feat(auth): auto-join organizations for self-hosted mode

When running in self-hosted mode with autoJoinOrganizations enabled:
- First user signup creates a 'default' team organization (user becomes owner)
- Subsequent users are automatically added as members to all existing team orgs

The auto-join logic is in a separate querier method (autoJoinTeamOrganizations)
called from the auth handlers, keeping insertUser focused on user creation.

Author: kylecarbs

bun.lock

@@ -302,6 +302,11 @@ async function handleOAuthCallback(
       password: null,
     });
 
+    // Auto-join team organizations (self-hosted mode)
+    if (c.env.autoJoinOrganizations) {
+      await db.autoJoinTeamOrganizations(user.id);
+    }
+
     // consume single-use invite (mark accepted)
     if (usedInviteId) {
       try {
@@ -926,6 +931,11 @@ export default function mountAuth(server: APIServer) {
         email_verified: emailVerified,
       });
 
+      // Auto-join team organizations (self-hosted mode)
+      if (c.env.autoJoinOrganizations) {
+        await db.autoJoinTeamOrganizations(user.id);
+      }
+
       // Sync user to telemetry system (async, don't block)
       if (c.env.sendTelemetryEvent) {
         c.env

internal/api/src/routes/auth/auth.server.ts

@@ -236,6 +236,9 @@ export interface Bindings {
 
   readonly serverVersion: string;
 
+  /** When true, auto-add new users to all existing team organizations (self-hosted mode) */
+  readonly autoJoinOrganizations?: boolean;
+
   // Optional AWS credentials used by platform logging to CloudWatch
   readonly AWS_ACCESS_KEY_ID?: string;
   readonly AWS_SECRET_ACCESS_KEY?: string;

internal/api/src/server.ts

@@ -200,6 +200,47 @@ export default class Querier {
   }
 
   // selectUserByID fetches a user by their ID.
+
+  // autoJoinTeamOrganizations handles auto-join logic for self-hosted deployments.
+  // If no team organizations exist, creates a "default" org with the user as owner.
+  // Otherwise, adds the user as a member to all existing team organizations.
+  public async autoJoinTeamOrganizations(userId: string): Promise<void> {
+    await this.tx(async (tx) => {
+      // Get all existing team organizations
+      const teamOrgs = await tx.db
+        .select({ id: organization.id })
+        .from(organization)
+        .where(eq(organization.kind, "organization"));
+
+      if (teamOrgs.length === 0) {
+        // First user: create default org, make them owner
+        const [defaultOrg] = await tx.db
+          .insert(organization)
+          .values({
+            name: "default",
+            kind: "organization",
+            created_by: userId,
+          })
+          .returning();
+
+        await tx.db.insert(organization_membership).values({
+          organization_id: defaultOrg!.id,
+          user_id: userId,
+          role: "owner",
+        });
+      } else {
+        // Subsequent users: add as member to all existing team orgs
+        await tx.db.insert(organization_membership).values(
+          teamOrgs.map((org) => ({
+            organization_id: org.id,
+            user_id: userId,
+            role: "member" as const,
+          }))
+        );
+      }
+    });
+  }
+
   public async selectUserByID(
     id: string
   ): Promise<UserWithPersonalOrganization | undefined> {

internal/database/src/querier.ts

@@ -130,6 +130,7 @@ export async function startServer(options: ServerOptions) {
           {
             AUTH_SECRET: authSecret,
             NODE_ENV: "development",
+            autoJoinOrganizations: true,
             serverVersion: pkg.version,
             ONBOARDING_AGENT_BUNDLE_URL:
               "https://artifacts.blink.host/starter-agent/bundle.tar.gz",