From 3932bc056e57bb4dbdb5766b55c78b619a1b19c3 Mon Sep 17 00:00:00 2001
From: pptx704 <rafeed@omukk.dev>
Date: Tue, 24 Mar 2026 16:56:10 +0600
Subject: [PATCH] Add user names, team-scoped sandbox guard, and login
 robustness fixes

- Add name column to users (migration + sqlc regen); propagate through JWT
  claims, auth context, all auth/OAuth handlers, service layer, and frontend
- Sidebar and team page show name instead of email; team page splits Name/Email
  into separate columns
- Block sandbox creation in UI and API when user has no active team context
- loginTeam helper falls back to first active team when no default is set,
  fixing login for invited users with no is_default membership
- Exclude soft-deleted teams from GetDefaultTeamForUser, GetBYOCTeams queries
- Guard host creation against soft-deleted teams in service/host.go
- SwitchTeam re-fetches name from DB instead of trusting stale JWT claim
- Reset teams store on login so stale data from a previous session never persists
- Update openapi.yaml: add name to SignupRequest and AuthResponse schemas
---
 db/migrations/20260324100234_user_names.sql   |  5 ++
 db/queries/teams.sql                          |  6 +-
 db/queries/users.sql                          | 11 ++-
 frontend/src/lib/api/auth.ts                  |  5 +-
 frontend/src/lib/api/team.ts                  |  3 +-
 frontend/src/lib/auth.svelte.ts               | 13 +++-
 frontend/src/lib/components/Sidebar.svelte    |  2 +-
 frontend/src/lib/teams.svelte.ts              |  4 +
 .../routes/auth/github/callback/+page.svelte  |  5 +-
 .../routes/dashboard/capsules/+page.svelte    |  8 +-
 .../src/routes/dashboard/team/+page.svelte    | 26 +++++--
 frontend/src/routes/login/+page.svelte        | 23 +++++-
 internal/api/handlers_auth.go                 | 74 ++++++++++++++++---
 internal/api/handlers_oauth.go                | 32 +++-----
 internal/api/handlers_sandbox.go              |  4 +
 internal/api/handlers_team.go                 |  2 +
 internal/api/middleware_auth.go               |  1 +
 internal/api/middleware_jwt.go                |  1 +
 internal/api/openapi.yaml                     |  7 +-
 internal/auth/context.go                      |  1 +
 internal/auth/jwt.go                          |  4 +-
 internal/db/models.go                         |  1 +
 internal/db/teams.sql.go                      |  8 +-
 internal/db/users.sql.go                      | 48 +++++++++---
 internal/service/host.go                      |  5 +-
 internal/service/team.go                      |  6 +-
 26 files changed, 228 insertions(+), 77 deletions(-)
 create mode 100644 db/migrations/20260324100234_user_names.sql

diff --git a/db/migrations/20260324100234_user_names.sql b/db/migrations/20260324100234_user_names.sql
new file mode 100644
index 0000000..2775d12
--- /dev/null
+++ b/db/migrations/20260324100234_user_names.sql
@@ -0,0 +1,5 @@
+-- +goose Up
+ALTER TABLE users ADD COLUMN name TEXT NOT NULL DEFAULT '';
+
+-- +goose Down
+ALTER TABLE users DROP COLUMN name;
diff --git a/db/queries/teams.sql b/db/queries/teams.sql
index 935c4dd..2117e95 100644
--- a/db/queries/teams.sql
+++ b/db/queries/teams.sql
@@ -13,14 +13,14 @@ VALUES ($1, $2, $3, $4);
 -- name: GetDefaultTeamForUser :one
 SELECT t.* FROM teams t
 JOIN users_teams ut ON ut.team_id = t.id
-WHERE ut.user_id = $1 AND ut.is_default = TRUE
+WHERE ut.user_id = $1 AND ut.is_default = TRUE AND t.deleted_at IS NULL
 LIMIT 1;
 
 -- name: SetTeamBYOC :exec
 UPDATE teams SET is_byoc = $2 WHERE id = $1;
 
 -- name: GetBYOCTeams :many
-SELECT * FROM teams WHERE is_byoc = TRUE ORDER BY created_at;
+SELECT * FROM teams WHERE is_byoc = TRUE AND deleted_at IS NULL ORDER BY created_at;
 
 -- name: GetTeamMembership :one
 SELECT * FROM users_teams WHERE user_id = $1 AND team_id = $2;
@@ -42,7 +42,7 @@ WHERE ut.user_id = $1 AND t.deleted_at IS NULL
 ORDER BY ut.created_at;
 
 -- name: GetTeamMembers :many
-SELECT u.id, u.email, ut.role, ut.created_at AS joined_at
+SELECT u.id, u.name, u.email, ut.role, ut.created_at AS joined_at
 FROM users_teams ut
 JOIN users u ON u.id = ut.user_id
 WHERE ut.team_id = $1
diff --git a/db/queries/users.sql b/db/queries/users.sql
index 171ef70..a244fc9 100644
--- a/db/queries/users.sql
+++ b/db/queries/users.sql
@@ -1,6 +1,6 @@
 -- name: InsertUser :one
-INSERT INTO users (id, email, password_hash)
-VALUES ($1, $2, $3)
+INSERT INTO users (id, email, password_hash, name)
+VALUES ($1, $2, $3, $4)
 RETURNING *;
 
 -- name: GetUserByEmail :one
@@ -10,8 +10,8 @@ SELECT * FROM users WHERE email = $1;
 SELECT * FROM users WHERE id = $1;
 
 -- name: InsertUserOAuth :one
-INSERT INTO users (id, email)
-VALUES ($1, $2)
+INSERT INTO users (id, email, name)
+VALUES ($1, $2, $3)
 RETURNING *;
 
 -- name: SetUserAdmin :exec
@@ -37,3 +37,6 @@ SELECT EXISTS(
 
 -- name: SearchUsersByEmailPrefix :many
 SELECT id, email FROM users WHERE email LIKE $1 || '%' ORDER BY email LIMIT 10;
+
+-- name: UpdateUserName :exec
+UPDATE users SET name = $2, updated_at = NOW() WHERE id = $1;
diff --git a/frontend/src/lib/api/auth.ts b/frontend/src/lib/api/auth.ts
index 51b987a..845b8a3 100644
--- a/frontend/src/lib/api/auth.ts
+++ b/frontend/src/lib/api/auth.ts
@@ -3,6 +3,7 @@ export type AuthResponse = {
 	user_id: string;
 	team_id: string;
 	email: string;
+	name: string;
 };
 
 export type AuthResult = { ok: true; data: AuthResponse } | { ok: false; error: string };
@@ -11,8 +12,8 @@ export async function apiLogin(email: string, password: string): Promise<AuthRes
 	return authFetch('/api/v1/auth/login', { email, password });
 }
 
-export async function apiSignup(email: string, password: string): Promise<AuthResult> {
-	return authFetch('/api/v1/auth/signup', { email, password });
+export async function apiSignup(email: string, password: string, name: string): Promise<AuthResult> {
+	return authFetch('/api/v1/auth/signup', { email, password, name });
 }
 
 async function authFetch(url: string, body: Record<string, string>): Promise<AuthResult> {
diff --git a/frontend/src/lib/api/team.ts b/frontend/src/lib/api/team.ts
index 0fae217..a1ff935 100644
--- a/frontend/src/lib/api/team.ts
+++ b/frontend/src/lib/api/team.ts
@@ -2,6 +2,7 @@ import { apiFetch, type ApiResult } from '$lib/api/client';
 
 export type TeamMember = {
 	user_id: string;
+	name: string;
 	email: string;
 	role: 'owner' | 'admin' | 'member';
 	joined_at: string;
@@ -42,7 +43,7 @@ export async function createTeam(name: string): Promise<ApiResult<TeamWithRole>>
 
 export async function switchTeam(
 	teamId: string
-): Promise<ApiResult<{ token: string; user_id: string; team_id: string; email: string }>> {
+): Promise<ApiResult<{ token: string; user_id: string; team_id: string; email: string; name: string }>> {
 	return apiFetch('POST', '/api/v1/auth/switch-team', { team_id: teamId });
 }
 
diff --git a/frontend/src/lib/auth.svelte.ts b/frontend/src/lib/auth.svelte.ts
index 86325df..b42cf52 100644
--- a/frontend/src/lib/auth.svelte.ts
+++ b/frontend/src/lib/auth.svelte.ts
@@ -4,7 +4,8 @@ const STORAGE_KEYS = {
 	token: 'wrenn_token',
 	userId: 'wrenn_user_id',
 	teamId: 'wrenn_team_id',
-	email: 'wrenn_email'
+	email: 'wrenn_email',
+	name: 'wrenn_name'
 } as const;
 
 function isTokenExpired(token: string): boolean {
@@ -23,6 +24,7 @@ function createAuth() {
 	let userId = $state<string | null>(null);
 	let teamId = $state<string | null>(null);
 	let email = $state<string | null>(null);
+	let name = $state<string | null>(null);
 	let initialized = $state(false);
 
 	// Initialize from localStorage synchronously at module load.
@@ -33,6 +35,7 @@ function createAuth() {
 			userId = localStorage.getItem(STORAGE_KEYS.userId);
 			teamId = localStorage.getItem(STORAGE_KEYS.teamId);
 			email = localStorage.getItem(STORAGE_KEYS.email);
+			name = localStorage.getItem(STORAGE_KEYS.name);
 		} else if (stored) {
 			// Expired — clean up.
 			for (const key of Object.values(STORAGE_KEYS)) {
@@ -57,6 +60,9 @@ function createAuth() {
 		get email() {
 			return email;
 		},
+		get name() {
+			return name;
+		},
 		get isAuthenticated() {
 			return isAuthenticated;
 		},
@@ -64,16 +70,18 @@ function createAuth() {
 			return initialized;
 		},
 
-		login(data: { token: string; user_id: string; team_id: string; email: string }) {
+		login(data: { token: string; user_id: string; team_id: string; email: string; name: string }) {
 			token = data.token;
 			userId = data.user_id;
 			teamId = data.team_id;
 			email = data.email;
+			name = data.name;
 
 			localStorage.setItem(STORAGE_KEYS.token, data.token);
 			localStorage.setItem(STORAGE_KEYS.userId, data.user_id);
 			localStorage.setItem(STORAGE_KEYS.teamId, data.team_id);
 			localStorage.setItem(STORAGE_KEYS.email, data.email);
+			localStorage.setItem(STORAGE_KEYS.name, data.name);
 		},
 
 		logout() {
@@ -81,6 +89,7 @@ function createAuth() {
 			userId = null;
 			teamId = null;
 			email = null;
+			name = null;
 
 			for (const key of Object.values(STORAGE_KEYS)) {
 				localStorage.removeItem(key);
diff --git a/frontend/src/lib/components/Sidebar.svelte b/frontend/src/lib/components/Sidebar.svelte
index b2fe99a..47feb54 100644
--- a/frontend/src/lib/components/Sidebar.svelte
+++ b/frontend/src/lib/components/Sidebar.svelte
@@ -27,7 +27,7 @@
 	let teamPopoverOpen = $state(false);
 
 	let currentTeamName = $derived(teamsStore.list.find((t) => t.id === auth.teamId)?.name ?? '');
-	let userName = $derived(auth.email ?? '');
+	let userName = $derived(auth.name || auth.email || '');
 
 	// Create team dialog
 	let showCreateTeam = $state(false);
diff --git a/frontend/src/lib/teams.svelte.ts b/frontend/src/lib/teams.svelte.ts
index f9596d3..01bdbb3 100644
--- a/frontend/src/lib/teams.svelte.ts
+++ b/frontend/src/lib/teams.svelte.ts
@@ -24,6 +24,10 @@ function createTeamsStore() {
 		set(newTeams: TeamWithRole[]) {
 			teams = newTeams;
 			loaded = true;
+		},
+		reset() {
+			teams = [];
+			loaded = false;
 		}
 	};
 }
diff --git a/frontend/src/routes/auth/github/callback/+page.svelte b/frontend/src/routes/auth/github/callback/+page.svelte
index 692427d..8ca4472 100644
--- a/frontend/src/routes/auth/github/callback/+page.svelte
+++ b/frontend/src/routes/auth/github/callback/+page.svelte
@@ -2,6 +2,7 @@
 	import { goto } from '$app/navigation';
 	import { page } from '$app/stores';
 	import { auth } from '$lib/auth.svelte';
+	import { teams } from '$lib/teams.svelte';
 
 	const params = $page.url.searchParams;
 	const error = params.get('error');
@@ -13,9 +14,11 @@
 		const userId = params.get('user_id');
 		const teamId = params.get('team_id');
 		const email = params.get('email');
+		const name = params.get('name') ?? '';
 
 		if (token && userId && teamId && email) {
-			auth.login({ token, user_id: userId, team_id: teamId, email });
+			teams.reset();
+			auth.login({ token, user_id: userId, team_id: teamId, email, name });
 			goto('/dashboard');
 		} else {
 			goto('/login?error=missing_token');
diff --git a/frontend/src/routes/dashboard/capsules/+page.svelte b/frontend/src/routes/dashboard/capsules/+page.svelte
index 13cf682..d9818e2 100644
--- a/frontend/src/routes/dashboard/capsules/+page.svelte
+++ b/frontend/src/routes/dashboard/capsules/+page.svelte
@@ -2,6 +2,7 @@
 	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { toast } from '$lib/toast.svelte';
+	import { auth } from '$lib/auth.svelte';
 	import {
 		listCapsules,
 		createCapsule,
@@ -440,7 +441,9 @@
 
 						<button
 							onclick={() => { showCreateDialog = true; createError = null; }}
-							class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+							disabled={!auth.teamId}
+							title={!auth.teamId ? 'No active team — re-authenticate to create capsules' : undefined}
+							class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:pointer-events-none disabled:opacity-40"
 						>
 							<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
 								<line x1="12" y1="5" x2="12" y2="19" /><line x1="5" y1="12" x2="19" y2="12" />
@@ -494,7 +497,8 @@
 								</p>
 								<button
 									onclick={() => { showCreateDialog = true; createError = null; }}
-									class="mt-6 flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2.5 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+									disabled={!auth.teamId}
+								class="mt-6 flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2.5 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:pointer-events-none disabled:opacity-40"
 								>
 									Launch a Capsule
 									<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
diff --git a/frontend/src/routes/dashboard/team/+page.svelte b/frontend/src/routes/dashboard/team/+page.svelte
index 32a33e3..998738f 100644
--- a/frontend/src/routes/dashboard/team/+page.svelte
+++ b/frontend/src/routes/dashboard/team/+page.svelte
@@ -209,8 +209,8 @@
 			);
 			toast.success(
 				newRole === 'admin'
-					? `${member.email} is now an admin`
-					: `${member.email} is now a member`
+					? `${member.name || member.email} is now an admin`
+					: `${member.name || member.email} is now a member`
 			);
 		} else {
 			toast.error(result.error);
@@ -675,12 +675,17 @@
 						>
 							<!-- Table header -->
 							<div
-								class="grid grid-cols-[1fr_120px_140px_120px] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]"
+								class="grid grid-cols-[1fr_1fr_120px_140px_120px] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]"
 							>
 								<div
 									class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]"
 								>
-									Member
+									Name
+								</div>
+								<div
+									class="px-4 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]"
+								>
+									Email
 								</div>
 								<div
 									class="px-4 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]"
@@ -699,15 +704,15 @@
 
 							{#each members as member, i (member.user_id)}
 								<div
-									class="grid grid-cols-[1fr_120px_140px_120px] items-center border-b border-[var(--color-border)] transition-colors duration-150 hover:bg-[var(--color-bg-3)] last:border-b-0 {recentlyAddedId === member.user_id ? 'member-flash' : ''}"
+									class="grid grid-cols-[1fr_1fr_120px_140px_120px] items-center border-b border-[var(--color-border)] transition-colors duration-150 hover:bg-[var(--color-bg-3)] last:border-b-0 {recentlyAddedId === member.user_id ? 'member-flash' : ''}"
 									in:fly={{ y: 6, duration: 200, delay: i * 30, easing: cubicOut }}
 									out:fly={{ x: -16, duration: 180, easing: cubicOut }}
 								>
-									<!-- Email -->
+									<!-- Name -->
 									<div class="min-w-0 px-5 py-4">
 										<div class="flex min-w-0 items-center gap-2">
 											<span class="truncate text-ui text-[var(--color-text-bright)]"
-												>{member.email}</span
+												>{member.name || member.email}</span
 											>
 											{#if member.user_id === auth.userId}
 												<span class="shrink-0 rounded-[2px] bg-[var(--color-bg-4)] px-1.5 py-0.5 text-badge font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">you</span>
@@ -715,6 +720,11 @@
 										</div>
 									</div>
 
+									<!-- Email -->
+									<div class="min-w-0 px-4 py-4">
+										<span class="truncate font-mono text-ui text-[var(--color-text-secondary)]">{member.email}</span>
+									</div>
+
 									<!-- Role badge -->
 									<div class="px-4 py-4">
 										{#if updatingRoleId === member.user_id}
@@ -1092,7 +1102,7 @@
 			</h2>
 			<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
 				Remove <span class="font-medium text-[var(--color-text-secondary)]"
-					>{removeTarget.email}</span
+					>{removeTarget.name || removeTarget.email}</span
 				> from the team? They will lose access immediately.
 			</p>
 
diff --git a/frontend/src/routes/login/+page.svelte b/frontend/src/routes/login/+page.svelte
index f86120b..0c6e526 100644
--- a/frontend/src/routes/login/+page.svelte
+++ b/frontend/src/routes/login/+page.svelte
@@ -3,11 +3,13 @@
 	import { onMount } from 'svelte';
 	import { page } from '$app/stores';
 	import { auth } from '$lib/auth.svelte';
+	import { teams } from '$lib/teams.svelte';
 	import { apiLogin, apiSignup } from '$lib/api/auth';
 	import {
 		IconGithub,
 		IconMail,
 		IconLock,
+		IconUser,
 		IconEye,
 		IconEyeOff
 	} from '$lib/components/icons';
@@ -15,6 +17,7 @@
 	let mode: 'signin' | 'signup' = $state('signin');
 	let email = $state('');
 	let password = $state('');
+	let name = $state('');
 	let showPassword = $state(false);
 	let error = $state('');
 	let loading = $state(false);
@@ -77,6 +80,7 @@
 	function switchMode() {
 		mode = mode === 'signin' ? 'signup' : 'signin';
 		error = '';
+		name = '';
 	}
 
 	async function handleSubmit(e: Event) {
@@ -87,7 +91,7 @@
 		const result =
 			mode === 'signin'
 				? await apiLogin(email, password)
-				: await apiSignup(email, password);
+				: await apiSignup(email, password, name);
 
 		loading = false;
 
@@ -96,6 +100,7 @@
 			return;
 		}
 
+		teams.reset();
 		auth.login(result.data);
 		goto('/dashboard');
 	}
@@ -204,6 +209,22 @@
 
 			<!-- Form -->
 			<form onsubmit={handleSubmit} class="space-y-3">
+				{#if mode === 'signup'}
+					<div class="group relative">
+						<div
+							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
+						>
+							<IconUser size={14} />
+						</div>
+						<input
+							type="text"
+							bind:value={name}
+							placeholder="Full name"
+							autocomplete="name"
+							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-3 text-body text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
+						/>
+					</div>
+				{/if}
 				<div class="group relative">
 					<div
 						class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
diff --git a/internal/api/handlers_auth.go b/internal/api/handlers_auth.go
index d8d9443..ae63883 100644
--- a/internal/api/handlers_auth.go
+++ b/internal/api/handlers_auth.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"context"
 	"errors"
 	"net/http"
 	"strings"
@@ -15,6 +16,41 @@ import (
 	"git.omukk.dev/wrenn/sandbox/internal/id"
 )
 
+// loginTeam returns the team and role to stamp into a login JWT.
+// It prefers the user's default team; if none is flagged as default it falls
+// back to the earliest-joined team. Returns pgx.ErrNoRows when the user has
+// no team memberships at all.
+func loginTeam(ctx context.Context, q *db.Queries, userID string) (db.Team, string, error) {
+	team, err := q.GetDefaultTeamForUser(ctx, userID)
+	if err == nil {
+		membership, err := q.GetTeamMembership(ctx, db.GetTeamMembershipParams{UserID: userID, TeamID: team.ID})
+		if err != nil {
+			return db.Team{}, "", err
+		}
+		return team, membership.Role, nil
+	}
+	if !errors.Is(err, pgx.ErrNoRows) {
+		return db.Team{}, "", err
+	}
+	// No default set — fall back to earliest-joined team.
+	rows, err := q.GetTeamsForUser(ctx, userID)
+	if err != nil {
+		return db.Team{}, "", err
+	}
+	if len(rows) == 0 {
+		return db.Team{}, "", pgx.ErrNoRows
+	}
+	first := rows[0]
+	return db.Team{
+		ID:        first.ID,
+		Name:      first.Name,
+		Slug:      first.Slug,
+		IsByoc:    first.IsByoc,
+		CreatedAt: first.CreatedAt,
+		DeletedAt: first.DeletedAt,
+	}, first.Role, nil
+}
+
 type switchTeamRequest struct {
 	TeamID string `json:"team_id"`
 }
@@ -32,6 +68,7 @@ func newAuthHandler(db *db.Queries, pool *pgxpool.Pool, jwtSecret []byte) *authH
 type signupRequest struct {
 	Email    string `json:"email"`
 	Password string `json:"password"`
+	Name     string `json:"name"`
 }
 
 type loginRequest struct {
@@ -44,6 +81,7 @@ type authResponse struct {
 	UserID string `json:"user_id"`
 	TeamID string `json:"team_id"`
 	Email  string `json:"email"`
+	Name   string `json:"name"`
 }
 
 // Signup handles POST /v1/auth/signup.
@@ -55,6 +93,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 	}
 
 	req.Email = strings.TrimSpace(strings.ToLower(req.Email))
+	req.Name = strings.TrimSpace(req.Name)
 	if !strings.Contains(req.Email, "@") || len(req.Email) < 3 {
 		writeError(w, http.StatusBadRequest, "invalid_request", "invalid email address")
 		return
@@ -63,6 +102,10 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "invalid_request", "password must be at least 8 characters")
 		return
 	}
+	if req.Name == "" || len(req.Name) > 100 {
+		writeError(w, http.StatusBadRequest, "invalid_request", "name must be between 1 and 100 characters")
+		return
+	}
 
 	ctx := r.Context()
 
@@ -87,6 +130,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		ID:           userID,
 		Email:        req.Email,
 		PasswordHash: pgtype.Text{String: passwordHash, Valid: true},
+		Name:         req.Name,
 	})
 	if err != nil {
 		var pgErr *pgconn.PgError
@@ -102,7 +146,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 	teamID := id.NewTeamID()
 	if _, err := qtx.InsertTeam(ctx, db.InsertTeamParams{
 		ID:   teamID,
-		Name: req.Email + "'s Team",
+		Name: req.Name + "'s Team",
 		Slug: id.NewTeamSlug(),
 	}); err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to create team")
@@ -124,7 +168,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, req.Email, "owner")
+	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, req.Email, req.Name, "owner")
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@@ -135,6 +179,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		UserID: userID,
 		TeamID: teamID,
 		Email:  req.Email,
+		Name:   req.Name,
 	})
 }
 
@@ -173,19 +218,17 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	team, err := h.db.GetDefaultTeamForUser(ctx, user.ID)
+	team, role, err := loginTeam(ctx, h.db, user.ID)
 	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			writeError(w, http.StatusForbidden, "no_team", "user is not a member of any team")
+			return
+		}
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up team")
 		return
 	}
 
-	membership, err := h.db.GetTeamMembership(ctx, db.GetTeamMembershipParams{UserID: user.ID, TeamID: team.ID})
-	if err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up membership")
-		return
-	}
-
-	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, membership.Role)
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@@ -196,6 +239,7 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 		UserID: user.ID,
 		TeamID: team.ID,
 		Email:  user.Email,
+		Name:   user.Name,
 	})
 }
 
@@ -247,7 +291,14 @@ func (h *authHandler) SwitchTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	token, err := auth.SignJWT(h.jwtSecret, ac.UserID, req.TeamID, ac.Email, membership.Role)
+	// Fetch current name from DB — JWT name is not trusted here (may be stale or empty for old tokens).
+	user, err := h.db.GetUserByID(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up user")
+		return
+	}
+
+	token, err := auth.SignJWT(h.jwtSecret, ac.UserID, req.TeamID, ac.Email, user.Name, membership.Role)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@@ -258,5 +309,6 @@ func (h *authHandler) SwitchTeam(w http.ResponseWriter, r *http.Request) {
 		UserID: ac.UserID,
 		TeamID: req.TeamID,
 		Email:  ac.Email,
+		Name:   user.Name,
 	})
 }
diff --git a/internal/api/handlers_oauth.go b/internal/api/handlers_oauth.go
index e52bb6f..1c72285 100644
--- a/internal/api/handlers_oauth.go
+++ b/internal/api/handlers_oauth.go
@@ -150,25 +150,19 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
-		team, err := h.db.GetDefaultTeamForUser(ctx, user.ID)
+		team, role, err := loginTeam(ctx, h.db, user.ID)
 		if err != nil {
 			slog.Error("oauth login: failed to get team", "error", err)
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
-		membership, err := h.db.GetTeamMembership(ctx, db.GetTeamMembershipParams{UserID: user.ID, TeamID: team.ID})
-		if err != nil {
-			slog.Error("oauth login: failed to get membership", "error", err)
-			redirectWithError(w, r, redirectBase, "db_error")
-			return
-		}
-		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, membership.Role)
+		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role)
 		if err != nil {
 			slog.Error("oauth login: failed to sign jwt", "error", err)
 			redirectWithError(w, r, redirectBase, "internal_error")
 			return
 		}
-		redirectWithToken(w, r, redirectBase, token, user.ID, team.ID, user.Email)
+		redirectWithToken(w, r, redirectBase, token, user.ID, team.ID, user.Email, user.Name)
 		return
 	}
 	if !errors.Is(err, pgx.ErrNoRows) {
@@ -205,6 +199,7 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 	_, err = qtx.InsertUserOAuth(ctx, db.InsertUserOAuthParams{
 		ID:    userID,
 		Email: email,
+		Name:  profile.Name,
 	})
 	if err != nil {
 		var pgErr *pgconn.PgError
@@ -260,14 +255,14 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, email, "owner")
+	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, email, profile.Name, "owner")
 	if err != nil {
 		slog.Error("oauth: failed to sign jwt", "error", err)
 		redirectWithError(w, r, redirectBase, "internal_error")
 		return
 	}
 
-	redirectWithToken(w, r, redirectBase, token, userID, teamID, email)
+	redirectWithToken(w, r, redirectBase, token, userID, teamID, email, profile.Name)
 }
 
 // retryAsLogin handles the race where a concurrent request already created the user.
@@ -289,33 +284,28 @@ func (h *oauthHandler) retryAsLogin(w http.ResponseWriter, r *http.Request, prov
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
-	team, err := h.db.GetDefaultTeamForUser(ctx, user.ID)
+	team, role, err := loginTeam(ctx, h.db, user.ID)
 	if err != nil {
 		slog.Error("oauth: retry login: failed to get team", "error", err)
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
-	membership, err := h.db.GetTeamMembership(ctx, db.GetTeamMembershipParams{UserID: user.ID, TeamID: team.ID})
-	if err != nil {
-		slog.Error("oauth: retry login: failed to get membership", "error", err)
-		redirectWithError(w, r, redirectBase, "db_error")
-		return
-	}
-	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, membership.Role)
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role)
 	if err != nil {
 		slog.Error("oauth: retry login: failed to sign jwt", "error", err)
 		redirectWithError(w, r, redirectBase, "internal_error")
 		return
 	}
-	redirectWithToken(w, r, redirectBase, token, user.ID, team.ID, user.Email)
+	redirectWithToken(w, r, redirectBase, token, user.ID, team.ID, user.Email, user.Name)
 }
 
-func redirectWithToken(w http.ResponseWriter, r *http.Request, base, token, userID, teamID, email string) {
+func redirectWithToken(w http.ResponseWriter, r *http.Request, base, token, userID, teamID, email, name string) {
 	u := base + "?" + url.Values{
 		"token":   {token},
 		"user_id": {userID},
 		"team_id": {teamID},
 		"email":   {email},
+		"name":    {name},
 	}.Encode()
 	http.Redirect(w, r, u, http.StatusFound)
 }
diff --git a/internal/api/handlers_sandbox.go b/internal/api/handlers_sandbox.go
index a312e5f..08f99b0 100644
--- a/internal/api/handlers_sandbox.go
+++ b/internal/api/handlers_sandbox.go
@@ -79,6 +79,10 @@ func (h *sandboxHandler) Create(w http.ResponseWriter, r *http.Request) {
 	}
 
 	ac := auth.MustFromContext(r.Context())
+	if ac.TeamID == "" {
+		writeError(w, http.StatusForbidden, "no_team", "no active team context; re-authenticate")
+		return
+	}
 
 	sb, err := h.svc.Create(r.Context(), service.SandboxCreateParams{
 		TeamID:     ac.TeamID,
diff --git a/internal/api/handlers_team.go b/internal/api/handlers_team.go
index f1df8f8..e852583 100644
--- a/internal/api/handlers_team.go
+++ b/internal/api/handlers_team.go
@@ -36,6 +36,7 @@ type teamWithRoleResponse struct {
 
 type memberResponse struct {
 	UserID   string `json:"user_id"`
+	Name     string `json:"name"`
 	Email    string `json:"email"`
 	Role     string `json:"role"`
 	JoinedAt string `json:"joined_at,omitempty"`
@@ -56,6 +57,7 @@ func teamToResponse(t db.Team) teamResponse {
 func memberInfoToResponse(m service.MemberInfo) memberResponse {
 	return memberResponse{
 		UserID:   m.UserID,
+		Name:     m.Name,
 		Email:    m.Email,
 		Role:     m.Role,
 		JoinedAt: m.JoinedAt.Format(time.RFC3339),
diff --git a/internal/api/middleware_auth.go b/internal/api/middleware_auth.go
index 4cde817..41daf36 100644
--- a/internal/api/middleware_auth.go
+++ b/internal/api/middleware_auth.go
@@ -45,6 +45,7 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 					TeamID: claims.TeamID,
 					UserID: claims.Subject,
 					Email:  claims.Email,
+					Name:   claims.Name,
 					Role:   claims.Role,
 				})
 				next.ServeHTTP(w, r.WithContext(ctx))
diff --git a/internal/api/middleware_jwt.go b/internal/api/middleware_jwt.go
index bfe1438..c0b17fa 100644
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@@ -29,6 +29,7 @@ func requireJWT(secret []byte) func(http.Handler) http.Handler {
 				TeamID: claims.TeamID,
 				UserID: claims.Subject,
 				Email:  claims.Email,
+				Name:   claims.Name,
 				Role:   claims.Role,
 			})
 			next.ServeHTTP(w, r.WithContext(ctx))
diff --git a/internal/api/openapi.yaml b/internal/api/openapi.yaml
index 02bcd77..5f8dff5 100644
--- a/internal/api/openapi.yaml
+++ b/internal/api/openapi.yaml
@@ -1410,7 +1410,7 @@ components:
   schemas:
     SignupRequest:
       type: object
-      required: [email, password]
+      required: [email, password, name]
       properties:
         email:
           type: string
@@ -1418,6 +1418,9 @@ components:
         password:
           type: string
           minLength: 8
+        name:
+          type: string
+          maxLength: 100
 
     LoginRequest:
       type: object
@@ -1441,6 +1444,8 @@ components:
           type: string
         email:
           type: string
+        name:
+          type: string
 
     CreateAPIKeyRequest:
       type: object
diff --git a/internal/auth/context.go b/internal/auth/context.go
index e5ae893..36dd06c 100644
--- a/internal/auth/context.go
+++ b/internal/auth/context.go
@@ -11,6 +11,7 @@ type AuthContext struct {
 	TeamID string
 	UserID string // empty when authenticated via API key
 	Email  string // empty when authenticated via API key
+	Name   string // empty when authenticated via API key
 	Role   string // owner, admin, or member; empty when authenticated via API key
 }
 
diff --git a/internal/auth/jwt.go b/internal/auth/jwt.go
index 331cae2..eebba31 100644
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -16,16 +16,18 @@ type Claims struct {
 	TeamID string `json:"team_id"`
 	Role   string `json:"role"` // owner, admin, or member within TeamID
 	Email  string `json:"email"`
+	Name   string `json:"name"`
 	jwt.RegisteredClaims
 }
 
 // SignJWT signs a new 6-hour JWT for the given user.
-func SignJWT(secret []byte, userID, teamID, email, role string) (string, error) {
+func SignJWT(secret []byte, userID, teamID, email, name, role string) (string, error) {
 	now := time.Now()
 	claims := Claims{
 		TeamID: teamID,
 		Role:   role,
 		Email:  email,
+		Name:   name,
 		RegisteredClaims: jwt.RegisteredClaims{
 			Subject:   userID,
 			IssuedAt:  jwt.NewNumericDate(now),
diff --git a/internal/db/models.go b/internal/db/models.go
index 6e29928..158193b 100644
--- a/internal/db/models.go
+++ b/internal/db/models.go
@@ -112,6 +112,7 @@ type User struct {
 	CreatedAt    pgtype.Timestamptz `json:"created_at"`
 	UpdatedAt    pgtype.Timestamptz `json:"updated_at"`
 	IsAdmin      bool               `json:"is_admin"`
+	Name         string             `json:"name"`
 }
 
 type UsersTeam struct {
diff --git a/internal/db/teams.sql.go b/internal/db/teams.sql.go
index 7324763..a00f5ef 100644
--- a/internal/db/teams.sql.go
+++ b/internal/db/teams.sql.go
@@ -26,7 +26,7 @@ func (q *Queries) DeleteTeamMember(ctx context.Context, arg DeleteTeamMemberPara
 }
 
 const getBYOCTeams = `-- name: GetBYOCTeams :many
-SELECT id, name, created_at, is_byoc, slug, deleted_at FROM teams WHERE is_byoc = TRUE ORDER BY created_at
+SELECT id, name, created_at, is_byoc, slug, deleted_at FROM teams WHERE is_byoc = TRUE AND deleted_at IS NULL ORDER BY created_at
 `
 
 func (q *Queries) GetBYOCTeams(ctx context.Context) ([]Team, error) {
@@ -59,7 +59,7 @@ func (q *Queries) GetBYOCTeams(ctx context.Context) ([]Team, error) {
 const getDefaultTeamForUser = `-- name: GetDefaultTeamForUser :one
 SELECT t.id, t.name, t.created_at, t.is_byoc, t.slug, t.deleted_at FROM teams t
 JOIN users_teams ut ON ut.team_id = t.id
-WHERE ut.user_id = $1 AND ut.is_default = TRUE
+WHERE ut.user_id = $1 AND ut.is_default = TRUE AND t.deleted_at IS NULL
 LIMIT 1
 `
 
@@ -114,7 +114,7 @@ func (q *Queries) GetTeamBySlug(ctx context.Context, slug string) (Team, error)
 }
 
 const getTeamMembers = `-- name: GetTeamMembers :many
-SELECT u.id, u.email, ut.role, ut.created_at AS joined_at
+SELECT u.id, u.name, u.email, ut.role, ut.created_at AS joined_at
 FROM users_teams ut
 JOIN users u ON u.id = ut.user_id
 WHERE ut.team_id = $1
@@ -123,6 +123,7 @@ ORDER BY ut.created_at
 
 type GetTeamMembersRow struct {
 	ID       string             `json:"id"`
+	Name     string             `json:"name"`
 	Email    string             `json:"email"`
 	Role     string             `json:"role"`
 	JoinedAt pgtype.Timestamptz `json:"joined_at"`
@@ -139,6 +140,7 @@ func (q *Queries) GetTeamMembers(ctx context.Context, teamID string) ([]GetTeamM
 		var i GetTeamMembersRow
 		if err := rows.Scan(
 			&i.ID,
+			&i.Name,
 			&i.Email,
 			&i.Role,
 			&i.JoinedAt,
diff --git a/internal/db/users.sql.go b/internal/db/users.sql.go
index 82c7c4b..50ba287 100644
--- a/internal/db/users.sql.go
+++ b/internal/db/users.sql.go
@@ -55,7 +55,7 @@ func (q *Queries) GetAdminPermissions(ctx context.Context, userID string) ([]Adm
 }
 
 const getAdminUsers = `-- name: GetAdminUsers :many
-SELECT id, email, password_hash, created_at, updated_at, is_admin FROM users WHERE is_admin = TRUE ORDER BY created_at
+SELECT id, email, password_hash, created_at, updated_at, is_admin, name FROM users WHERE is_admin = TRUE ORDER BY created_at
 `
 
 func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
@@ -74,6 +74,7 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 			&i.CreatedAt,
 			&i.UpdatedAt,
 			&i.IsAdmin,
+			&i.Name,
 		); err != nil {
 			return nil, err
 		}
@@ -86,7 +87,7 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 }
 
 const getUserByEmail = `-- name: GetUserByEmail :one
-SELECT id, email, password_hash, created_at, updated_at, is_admin FROM users WHERE email = $1
+SELECT id, email, password_hash, created_at, updated_at, is_admin, name FROM users WHERE email = $1
 `
 
 func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error) {
@@ -99,12 +100,13 @@ func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.IsAdmin,
+		&i.Name,
 	)
 	return i, err
 }
 
 const getUserByID = `-- name: GetUserByID :one
-SELECT id, email, password_hash, created_at, updated_at, is_admin FROM users WHERE id = $1
+SELECT id, email, password_hash, created_at, updated_at, is_admin, name FROM users WHERE id = $1
 `
 
 func (q *Queries) GetUserByID(ctx context.Context, id string) (User, error) {
@@ -117,6 +119,7 @@ func (q *Queries) GetUserByID(ctx context.Context, id string) (User, error) {
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.IsAdmin,
+		&i.Name,
 	)
 	return i, err
 }
@@ -156,19 +159,25 @@ func (q *Queries) InsertAdminPermission(ctx context.Context, arg InsertAdminPerm
 }
 
 const insertUser = `-- name: InsertUser :one
-INSERT INTO users (id, email, password_hash)
-VALUES ($1, $2, $3)
-RETURNING id, email, password_hash, created_at, updated_at, is_admin
+INSERT INTO users (id, email, password_hash, name)
+VALUES ($1, $2, $3, $4)
+RETURNING id, email, password_hash, created_at, updated_at, is_admin, name
 `
 
 type InsertUserParams struct {
 	ID           string      `json:"id"`
 	Email        string      `json:"email"`
 	PasswordHash pgtype.Text `json:"password_hash"`
+	Name         string      `json:"name"`
 }
 
 func (q *Queries) InsertUser(ctx context.Context, arg InsertUserParams) (User, error) {
-	row := q.db.QueryRow(ctx, insertUser, arg.ID, arg.Email, arg.PasswordHash)
+	row := q.db.QueryRow(ctx, insertUser,
+		arg.ID,
+		arg.Email,
+		arg.PasswordHash,
+		arg.Name,
+	)
 	var i User
 	err := row.Scan(
 		&i.ID,
@@ -177,23 +186,25 @@ func (q *Queries) InsertUser(ctx context.Context, arg InsertUserParams) (User, e
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.IsAdmin,
+		&i.Name,
 	)
 	return i, err
 }
 
 const insertUserOAuth = `-- name: InsertUserOAuth :one
-INSERT INTO users (id, email)
-VALUES ($1, $2)
-RETURNING id, email, password_hash, created_at, updated_at, is_admin
+INSERT INTO users (id, email, name)
+VALUES ($1, $2, $3)
+RETURNING id, email, password_hash, created_at, updated_at, is_admin, name
 `
 
 type InsertUserOAuthParams struct {
 	ID    string `json:"id"`
 	Email string `json:"email"`
+	Name  string `json:"name"`
 }
 
 func (q *Queries) InsertUserOAuth(ctx context.Context, arg InsertUserOAuthParams) (User, error) {
-	row := q.db.QueryRow(ctx, insertUserOAuth, arg.ID, arg.Email)
+	row := q.db.QueryRow(ctx, insertUserOAuth, arg.ID, arg.Email, arg.Name)
 	var i User
 	err := row.Scan(
 		&i.ID,
@@ -202,6 +213,7 @@ func (q *Queries) InsertUserOAuth(ctx context.Context, arg InsertUserOAuthParams
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.IsAdmin,
+		&i.Name,
 	)
 	return i, err
 }
@@ -248,3 +260,17 @@ func (q *Queries) SetUserAdmin(ctx context.Context, arg SetUserAdminParams) erro
 	_, err := q.db.Exec(ctx, setUserAdmin, arg.ID, arg.IsAdmin)
 	return err
 }
+
+const updateUserName = `-- name: UpdateUserName :exec
+UPDATE users SET name = $2, updated_at = NOW() WHERE id = $1
+`
+
+type UpdateUserNameParams struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+}
+
+func (q *Queries) UpdateUserName(ctx context.Context, arg UpdateUserNameParams) error {
+	_, err := q.db.Exec(ctx, updateUserName, arg.ID, arg.Name)
+	return err
+}
diff --git a/internal/service/host.go b/internal/service/host.go
index bae412e..a331a58 100644
--- a/internal/service/host.go
+++ b/internal/service/host.go
@@ -96,9 +96,10 @@ func (s *HostService) Create(ctx context.Context, p HostCreateParams) (HostCreat
 		}
 	}
 
-	// Validate team exists for BYOC hosts.
+	// Validate team exists and is not deleted for BYOC hosts.
 	if p.TeamID != "" {
-		if _, err := s.DB.GetTeam(ctx, p.TeamID); err != nil {
+		team, err := s.DB.GetTeam(ctx, p.TeamID)
+		if err != nil || team.DeletedAt.Valid {
 			return HostCreateResult{}, fmt.Errorf("invalid request: team not found")
 		}
 	}
diff --git a/internal/service/team.go b/internal/service/team.go
index 888e53f..87baadc 100644
--- a/internal/service/team.go
+++ b/internal/service/team.go
@@ -33,9 +33,10 @@ type TeamWithRole struct {
 	Role string `json:"role"`
 }
 
-// MemberInfo is a team member with resolved email.
+// MemberInfo is a team member with resolved user details.
 type MemberInfo struct {
 	UserID   string    `json:"user_id"`
+	Name     string    `json:"name"`
 	Email    string    `json:"email"`
 	Role     string    `json:"role"`
 	JoinedAt time.Time `json:"joined_at"`
@@ -215,6 +216,7 @@ func (s *TeamService) GetMembers(ctx context.Context, teamID string) ([]MemberIn
 		}
 		members[i] = MemberInfo{
 			UserID:   r.ID,
+			Name:     r.Name,
 			Email:    r.Email,
 			Role:     r.Role,
 			JoinedAt: joinedAt,
@@ -262,7 +264,7 @@ func (s *TeamService) AddMember(ctx context.Context, teamID, callerUserID, email
 		return MemberInfo{}, fmt.Errorf("insert member: %w", err)
 	}
 
-	return MemberInfo{UserID: target.ID, Email: target.Email, Role: "member"}, nil
+	return MemberInfo{UserID: target.ID, Name: target.Name, Email: target.Email, Role: "member"}, nil
 }
 
 // RemoveMember removes a user from the team.