address comments

Author: icecrasher321

apps/sim/app/api/organizations/[id]/members/[memberId]/route.ts

@@ -8,7 +8,10 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { setActiveOrganizationForCurrentSession } from '@/lib/auth/active-organization'
 import { getUserUsageData } from '@/lib/billing/core/usage'
-import { removeUserFromOrganization } from '@/lib/billing/organizations/membership'
+import {
+  removeExternalUserFromOrganizationWorkspaces,
+  removeUserFromOrganization,
+} from '@/lib/billing/organizations/membership'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
 const logger = createLogger('OrganizationMemberAPI')
@@ -311,7 +314,68 @@ export const DELETE = withRouteHandler(
         .limit(1)
 
       if (targetMember.length === 0) {
-        return NextResponse.json({ error: 'Member not found' }, { status: 404 })
+        const [targetUser] = await db
+          .select({ id: user.id, email: user.email, name: user.name })
+          .from(user)
+          .where(eq(user.id, targetUserId))
+          .limit(1)
+
+        if (!targetUser) {
+          return NextResponse.json({ error: 'Member not found' }, { status: 404 })
+        }
+
+        const externalResult = await removeExternalUserFromOrganizationWorkspaces({
+          userId: targetUserId,
+          organizationId,
+        })
+
+        if (!externalResult.success) {
+          return NextResponse.json(
+            { error: externalResult.error || 'External workspace member not found' },
+            { status: externalResult.error === 'External workspace member not found' ? 404 : 500 }
+          )
+        }
+
+        logger.info('External workspace member removed from organization workspaces', {
+          organizationId,
+          removedMemberId: targetUserId,
+          removedBy: session.user.id,
+          workspaceAccessRevoked: externalResult.workspaceAccessRevoked,
+          permissionGroupsRevoked: externalResult.permissionGroupsRevoked,
+        })
+
+        recordAudit({
+          workspaceId: null,
+          actorId: session.user.id,
+          action: AuditAction.ORG_MEMBER_REMOVED,
+          resourceType: AuditResourceType.ORGANIZATION,
+          resourceId: organizationId,
+          actorName: session.user.name ?? undefined,
+          actorEmail: session.user.email ?? undefined,
+          description: `Removed external workspace member ${targetUserId} from organization`,
+          metadata: {
+            targetUserId,
+            targetEmail: targetUser.email ?? undefined,
+            targetName: targetUser.name ?? undefined,
+            membershipType: 'external',
+            workspaceAccessRevoked: externalResult.workspaceAccessRevoked,
+            permissionGroupsRevoked: externalResult.permissionGroupsRevoked,
+          },
+          request,
+        })
+
+        return NextResponse.json({
+          success: true,
+          message: 'External member removed successfully',
+          data: {
+            removedMemberId: targetUserId,
+            removedBy: session.user.id,
+            removedAt: new Date().toISOString(),
+            membershipType: 'external',
+            workspaceAccessRevoked: externalResult.workspaceAccessRevoked,
+            permissionGroupsRevoked: externalResult.permissionGroupsRevoked,
+          },
+        })
       }
 
       const result = await removeUserFromOrganization({

apps/sim/app/api/organizations/[id]/roster/route.ts

@@ -8,7 +8,7 @@ import {
   workspace,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq, inArray, ne, sql } from 'drizzle-orm'
+import { and, eq, inArray, isNull, ne, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
@@ -118,6 +118,75 @@ export const GET = withRouteHandler(
         workspaces: permissionsByUser.get(row.userId) ?? [],
       }))
 
+      const externalPermissionRows =
+        orgWorkspaceIds.length > 0
+          ? await db
+              .select({
+                userId: user.id,
+                userName: user.name,
+                userEmail: user.email,
+                userImage: user.image,
+                workspaceId: permissions.entityId,
+                permission: permissions.permissionType,
+                createdAt: permissions.createdAt,
+              })
+              .from(permissions)
+              .innerJoin(user, eq(permissions.userId, user.id))
+              .leftJoin(
+                member,
+                and(eq(member.userId, user.id), eq(member.organizationId, organizationId))
+              )
+              .where(
+                and(
+                  eq(permissions.entityType, 'workspace'),
+                  inArray(permissions.entityId, orgWorkspaceIds),
+                  isNull(member.id)
+                )
+              )
+          : []
+
+      const externalMembersByUser = new Map<
+        string,
+        {
+          memberId: string
+          userId: string
+          role: 'external'
+          createdAt: Date
+          name: string
+          email: string
+          image: string | null
+          workspaces: RosterWorkspaceAccess[]
+        }
+      >()
+
+      for (const row of externalPermissionRows) {
+        const existing = externalMembersByUser.get(row.userId)
+        const workspaceAccess: RosterWorkspaceAccess = {
+          workspaceId: row.workspaceId,
+          workspaceName: workspaceNameById.get(row.workspaceId) ?? 'Workspace',
+          permission: row.permission,
+        }
+
+        if (existing) {
+          existing.workspaces.push(workspaceAccess)
+          if (row.createdAt < existing.createdAt) existing.createdAt = row.createdAt
+          continue
+        }
+
+        externalMembersByUser.set(row.userId, {
+          memberId: `external-${row.userId}`,
+          userId: row.userId,
+          role: 'external',
+          createdAt: row.createdAt,
+          name: row.userName,
+          email: row.userEmail,
+          image: row.userImage,
+          workspaces: [workspaceAccess],
+        })
+      }
+
+      const rosterMembers = [...members, ...externalMembersByUser.values()]
+
       const pendingInvitationRows = await db
         .select({
           id: invitation.id,
@@ -180,7 +249,7 @@ export const GET = withRouteHandler(
       return NextResponse.json({
         success: true,
         data: {
-          members,
+          members: rosterMembers,
           pendingInvitations,
           workspaces: orgWorkspaces,
         },

apps/sim/app/workspace/[workspaceId]/settings/components/team-management/components/organization-roster/organization-roster.tsx

@@ -521,6 +521,7 @@ export function OrganizationRoster({
                 const rowKey = `member-${m.memberId}`
                 const expanded = expandedRows.has(rowKey)
                 const isSelf = m.email === currentUserEmail
+                const isExternal = m.role === 'external'
                 const credits = memberCredits[m.userId] ?? 0
                 const canRemove = isAdminOrOwner && m.role !== 'owner' && !isSelf
                 const canTransferAndLeave = isSelf && m.role === 'owner' && !!onTransferOwnership
@@ -545,7 +546,10 @@ export function OrganizationRoster({
                         </button>
                       </TableCell>
                       <TableCell>
-                        {m.role === 'owner' || !canEditRoles || m.userId === currentUserId ? (
+                        {m.role === 'owner' ||
+                        isExternal ||
+                        !canEditRoles ||
+                        m.userId === currentUserId ? (
                           <RoleBadge role={m.role} />
                         ) : (
                           <OrgRoleSelector

apps/sim/app/workspace/[workspaceId]/settings/components/team-management/components/remove-member-dialog/remove-member-dialog.tsx

@@ -13,6 +13,7 @@ interface RemoveMemberDialogProps {
   memberName: string
   shouldReduceSeats: boolean
   isSelfRemoval?: boolean
+  isExternalRemoval?: boolean
   error?: Error | null
   onOpenChange: (open: boolean) => void
   onShouldReduceSeatsChange: (shouldReduce: boolean) => void
@@ -30,15 +31,29 @@ export function RemoveMemberDialog({
   onConfirmRemove,
   onCancel,
   isSelfRemoval = false,
+  isExternalRemoval = false,
 }: RemoveMemberDialogProps) {
+  const title = isSelfRemoval
+    ? 'Leave Organization'
+    : isExternalRemoval
+      ? 'Remove External Member'
+      : 'Remove Team Member'
+
   return (
     <Modal open={open} onOpenChange={onOpenChange}>
       <ModalContent size='sm'>
-        <ModalHeader>{isSelfRemoval ? 'Leave Organization' : 'Remove Team Member'}</ModalHeader>
+        <ModalHeader>{title}</ModalHeader>
         <ModalBody>
           <p className='text-[var(--text-secondary)]'>
             {isSelfRemoval ? (
               'Are you sure you want to leave this organization? You will lose access to all team resources.'
+            ) : isExternalRemoval ? (
+              <>
+                Are you sure you want to remove{' '}
+                <span className='font-medium text-[var(--text-primary)]'>{memberName}</span> from
+                all organization workspaces? Their workspace access and workspace credential access
+                will be revoked.
+              </>
             ) : (
               <>
                 Are you sure you want to remove{' '}
@@ -49,7 +64,7 @@ export function RemoveMemberDialog({
             This action cannot be undone.
           </p>
 
-          {!isSelfRemoval && (
+          {!isSelfRemoval && !isExternalRemoval && (
             <div className='mt-4'>
               <div className='flex items-center gap-2'>
                 <Checkbox
@@ -80,7 +95,10 @@ export function RemoveMemberDialog({
           <Button variant='default' onClick={onCancel}>
             Cancel
           </Button>
-          <Button variant='destructive' onClick={() => onConfirmRemove(shouldReduceSeats)}>
+          <Button
+            variant='destructive'
+            onClick={() => onConfirmRemove(isExternalRemoval ? false : shouldReduceSeats)}
+          >
             {isSelfRemoval ? 'Leave Organization' : 'Remove'}
           </Button>
         </ModalFooter>

apps/sim/app/workspace/[workspaceId]/settings/components/team-management/team-management.tsx

@@ -8,12 +8,7 @@ import { getSubscriptionAccessState } from '@/lib/billing/client/utils'
 import { getPlanTierCredits, getPlanTierDollars } from '@/lib/billing/plan-helpers'
 import { checkEnterprisePlan } from '@/lib/billing/subscriptions/utils'
 import { getBaseUrl } from '@/lib/core/utils/urls'
-import {
-  generateSlug,
-  getUsedSeats,
-  isAdminOrOwner,
-  type Member,
-} from '@/lib/workspaces/organization'
+import { generateSlug, isAdminOrOwner, type Member } from '@/lib/workspaces/organization'
 import {
   MemberInvitationCard,
   NoOrganizationView,
@@ -93,6 +88,7 @@ export function TeamManagement() {
     memberName: string
     shouldReduceSeats: boolean
     isSelfRemoval?: boolean
+    isExternalRemoval?: boolean
   }>({ open: false, memberId: '', memberName: '', shouldReduceSeats: false })
   const [transferDialogOpen, setTransferDialogOpen] = useState(false)
   const [transferPortalError, setTransferPortalError] = useState<string | null>(null)
@@ -108,8 +104,8 @@ export function TeamManagement() {
   )
 
   const adminOrOwner = isAdminOrOwner(organization, session?.user?.email)
-  const usedSeats = getUsedSeats(organization)
   const totalSeats = organizationBillingData?.data?.totalSeats ?? 0
+  const usedSeats = organizationBillingData?.data?.usedSeats ?? 0
 
   useEffect(() => {
     if ((hasTeamPlan || hasEnterprisePlan) && session?.user?.name && !orgName) {
@@ -209,6 +205,7 @@ export function TeamManagement() {
         memberName: displayName,
         shouldReduceSeats: false,
         isSelfRemoval: isLeavingSelf,
+        isExternalRemoval: member.role === 'external',
       })
     },
     [session?.user, activeOrganization?.id]
@@ -230,6 +227,7 @@ export function TeamManagement() {
           memberId: '',
           memberName: '',
           shouldReduceSeats: false,
+          isExternalRemoval: false,
         })
 
         if (isSelfRemoval) {
@@ -446,7 +444,7 @@ export function TeamManagement() {
           subscriptionData={subscriptionData || null}
           isLoadingSubscription={isLoadingSubscription}
           totalSeats={totalSeats}
-          usedSeats={usedSeats.used}
+          usedSeats={usedSeats}
           isLoading={isLoading}
           onAddSeatDialog={handleAddSeatDialog}
         />
@@ -466,7 +464,7 @@ export function TeamManagement() {
             onLoadUserWorkspaces={async () => {}}
             onWorkspaceToggle={handleWorkspaceToggle}
             inviteSuccess={inviteSuccess}
-            availableSeats={Math.max(0, totalSeats - usedSeats.used)}
+            availableSeats={Math.max(0, totalSeats - usedSeats)}
             maxSeats={totalSeats}
             invitationError={inviteMutation.error}
             isLoadingWorkspaces={isLoadingWorkspaces}
@@ -505,6 +503,7 @@ export function TeamManagement() {
         memberName={removeMemberDialog.memberName}
         shouldReduceSeats={removeMemberDialog.shouldReduceSeats}
         isSelfRemoval={removeMemberDialog.isSelfRemoval}
+        isExternalRemoval={removeMemberDialog.isExternalRemoval}
         error={removeMemberMutation.error}
         onOpenChange={(open: boolean) => {
           if (!open) setRemoveMemberDialog({ ...removeMemberDialog, open: false })
@@ -523,6 +522,7 @@ export function TeamManagement() {
             memberName: '',
             shouldReduceSeats: false,
             isSelfRemoval: false,
+            isExternalRemoval: false,
           })
         }
       />

apps/sim/hooks/queries/organization.ts

@@ -33,7 +33,7 @@ export type RosterWorkspaceAccess = {
 export type RosterMember = {
   memberId: string
   userId: string
-  role: string
+  role: 'owner' | 'admin' | 'member' | 'external'
   createdAt: string
   name: string
   email: string

apps/sim/lib/billing/core/organization.ts

@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
-import { member, organization, user, userStats } from '@sim/db/schema'
+import { invitation, member, organization, user, userStats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { and, count, eq, gt, ne } from 'drizzle-orm'
 import { isOrganizationBillingBlocked } from '@/lib/billing/core/access'
 import { getOrganizationSubscription, getPlanPricing } from '@/lib/billing/core/billing'
 import {
@@ -172,6 +172,19 @@ export async function getOrganizationBillingData(
 
     const averageUsagePerMember = members.length > 0 ? totalCurrentUsage / members.length : 0
 
+    const [pendingInvitationCount] = await db
+      .select({ count: count() })
+      .from(invitation)
+      .where(
+        and(
+          eq(invitation.organizationId, organizationId),
+          eq(invitation.status, 'pending'),
+          ne(invitation.membershipIntent, 'external'),
+          gt(invitation.expiresAt, new Date())
+        )
+      )
+    const usedSeats = members.length + (pendingInvitationCount?.count ?? 0)
+
     const billingPeriodStart = subscription.periodStart || null
     const billingPeriodEnd = subscription.periodEnd || null
 
@@ -181,7 +194,7 @@ export async function getOrganizationBillingData(
       subscriptionPlan: subscription.plan,
       subscriptionStatus: subscription.status || 'inactive',
       totalSeats: effectiveSeats,
-      usedSeats: members.length,
+      usedSeats,
       seatsCount: licensedSeats,
       totalCurrentUsage: roundCurrency(totalCurrentUsage),
       totalUsageLimit: roundCurrency(totalUsageLimit),