feat(db): mesh data model — meshes, members, invites, audit log

- pgSchema "mesh" with 4 tables isolating the peer mesh domain
- Enums: visibility, transport, tier, role
- audit_log is metadata-only (E2E encryption enforced at broker/client)
- Cascade on mesh delete, soft-delete via archivedAt/revokedAt

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/web/src/app/[locale]/auth/error/page.tsx

@@ -0,0 +1,38 @@
+import { getTranslation } from "@turbostarter/i18n/server";
+import { Icons } from "@turbostarter/ui-web/icons";
+
+import { pathsConfig } from "~/config/paths";
+import { TurboLink } from "~/modules/common/turbo-link";
+
+const AuthError = async ({
+  searchParams,
+}: {
+  searchParams: Promise<{ error?: string }>;
+}) => {
+  const { error } = await searchParams;
+  const { t } = await getTranslation({ ns: ["common", "auth"] });
+
+  return (
+    <div className="flex flex-col items-center justify-center gap-4">
+      <Icons.CircleX className="text-destructive size-24" strokeWidth={1.2} />
+      <h1 className="text-center text-2xl font-semibold">
+        {t("error.general")}
+      </h1>
+
+      {error && (
+        <code className="bg-muted rounded-md px-2 py-0.5 font-mono">
+          {error}
+        </code>
+      )}
+
+      <TurboLink
+        href={pathsConfig.auth.login}
+        className="text-muted-foreground hover:text-primary mt-3 text-sm font-medium underline underline-offset-4"
+      >
+        {t("goToLogin")}
+      </TurboLink>
+    </div>
+  );
+};
+
+export default AuthError;

apps/web/src/app/[locale]/auth/join/page.tsx

@@ -0,0 +1,65 @@
+import { notFound, redirect } from "next/navigation";
+
+import { handle } from "@turbostarter/api/utils";
+
+import { pathsConfig } from "~/config/paths";
+import { api } from "~/lib/api/server";
+import { getInvitation, getSession } from "~/lib/auth/server";
+import { getMetadata } from "~/lib/metadata";
+import { Invitation } from "~/modules/organization/invitations/invitation";
+import { InvitationEmailMismatch } from "~/modules/organization/invitations/invitation-email-mismatch";
+import { InvitationExpired } from "~/modules/organization/invitations/invitation-expired";
+
+export const generateMetadata = getMetadata({
+  title: "organization:join.title",
+  description: "organization:join.description",
+});
+
+export default async function JoinPage({
+  searchParams,
+}: {
+  searchParams: Promise<{ invitationId?: string; email?: string }>;
+}) {
+  const { invitationId, email } = await searchParams;
+
+  if (!invitationId) {
+    return notFound();
+  }
+
+  const { user } = await getSession();
+
+  if (!user) {
+    const searchParams = new URLSearchParams();
+    searchParams.set("invitationId", invitationId);
+    if (email) searchParams.set("email", email);
+    searchParams.set(
+      "redirectTo",
+      `${pathsConfig.auth.join}?${searchParams.toString()}`,
+    );
+    return redirect(`${pathsConfig.auth.login}?${searchParams.toString()}`);
+  }
+
+  const invitation = await getInvitation({ id: invitationId });
+
+  if (invitation) {
+    const { organization } = await handle(api.organizations[":id"].$get)({
+      param: {
+        id: invitation.organizationId,
+      },
+    });
+
+    if (!organization) {
+      return notFound();
+    }
+
+    return <Invitation invitation={invitation} organization={organization} />;
+  }
+
+  if (email && user.email !== email) {
+    return (
+      <InvitationEmailMismatch invitationId={invitationId} email={email} />
+    );
+  }
+
+  return <InvitationExpired />;
+}

apps/web/src/app/[locale]/auth/layout.tsx

@@ -0,0 +1,35 @@
+import { getTranslation } from "@turbostarter/i18n/server";
+import { Icons } from "@turbostarter/ui-web/icons";
+
+import { pathsConfig } from "~/config/paths";
+import { TurboLink } from "~/modules/common/turbo-link";
+
+export default async function AuthLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  const { t } = await getTranslation({ ns: "common" });
+
+  return (
+    <main className="grid h-full w-full flex-1 lg:grid-cols-2">
+      <section className="flex h-full flex-col items-center justify-center p-6 lg:p-10">
+        <header className="text-navy -mt-1 mb-auto flex self-start justify-self-start">
+          <TurboLink
+            href={pathsConfig.index}
+            className="flex shrink-0 items-center gap-3"
+            aria-label={t("home")}
+          >
+            <Icons.Logo className="text-primary h-8" />
+            <Icons.LogoText className="text-foreground h-4" />
+          </TurboLink>
+        </header>
+        <div className="mt-16 mb-auto flex w-full max-w-md flex-col gap-6 pb-16">
+          {children}
+        </div>
+      </section>
+
+      <aside className="bg-muted hidden flex-1 lg:block"></aside>
+    </main>
+  );
+}

apps/web/src/app/[locale]/auth/login/page.tsx

@@ -0,0 +1,28 @@
+import { getMetadata } from "~/lib/metadata";
+import { LoginFlow } from "~/modules/auth/login";
+
+export const generateMetadata = getMetadata({
+  title: "auth:login.title",
+});
+
+const Login = async ({
+  searchParams,
+}: {
+  searchParams: Promise<{
+    redirectTo?: string;
+    invitationId?: string;
+    email?: string;
+  }>;
+}) => {
+  const { redirectTo, invitationId, email } = await searchParams;
+
+  return (
+    <LoginFlow
+      redirectTo={redirectTo}
+      invitationId={invitationId}
+      email={email}
+    />
+  );
+};
+
+export default Login;

apps/web/src/app/[locale]/auth/password/forgot/page.tsx

@@ -0,0 +1,24 @@
+import { getTranslation } from "@turbostarter/i18n/server";
+
+import { getMetadata } from "~/lib/metadata";
+import { ForgotPasswordForm } from "~/modules/auth/form/password/forgot";
+import { AuthHeader } from "~/modules/auth/layout/header";
+
+export const generateMetadata = getMetadata({
+  title: "auth:account.password.forgot.title",
+});
+
+const ForgotPassword = async () => {
+  const { t } = await getTranslation({ ns: "auth" });
+  return (
+    <>
+      <AuthHeader
+        title={t("account.password.forgot.header.title")}
+        description={t("account.password.forgot.header.description")}
+      />
+      <ForgotPasswordForm />
+    </>
+  );
+};
+
+export default ForgotPassword;

apps/web/src/app/[locale]/auth/password/update/page.tsx

@@ -0,0 +1,32 @@
+import { getTranslation } from "@turbostarter/i18n/server";
+
+import { getMetadata } from "~/lib/metadata";
+import { UpdatePasswordForm } from "~/modules/auth/form/password/update";
+import { AuthHeader } from "~/modules/auth/layout/header";
+
+export const generateMetadata = getMetadata({
+  title: "auth:account.password.update.title",
+});
+
+interface UpdatePasswordPageProps {
+  readonly searchParams: Promise<{
+    readonly token?: string;
+  }>;
+}
+
+const UpdatePassword = async ({ searchParams }: UpdatePasswordPageProps) => {
+  const token = (await searchParams).token;
+  const { t } = await getTranslation({ ns: "auth" });
+
+  return (
+    <>
+      <AuthHeader
+        title={t("account.password.update.header.title")}
+        description={t("account.password.update.header.description")}
+      />
+      <UpdatePasswordForm token={token} />
+    </>
+  );
+};
+
+export default UpdatePassword;

apps/web/src/app/[locale]/auth/register/page.tsx

@@ -0,0 +1,50 @@
+import { getTranslation } from "@turbostarter/i18n/server";
+
+import { authConfig } from "~/config/auth";
+import { getMetadata } from "~/lib/metadata";
+import { AnonymousLogin } from "~/modules/auth/form/anonymous";
+import { LoginCta } from "~/modules/auth/form/login/form";
+import { RegisterForm } from "~/modules/auth/form/register-form";
+import { SocialProviders } from "~/modules/auth/form/social-providers";
+import { AuthDivider } from "~/modules/auth/layout/divider";
+import { AuthHeader } from "~/modules/auth/layout/header";
+import { InvitationDisclaimer } from "~/modules/auth/layout/invitation-disclaimer";
+
+export const generateMetadata = getMetadata({
+  title: "auth:register.title",
+});
+
+const Register = async ({
+  searchParams,
+}: {
+  searchParams: Promise<{
+    redirectTo?: string;
+    invitationId?: string;
+    email?: string;
+  }>;
+}) => {
+  const { redirectTo, invitationId, email } = await searchParams;
+  const { t } = await getTranslation({ ns: "auth" });
+
+  return (
+    <>
+      <AuthHeader
+        title={t("register.header.title")}
+        description={t("register.header.description")}
+      />
+      {invitationId && <InvitationDisclaimer />}
+      <SocialProviders
+        providers={authConfig.providers.oAuth}
+        redirectTo={redirectTo}
+      />
+      {authConfig.providers.oAuth.length > 0 && <AuthDivider />}
+      <div className="flex flex-col gap-2">
+        <RegisterForm redirectTo={redirectTo} email={email} />
+        {authConfig.providers.anonymous && <AnonymousLogin />}
+      </div>
+      <LoginCta />
+    </>
+  );
+};
+
+export default Register;