First application slice

Controlled onboarding before budget workflows.

This baseline keeps signup closed, binds every active session to one organization, and makes invite, accept, recovery, deactivation, and audit flows explicit before any construction-budget domain logic lands.

Open sign-in Accept an invitation Manage members

Authentication

Email and password, but invite-first.

Accounts are activated from a valid invitation and then authenticated against Supabase Auth.

Authorization

Single organization, three roles.

Owner, admin, and member are enforced from application membership state rather than token decoration.

Audit

No direct delete path.

Invite, resend, revoke, deactivate, reactivate, and role-change actions stay recoverable and logged.