Gate private collaboration expansion

Status	File	+	-
M	`internal/entitlements/private_collaboration.go`	19	1
M	`internal/entitlements/private_collaboration_test.go`	2	1
M	`internal/orgs/invitations.go`	24	0
M	`internal/orgs/members.go`	19	0
A	`internal/orgs/private_collaboration_test.go`	102	0
M	`internal/orgs/teams.go`	15	0
M	`internal/repos/create.go`	10	0
M	`internal/repos/create_test.go`	43	0
M	`internal/repos/lifecycle/lifecycle_test.go`	46	0
M	`internal/repos/lifecycle/visibility.go`	10	0
M	`internal/web/handlers/api/collaborators.go`	11	0
M	`internal/web/handlers/api/repos.go`	7	0
M	`internal/web/handlers/orgs/orgs.go`	23	0
M	`internal/web/handlers/orgs/teams.go`	18	3
M	`internal/web/handlers/repo/lifecycle.go`	3	0
M	`internal/web/handlers/repo/repo.go`	3	0
M	`internal/web/templates/orgs/people.html`	1	0

internal/entitlements/private_collaboration.gomodified

  	Reason       Reason
+ }
++type PrivateCollaborationLimitError struct {
++	Check PrivateCollaborationCheck
++}
++
++func (e *PrivateCollaborationLimitError) Error() string {
++	if e == nil {
++		return ErrPrivateCollaborationLimitExceeded.Error()
++	}
++	if msg := e.Check.Message(); msg != "" {
++		return msg
++	}
++	return ErrPrivateCollaborationLimitExceeded.Error()
++}
++
++func (e *PrivateCollaborationLimitError) Unwrap() error {
++	return ErrPrivateCollaborationLimitExceeded
++}
++
  func PrivateCollaborationUsageForOrg(ctx context.Context, deps Deps, orgID int64) (PrivateCollaborationUsage, error) {
  	usage, _, err := privateCollaborationUsageWithIDs(ctx, deps, orgID)
  	return usage, err
  	if c.Allowed {
  		return nil
+ 	}
--	return ErrPrivateCollaborationLimitExceeded
++	return &PrivateCollaborationLimitError{Check: c}
+ }
  func (c PrivateCollaborationCheck) Message() string {

internal/entitlements/private_collaboration_test.gomodified

  import (
  	"context"
++	"errors"
  	"strings"
  	"testing"
  	"time"
  	if err != nil {
  		t.Fatalf("blocked expansion: %v", err)
  	}
--	if check.Allowed || check.WouldUse != 4 || check.Err() != entitlements.ErrPrivateCollaborationLimitExceeded {
++	if check.Allowed || check.WouldUse != 4 || !errors.Is(check.Err(), entitlements.ErrPrivateCollaborationLimitExceeded) {
  		t.Fatalf("three-user free expansion check = %+v, want blocked", check)
  	}
  	if !strings.Contains(check.Message(), "up to 3 private collaborators") {

internal/orgs/invitations.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/email"
  	"github.com/tenseleyFlow/shithub/internal/auth/token"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
  	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
+ )
  	} else if !errors.Is(err, pgx.ErrNoRows) {
  		return InviteResult{}, err
+ 	}
++	if role == orgsdb.OrgRoleOwner {
++		var check entitlements.PrivateCollaborationCheck
++		if targetUserID.Valid {
++			check, err = entitlements.CheckOrgOwnerPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, p.OrgID, targetUserID.Int64)
++		} else {
++			check, err = entitlements.CheckPrivateInvitationSlot(ctx, entitlements.Deps{Pool: deps.Pool}, p.OrgID)
++		}
++		if err != nil {
++			return InviteResult{}, err
++		}
++		if err := check.Err(); err != nil {
++			return InviteResult{}, err
++		}
++	}
  	tokEnc, tokHash, err := token.New()
  	if err != nil {
  			return ErrUnauthorizedAcceptor
+ 		}
+ 	}
++	if inv.Role == orgsdb.OrgRoleOwner {
++		check, err := entitlements.CheckOrgOwnerPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, inv.OrgID, acceptorUserID)
++		if err != nil {
++			return err
++		}
++		if err := check.Err(); err != nil {
++			return err
++		}
++	}
  	tx, err := deps.Pool.Begin(ctx)
  	if err != nil {

internal/orgs/members.gomodified

  	"github.com/jackc/pgx/v5"
  	"github.com/jackc/pgx/v5/pgtype"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
+ )
  	if err != nil {
  		return err
+ 	}
++	if r == orgsdb.OrgRoleOwner {
++		check, err := entitlements.CheckOrgOwnerPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, orgID, userID)
++		if err != nil {
++			return err
++		}
++		if err := check.Err(); err != nil {
++			return err
++		}
++	}
  	tx, err := deps.Pool.Begin(ctx)
  	if err != nil {
  		return err
  			return ErrLastOwner
+ 		}
+ 	}
++	if current.Role != orgsdb.OrgRoleOwner && r == orgsdb.OrgRoleOwner {
++		check, err := entitlements.CheckOrgOwnerPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, orgID, userID)
++		if err != nil {
++			return err
++		}
++		if err := check.Err(); err != nil {
++			return err
++		}
++	}
  	return q.ChangeOrgMemberRole(ctx, deps.Pool, orgsdb.ChangeOrgMemberRoleParams{
  		OrgID: orgID, UserID: userID, Role: r,
  	})

internal/orgs/private_collaboration_test.goadded

++// SPDX-License-Identifier: AGPL-3.0-or-later
++
++package orgs_test
++
++import (
++	"context"
++	"errors"
++	"testing"
++
++	"github.com/jackc/pgx/v5/pgtype"
++
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
++	"github.com/tenseleyFlow/shithub/internal/orgs"
++	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
++)
++
++func TestOwnerExpansionRespectsPrivateCollaborationLimit(t *testing.T) {
++	pool, deps, alice := setup(t)
++	ctx := context.Background()
++	org, err := orgs.Create(ctx, deps, orgs.CreateParams{Slug: "acme", CreatedByUserID: alice})
++	if err != nil {
++		t.Fatalf("create org: %v", err)
++	}
++	repo := mustOrgRepo(t, pool, org.ID, "secret", "private")
++	insertDirectCollab(t, pool, repo.ID, mustUser(t, pool, "bob"))
++	insertDirectCollab(t, pool, repo.ID, mustUser(t, pool, "carol"))
++
++	dave := mustUser(t, pool, "dave")
++	if err := orgs.AddMember(ctx, deps, org.ID, dave, alice, "owner"); !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++		t.Fatalf("AddMember owner err=%v, want private collaboration limit", err)
++	}
++	if err := orgs.AddMember(ctx, deps, org.ID, dave, alice, "member"); err != nil {
++		t.Fatalf("plain member add should not expand private collaboration: %v", err)
++	}
++	if err := orgs.ChangeRole(ctx, deps, org.ID, dave, "owner"); !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++		t.Fatalf("ChangeRole owner err=%v, want private collaboration limit", err)
++	}
++}
++
++func TestTeamExpansionRespectsPrivateCollaborationLimit(t *testing.T) {
++	pool, deps, alice := setup(t)
++	ctx := context.Background()
++	org, err := orgs.Create(ctx, deps, orgs.CreateParams{Slug: "acme", CreatedByUserID: alice})
++	if err != nil {
++		t.Fatalf("create org: %v", err)
++	}
++	repo := mustOrgRepo(t, pool, org.ID, "secret", "private")
++	insertDirectCollab(t, pool, repo.ID, mustUser(t, pool, "bob"))
++	insertDirectCollab(t, pool, repo.ID, mustUser(t, pool, "carol"))
++
++	team, err := orgs.CreateTeam(ctx, deps, orgs.CreateTeamParams{OrgID: org.ID, Slug: "security", CreatedByUserID: alice})
++	if err != nil {
++		t.Fatalf("create team: %v", err)
++	}
++	if err := orgs.GrantTeamRepoAccess(ctx, deps, team.ID, repo.ID, alice, "read"); err != nil {
++		t.Fatalf("empty-team private grant should not expand private collaboration: %v", err)
++	}
++	dave := mustUser(t, pool, "dave")
++	if err := orgs.AddTeamMember(ctx, deps, team.ID, dave, alice, "member"); !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++		t.Fatalf("AddTeamMember err=%v, want private collaboration limit", err)
++	}
++
++	team2, err := orgs.CreateTeam(ctx, deps, orgs.CreateTeamParams{OrgID: org.ID, Slug: "ops", CreatedByUserID: alice})
++	if err != nil {
++		t.Fatalf("create second team: %v", err)
++	}
++	insertTeamMemberRaw(t, pool, team2.ID, dave)
++	if err := orgs.GrantTeamRepoAccess(ctx, deps, team2.ID, repo.ID, alice, "read"); !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++		t.Fatalf("GrantTeamRepoAccess err=%v, want private collaboration limit", err)
++	}
++	if err := orgs.RemoveTeamMember(ctx, deps, team2.ID, dave); err != nil {
++		t.Fatalf("cleanup remove team member should remain allowed: %v", err)
++	}
++}
++
++func mustOrgRepo(t *testing.T, db reposdb.DBTX, orgID int64, name, visibility string) reposdb.Repo {
++	t.Helper()
++	repo, err := reposdb.New().CreateRepo(context.Background(), db, reposdb.CreateRepoParams{
++		OwnerOrgID:    pgtype.Int8{Int64: orgID, Valid: true},
++		Name:          name,
++		Visibility:    reposdb.RepoVisibility(visibility),
++		DefaultBranch: "trunk",
++	})
++	if err != nil {
++		t.Fatalf("create org repo %s: %v", name, err)
++	}
++	return repo
++}
++
++func insertDirectCollab(t *testing.T, db reposdb.DBTX, repoID, userID int64) {
++	t.Helper()
++	if _, err := db.Exec(context.Background(), `INSERT INTO repo_collaborators (repo_id, user_id, role) VALUES ($1, $2, 'read')`, repoID, userID); err != nil {
++		t.Fatalf("insert direct collaborator: %v", err)
++	}
++}
++
++func insertTeamMemberRaw(t *testing.T, db reposdb.DBTX, teamID, userID int64) {
++	t.Helper()
++	if _, err := db.Exec(context.Background(), `INSERT INTO team_members (team_id, user_id, role) VALUES ($1, $2, 'member')`, teamID, userID); err != nil {
++		t.Fatalf("insert team member: %v", err)
++	}
++}

internal/orgs/teams.gomodified

  	"github.com/jackc/pgx/v5/pgconn"
  	"github.com/jackc/pgx/v5/pgtype"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
+ )
  	if err != nil {
  		return err
+ 	}
++	check, err := entitlements.CheckTeamMemberPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, teamID, userID)
++	if err != nil {
++		return err
++	}
++	if err := check.Err(); err != nil {
++		return err
++	}
  	return orgsdb.New().AddTeamMember(ctx, deps.Pool, orgsdb.AddTeamMemberParams{
  		TeamID:        teamID,
  		UserID:        userID,
  	if err != nil {
  		return err
+ 	}
++	check, err := entitlements.CheckTeamPrivateRepoGrant(ctx, entitlements.Deps{Pool: deps.Pool}, teamID, repoID)
++	if err != nil {
++		return err
++	}
++	if err := check.Err(); err != nil {
++		return err
++	}
  	return orgsdb.New().GrantTeamRepoAccess(ctx, deps.Pool, orgsdb.GrantTeamRepoAccessParams{
  		TeamID:        teamID,
  		RepoID:        repoID,

internal/repos/create.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/auth/throttle"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	"github.com/tenseleyFlow/shithub/internal/git/hooks"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	"github.com/tenseleyFlow/shithub/internal/issues"
  	default:
  		return Result{}, errors.New("repos: owner is XOR — set OwnerUserID OR OwnerOrgID, not both")
+ 	}
++	if p.OwnerOrgID != 0 && p.Visibility == "private" {
++		check, err := entitlements.CheckPrivateRepositoryCreation(ctx, entitlements.Deps{Pool: deps.Pool}, p.OwnerOrgID)
++		if err != nil {
++			return Result{}, err
++		}
++		if err := check.Err(); err != nil {
++			return Result{}, err
++		}
++	}
  	// Rate-limit per actor (NOT per owner) so a user can't bypass the
  	// per-account cap by spreading creates across orgs they manage.

internal/repos/create_test.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/auth/throttle"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	"github.com/tenseleyFlow/shithub/internal/orgs"
  	"github.com/tenseleyFlow/shithub/internal/repos"
  	return pool, deps, user.ID, user.Username, root
+ }
++func mustCreateRepoUser(t *testing.T, db usersdb.DBTX, username string) usersdb.User {
++	t.Helper()
++	user, err := usersdb.New().CreateUser(context.Background(), db, usersdb.CreateUserParams{
++		Username:     username,
++		DisplayName:  username,
++		PasswordHash: fixtureHash,
++	})
++	if err != nil {
++		t.Fatalf("CreateUser %s: %v", username, err)
++	}
++	return user
++}
++
  func TestCreate_EmptyRepo(t *testing.T) {
  	t.Parallel()
  	_, deps, uid, uname, root := setupCreateEnv(t)
+ 	}
+ }
++func TestCreate_PrivateOrgRepoRespectsCollaborationLimit(t *testing.T) {
++	t.Parallel()
++	pool, deps, uid, _, _ := setupCreateEnv(t)
++	ctx := context.Background()
++	org, err := orgs.Create(ctx, orgs.Deps{Pool: pool}, orgs.CreateParams{
++		Slug:            "acme",
++		CreatedByUserID: uid,
++	})
++	if err != nil {
++		t.Fatalf("create org: %v", err)
++	}
++	for _, name := range []string{"owner2", "owner3", "owner4"} {
++		user := mustCreateRepoUser(t, pool, name)
++		if _, err := pool.Exec(ctx, `INSERT INTO org_members (org_id, user_id, role) VALUES ($1, $2, 'owner')`, org.ID, user.ID); err != nil {
++			t.Fatalf("insert owner: %v", err)
++		}
++	}
++	_, err = repos.Create(ctx, deps, repos.Params{
++		OwnerOrgID:  org.ID,
++		OwnerSlug:   string(org.Slug),
++		ActorUserID: uid,
++		Name:        "secret",
++		Visibility:  "private",
++	})
++	if !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++		t.Fatalf("Create private org repo err=%v, want private collaboration limit", err)
++	}
++}
++
  func TestCreate_WithReadmeLicenseGitignore(t *testing.T) {
  	t.Parallel()
  	_, deps, uid, uname, _ := setupCreateEnv(t)

internal/repos/lifecycle/lifecycle_test.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/auth/throttle"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
++	"github.com/tenseleyFlow/shithub/internal/orgs"
  	"github.com/tenseleyFlow/shithub/internal/repos"
  	"github.com/tenseleyFlow/shithub/internal/repos/lifecycle"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
+ 	}
+ }
++func mustLifecycleUser(t *testing.T, db usersdb.DBTX, username string) usersdb.User {
++	t.Helper()
++	user, err := usersdb.New().CreateUser(context.Background(), db, usersdb.CreateUserParams{
++		Username:     username,
++		DisplayName:  username,
++		PasswordHash: fixtureHash,
++	})
++	if err != nil {
++		t.Fatalf("CreateUser %s: %v", username, err)
++	}
++	return user
++}
++
  func TestRename_HappyPath(t *testing.T) {
  	t.Parallel()
  	env := setup(t)
+ 	}
+ }
++func TestSetVisibilityRespectsPrivateCollaborationLimit(t *testing.T) {
++	t.Parallel()
++	env := setup(t)
++	ctx := context.Background()
++	org, err := orgs.Create(ctx, orgs.Deps{Pool: env.deps.Pool}, orgs.CreateParams{
++		Slug:            "acme",
++		CreatedByUserID: env.alice.ID,
++	})
++	if err != nil {
++		t.Fatalf("create org: %v", err)
++	}
++	repo, err := reposdb.New().CreateRepo(ctx, env.deps.Pool, reposdb.CreateRepoParams{
++		OwnerOrgID:    pgtype.Int8{Int64: org.ID, Valid: true},
++		Name:          "soon-private",
++		DefaultBranch: "trunk",
++		Visibility:    reposdb.RepoVisibilityPublic,
++	})
++	if err != nil {
++		t.Fatalf("create org repo: %v", err)
++	}
++	for _, userID := range []int64{env.bob.ID, mustLifecycleUser(t, env.deps.Pool, "carol").ID, mustLifecycleUser(t, env.deps.Pool, "dave").ID} {
++		if _, err := env.deps.Pool.Exec(ctx, `INSERT INTO repo_collaborators (repo_id, user_id, role) VALUES ($1, $2, 'read')`, repo.ID, userID); err != nil {
++			t.Fatalf("insert collaborator: %v", err)
++		}
++	}
++	err = lifecycle.SetVisibility(ctx, env.deps, env.alice.ID, repo.ID, "private")
++	if !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++		t.Fatalf("SetVisibility err=%v, want private collaboration limit", err)
++	}
++}
++
  func TestSoftDeleteAndRestore(t *testing.T) {
  	t.Parallel()
  	env := setup(t)

internal/repos/lifecycle/visibility.gomodified

  	"fmt"
  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
+ )
  	if string(repo.Visibility) == newVisibility {
  		return nil // idempotent no-op
+ 	}
++	if repo.OwnerOrgID.Valid && newVisibility == "private" {
++		check, err := entitlements.CheckRepoPrivateVisibility(ctx, entitlements.Deps{Pool: deps.Pool}, repo.OwnerOrgID.Int64, repo.ID)
++		if err != nil {
++			return err
++		}
++		if err := check.Err(); err != nil {
++			return err
++		}
++	}
  	if err := rq.SetRepoVisibility(ctx, deps.Pool, reposdb.SetRepoVisibilityParams{
  		ID:         repoID,

internal/web/handlers/api/collaborators.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/pat"
  	"github.com/tenseleyFlow/shithub/internal/auth/policy"
  	policydb "github.com/tenseleyFlow/shithub/internal/auth/policy/sqlc"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/web/middleware"
+ )
  		writeAPIError(w, http.StatusUnprocessableEntity, err.Error())
  		return
+ 	}
++	check, err := entitlements.CheckDirectPrivateCollaborator(r.Context(), entitlements.Deps{Pool: h.d.Pool}, repo.ID, user.ID)
++	if err != nil {
++		h.d.Logger.ErrorContext(r.Context(), "api: private collaborator entitlement check", "error", err)
++		writeAPIError(w, http.StatusInternalServerError, "collaborator entitlement check failed")
++		return
++	}
++	if err := check.Err(); err != nil {
++		writeAPIError(w, http.StatusPaymentRequired, err.Error())
++		return
++	}
  	if err := policydb.New().UpsertCollabRole(r.Context(), h.d.Pool, policydb.UpsertCollabRoleParams{
  		RepoID: repo.ID,
  		UserID: user.ID,

internal/web/handlers/api/repos.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/pat"
  	"github.com/tenseleyFlow/shithub/internal/auth/policy"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	"github.com/tenseleyFlow/shithub/internal/orgs"
  	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/repos"
  		writeAPIError(w, http.StatusConflict, "name taken for owner")
  	case errors.Is(err, repos.ErrNoVerifiedEmail):
  		writeAPIError(w, http.StatusUnprocessableEntity, "actor has no verified primary email")
++	case errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded):
++		writeAPIError(w, http.StatusPaymentRequired, err.Error())
  	default:
  		writeAPIError(w, http.StatusInternalServerError, "create failed")
  	}
  			ldeps := lifecycle.Deps{Pool: h.d.Pool, RepoFS: h.d.RepoFS, Audit: h.d.Audit, Logger: h.d.Logger}
  			if err := lifecycle.SetVisibility(r.Context(), ldeps, auth.UserID, repo.ID, newVis); err != nil {
  				h.d.Logger.ErrorContext(r.Context(), "api: set visibility", "error", err)
++				if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++					writeAPIError(w, http.StatusPaymentRequired, err.Error())
++					return
++				}
  				writeAPIError(w, http.StatusInternalServerError, "visibility update failed")
  				return
  			}

internal/web/handlers/orgs/orgs.gomodified

  	authemail "github.com/tenseleyFlow/shithub/internal/auth/email"
  	"github.com/tenseleyFlow/shithub/internal/auth/secretbox"
  	"github.com/tenseleyFlow/shithub/internal/billing/stripebilling"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	"github.com/tenseleyFlow/shithub/internal/orgs"
  	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
  		"HasQuery":        query != "",
  		"IsOwner":         isOwner,
  		"CanManagePeople": isOwner,
++		"Notice":          peopleNoticeMessage(r.URL.Query().Get("notice")),
  	}); err != nil {
  		h.d.Logger.ErrorContext(r.Context(), "orgs: render", "tpl", "orgs/people", "error", err)
  	}
  }
++func peopleNoticeMessage(code string) string {
++	switch code {
++	case "private-collab-upgrade":
++		return "Free organizations can have up to 3 private collaborators. Upgrade to Team to add more private collaborators."
++	default:
++		return ""
++	}
++}
++
  func filterOrgMembers(members []orgsdb.ListOrgMembersRow, query string) []orgsdb.ListOrgMembersRow {
  	query = strings.ToLower(strings.TrimSpace(query))
  	if query == "" {
  	if _, err := orgs.Invite(r.Context(), h.deps(), p); err != nil {
  		h.d.Logger.WarnContext(r.Context(), "orgs: invite failed",
  			"org", org.Slug, "target", target, "error", err)
++		if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++			http.Redirect(w, r, "/"+org.Slug+"/people?notice=private-collab-upgrade", http.StatusSeeOther)
++			return
++		}
  	}
  	http.Redirect(w, r, "/"+org.Slug+"/people", http.StatusSeeOther)
  }
  	if err := action(org.ID, uid); err != nil {
  		h.d.Logger.WarnContext(r.Context(), "orgs: member mutation",
  			"org", org.Slug, "user_id", uid, "error", err)
++		if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++			http.Redirect(w, r, "/"+org.Slug+"/people?notice=private-collab-upgrade", http.StatusSeeOther)
++			return
++		}
  	}
  	http.Redirect(w, r, "/"+org.Slug+"/people", http.StatusSeeOther)
  }
  		if err := orgs.AcceptInvitation(r.Context(), h.deps(), inv, viewer.ID); err != nil {
  			h.d.Logger.WarnContext(r.Context(), "orgs: accept invitation",
  				"id", inv.ID, "error", err)
++			if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++				h.d.Render.HTTPError(w, r, http.StatusPaymentRequired, "")
++				return
++			}
  			h.d.Render.HTTPError(w, r, http.StatusForbidden, "")
  			return
  		}

internal/web/handlers/orgs/teams.gomodified

  import (
  	"context"
++	"errors"
  	"net/http"
  	"net/url"
  	"strconv"
  		return "Secret teams are read-only until Team billing is brought back into good standing."
  	case "secret-teams-enterprise":
  		return "Secret teams are unavailable for Enterprise preview organizations. Contact sales to enable them."
++	case "private-collab-upgrade":
++		return "Free organizations can have up to 3 private collaborators. Upgrade to Team to add more private collaborators."
  	default:
  		return ""
+ 	}
  			return
+ 		}
  		role := r.PostFormValue("role")
--		_ = orgs.AddTeamMember(r.Context(), h.deps(), team.ID, uid, viewer.ID, role)
++		if err := orgs.AddTeamMember(r.Context(), h.deps(), team.ID, uid, viewer.ID, role); err != nil {
++			h.d.Logger.WarnContext(r.Context(), "teams: add member", "org_id", org.ID, "team_id", team.ID, "user_id", uid, "error", err)
++			if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++				http.Redirect(w, r, h.teamPath(org, team)+"?notice=private-collab-upgrade", http.StatusSeeOther)
++				return
++			}
++		}
+ 	}
  	http.Redirect(w, r, h.teamPath(org, team), http.StatusSeeOther)
+ }
  			http.Redirect(w, r, h.teamPath(org, team)+"?notice="+noticeCode, http.StatusSeeOther)
  			return
+ 		}
--		_ = orgs.GrantTeamRepoAccess(r.Context(), h.deps(), team.ID, repoID, viewer.ID,
++		if err := orgs.GrantTeamRepoAccess(r.Context(), h.deps(), team.ID, repoID, viewer.ID,
--			r.PostFormValue("role"))
++			r.PostFormValue("role")); err != nil {
++			h.d.Logger.WarnContext(r.Context(), "teams: grant repo", "org_id", org.ID, "team_id", team.ID, "repo_id", repoID, "error", err)
++			if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {
++				http.Redirect(w, r, h.teamPath(org, team)+"?notice=private-collab-upgrade", http.StatusSeeOther)
++				return
++			}
++		}
+ 	}
  	http.Redirect(w, r, h.teamPath(org, team), http.StatusSeeOther)
+ }

internal/web/handlers/repo/lifecycle.gomodified

  	"github.com/jackc/pgx/v5/pgtype"
  	"github.com/tenseleyFlow/shithub/internal/auth/policy"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	"github.com/tenseleyFlow/shithub/internal/orgs"
  	"github.com/tenseleyFlow/shithub/internal/repos/lifecycle"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
  		http.Error(w, "transfer no longer pending", http.StatusConflict)
  	case errors.Is(err, lifecycle.ErrPastGrace):
  		http.Error(w, "soft-delete grace expired", http.StatusGone)
++	case errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded):
++		http.Error(w, err.Error(), http.StatusPaymentRequired)
  	default:
  		h.d.Logger.WarnContext(r.Context(), "lifecycle: unexpected error", "error", err)
  		http.Error(w, "internal error", http.StatusInternalServerError)

internal/web/handlers/repo/repo.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/secretbox"
  	"github.com/tenseleyFlow/shithub/internal/auth/throttle"
  	checksdb "github.com/tenseleyFlow/shithub/internal/checks/sqlc"
++	"github.com/tenseleyFlow/shithub/internal/entitlements"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	issuesdb "github.com/tenseleyFlow/shithub/internal/issues/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/orgs"
  		return "Unknown license selection."
  	case errors.Is(err, repos.ErrUnknownGitignore):
  		return "Unknown .gitignore selection."
++	case errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded):
++		return err.Error()
  	}
  	if t, ok := isThrottled(err); ok {
  		return "You're creating repositories too quickly. Try again in " + t + "."

internal/web/templates/orgs/people.htmlmodified


     </aside>
 
     <div class="shithub-org-people-main">
+      {{ with .Notice }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}
       <div class="shithub-org-people-toolbar">
         <form method="GET" action="/{{ .Org.Slug }}/people" class="shithub-org-people-search" role="search">
           {{ octicon "search" }}

`@@ -28,6 +28,7 @@`
28	</aside>	28	</aside>
29		29
30	<div class="shithub-org-people-main">	30	<div class="shithub-org-people-main">
		31	+ {{ with .Notice }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}
31	<div class="shithub-org-people-toolbar">	32	<div class="shithub-org-people-toolbar">
32	<form method="GET" action="/{{ .Org.Slug }}/people" class="shithub-org-people-search" role="search">	33	<form method="GET" action="/{{ .Org.Slug }}/people" class="shithub-org-people-search" role="search">
33	{{ octicon "search" }}	34	{{ octicon "search" }}

tenseleyflow/shithub / `09c93d2`

17 changed files