduce
+   (map (comp count-shapes-by-type :objects))
+   (completing merge-shape-counts)
+   empty-shape-counts
+   (vals pages-index)))
+
+(defn calc-file-stats
+  "Given a decoded file data map with the standard keys
+   `:pages-index`, `:components`, `:deleted-components`, `:colors`
+   and `:typographies`, return per-file aggregates.
+
+   The result is a plain map suitable for serialization; it never
+   contains any pointer-map or objects-map instances."
+  [fdata]
+  (let [pages-index        (get fdata :pages-index)
+        components         (get fdata :components)
+        deleted-components (get fdata :deleted-components)
+        colors             (get fdata :colors)
+        typographies       (get fdata :typographies)]
+    {:page-count              (count pages-index)
+     :shape-counts            (aggregate-shape-counts pages-index)
+     :component-count         (count components)
+     :deleted-component-count (count deleted-components)
+     :color-count             (count colors)
+     :typography-count        (count typographies)}))

common/src/app/common/files/tokens.cljc

@@ -147,6 +147,27 @@
     #(and (some? tokens-tree)
           (not (ctob/token-name-path-exists? % tokens-tree)))]])
 
+(defn make-node-token-name-schema
+  "Dynamically generates a schema to check a token node name, adding translated error messages
+   and two additional validations:
+    - Min and max length.
+    - Checks if other token with a path derived from the name already exists at `tokens-tree`.
+      e.g. it's not allowed to create a token `foo.bar` if a token `foo` already exists."
+  [active-tokens tokens-tree node]
+  [:and
+   [:string {:min 1 :max 255 :error/fn #(str (:value %) (tr "workspace.tokens.token-name-length-validation-error"))}]
+   (-> cto/schema:token-node-name
+       (sm/update-properties assoc :error/fn #(str (:value %) (tr "workspace.tokens.token-name-validation-error"))))
+   [:fn {:error/fn #(tr "workspace.tokens.token-name-duplication-validation-error" (:value %))}
+    (fn [name]
+      (let [current-path (:path node)
+            current-name (:name node)
+            new-tokens (ctob/update-tokens-group active-tokens current-path current-name name)]
+        (and (some? new-tokens)
+             (some (fn [[token-name _]]
+                     (not (ctob/token-name-path-exists? token-name tokens-tree)))
+                   new-tokens))))]])
+
 (def schema:token-description
   [:string {:max 2048 :error/fn #(tr "errors.field-max-length" 2048)}])
 
@@ -165,6 +186,11 @@
       (when (and name value)
         (not (cto/token-value-self-reference? name value))))]])
 
+(defn make-node-token-schema
+  [active-tokens tokens-tree node]
+  [:map
+   [:name (make-node-token-name-schema active-tokens tokens-tree node)]])
+
 (defn convert-dtcg-token
   "Convert token attributes as they come from a decoded json, with DTCG types, to internal types.
    Eg. From this:
@@ -288,16 +314,12 @@
                         {:value parsed-value
                          :unit unit}))))
 
-;; FIXME: looks very redundant function
-(defn token-identifier
-  [{:keys [name] :as _token}]
-  name)
-
 (defn attributes-map
-  "Creats an attributes map using collection of `attributes` for `id`."
+  "Creates an attributes map using collection of `attributes` for `id`."
   [attributes token]
-  (->> (map (fn [attr] [attr (token-identifier token)]) attributes)
-       (into {})))
+  (into {}
+        (map (fn [attr] [attr (:name token)]))
+        attributes))
 
 (defn remove-attributes-for-token
   "Removes applied tokens with `token-name` for the given `attributes` set from `applied-tokens`."
@@ -313,7 +335,7 @@
   "Test if `token` is applied to a `shape` on single `token-attribute`."
   [token shape token-attribute]
   (when-let [id (dm/get-in shape [:applied-tokens token-attribute])]
-    (= (token-identifier token) id)))
+    (= (:name token) id)))
 
 (defn token-applied?
   "Test if `token` is applied to a `shape` with at least one of the given `token-attributes`."

common/src/app/common/files/validate.cljc

@@ -51,6 +51,7 @@
     :ref-shape-is-head
     :ref-shape-is-not-head
     :shape-ref-in-main
+    :component-id-mismatch
     :root-main-not-allowed
     :nested-main-not-allowed
     :root-copy-not-allowed
@@ -59,6 +60,7 @@
     :not-head-copy-not-allowed
     :not-component-not-allowed
     :component-nil-objects-not-allowed
+    :non-deleted-component-cannot-have-objects
     :instance-head-not-frame
     :invalid-text-touched
     :misplaced-slot
@@ -326,6 +328,20 @@
                     :component-file (:component-file ref-shape)
                     :component-id (:component-id ref-shape)))))
 
+(defn- check-ref-component-id
+  "Validate that if the copy has not been swapped, the component-id and component-file are
+   the same as in the referenced shape in the near main."
+  [shape file page libraries]
+  (when (nil? (ctk/get-swap-slot shape))
+    (when-let [ref-shape (ctf/find-ref-shape file page libraries shape :include-deleted? true)]
+      (when (or (not= (:component-id shape) (:component-id ref-shape))
+                (not= (:component-file shape) (:component-file ref-shape)))
+        (report-error :component-id-mismatch
+                      "Nested copy component-id and component-file must be the same as the near main"
+                      shape file page
+                      :component-id (:component-id ref-shape)
+                      :component-file (:component-file ref-shape))))))
+
 (defn- check-empty-swap-slot
   "Validate that this shape does not have any swap slot."
   [shape file page]
@@ -350,6 +366,19 @@
                   "This shape has children with the same swap slot"
                   shape file page)))
 
+(defn- check-required-swap-slot
+  "Validate that the shape has swap-slot if it's a subinstance head and the ref shape is not the
+   matching shape by position in the near main."
+  [shape file page libraries]
+  (let [near-match (ctf/find-near-match file page libraries shape :include-deleted? true :with-context? false)]
+    (when (and (some? near-match)
+               (not= (:shape-ref shape) (:id near-match))
+               (nil? (ctk/get-swap-slot shape)))
+      (report-error :missing-slot
+                    "Shape has been swapped, should have swap slot"
+                    shape file page
+                    :swap-slot (or (ctk/get-swap-slot near-match) (:id near-match))))))
+
 (defn- check-valid-touched
   "Validate that the text touched flags are coherent."
   [shape file page]
@@ -418,6 +447,8 @@
   (check-component-not-main-head shape file page libraries)
   (check-component-not-root shape file page)
   (check-valid-touched shape file page)
+  (check-ref-component-id shape file page libraries)
+  (check-required-swap-slot shape file page libraries)
   ;; We can have situations where the nested copy and the ancestor copy come from different libraries and some of them have been dettached
   ;; so we only validate the shape-ref if the ancestor is from a valid library
   (when library-exists
@@ -458,8 +489,7 @@
 (defn- check-variant-container
   "Shape is a variant container, so:
      -all its children should be variants with variant-id equals to the shape-id
-     -all the components should have the same properties
-   "
+     -all the components should have the same properties"
   [shape file page]
   (let [shape-id   (:id shape)
         shapes     (:shapes shape)
@@ -648,6 +678,13 @@
                     "Component main not allowed inside other component"
                     main-instance file component-page))))
 
+(defn- check-not-objects
+  [component file]
+  (when (d/not-empty? (:objects component))
+    (report-error :non-deleted-component-cannot-have-objects
+                  "A non-deleted component cannot have shapes inside"
+                  component file nil)))
+
 (defn- check-component
   "Validate semantic coherence of a component. Report all errors found."
   [component file]
@@ -656,7 +693,8 @@
                   "Objects list cannot be nil"
                   component file nil))
   (when-not (:deleted component)
-    (check-main-inside-main component file))
+    (check-main-inside-main component file)
+    (check-not-objects component file))
   (when (:deleted component)
     (check-component-duplicate-swap-slot component file)
     (check-ref-cycles component file))
@@ -674,8 +712,6 @@
 ;; PUBLIC API: VALIDATION FUNCTIONS
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
-(declare check-swap-slots)
-
 (defn validate-file
   "Validate full referential integrity and semantic coherence on file data.
 
@@ -686,8 +722,6 @@
 
       (doseq [page (filter :id (ctpl/pages-seq data))]
         (check-shape uuid/zero file page libraries)
-        (when (str/includes? (:name file) "check-swap-slot")
-          (check-swap-slots uuid/zero file page libraries))
         (->> (get-orphan-shapes page)
              (run! #(check-shape % file page libraries))))
 
@@ -728,40 +762,3 @@
               :hint "error on validating file referential integrity"
               :file-id (:id file)
               :details errors)))
-
-(declare compare-slots)
-
-;; Optional check to look for missing swap slots.
-;; Search for copies that do not point the shape-ref to the near component but don't have swap slot
-;; (looking for position relative to the parent, in the copy and the main).
-;;
-;; This check cannot be generally enabled, because files that have been migrated from components v1
-;; may have copies with shapes that do not match by position, but have not been swapped. So we enable
-;; it for specific files only. To activate the check, you need to add the string "check-swap-slot" to
-;; the name of the file.
-(defn- check-swap-slots
-  [shape-id file page libraries]
-  (let [shape (ctst/get-shape page shape-id)]
-    (if (and (ctk/instance-root? shape) (ctk/in-component-copy? shape))
-      (let [ref-shape (ctf/find-ref-shape file page libraries shape :include-deleted? true :with-context? true)
-            container (:container (meta ref-shape))]
-        (when (some? ref-shape)
-          (compare-slots shape ref-shape file page container)))
-      (doall (for [child-id (:shapes shape)]
-               (check-swap-slots child-id file page libraries))))))
-
-(defn- compare-slots
-  [shape-copy shape-main file container-copy container-main]
-  (if (and (not= (:shape-ref shape-copy) (:id shape-main))
-           (nil? (ctk/get-swap-slot shape-copy)))
-    (report-error :missing-slot
-                  "Shape has been swapped, should have swap slot"
-                  shape-copy file container-copy
-                  :swap-slot (or (ctk/get-swap-slot shape-main) (:id shape-main)))
-    (when (nil? (ctk/get-swap-slot shape-copy))
-      (let [children-id-pairs (d/zip-all (:shapes shape-copy) (:shapes shape-main))]
-        (doall (for [[child-copy-id child-main-id] children-id-pairs]
-                 (let [child-copy (ctst/get-shape container-copy child-copy-id)
-                       child-main (ctst/get-shape container-main child-main-id)]
-                   (when (and (some? child-copy) (some? child-main))
-                     (compare-slots child-copy child-main file container-copy container-main)))))))))

common/src/app/common/flags.cljc

@@ -128,6 +128,8 @@
     :token-shadow
     :token-tokenscript
     :token-import-from-library
+    :token-typography-row
+
     ;; Only for developtment.
     :transit-readable-response
     :user-feedback
@@ -138,6 +140,7 @@
     :render-wasm-dpr
     ;; Show WASM renderer info label (hidden by default).
     :render-wasm-info
+    :render-switch
     :hide-release-modal
     :subscriptions
     :subscriptions-old
@@ -194,8 +197,7 @@
    :enable-inspect-styles
    :enable-feature-fdata-objects-map
    :enable-feature-render-wasm
-   ;; Temporary deactivated
-   #_:enable-token-import-from-library])
+   :enable-token-import-from-library])
 
 (defn parse
   [& flags]

common/src/app/common/fressian.clj

@@ -17,11 +17,11 @@
    java.util.List
    linked.map.LinkedMap
    linked.set.LinkedSet
+   org.fressian.handlers.ReadHandler
+   org.fressian.handlers.WriteHandler
    org.fressian.Reader
    org.fressian.StreamingWriter
-   org.fressian.Writer
-   org.fressian.handlers.ReadHandler
-   org.fressian.handlers.WriteHandler))
+   org.fressian.Writer))
 
 (set! *warn-on-reflection* true)
 

common/src/app/common/generic_pool.clj

@@ -8,11 +8,11 @@
   (:refer-clojure :exclude [get])
   (:import
    java.lang.AutoCloseable
+   org.apache.commons.pool2.impl.DefaultPooledObject
+   org.apache.commons.pool2.impl.SoftReferenceObjectPool
    org.apache.commons.pool2.ObjectPool
    org.apache.commons.pool2.PooledObject
-   org.apache.commons.pool2.PooledObjectFactory
-   org.apache.commons.pool2.impl.DefaultPooledObject
-   org.apache.commons.pool2.impl.SoftReferenceObjectPool))
+   org.apache.commons.pool2.PooledObjectFactory))
 
 (defn pool?
   [o]

common/src/app/common/logic/libraries.cljc

@@ -333,7 +333,7 @@
         (pcb/update-shapes [shape-id] #(do (log/trace :msg "  -> promote to root")
                                            (assoc % :component-root true)))
 
-        :always
+        (some? (ctk/get-swap-slot shape))
         ; First level subinstances of a detached component can't have swap-slot
         (pcb/update-shapes [shape-id] #(do (log/trace :msg "  -> remove swap-slot")
                                            (ctk/remove-swap-slot %)))
@@ -364,7 +364,7 @@
                       (let [ref-shape (ctf/find-ref-shape file container libraries shape {:include-deleted? true})]
                         (cond-> changes
                           (some? (:shape-ref ref-shape))
-                          (pcb/update-shapes [(:id shape)] #(do (log/trace :msg "       (advanced)")
+                          (pcb/update-shapes [(:id shape)] #(do (log/trace :msg (str "       (advanced to " (:shape-ref ref-shape) ")"))
                                                                 (assoc % :shape-ref (:shape-ref ref-shape))))
 
                           ;; When advancing level, the normal touched groups (not swap slots) of the
@@ -374,16 +374,18 @@
                           (pcb/update-shapes
                            [(:id shape)]
                            #(do (log/trace :msg "       (merge touched)")
+                                (log/trace :msg (str "       (ref-shape: " (:id ref-shape) ")"))
+                                (log/trace :msg (str "       (ref touched: " (:touched ref-shape) ")"))
                                 (assoc % :touched
-                                       (clojure.set/union (:touched shape)
-                                                          (ctk/normal-touched-groups ref-shape)))))
+                                       (set/union (:touched shape)
+                                                  (ctk/normal-touched-groups ref-shape)))))
 
                           ;; Swap slot must also be copied if the current shape has not any,
                           ;; except if this is the first level subcopy.
                           (and (some? (ctk/get-swap-slot ref-shape))
                                (nil? (ctk/get-swap-slot shape))
                                (not= (:id shape) shape-id))
-                          (pcb/update-shapes [(:id shape)] #(do (log/trace :msg "       (got swap-slot)")
+                          (pcb/update-shapes [(:id shape)] #(do (log/trace :msg (str "       (got swap-slot " (ctk/get-swap-slot ref-shape) ")"))
                                                                 (ctk/set-swap-slot % (ctk/get-swap-slot ref-shape))))
 
                           ;; If we can't get the ref-shape (e.g. it's in an external library not linked),
@@ -771,14 +773,6 @@
 ;;         is different than the one in the near component (Shape-2-2-1)
 ;;         but it's not touched.
 
-(defn- redirect-shaperef ;;Set the :shape-ref of a shape pointing to the :id of its remote-shape
-  ([container libraries shape]
-   (redirect-shaperef nil nil shape (ctf/find-remote-shape container libraries shape)))
-  ([_ _ shape remote-shape]
-   (if (some? (:shape-ref shape))
-     (assoc shape :shape-ref (:id remote-shape))
-     shape)))
-
 (defn generate-sync-shape-direct
   "Generate changes to synchronize one shape that is the root of a component
   instance, and all its children, from the given component."
@@ -790,18 +784,12 @@
         component  (ctkl/get-component library (:component-id shape-inst) true)]
     (if (and (ctk/in-component-copy? shape-inst)
              (or (ctf/direct-copy? shape-inst component container nil libraries) reset?)) ; In a normal sync, we don't want to sync remote mains, only direct/near
-      (let [redirect-shaperef (partial redirect-shaperef container libraries)
-
-            shape-main (when component
+      (let [shape-main (when component
                          (if reset?
                            ;; the reset is against the ref-shape, not against the original shape of the component
                            (ctf/find-ref-shape file container libraries shape-inst)
                            (ctf/get-ref-shape library component shape-inst)))
 
-            shape-inst (if reset?
-                         (redirect-shaperef shape-inst shape-main)
-                         shape-inst)
-
             initial-root?  (:component-root shape-inst)
 
             root-inst      shape-inst
@@ -819,8 +807,8 @@
                                                 root-inst
                                                 root-main
                                                 reset?
-                                                initial-root?
-                                                redirect-shaperef)
+                                                initial-root?)
+
           ;; If the component is not found, because the master component has been
           ;; deleted or the library unlinked, do nothing.
           changes))
@@ -844,7 +832,7 @@
             nil))))))
 
 (defn- generate-sync-shape-direct-recursive
-  [changes container shape-inst component library file libraries shape-main root-inst root-main reset? initial-root? redirect-shaperef]
+  [changes container shape-inst component library file libraries shape-main root-inst root-main reset? initial-root?]
   (shape-log :debug (:id shape-inst) container
              :msg "Sync shape direct recursive"
              :shape-inst (str (:name shape-inst) " " (pretty-uuid (:id shape-inst)))
@@ -891,9 +879,6 @@
           children-inst       (vec (ctn/get-direct-children container shape-inst))
           children-main       (vec (ctn/get-direct-children component-container shape-main))
 
-          children-inst (if reset?
-                          (map #(redirect-shaperef %) children-inst) children-inst)
-
           only-inst (fn [changes child-inst]
                       (shape-log :trace (:id child-inst) container
                                  :msg "Only inst"
@@ -942,8 +927,7 @@
                                                        root-inst
                                                        root-main
                                                        reset?
-                                                       initial-root?
-                                                       redirect-shaperef))
+                                                       initial-root?))
 
           swapped (fn [changes child-inst child-main]
                     (shape-log :trace (:id child-inst) container
@@ -1008,16 +992,13 @@
   the values in the shape and all its children."
   [changes file libraries container shape-id]
   (shape-log :debug shape-id container :msg "Sync shape inverse" :shape (str shape-id))
-  (let [redirect-shaperef (partial redirect-shaperef container libraries)
-        shape-inst     (ctn/get-shape container shape-id)
+  (let [shape-inst     (ctn/get-shape container shape-id)
         library        (dm/get-in libraries [(:component-file shape-inst) :data])
         component      (ctkl/get-component library (:component-id shape-inst))
 
         shape-main     (when component
                          (ctf/find-remote-shape container libraries shape-inst))
 
-        shape-inst     (redirect-shaperef shape-inst shape-main)
-
         initial-root?  (:component-root shape-inst)
 
         root-inst      shape-inst
@@ -1038,12 +1019,11 @@
                                              shape-main
                                              root-inst
                                              root-main
-                                             initial-root?
-                                             redirect-shaperef)
+                                             initial-root?)
       changes)))
 
 (defn- generate-sync-shape-inverse-recursive
-  [changes container shape-inst component library file libraries shape-main root-inst root-main initial-root? redirect-shaperef]
+  [changes container shape-inst component library file libraries shape-main root-inst root-main initial-root?]
   (shape-log :trace (:id shape-inst) container
              :msg "Sync shape inverse recursive"
              :shape (str (:name shape-inst))
@@ -1100,8 +1080,6 @@
           children-main   (mapv #(ctn/get-shape component-container %)
                                 (:shapes shape-main))
 
-          children-inst (map #(redirect-shaperef %) children-inst)
-
           only-inst (fn [changes child-inst]
                       (add-shape-to-main changes
                                          child-inst
@@ -1130,8 +1108,7 @@
                                                         child-main
                                                         root-inst
                                                         root-main
-                                                        initial-root?
-                                                        redirect-shaperef))
+                                                        initial-root?))
 
           swapped (fn [changes child-inst child-main]
                     (shape-log :trace (:id child-inst) container
@@ -1773,6 +1750,23 @@
     (pcb/update-shapes changes [(:id dest-shape)] ctk/unhead-shape {:ignore-touched true})
     changes))
 
+(defn- check-swapped-main
+  [changes dest-shape origin-shape]
+  ;; Only for direct updates (from main to copy). Check if the main shape
+  ;; has been swapped. If so, the new component-id and component-file must
+  ;; be put into the copy.
+  (if (and (= (:shape-ref dest-shape) (:id origin-shape))
+           (ctk/instance-head? dest-shape)
+           (ctk/instance-head? origin-shape)
+           (or (not= (:component-id dest-shape) (:component-id origin-shape))
+               (not= (:component-file dest-shape) (:component-file origin-shape))))
+    (pcb/update-shapes changes [(:id dest-shape)]
+                       #(assoc %
+                               :component-id (:component-id origin-shape)
+                               :component-file (:component-file origin-shape))
+                       {:ignore-touched true})
+    changes))
+
 (defn- update-attrs
   "The main function that implements the attribute sync algorithm. Copy
   attributes that have changed in the origin shape to the dest shape.
@@ -1816,6 +1810,8 @@
             :always
             (check-detached-main dest-shape origin-shape)
             :always
+            (check-swapped-main dest-shape origin-shape)
+            :always
             (generate-update-tokens container dest-shape origin-shape touched omit-touched? nil))
 
           (let [sync-group

common/src/app/common/path_names.cljc

@@ -148,16 +148,16 @@ Some naming conventions:
      :path 'one'
      :depth 0
      :leaf nil
-     :children-fn (fn [] [{:name 'two'
-                           :path 'one.two'
-                           :depth 1
-                           :leaf nil
-                           :children-fn (fn [] [{... :name 'three'} {... :name 'four'}])}
-                          {:name 'five'
-                           :path 'one.five'
-                           :depth 1
-                           :leaf {... :name 'five'}
-                           ...}])}]"
+     :children [{:name 'two'
+                 :path 'one.two'
+                 :depth 1
+                 :leaf nil
+                 :children [{... :name 'three'} {... :name 'four'}]}
+                {:name 'five'
+                 :path 'one.five'
+                 :depth 1
+                 :leaf {... :name 'five'}
+                 :children nil}]}]"
 
 (defn- sort-by-children
   "Sorts segments so that those with children come first."
@@ -191,7 +191,7 @@ Some naming conventions:
     (into (sorted-map) grouped)))
 
 (defn- build-tree-node
-  "Builds a single tree node with lazy children."
+  "Builds a single tree node with computed children."
   [segment-name remaining-segments separator parent-path depth]
   (let [current-path (if parent-path
                        (str parent-path "." segment-name)
@@ -208,12 +208,11 @@ Some naming conventions:
               :path current-path
               :depth depth
               :leaf leaf-segment
-              :children-fn (when-not is-leaf?
-                             (fn []
-                               (let [grouped-elements (sort-and-group-segments remaining-segments separator)]
-                                 (mapv (fn [[child-segment-name remaining-child-segments]]
-                                         (build-tree-node child-segment-name remaining-child-segments separator current-path (inc depth)))
-                                       grouped-elements))))}]
+              :children (when-not is-leaf?
+                          (let [grouped-elements (sort-and-group-segments remaining-segments separator)]
+                            (mapv (fn [[child-segment-name remaining-child-segments]]
+                                    (build-tree-node child-segment-name remaining-child-segments separator current-path (inc depth)))
+                                  grouped-elements)))}]
     node))
 
 (defn build-tree-root

common/src/app/common/spec.cljc

@@ -113,12 +113,19 @@
             (tgen/fmap keyword)))))
 
 ;; --- SPEC: email
+;;
+;; Regex rules enforced:
+;;   local part  - valid RFC chars, no leading/trailing dot, no consecutive dots
+;;   domain      - labels can't start/end with hyphen, no empty labels
+;;   TLD         - at least 2 alphabetic chars
 
-(def email-re #"[a-zA-Z0-9_.+-\\\\]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+")
+(def email-re
+  #"^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*@[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,63}$")
 
 (defn parse-email
   [s]
-  (some->> s (re-seq email-re) first))
+  (when (and (string? s) (re-matches email-re s))
+    s))
 
 (letfn [(conformer [v]
           (or (parse-email v) ::s/invalid))
@@ -126,11 +133,10 @@
           (dm/str v))]
   (s/def ::email
     (s/with-gen (s/conformer conformer unformer)
-      #(as-> (tgen/let [p1 (s/gen ::not-empty-string)
-                        p2 (s/gen ::not-empty-string)
-                        p3 (tgen/elements ["com" "net"])]
-               (str p1 "@" p2 "." p3)) $
-         (tgen/such-that (partial re-matches email-re) $ 50)))))
+      #(tgen/let [local (tgen/string-alphanumeric 1 20)
+                  label (tgen/string-alphanumeric 2 10)
+                  tld   (tgen/elements ["com" "net" "org" "io" "co" "dev"])]
+         (str local "@" label "." tld)))))
 
 ;; -- SPEC: uri
 

common/src/app/common/test_helpers/compositions.cljc

@@ -177,8 +177,11 @@
       (thc/instantiate-component component-label copy-root-label copy-root-params)))
 
 (defn add-nested-component
-  [file component1-label main1-root-label main1-child-label component2-label main2-root-label nested-head-label
-   & {:keys [component1-params root1-params main1-child-params component2-params main2-root-params nested-head-params]}]
+  [file
+   component1-label main1-root-label main1-child-label
+   component2-label main2-root-label nested-head-label
+   & {:keys [component1-params root1-params main1-child-params
+             component2-params main2-root-params nested-head-params]}]
   ;; Generated shape tree:
   ;; {:main1-root-label} [:name Frame1]      # [Component :component1-label]
   ;;     :main1-child-label [:name Rect1]
@@ -204,8 +207,13 @@
                           component2-params)))
 
 (defn add-nested-component-with-copy
-  [file component1-label main1-root-label main1-child-label component2-label main2-root-label nested-head-label copy2-root-label
-   & {:keys [component1-params root1-params main1-child-params component2-params main2-root-params nested-head-params copy2-root-params]}]
+  [file
+   component1-label main1-root-label main1-child-label
+   component2-label main2-root-label nested-head-label
+   copy2-root-label
+   & {:keys [component1-params root1-params main1-child-params
+             component2-params main2-root-params nested-head-params
+             copy2-root-params]}]
   ;; Generated shape tree:
   ;; {:main1-root-label} [:name Frame1]      # [Component :component1-label]
   ;;     :main1-child-label [:name Rect1]
@@ -232,6 +240,102 @@
                             :nested-head-params nested-head-params)
       (thc/instantiate-component component2-label copy2-root-label copy2-root-params)))
 
+(defn add-two-levels-nested-component
+  [file
+   component1-label main1-root-label main1-child-label
+   component2-label main2-root-label nested-head1-label
+   component3-label main3-root-label nested-head2-label nested-subhead2-label
+   & {:keys [component1-params root1-params main1-child-params
+             component2-params main2-root-params nested-head1-params
+             component3-params main3-root-params nested-head2-params]}]
+  ;; Generated shape tree:
+  ;; {:main1-root-label} [:name Frame1]            # [Component :component1-label]
+  ;;     :main1-child-label [:name Rect1]
+  ;;
+  ;; {:main2-root-label} [:name Frame2]            # [Component :component2-label]
+  ;;     :nested-head1-label [:name Frame1]        @--> [Component :component1-label] :main1-root-label
+  ;;         <no-label> [:name Rect1]              ---> :main1-child-label
+  ;;
+  ;; {:main3-root-label} [:name Frame3]            # [Component :component3-label]
+  ;;     :nested-head2-label [:name Frame2]        @--> [Component :component2-label] :main2-root-label
+  ;;         :nested-subhead2-label [:name Frame1] @--> [Component :component1-label] :main1-root-label
+  ;;             <no-label> [:name Rect1]          ---> :main1-child-label
+  (-> file
+      (add-simple-component component1-label
+                            main1-root-label
+                            main1-child-label
+                            :component-params component1-params
+                            :root-params root1-params
+                            :child-params main1-child-params)
+      (add-frame main2-root-label (merge {:name "Frame2"}
+                                         main2-root-params))
+      (thc/instantiate-component component1-label
+                                 nested-head1-label
+                                 (assoc nested-head1-params
+                                        :parent-label main2-root-label))
+      (thc/make-component component2-label
+                          main2-root-label
+                          component2-params)
+      (add-frame main3-root-label (merge {:name "Frame3"}
+                                         main3-root-params))
+      (thc/instantiate-component component2-label
+                                 nested-head2-label
+                                 (assoc nested-head2-params
+                                        :parent-label main3-root-label
+                                        :children-labels [nested-subhead2-label]))
+      (thc/make-component component3-label
+                          main3-root-label
+                          component3-params)))
+
+(defn add-two-levels-nested-component-with-copy
+  [file
+   component1-label main1-root-label main1-child-label
+   component2-label main2-root-label nested-head1-label
+   component3-label main3-root-label nested-head2-label nested-subhead2-label
+   copy2-root-label
+   & {:keys [component1-params root1-params main1-child-params
+             component2-params main2-root-params nested-head1-params
+             component3-params main3-root-params nested-head2-params
+             copy2-root-params]}]
+  ;; Generated shape tree:
+  ;; {:main1-root-label} [:name Frame1]            # [Component :component1-label]
+  ;;     :main1-child-label [:name Rect1]
+  ;;
+  ;; {:main2-root-label} [:name Frame2]            # [Component :component2-label]
+  ;;     :nested-head1-label [:name Frame1]        @--> [Component :component1-label] :main1-root-label
+  ;;         <no-label> [:name Rect1]              ---> :main1-child-label
+  ;;
+  ;; {:main3-root-label} [:name Frame3]            # [Component :component3-label]
+  ;;     :nested-head2-label [:name Frame2]        @--> [Component :component2-label] :main2-root-label
+  ;;         :nested-subhead2-label [:name Frame1] @--> [Component :component1-label] :main1-root-label
+  ;;             <no-label> [:name Rect1]          ---> :main1-child-label
+  ;;
+  ;; :copy2-label [:name Frame3]                   #--> [Component :component3-label] :main3-root-label
+  ;;     <no-label> [:name Frame2]                 @--> [Component :component2-label] :nested-head2-label
+  ;;         <no-label> [:name Frame1]             @--> [Component :component1-label] :nested-subhead2-label
+  ;;             <no-label> [:name Rect1]          ---> <no-label>
+  (-> file
+      (add-two-levels-nested-component component1-label
+                                       main1-root-label
+                                       main1-child-label
+                                       component2-label
+                                       main2-root-label
+                                       nested-head1-label
+                                       component3-label
+                                       main3-root-label
+                                       nested-head2-label
+                                       nested-subhead2-label
+                                       :component1-params component1-params
+                                       :root1-params root1-params
+                                       :main1-child-params main1-child-params
+                                       :component2-params component2-params
+                                       :main2-root-params main2-root-params
+                                       :nested-head1-params nested-head1-params
+                                       :component3-params component3-params
+                                       :main3-root-params main3-root-params
+                                       :nested-head2-params nested-head2-params)
+      (thc/instantiate-component component3-label copy2-root-label copy2-root-params)))
+
 ;; ----- Getters
 
 (defn bottom-shape-by-id
@@ -274,15 +378,18 @@
                      file-id
                      {file-id file}
                      file-id))]
-    (thf/apply-changes file changes)))
+    (thf/apply-changes file changes :validate? false)))
 
-(defn swap-component
+(defn swap-component-
   "Swap the specified shape by the component specified by component-tag"
-  [file shape component-tag & {:keys [page-label propagate-fn keep-touched? new-shape-label]}]
+  [file shape component-tag & {:keys [page-label propagate-fn keep-touched? new-shape-label library]}]
   (let [page    (if page-label
                   (thf/get-page file page-label)
                   (thf/current-page file))
-        libraries {(:id  file) file}
+        libraries (cond-> {(:id file) file}
+                    (some? library)
+                    (assoc (:id library) library))
+        library   (or library file)
 
         orig-shapes (when keep-touched? (cfh/get-children-with-self (:objects page) (:id shape)))
 
@@ -290,10 +397,10 @@
         (cll/generate-component-swap (pcb/empty-changes)
                                      (:objects page)
                                      shape
-                                     (:data file)
+                                     (:data library)
                                      page
                                      libraries
-                                     (->  (thc/get-component file component-tag)
+                                     (->  (thc/get-component library component-tag)
                                           :id)
                                      0
                                      nil
@@ -305,26 +412,36 @@
                       [changes nil])
 
 
-        file' (thf/apply-changes file changes)]
+        file' (thf/apply-changes file changes :validate? (not propagate-fn))]
     (when new-shape-label
       (thi/rm-id! (:id new-shape))
       (thi/set-id! new-shape-label (:id new-shape)))
     (if propagate-fn
-      (propagate-fn file')
+      (-> (propagate-fn file')
+          (thf/validate-file!))
       file')))
 
-(defn swap-component-in-shape [file shape-tag component-tag & {:keys [page-label propagate-fn]}]
-  (swap-component file (ths/get-shape file shape-tag :page-label page-label) component-tag :page-label page-label :propagate-fn propagate-fn))
+(defn swap-component-in-shape
+  [file shape-tag component-tag & {:keys [page-label propagate-fn keep-touched? new-shape-label library]}]
+  (swap-component- file (ths/get-shape file shape-tag :page-label page-label)
+                   component-tag
+                   :page-label page-label
+                   :propagate-fn propagate-fn
+                   :keep-touched? keep-touched?
+                   :new-shape-label new-shape-label
+                   :library library))
 
-(defn swap-component-in-first-child [file shape-tag component-tag & {:keys [page-label propagate-fn]}]
+(defn swap-component-in-first-child
+  [file shape-tag component-tag & {:keys [page-label propagate-fn library]}]
   (let [first-child-id (->> (ths/get-shape file shape-tag :page-label page-label)
                             :shapes
                             first)]
-    (swap-component file
-                    (ths/get-shape-by-id file first-child-id :page-label page-label)
-                    component-tag
-                    :page-label page-label
-                    :propagate-fn propagate-fn)))
+    (swap-component- file
+                     (ths/get-shape-by-id file first-child-id :page-label page-label)
+                     component-tag
+                     :page-label page-label
+                     :propagate-fn propagate-fn
+                     :library library)))
 
 (defn update-color
   "Update the first fill color for the shape identified by shape-tag"
@@ -339,9 +456,10 @@
                                       (assoc shape :fills (ths/sample-fills-color :fill-color color)))
                                     (:objects page)
                                     {})
-        file' (thf/apply-changes file changes)]
+        file' (thf/apply-changes file changes :validate? (not propagate-fn))]
     (if propagate-fn
-      (propagate-fn file')
+      (-> (propagate-fn file')
+          (thf/validate-file!))
       file')))
 
 (defn update-bottom-color
@@ -357,9 +475,10 @@
                                       (assoc shape :fills (ths/sample-fills-color :fill-color color)))
                                     (:objects page)
                                     {})
-        file' (thf/apply-changes file changes)]
+        file' (thf/apply-changes file changes :validate? (not propagate-fn))]
     (if propagate-fn
-      (propagate-fn file')
+      (-> (propagate-fn file')
+          (thf/validate-file!))
       file')))
 
 (defn reset-overrides [file shape & {:keys [page-label propagate-fn]}]
@@ -374,9 +493,10 @@
                        {file-id file}
                        (ctn/make-container container :page)
                        (:id shape)))
-        file' (thf/apply-changes file changes)]
+        file' (thf/apply-changes file changes :validate? (not propagate-fn))]
     (if propagate-fn
-      (propagate-fn file')
+      (-> (propagate-fn file')
+          (thf/validate-file!))
       file')))
 
 (defn reset-overrides-in-first-child [file shape-tag & {:keys [page-label propagate-fn]}]
@@ -398,9 +518,10 @@
                                                 #{(-> (ths/get-shape file shape-tag :page-label page-label)
                                                       :id)}
                                                 {})
-        file' (thf/apply-changes file changes)]
+        file' (thf/apply-changes file changes :validate? (not propagate-fn))]
     (if propagate-fn
-      (propagate-fn file')
+      (-> (propagate-fn file')
+          (thf/validate-file!))
       file')))
 
 (defn duplicate-shape [file shape-tag & {:keys [page-label propagate-fn]}]
@@ -419,8 +540,9 @@
                                             (:id file))             ;; file-id
             (cll/generate-duplicate-changes-update-indices (:objects page)  ;; objects
                                                            #{(:id shape)}))
-        file' (thf/apply-changes file changes)]
+        file' (thf/apply-changes file changes :validate? (not propagate-fn))]
     (if propagate-fn
-      (propagate-fn file')
+      (-> (propagate-fn file')
+          (thf/validate-file!))
       file')))
 

common/src/app/common/test_helpers/files.cljc

@@ -54,12 +54,14 @@
   ([file] (validate-file! file {}))
   ([file libraries]
    (cfv/validate-file-schema! file)
-   (cfv/validate-file! file libraries)))
+   (cfv/validate-file! file libraries)
+   file))
 
 (defn apply-changes
-  [file changes]
+  [file changes & {:keys [validate?] :or {validate? true}}]
   (let [file' (ctf/update-file-data file #(cfc/process-changes % (:redo-changes changes) true))]
-    (validate-file! file')
+    (when validate?
+      (validate-file! file'))
     file'))
 
 (defn apply-undo-changes

common/src/app/common/test_helpers/shapes.cljc

@@ -82,6 +82,18 @@
                                 (:id page)
                                 #(ctst/set-shape % (ctn/set-shape-attr shape attr val)))))))
 
+(defn update-shape-by-id
+  [file shape-id attr val & {:keys [page-label]}]
+  (let [page (if page-label
+               (thf/get-page file page-label)
+               (thf/current-page file))
+        shape (ctst/get-shape page shape-id)]
+    (update file :data
+            (fn [file-data]
+              (ctpl/update-page file-data
+                                (:id page)
+                                #(ctst/set-shape % (ctn/set-shape-attr shape attr val)))))))
+
 (defn update-shape-text
   [file shape-label attr val & {:keys [page-label]}]
   (let [page (if page-label

common/src/app/common/text.cljc

@@ -37,7 +37,9 @@
 (defn attrs-to-styles
   [attrs]
   (reduce-kv (fn [res k v]
-               (conj res (encode-style k v)))
+               (if (some? v)
+                 (conj res (encode-style k v))
+                 res))
              #{}
              attrs))
 

common/src/app/common/types/component.cljc

@@ -163,11 +163,15 @@
    Note that design tokens also are involved, although they go by an alternate
    route and thus they are not part of :sync-attrs.
    Also when detaching a nested copy it also needs to trigger a synchronization,
-   even though :shape-ref is not a synced attribute per se"
+   even though :shape-ref, :component-id or :component-file are not synced
+   attributes per se."
   [attr]
   (or (contains? sync-attrs attr)
       (= :shape-ref attr)
-      (= :applied-tokens attr)))
+      (= :applied-tokens attr)
+      (= :component-id attr)
+      (= :component-file attr)
+      (= :component-root attr)))
 
 (defn instance-root?
   "Check if this shape is the head of a top instance."

common/src/app/common/types/components_list.cljc

@@ -60,6 +60,9 @@
                                        (some? objects)
                                        (assoc :objects objects)
 
+                                       (nil? objects)
+                                       (dissoc :objects)
+
                                        (some? modified-at)
                                        (assoc :modified-at modified-at)
 

common/src/app/common/types/container.cljc

@@ -55,6 +55,10 @@
   [page-or-component type]
   (assoc page-or-component :type type))
 
+(defn unmake-container
+  [container]
+  (dissoc container :type))
+
 (defn page?
   [container]
   (= (:type container) :page))

common/src/app/common/types/file.cljc

@@ -204,7 +204,8 @@
 
 (defn update-file-data
   [file f]
-  (update file :data f))
+  (when file
+    (update file :data f)))
 
 (defn containers-seq
   "Generate a sequence of all pages and all components, wrapped as containers"
@@ -225,6 +226,85 @@
     (ctpl/update-page file-data (:id container) f)
     (ctkl/update-component file-data (:id container) f)))
 
+(defn update-pages
+  "Update all pages inside the file"
+  [file-data f]
+  (update file-data :pages-index d/update-vals
+          (fn [page]
+            (-> page
+                (ctn/make-container :page)
+                (f)
+                (ctn/unmake-container)))))
+
+(defn update-components
+  "Update all components inside the file"
+  [file-data f]
+  (d/update-when file-data :components d/update-vals
+                 (fn [component]
+                   (-> component
+                       (ctn/make-container :component)
+                       (f)
+                       (ctn/unmake-container)))))
+
+(defn update-containers
+  "Update all pages and components inside the file"
+  [file-data f]
+  (-> file-data
+      (update-pages f)
+      (update-components f)))
+
+(defn update-objects-tree
+  "Do a depth-first traversal of the shapes in a container, doing different kinds of updates.
+   The function f receives a shape with a context metadata with the container.
+   It must return a map with the following keys:
+   - :result -> :keep, :update or :remove
+   - :updated-shape -> the updated shape if result is :update"
+  [container f]
+  (letfn [(update-shape-recursive
+            [container shape-id]
+            (let [shape (ctst/get-shape container shape-id)]
+              (when (not shape)
+                (throw (ex-info "Shape not found" {:shape-id shape-id})))
+              (let [shape (with-meta shape {:container container})
+
+                    {:keys [result updated-shape]} (f shape)
+
+                    container'
+                    (case result
+                      :keep
+                      container
+
+                      :update
+                      (ctst/set-shape container updated-shape)
+
+                      :remove
+                      (ctst/delete-shape container shape-id true)
+
+                      (throw (ex-info "Invalid result from update function" {:result result})))]
+
+                (if (= result :remove)
+                  container'
+                  (reduce update-shape-recursive
+                          container'
+                          (:shapes shape))))))]
+
+    (let [root-id (if (ctn/page? container)
+                    uuid/zero
+                    (:main-instance-id container))]
+
+      (if-not (empty? (:objects container))
+        (update-shape-recursive container root-id)
+        container))))
+
+(defn update-all-shapes
+  "Update all shapes in the file data, using the update-objects-tree function for each container"
+  [file-data f]
+  (when file-data
+    (update-containers
+     file-data
+     (fn [container]
+       (update-objects-tree container f)))))
+
 ;; Asset helpers
 (defn find-component-file
   [file libraries component-file]
@@ -328,6 +408,27 @@
               (get-ref-shape (:data component-file) component shape :with-context? with-context?))))]
     (some find-ref-shape-in-head (ctn/get-parent-heads (:objects container) shape))))
 
+(defn find-near-match
+  "Locate the shape that occupies the same position in the near main component.
+  This will be the ref-shape except if the shape is a copy subhead that has been
+  swapped. In this case, the near match will be the ref-shape that was before
+  the swap."
+  [file container libraries shape & {:keys [include-deleted? with-context?] :or {include-deleted? false with-context? false}}]
+  (let  [parent-shape     (ctst/get-shape container (:parent-id shape))
+         parent-ref-shape (when parent-shape
+                            (find-ref-shape file container libraries parent-shape :include-deleted? include-deleted? :with-context? true))
+         ref-container    (when parent-ref-shape
+                            (:container (meta parent-ref-shape)))
+         shape-index      (when parent-shape
+                            (d/index-of (:shapes parent-shape) (:id shape)))
+         near-match-id    (when (and parent-ref-shape shape-index)
+                            (get (:shapes parent-ref-shape) shape-index))
+         near-match       (when near-match-id
+                            (cond-> (ctst/get-shape ref-container near-match-id)
+                              with-context?
+                              (with-meta (meta parent-ref-shape))))]
+    near-match))
+
 (defn advance-shape-ref
   "Get the shape-ref of the near main of the shape, recursively repeated as many times
    as the given levels."

common/src/app/common/types/organization.cljc

@@ -0,0 +1,50 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns app.common.types.organization
+  (:require
+   [app.common.schema :as sm]))
+
+(def schema:organization
+  [:map
+   [:id ::sm/uuid]
+   [:name ::sm/text]
+   [:slug ::sm/text]
+   [:owner-id ::sm/uuid]
+   [:avatar-bg-url ::sm/uri]
+   [:logo-id {:optional true} [:maybe ::sm/uuid]]])
+
+
+(def schema:team-with-organization
+  [:map
+   [:id ::sm/uuid]
+   [:is-your-penpot :boolean]
+   [:organization schema:organization]])
+
+(def organization->team-keys
+  "Mapping from organization field keys to their corresponding :organization-* team keys."
+  [[:id            :organization-id]
+   [:name          :organization-name]
+   [:custom-photo  :organization-custom-photo]
+   [:slug          :organization-slug]
+   [:avatar-bg-url :organization-avatar-bg-url]
+   [:owner-id      :organization-owner-id]])
+
+(defn apply-organization
+  "Updates a team map with organization fields sourced from org.
+	Associates each org field to the corresponding :organization-* team key when
+	the value is non-nil; dissociates the key otherwise. This correctly handles
+	both attaching an org (all values present) and detaching one (org is nil or
+	all fields absent)."
+  [team organization]
+  (let [id (:id organization)]
+    (reduce (fn [acc [org-k team-k]]
+              (let [v (get organization org-k)]
+                (if (and id (some? v))
+                  (assoc acc team-k v)
+                  (dissoc acc team-k))))
+            team
+            organization->team-keys)))

common/src/app/common/types/page.cljc

@@ -34,7 +34,8 @@
    [:id ::sm/uuid]
    [:axis [::sm/one-of #{:x :y}]]
    [:position ::sm/safe-number]
-   [:frame-id {:optional true} [:maybe ::sm/uuid]]])
+   [:frame-id {:optional true} [:maybe ::sm/uuid]]
+   [:color {:optional true} [:maybe ctc/schema:hex-color]]])
 
 (def schema:guides
   [:map-of {:gen/max 2} ::sm/uuid schema:guide])
@@ -58,6 +59,10 @@
    [:guides {:optional true} schema:guides]
    [:plugin-data {:optional true} ctpg/schema:plugin-data]
    [:background {:optional true} ctc/schema:hex-color]
+   ;; Per-page pixel grid color. Falls back to a hardcoded default when
+   ;; unset so existing files render identically to before.
+   [:pixel-grid-color {:optional true} ctc/schema:hex-color]
+   [:pixel-grid-opacity {:optional true} ::sm/safe-number]
 
    [:comment-thread-positions {:optional true}
     [:map-of ::sm/uuid schema:comment-thread-position]]])

common/src/app/common/types/path.cljc

@@ -84,6 +84,19 @@
   (-> (subpath/close-subpaths content)
       (impl/from-plain)))
 
+(defn merge-touching-subpaths
+  "Given a content, fold consecutive subpaths whose endpoints coincide
+  into a single continuous subpath, returning a PathData instance.
+
+  Conservative counterpart of `close-subpaths`: only adjacent subpaths
+  are merged and none are reversed, so fill rules and stroke-dasharray
+  semantics are preserved. Used at SVG-import time on stroke-only paths
+  to recover the `stroke-linejoin` rendering when authoring tools split
+  a continuous polyline into adjacent `M..L M..L` subpaths."
+  [content]
+  (-> (subpath/merge-touching-subpaths content)
+      (impl/from-plain)))
+
 (defn apply-content-modifiers
   "Apply delta modifiers over the path content"
   [content modifiers]

common/src/app/common/types/path/subpath.cljc

@@ -128,6 +128,36 @@
 (def ^:private xf-mapcat-data
   (mapcat :data))
 
+(defn- join-adjacent
+  "Fold neighbouring subpaths into the accumulator only when the
+  current accumulator's end-point matches the next subpath's start-point.
+  Unlike `merge-paths` this does not reverse subpaths nor reorder them;
+  the original draw order is preserved so stroke-dasharray and animation
+  semantics stay intact."
+  [acc subpath]
+  (if-let [prev (peek acc)]
+    (if (and (not (is-closed? prev))
+             (not (is-closed? subpath))
+             (pt= (:to prev) (:from subpath)))
+      (conj (pop acc) (subpaths-join prev subpath))
+      (conj acc subpath))
+    (conj acc subpath)))
+
+(defn merge-touching-subpaths
+  "Merge consecutive subpaths whose endpoints coincide into a single
+  continuous subpath, preserving the original drawing order.
+
+  This is a conservative variant of `close-subpaths`: it never reverses
+  a subpath and only merges immediate neighbours, so closed regions and
+  fill semantics are left untouched. The intent is to recover the
+  `stroke-linejoin` rendering for SVG paths whose authoring tools split
+  a continuous polyline into adjacent `M..L M..L` subpaths (e.g. the
+  `m0 0` markers Figma emits when exporting Heroicons-like icons)."
+  [content]
+  (let [subpaths (get-subpaths content)
+        merged   (reduce join-adjacent [] subpaths)]
+    (into [] xf-mapcat-data merged)))
+
 (defn close-subpaths
   "Searches a path for possible subpaths that can create closed loops and merge them"
   [content]

common/src/app/common/types/shape.cljc

@@ -145,7 +145,8 @@
     [::sm/one-of stroke-caps]]
    [:stroke-color {:optional true} clr/schema:hex-color]
    [:stroke-color-gradient {:optional true} clr/schema:gradient]
-   [:stroke-image {:optional true} clr/schema:image]])
+   [:stroke-image {:optional true} clr/schema:image]
+   [:hidden {:optional true} :boolean]])
 
 (def stroke-attrs
   "A set of attrs that corresponds to stroke data type"

common/src/app/common/types/shape/layout.cljc

@@ -874,6 +874,42 @@
         (duplicate-cells :column index (inc index) ids-map)
         (assign-cells objects))))
 
+(defn duplicate-row-at
+  "Duplicate source row and insert the copy at target-index (0-indexed).
+   Like `duplicate-row` but inserts at an arbitrary position.
+   Note: after add-grid-row, if target <= source the source cells shift
+   by +1, so we must adjust the from-index for duplicate-cells."
+  [shape objects source-index target-index ids-map]
+  (let [value          (dm/get-in shape [:layout-grid-rows source-index])
+        ;; After inserting at target-index, cells at rows >= (inc target-index)
+        ;; get shifted +1. If target <= source, the source row shifts.
+        adjusted-source (if (<= target-index source-index)
+                          (inc source-index)
+                          source-index)]
+    (-> shape
+        (remove-cell-areas-after :row source-index)
+        (add-grid-row value target-index)
+        (duplicate-cells :row adjusted-source target-index ids-map)
+        (assign-cells objects))))
+
+(defn duplicate-column-at
+  "Duplicate source column and insert the copy at target-index (0-indexed).
+   Like `duplicate-column` but inserts at an arbitrary position.
+   Note: after add-grid-column, if target <= source the source cells shift
+   by +1, so we must adjust the from-index for duplicate-cells."
+  [shape objects source-index target-index ids-map]
+  (let [value          (dm/get-in shape [:layout-grid-columns source-index])
+        ;; After inserting at target-index, cells at columns >= (inc target-index)
+        ;; get shifted +1. If target <= source, the source column shifts.
+        adjusted-source (if (<= target-index source-index)
+                          (inc source-index)
+                          source-index)]
+    (-> shape
+        (remove-cell-areas-after :column source-index)
+        (add-grid-column value target-index)
+        (duplicate-cells :column adjusted-source target-index ids-map)
+        (assign-cells objects))))
+
 (defn make-remove-cell
   [attr span-attr track-num]
   (fn [[_ cell]]

common/src/app/common/types/shape_tree.cljc

@@ -16,8 +16,6 @@
    [app.common.types.shape.layout :as ctl]
    [app.common.uuid :as uuid]))
 
-
-;; FIXME: the order of arguments seems arbitrary, container should be a first artgument
 (defn add-shape
   "Insert a shape in the tree, at the given index below the given parent or frame.
   Update the parent as needed."

common/src/app/common/types/team.cljc

@@ -20,9 +20,16 @@
 (def schema:role
   [::sm/one-of {:title "TeamRole"} valid-roles])
 
+(def schema:team-name
+  [:and
+   [::sm/text {:max 250}]
+   [:fn {:error/code "errors.team-name-invalid-chars"}
+    (fn [s] (not (re-find #"[.:/]" s)))]])
+
 ;; FIXME: specify more fields
 (def schema:team
   [:map {:title "Team"}
    [:id ::sm/uuid]
    [:name :string]])
 
+

common/src/app/common/types/text.cljc

@@ -95,7 +95,9 @@
    :text-direction "ltr"})
 
 (def default-text-attrs
-  {:font-id "sourcesanspro"
+  {:typography-ref-file nil
+   :typography-ref-id nil
+   :font-id "sourcesanspro"
    :font-family "sourcesanspro"
    :font-variant-id "regular"
    :font-size "14"
@@ -354,6 +356,32 @@
             [k (get attrs k v)]))))
 
 
+(defn content-has-text?
+  [content search]
+  (let [search-lower (str/lower search)]
+    (->> (node-seq is-text-node? content)
+         (some #(str/includes? (str/lower (:text %)) search-lower))
+         (boolean))))
+
+(defn replace-all-case-insensitive
+  [text search replacement]
+  (let [text-lower   (str/lower text)
+        search-lower (str/lower search)
+        search-len   (count search)]
+    (loop [result "" idx 0]
+      (let [found (str/index-of text-lower search-lower idx)]
+        (if (nil? found)
+          (str result (subs text idx))
+          (recur (str result (subs text idx found) replacement)
+                 (+ found search-len)))))))
+
+(defn replace-text-in-content
+  [content search replacement]
+  (transform-nodes
+   is-text-node?
+   (fn [node] (update node :text replace-all-case-insensitive search replacement))
+   content))
+
 (defn content->text
   "Given a root node of a text content extracts the texts with its associated styles"
   [content]

common/src/app/common/types/token.cljc

@@ -136,6 +136,9 @@
 (def token-name-validation-regex
   #"^[a-zA-Z0-9_-][a-zA-Z0-9$_-]*(\.[a-zA-Z0-9$_-]+)*$")
 
+(def token-node-name-validation-regex
+  #"^[a-zA-Z0-9_-][a-zA-Z0-9$_-]*(\.[a-zA-Z0-9$_-]+)*$")
+
 (def schema:token-name
   "A token name can contains letters, numbers, underscores the character $ and dots, but
    not start with $ or end with a dot. The $ character does not have any special meaning,
@@ -153,6 +156,14 @@
         :gen/gen sg/text}
    token-ref-validation-regex])
 
+(def schema:token-node-name
+  "A token node name can contains letters, numbers, underscores and the character $, but
+   not start with $ or a dot, or end with a dot. The $ character does not have any special meaning,
+   but dots separate token groups (e.g. color.primary.background)."
+  [:re {:title "TokenNodeName"
+        :gen/gen sg/text}
+   token-node-name-validation-regex])
+
 (def schema:token-type
   [::sm/one-of {:decode/json (fn [type]
                                (if (string? type)
@@ -521,31 +532,32 @@
 
 (def tokens-by-input
   "A map from input name to applicable token for that input."
-  {:width #{:sizing :dimensions}
-   :height #{:sizing :dimensions}
-   :max-width #{:sizing :dimensions}
-   :max-height #{:sizing :dimensions}
-   :min-width #{:sizing :dimensions}
-   :min-height #{:sizing :dimensions}
-   :x #{:dimensions}
-   :y #{:dimensions}
-   :rotation #{:number :rotation}
-   :border-radius #{:border-radius :dimensions}
-   :row-gap #{:spacing :dimensions}
-   :column-gap #{:spacing :dimensions}
-   :horizontal-padding #{:spacing :dimensions}
-   :vertical-padding #{:spacing :dimensions}
-   :sided-paddings #{:spacing :dimensions}
-   :horizontal-margin #{:spacing :dimensions}
-   :vertical-margin #{:spacing :dimensions}
-   :sided-margins #{:spacing :dimensions}
-   :line-height #{:line-height :number}
-   :opacity #{:opacity}
-   :stroke-width #{:stroke-width :dimensions}
-   :font-size #{:font-size}
-   :letter-spacing #{:letter-spacing}
-   :fill #{:color}
-   :stroke-color #{:color}})
+  {:width              [:sizing :dimensions]
+   :height             [:sizing :dimensions]
+   :max-width          [:sizing :dimensions]
+   :max-height         [:sizing :dimensions]
+   :min-width          [:sizing :dimensions]
+   :min-height         [:sizing :dimensions]
+   :x                  [:dimensions]
+   :y                  [:dimensions]
+   :rotation           [:rotation :number]
+   :border-radius      [:border-radius :dimensions]
+   :row-gap            [:spacing :dimensions]
+   :column-gap         [:spacing :dimensions]
+   :horizontal-padding [:spacing :dimensions]
+   :vertical-padding   [:spacing :dimensions]
+   :sided-paddings     [:spacing :dimensions]
+   :horizontal-margin  [:spacing :dimensions]
+   :vertical-margin    [:spacing :dimensions]
+   :sided-margins      [:spacing :dimensions]
+   :line-height        [:line-height :number]
+   :opacity            [:opacity]
+   :stroke-width       [:stroke-width :dimensions]
+   :font-size          [:font-size]
+   :letter-spacing     [:letter-spacing]
+   :fill               [:color]
+   :stroke-color       [:color]
+   :typography         [:typography]})
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; HELPERS for tokens application

common/src/app/common/types/tokens_lib.cljc

@@ -153,6 +153,18 @@
                   tokens)]
     (group-by :type tokens')))
 
+(defn rename-path
+  "Renames a node or token path segment with a new name.
+   If token is provided, it renames a token path, otherwise it renames a node path."
+  ([node new-name]
+   (rename-path node nil new-name))
+  ([node token new-name]
+   (let [element (if token (:name token) (:path node))
+         split-path (cpn/split-path element :separator ".")
+         updated-split-element-name (assoc split-path (:depth node) new-name)
+         new-element-path (cpn/join-path updated-split-element-name :separator "." :with-spaces? false)]
+     new-element-path)))
+
 ;; === Token Set
 
 (defprotocol ITokenSet
@@ -920,6 +932,7 @@ Will return a value that matches this schema:
 `:all`     All of the nested sets are active
 `:partial` Mixed active state of nested sets")
   (get-tokens-in-active-sets [_] "set of set names that are active in the the active themes")
+  (get-tokens-in-active-sets-force [_ force-set-id] "same as above but forcing a set to be active, even if it's not in the active themes")
   (get-all-tokens [_] "all tokens in the lib, as a sequence")
   (get-all-tokens-map [_] "all tokens in the lib, as a map name -> token")
   (get-tokens [_ set-id] "return a map of tokens in the set, indexed by token-name"))
@@ -1317,6 +1330,21 @@ Will return a value that matches this schema:
                                    active-set-names)]
       tokens))
 
+  (get-tokens-in-active-sets-force [this force-set-id]
+    (let [theme-set-names  (get-active-themes-set-names this)
+          all-set-names    (get-set-names this)
+          force-set        (get-set this force-set-id)
+          active-set-names (cond-> (filter theme-set-names all-set-names)
+                             (some? force-set)
+                             (conj (get-name force-set)))
+
+          tokens           (reduce (fn [tokens set-name]
+                                     (let [set (get-set-by-name this set-name)]
+                                       (merge tokens (get-tokens- set))))
+                                   (d/ordered-map)
+                                   active-set-names)]
+      tokens))
+
   (get-all-tokens [this]
     (mapcat #(vals (get-tokens- %))
             (get-sets this)))
@@ -1493,6 +1521,30 @@ Will return a value that matches this schema:
                 (seq)
                 (boolean)))))
 
+(defn update-tokens-group
+  "Updates the active tokens path when renaming a group node.
+   - Filters tokens whose path matches the current path prefix
+   - Replaces the token name with the new name
+   - Updates the :path value in the token object
+
+   active-tokens: map of token-name to token-object for all active tokens in the set
+   current-path: the path of the group being renamed, e.g. \"foo.bar\"
+   current-name: the current name of the group being renamed, e.g. \"bar\"
+   new-name: the new name for the group being renamed, e.g. \"baz\""
+
+  [active-tokens current-path current-name new-name]
+  (let [path-prefix (str/replace current-path current-name "")]
+    (mapv (fn [[token-path token-obj]]
+            (if (str/starts-with? token-path path-prefix)
+              (let [new-token-path (str/replace token-path current-name new-name)
+                    new-token-obj (-> token-obj
+                                      (assoc :name new-token-path)
+                                      (cond-> (:path token-obj)
+                                        (assoc :path (str/replace (:path token-obj) current-name new-name))))]
+                [new-token-path new-token-obj])
+              [token-path token-obj]))
+          active-tokens)))
+
 ;; === Import / Export from JSON format
 
 ;; Supported formats:

common/src/app/common/uuid.cljc

@@ -60,8 +60,9 @@
      :cljs (uuid (impl/v4))))
 
 (defn custom
-  ([a] #?(:clj (UUID. 0 a) :cljs (uuid (impl/custom 0 a))))
-  ([b a] #?(:clj (UUID. b a) :cljs (uuid (impl/custom b a)))))
+  "Generate a uuid using directly the given number (specified as one or two long integers)"
+  ([low] #?(:clj (UUID. 0 low) :cljs (uuid (impl/custom 0 low))))
+  ([high low] #?(:clj (UUID. high low) :cljs (uuid (impl/custom high low)))))
 
 (def zero (uuid "00000000-0000-0000-0000-000000000000"))
 
@@ -137,6 +138,22 @@
        (+ (clojure.lang.Murmur3/hashLong a)
           (clojure.lang.Murmur3/hashLong b)))))
 
+;; Fake uuids generator
+(def ^:private fake-ids (atom 0))
+
+(defn reset-fake!
+  "Reset the fake uuid counter to 0, for reproducible results across tests."
+  []
+  (reset! fake-ids 0))
+
+(defn next-fake
+  "When you need predictable uuids, for example when debugging a failing test, wrap the code with
+     (with-redefs [uuid/next uuid/next-fake]
+       ...tested code...)"
+  []
+  (-> (swap! fake-ids inc)
+      (custom)))
+
 ;; Commented code used for debug
 ;; #?(:cljs
 ;;    (defn ^:export test-uuid