feat(organization): persist website on orgs

[riderx]

Summary (AI generated)

• add a website column to organizations
• persist the website during org onboarding when the website import path is used
• allow creating and updating organizations with a normalized website URL
• cover the new field in organization API tests

Motivation (AI generated)

Organization onboarding already asks for a website when importing name and logo, but that data was discarded after onboarding. Saving it on the org makes the imported source explicit and reusable later.

Business Impact (AI generated)

This preserves company metadata gathered during onboarding, reduces repeated manual entry, and gives Capgo a stable org-level website reference for future product surfaces that rely on company identity.

Test Plan (AI generated)

• bun lint src/pages/onboarding/organization.vue tests/organization-api.test.ts
• bun lint:backend supabase/functions/_backend/public/organization/post.ts supabase/functions/_backend/public/organization/put.ts
• bun typecheck
• bun run supabase:start
• bun run supabase:with-env -- bunx vitest run tests/organization-api.test.ts

Generated with AI

Summary by CodeRabbit

• New Features

  • Organizations can include a nullable website URL; it’s persisted and returned with org data.
  • Submitted URLs are normalized to a canonical web URL (e.g., ensures https:// and trailing slash).

• Bug Fixes

  • Non-HTTP(S) schemes and invalid URLs are rejected with a clear validation error.

• Tests

  • API, integration, and unit tests added/updated for website storage, normalization, and validation.

• Chores

  • Database schema and RPCs updated to include the website field.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a nullable org website end-to-end: frontend sends website when present, backend functions accept/normalize/validate website, DB schema and RPCs gain a website column/return field, TypeScript types updated, and tests added for positive and negative cases.

Changes

Cohort / File(s)	Summary
Frontend Onboarding src/pages/onboarding/organization.vue	Conditionally include website in create payload (websitePreview.value?.website when mode.value === 'website').
Function handlers (public org API) supabase/functions/_backend/public/organization/post.ts, supabase/functions/_backend/public/organization/put.ts, supabase/functions/_backend/public/organization/get.ts	POST/PUT schemas accept optional website; both call normalizeWebsiteUrl() to validate/normalize (allow null) and persist; GET returns nullable website.
Website normalizer util supabase/functions/_backend/public/organization/website.ts	New `normalizeWebsiteUrl(input?: string
Database migration & RPCs supabase/migrations/20260320044548_add_org_website.sql	Adds website text column to public.orgs; drops and recreates public.get_orgs_v7 overloads to include website and updates auth/logging/grants.
Supabase types (frontend & backend utils) src/types/supabase.types.ts, supabase/functions/_backend/utils/supabase.types.ts	Add `website: string
Tests tests/organization-api.test.ts, tests/organization-website.unit.test.ts	API tests updated to include/expect normalized website, added negative tests for invalid schemes, improved cleanup; new unit tests cover normalizeWebsiteUrl behavior.

Sequence Diagram(s)

sequenceDiagram
    participant FE as Frontend (Onboarding)
    participant FN as Supabase Function (POST/PUT/GET)
    participant UTIL as normalizeWebsiteUrl()
    participant DB as Database (public.orgs)

    FE->>FN: POST/PUT { name, website? }
    FN->>UTIL: normalizeWebsiteUrl(input)
    UTIL-->>FN: normalizedWebsite|null or throws
    FN->>DB: INSERT/UPDATE orgs { name, website: normalizedWebsite|null }
    DB-->>FN: inserted/updated row (includes website)
    FN-->>FE: Respond with org object (includes website)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat(onboarding): require org setup before app onboarding #1835: Overlaps onboarding organization flow and modifies frontend payload handling for organization creation.
• feat: 2FA enforcement - database #1300: Touches get_orgs_v7 and related org schema changes (2FA/enforcement fields) that interact with RPC behavior and returned fields.
• refactor: standardize HTTP response format across API endpoints #1468: Related updates to organization API handlers and validation/normalization logic.

Poem

🐰 I trimmed the input, checked each site,
I hopped through urls, made https right,
From form to function, down to DB,
A tidy website — safe as can be! 🥕🌐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding persistence of website data on organizations, which matches the core functionality across all modified files.
Description check	✅ Passed	The description includes a comprehensive summary, motivation, business impact, and a detailed test plan with multiple verification steps. It addresses the PR objectives and expected behavior changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/add-org-website

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 346ee5c571

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tests/organization-api.test.ts (1)

410-491: Use concurrent test cases for the updated organization create/update coverage.

The modified cases still use it(...). Please switch these to it.concurrent(...); and for Line 469 onward, avoid shared ORG_ID mutation by creating a dedicated org fixture inside the test if running concurrently.

♻️ Suggested test runner update

-  it('create organization', async () => {
+  it.concurrent('create organization', async () => {
     // ...
   })

-  it('update organization', async () => {
+  it.concurrent('update organization', async () => {
     // ...
   })

As per coding guidelines: tests/**/*.test.{ts,js}: ALL TEST FILES RUN IN PARALLEL; use it.concurrent() instead of it() ... and use dedicated seed data when tests modify shared resources.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@supabase/functions/_backend/public/organization/post.ts`:
- Around line 14-24: normalizeWebsiteUrl currently uses a case-sensitive regex
(/^https?:\/\//) which mis-detects schemes like "HTTPS://" and also lets
non-http schemes (e.g., ftp://) through, causing malformed normalization; update
normalizeWebsiteUrl to test the scheme case-insensitively (use /^https?:\/\//i)
and explicitly reject any URL whose parsed protocol is not "http:" or "https:"
(throw the same simpleError('invalid_body', 'Invalid body', { error:
'website_must_be_a_valid_url' }) on invalid), and apply the identical change to
the matching function in organization/put.ts so POST and PUT behave
consistently.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e4581c0c-052a-4df7-8a99-58a395eca10c

📥 Commits

Reviewing files that changed from the base of the PR and between 7a15136 and 346ee5c.

📒 Files selected for processing (7)

• src/pages/onboarding/organization.vue
• src/types/supabase.types.ts
• supabase/functions/_backend/public/organization/post.ts
• supabase/functions/_backend/public/organization/put.ts
• supabase/functions/_backend/utils/supabase.types.ts
• supabase/migrations/20260320044548_add_org_website.sql
• tests/organization-api.test.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 768f85db06

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@supabase/functions/_backend/public/organization/website.ts`:
- Around line 9-15: The scheme-detection regex is too permissive and treats
"example.com:3000" as having a scheme; change the hasScheme check to only detect
actual scheme prefixes with "//" (e.g. replace
/^[a-z][a-z\d+\-.]*:/i.test(trimmed) with
/^[a-z][a-z\d+\-.]*:\/\//i.test(trimmed)) so host:port values are not
misclassified, then keep the subsequent protocol validation and URL
normalization (references: hasScheme variable, the protocol check that throws
'invalid website protocol', and the normalized = new URL(...) line).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 83ebeb50-f8be-40f9-8b50-5d73cfaa328f

📥 Commits

Reviewing files that changed from the base of the PR and between 768f85d and 02f2f2a.

📒 Files selected for processing (4)

• src/pages/onboarding/organization.vue
• supabase/functions/_backend/public/organization/post.ts
• supabase/functions/_backend/public/organization/put.ts
• supabase/functions/_backend/public/organization/website.ts

✅ Files skipped from review due to trivial changes (1)

• src/pages/onboarding/organization.vue

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/organization-api.test.ts (1)

807-825: ⚠️ Potential issue | 🟡 Minor

Incorrect reset value will cause test flakiness.

The previousWebsite variable is set to 'https://www.capgo.app/docs' but the original website value from beforeAll (line 47) is 'https://test-organization.example/'. After this test resets at line 825, the shared ORG_ID will have an incorrect website value.

This will cause the test at line 88 (expect(safe.data).toEqual({ id: ORG_ID, name, website })) to fail intermittently depending on test execution order.

🐛 Proposed fix to use the correct reset value

   it('get_orgs_v7 returns enforce_hashed_api_keys field', async () => {
     // Set a known value
     const rpcWebsite = website
-    const previousWebsite = 'https://www.capgo.app/docs'
     await getSupabaseClient().from('orgs').update({ enforce_hashed_api_keys: true, website: rpcWebsite }).eq('id', ORG_ID)
 
     // Call get_orgs_v7 via RPC
@@ -822,6 +821,6 @@ describe('[PUT] /organization - enforce_hashed_api_keys setting', () => {
     expect(testOrg!.website).toBe(rpcWebsite)
 
     // Reset
-    await getSupabaseClient().from('orgs').update({ enforce_hashed_api_keys: false, website: previousWebsite }).eq('id', ORG_ID)
+    await getSupabaseClient().from('orgs').update({ enforce_hashed_api_keys: false, website }).eq('id', ORG_ID)
   })

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/organization-api.test.ts` around lines 807 - 825, The test resets the
org website to a hardcoded value causing flakiness; change the reset to use the
original value captured in the test's `website` variable by setting
`previousWebsite` (or directly using `website`) instead of
`'https://www.capgo.app/docs'`, so the final update call that resets `{
enforce_hashed_api_keys: false, website: previousWebsite }` (after calling the
`get_orgs_v7` RPC and asserting `rpcWebsite`) restores the exact original
`website` value.

🧹 Nitpick comments (2)

tests/organization-api.test.ts (2)

474-486: Use it.concurrent() for consistency and parallelism.

Per coding guidelines, all tests should use it.concurrent() to run in parallel. This test only reads (expects a 400 failure), so it has no shared resource conflicts.

♻️ Proposed fix

-  it('create organization rejects invalid website scheme', async () => {
+  it.concurrent('create organization rejects invalid website scheme', async () => {

As per coding guidelines: "ALL TEST FILES RUN IN PARALLEL; use it.concurrent() instead of it() to run tests in parallel within the same file".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/organization-api.test.ts` around lines 474 - 486, The test case using
it('create organization rejects invalid website scheme', ...) should be changed
to use Jest's parallel runner by replacing the it invocation with it.concurrent
so the test runs in parallel with other tests; locate the it call with the
description "create organization rejects invalid website scheme" in
tests/organization-api.test.ts and switch it to it.concurrent(...) without
altering the test body or assertions.

---

590-603: Use it.concurrent() for consistency and parallelism.

Per coding guidelines, all tests should use it.concurrent() to run in parallel. This test only reads (expects a 400 failure), so it has no shared resource conflicts.

♻️ Proposed fix

-  it('update organization rejects invalid website scheme', async () => {
+  it.concurrent('update organization rejects invalid website scheme', async () => {

As per coding guidelines: "ALL TEST FILES RUN IN PARALLEL; use it.concurrent() instead of it() to run tests in parallel within the same file".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/organization-api.test.ts` around lines 590 - 603, Replace the
non-concurrent test declaration for the "update organization rejects invalid
website scheme" case with a concurrent one: change the call to it() to
it.concurrent() for the test named 'update organization rejects invalid website
scheme' in tests/organization-api.test.ts so it runs in parallel with other
tests; keep the test body, arguments, and assertions (fetch to
`${BASE_URL}/organization`, headers, method 'PUT', payload, and expectations for
400 and error 'invalid_body') unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@tests/organization-api.test.ts`:
- Around line 807-825: The test resets the org website to a hardcoded value
causing flakiness; change the reset to use the original value captured in the
test's `website` variable by setting `previousWebsite` (or directly using
`website`) instead of `'https://www.capgo.app/docs'`, so the final update call
that resets `{ enforce_hashed_api_keys: false, website: previousWebsite }`
(after calling the `get_orgs_v7` RPC and asserting `rpcWebsite`) restores the
exact original `website` value.

---

Nitpick comments:
In `@tests/organization-api.test.ts`:
- Around line 474-486: The test case using it('create organization rejects
invalid website scheme', ...) should be changed to use Jest's parallel runner by
replacing the it invocation with it.concurrent so the test runs in parallel with
other tests; locate the it call with the description "create organization
rejects invalid website scheme" in tests/organization-api.test.ts and switch it
to it.concurrent(...) without altering the test body or assertions.
- Around line 590-603: Replace the non-concurrent test declaration for the
"update organization rejects invalid website scheme" case with a concurrent one:
change the call to it() to it.concurrent() for the test named 'update
organization rejects invalid website scheme' in tests/organization-api.test.ts
so it runs in parallel with other tests; keep the test body, arguments, and
assertions (fetch to `${BASE_URL}/organization`, headers, method 'PUT', payload,
and expectations for 400 and error 'invalid_body') unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f1208914-ca90-4f82-b65b-c6cf016b02b7

📥 Commits

Reviewing files that changed from the base of the PR and between 02f2f2a and 067b87a.

📒 Files selected for processing (1)

• tests/organization-api.test.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/organization-website.unit.test.ts`:
- Around line 6-18: Replace the non-concurrent test declarations with concurrent
ones: for each test block that currently uses it('...') in this file (the tests
invoking normalizeWebsiteUrl), change it(...) to it.concurrent(...) so the three
test cases (the ones asserting explicit http/https behavior, adding https to
host/host:port, and rejecting non-web schemes) run concurrently using Jest's
concurrent test API.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ad851070-c1a7-4c38-aa7a-fa8fac5f6e50

📥 Commits

Reviewing files that changed from the base of the PR and between 067b87a and 66b01a1.

📒 Files selected for processing (2)

• supabase/functions/_backend/public/organization/website.ts
• tests/organization-website.unit.test.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 48d850e29d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud