> ## Documentation Index
> Fetch the complete documentation index at: https://docs.auction-rise.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Workspaces

> Multi-tenant workspace architecture with role-based access control and RLS enforcement.

# Workspaces

Workspaces are the top-level multi-tenant containers in the template. Each workspace has its own members, settings, and data — all isolated from other workspaces via Supabase Row Level Security (RLS).

## Creating a Workspace

1. Click the workspace switcher in the sidebar header.
2. Select **Create Workspace**.
3. Enter a name — the URL slug is generated automatically.
4. Click **Create**.

You become the **Owner** of any workspace you create.

## Switching Workspaces

The `SidebarWorkspaceSwitcher` component persists your active workspace to a cookie (`active_workspace_id`). All navigation and data fetches are scoped to the active workspace.

## Role Hierarchy

Three roles are supported: **Owner**, **Admin**, and **Member**.

| Permission                | Owner    | Admin            | Member |
| ------------------------- | -------- | ---------------- | ------ |
| View workspace            | Yes      | Yes              | Yes    |
| View members              | Yes      | Yes              | Yes    |
| Update workspace settings | Yes      | Yes              | No     |
| Delete workspace          | Yes      | No               | No     |
| Invite members            | Yes      | Yes              | No     |
| Remove members            | Yes      | Admins only\*    | No     |
| Change roles              | Yes      | Members only\*\* | No     |
| Transfer ownership        | Yes      | No               | No     |
| Leave workspace           | No\*\*\* | Yes              | Yes    |

\* Admins can only remove members, not other admins or owners.
\*\* Admins can only promote/demote members, not admin or owner roles.
\*\*\* Owners must transfer ownership before they can leave.

## Server Actions

All workspace operations live in `@/lib/workspaces/actions`:

```typescript theme={null}
import {
  createWorkspace,
  getWorkspaces,
  getWorkspace,
  updateWorkspace,
  deleteWorkspace,
  getWorkspaceMembers,
  updateMemberRole,
  removeMember,
  leaveWorkspace,
  transferOwnership,
} from "@/lib/workspaces/actions";
```

Permission checks live in `@/lib/workspaces/role-utils` (pure functions, safe for client-side use) and `@/lib/workspaces/roles` (server actions that query the database).

## Workspace Context

Access the active workspace in any Client Component:

```typescript theme={null}
import { useWorkspace } from "@/lib/workspaces/context";

export function MyComponent() {
  const { activeWorkspace, workspaces, setActiveWorkspace, isLoading } = useWorkspace();
  return <p>Active: {activeWorkspace?.name}</p>;
}
```

## RLS Enforcement

All workspace-scoped tables use RLS policies that call the `is_workspace_member(workspace_id)` SQL helper. No data is accessible without a valid session and matching membership row.

<Warning>
  Never use the admin Supabase client to fetch workspace-scoped user data in a context where cross-workspace leakage would be a problem — the admin client bypasses RLS.
</Warning>

## Settings

Owners and admins can navigate to **Workspace Settings** to update the workspace name. The **Danger Zone** (delete workspace) is visible only to owners. The **Members** tab exposes the `MembersManagement` component for role changes, removal, and ownership transfer.
