Create Global Admins team when admin user is created

- Admin user is now automatically added to Global Admins team as owner
- Ensures every user belongs to at least one team
- Updated unit tests to handle multiple db.add() calls

.env.example

@@ -0,0 +1,7 @@
+# Orchard Local Development Environment
+# Copy this file to .env and customize as needed
+# Note: .env is gitignored and will not be committed
+
+# Admin account password (required for local development)
+# This sets the initial admin password when the database is first created
+ORCHARD_ADMIN_PASSWORD=changeme123

.gitlab-ci.yml

@@ -15,6 +15,7 @@ variables:
   STAGE_RDS_HOST: orchard-stage.cluster-cvw3jzjkozoc.us-gov-west-1.rds.amazonaws.com
   STAGE_RDS_DBNAME: postgres
   STAGE_SECRET_ARN: "arn:aws-us-gov:secretsmanager:us-gov-west-1:052673043337:secret:rds!cluster-a573672b-1a38-4665-a654-1b7df37b5297-IaeFQL"
+  STAGE_AUTH_SECRET_ARN: "arn:aws-us-gov:secretsmanager:us-gov-west-1:052673043337:secret:orchard-stage-creds-SMqvQx"
   STAGE_S3_BUCKET: orchard-artifacts-stage
   AWS_REGION: us-gov-west-1
   # Shared pip cache directory
@@ -117,6 +118,9 @@ release:
     - pip install --index-url "$PIP_INDEX_URL" pytest pytest-asyncio httpx
   script:
     - cd backend
+    # Debug: Print environment variables for test configuration
+    - echo "ORCHARD_TEST_URL=$ORCHARD_TEST_URL"
+    - echo "ORCHARD_TEST_PASSWORD is set to '${ORCHARD_TEST_PASSWORD:-NOT SET}'"
     # Run full integration test suite, excluding:
     # - large/slow tests
     # - requires_direct_s3 tests (can't access MinIO from outside K8s cluster)
@@ -196,24 +200,13 @@ release:
           sys.exit(0)
       PYTEST_SCRIPT
 
-# Integration tests for stage deployment (full suite)
+# Reset stage template - runs from CI runner, uses CI variable for auth
-integration_test_stage:
-  <<: *integration_test_template
-  needs: [deploy_stage]
-  variables:
-    ORCHARD_TEST_URL: $STAGE_URL
-  rules:
-    - if: '$CI_COMMIT_BRANCH == "main"'
-      when: on_success
-
-# Reset stage environment after integration tests (clean slate for next run)
 # Calls the /api/v1/admin/factory-reset endpoint which handles DB and S3 cleanup
-reset_stage:
+.reset_stage_template: &reset_stage_template
   stage: deploy
-  needs: [integration_test_stage]
   image: deps.global.bsf.tools/docker/python:3.12-slim
   timeout: 5m
-  retry: 1  # Retry once on transient failures
+  retry: 1
   before_script:
     - pip install --index-url "$PIP_INDEX_URL" httpx
   script:
@@ -226,19 +219,22 @@ reset_stage:
 
       BASE_URL = os.environ.get("STAGE_URL", "")
       ADMIN_USER = "admin"
-      ADMIN_PASS = "changeme123"  # Default admin password
+      ADMIN_PASS = os.environ.get("STAGE_ADMIN_PASSWORD", "")
       MAX_RETRIES = 3
-      RETRY_DELAY = 5  # seconds
+      RETRY_DELAY = 5
 
       if not BASE_URL:
-          print("ERROR: STAGE_URL environment variable not set")
+          print("ERROR: STAGE_URL not set")
+          sys.exit(1)
+
+      if not ADMIN_PASS:
+          print("ERROR: STAGE_ADMIN_PASSWORD not set")
           sys.exit(1)
 
       print(f"=== Resetting stage environment at {BASE_URL} ===")
 
       def do_reset():
           with httpx.Client(base_url=BASE_URL, timeout=120.0) as client:
-              # Login as admin
               print("Logging in as admin...")
               login_response = client.post(
                   "/api/v1/auth/login",
@@ -248,7 +244,6 @@ reset_stage:
                   raise Exception(f"Login failed: {login_response.status_code} - {login_response.text}")
               print("Login successful")
 
-              # Call factory reset endpoint
               print("Calling factory reset endpoint...")
               reset_response = client.post(
                   "/api/v1/admin/factory-reset",
@@ -266,7 +261,6 @@ reset_stage:
               else:
                   raise Exception(f"Factory reset failed: {reset_response.status_code} - {reset_response.text}")
 
-      # Retry loop
       for attempt in range(1, MAX_RETRIES + 1):
           try:
               print(f"Attempt {attempt}/{MAX_RETRIES}")
@@ -284,14 +278,38 @@ reset_stage:
   rules:
     - if: '$CI_COMMIT_BRANCH == "main"'
       when: on_success
+
+# Reset stage BEFORE integration tests (ensure known state)
+reset_stage_pre:
+  <<: *reset_stage_template
+  needs: [deploy_stage]
+
+# Integration tests for stage deployment
+# Uses CI variable STAGE_ADMIN_PASSWORD (set in GitLab CI/CD settings)
+integration_test_stage:
+  <<: *integration_test_template
+  needs: [reset_stage_pre]
+  variables:
+    ORCHARD_TEST_URL: $STAGE_URL
+    ORCHARD_TEST_PASSWORD: $STAGE_ADMIN_PASSWORD
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "main"'
+      when: on_success
+
+# Reset stage AFTER integration tests (clean slate for next run)
+reset_stage:
+  <<: *reset_stage_template
+  needs: [integration_test_stage]
   allow_failure: true  # Don't fail pipeline if reset has issues
 
 # Integration tests for feature deployment (full suite)
+# Uses DEV_ADMIN_PASSWORD CI variable (same as deploy_feature)
 integration_test_feature:
   <<: *integration_test_template
   needs: [deploy_feature]
   variables:
     ORCHARD_TEST_URL: https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools
+    ORCHARD_TEST_PASSWORD: $DEV_ADMIN_PASSWORD
   rules:
     - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
       when: on_success
@@ -412,6 +430,7 @@ deploy_stage:
         --namespace $NAMESPACE \
         -f $VALUES_FILE \
         --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
+        --set orchard.auth.adminPassword=$STAGE_ADMIN_PASSWORD \
         --wait \
         --atomic \
         --timeout 10m
@@ -443,6 +462,7 @@ deploy_feature:
         --namespace $NAMESPACE \
         -f $VALUES_FILE \
         --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
+        --set orchard.auth.adminPassword=$DEV_ADMIN_PASSWORD \
         --set ingress.hosts[0].host=orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
         --set ingress.tls[0].hosts[0]=orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
         --set ingress.tls[0].secretName=orchard-$CI_COMMIT_REF_SLUG-tls \

CHANGELOG.md

@@ -6,13 +6,120 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Added team-based multi-tenancy for organizing projects and collaboration (#88-#104)
+  - Teams serve as organizational containers for projects
+  - Users can belong to multiple teams with different roles (owner, admin, member)
+  - Projects can optionally belong to a team
+- Added database schema for teams (#88):
+  - `teams` table with id, name, slug, description, settings, timestamps
+  - `team_memberships` table mapping users to teams with roles
+  - `team_id` column on projects table for team association
+  - Migrations `009_teams.sql` and `009b_migrate_projects.sql`
+- Added Team and TeamMembership ORM models with relationships (#89)
+- Added TeamAuthorizationService for team-level access control (#90):
+  - Team owner/admin gets admin access to all team projects
+  - Team member gets read access to team projects (upgradeable by explicit permission)
+  - Role hierarchy: owner > admin > member
+- Added Team API endpoints (#92, #93, #94, #95):
+  - `GET /api/v1/teams` - List teams user belongs to (paginated)
+  - `POST /api/v1/teams` - Create team (creator becomes owner)
+  - `GET /api/v1/teams/{slug}` - Get team details
+  - `PUT /api/v1/teams/{slug}` - Update team (requires admin)
+  - `DELETE /api/v1/teams/{slug}` - Delete team (requires owner)
+  - `GET /api/v1/teams/{slug}/members` - List team members
+  - `POST /api/v1/teams/{slug}/members` - Add member (requires admin)
+  - `PUT /api/v1/teams/{slug}/members/{username}` - Update member role
+  - `DELETE /api/v1/teams/{slug}/members/{username}` - Remove member
+  - `GET /api/v1/teams/{slug}/projects` - List team projects (paginated)
+- Updated project creation to support optional team assignment (#95)
+- Updated project responses to include team info (team_id, team_slug, team_name)
+- Added frontend team management (#97-#104):
+  - TeamContext provider for managing current team selection
+  - TeamSelector dropdown component (persists selection in localStorage)
+  - Teams list page at `/teams`
+  - Team dashboard page at `/teams/{slug}` with inline project creation
+  - Team settings page at `/teams/{slug}/settings`
+  - Team members page at `/teams/{slug}/members`
+  - Teams navigation link in header (authenticated users only)
+- Updated seed data to create a "Demo Team" and assign all seed projects to it
+- Added TypeScript types and API client functions for teams
+- Access management now shows team-based permissions alongside explicit permissions
+  - Team-based access displayed as read-only with "Source" column indicating origin
+  - Team members with access show team slug and role
+- Added integration tests for team CRUD, membership, and project operations
+- Redesigned teams portal with modern card-based layout
+  - Card grid view with team avatar, name, slug, role badge, and stats
+  - Stats bar showing total teams, owned teams, and total projects
+  - Search functionality for filtering teams (appears when >3 teams)
+  - Empty states for no teams and no search results
+- Added user autocomplete component for team member invitations
+  - `GET /api/v1/users/search` endpoint for username prefix search
+  - Dropdown shows matching users as you type
+  - Keyboard navigation support (arrow keys, enter, escape)
+  - Debounced search to reduce API calls
+- Added unit tests for TeamAuthorizationService
+- Added `ORCHARD_ADMIN_PASSWORD` environment variable to configure initial admin password (#87)
+  - When set, admin user is created with the specified password (no password change required)
+  - When not set, defaults to `changeme123` and requires password change on first login
+- Added Helm chart support for admin password via multiple sources (#87):
+  - `orchard.auth.adminPassword` - plain value (creates K8s secret)
+  - `orchard.auth.existingSecret` - reference existing K8s secret
+  - `orchard.auth.secretsManager` - AWS Secrets Manager integration
+- Added `.env.example` template for local development (#87)
+- Added `.env` file support in docker-compose.local.yml (#87)
+- Added Project Settings page accessible to project admins (#65)
+  - General settings section for editing description and visibility
+  - Access Management section (moved from project page)
+  - Danger Zone section with inline delete confirmation requiring project name
+  - Settings button (gear icon) on project page header for admins
+- Added artifact dependency management system (#76, #77, #78, #79, #80, #81)
+  - `artifact_dependencies` table with version/tag constraints and check constraints
+  - `ArtifactDependency` SQLAlchemy model with indexes for fast lookups
+  - Ensure file parsing (`orchard.ensure` YAML format) during artifact upload
+  - Circular dependency detection at upload time (rejected with 400)
+  - Dependency conflict detection at resolution time (409 with conflict details)
+- Added dependency API endpoints (#78, #79):
+  - `GET /api/v1/artifact/{artifact_id}/dependencies` - Get dependencies by artifact ID
+  - `GET /api/v1/project/{project}/{package}/+/{ref}/dependencies` - Get dependencies by ref
+  - `GET /api/v1/project/{project}/{package}/reverse-dependencies` - Get reverse dependencies (paginated)
+  - `GET /api/v1/project/{project}/{package}/+/{ref}/resolve` - Resolve full dependency tree
+- Added dependency resolution with topological sorting (#79)
+  - Returns flat list of all artifacts needed in dependency order
+  - Includes download URLs, sizes, and version info for each artifact
+- Added frontend dependency visualization (#84, #85, #86):
+  - Dependencies section on package page showing direct dependencies for selected tag
+  - Tag/version selector to switch between artifacts
+  - "Used By" section showing reverse dependencies with pagination
+  - Interactive dependency graph modal with:
+    - Tree visualization with collapsible nodes
+    - Zoom (mouse wheel + buttons) and pan (click-drag)
+    - Click to navigate to package
+    - Hover tooltip with package details
+    - Error display for circular dependencies and conflicts
+- Added migration `008_artifact_dependencies.sql` for dependency schema
+- Added `dependencies.py` module with parsing, validation, and resolution logic
+- Added comprehensive integration tests for all dependency features
+
+### Changed
+- Added pre-test stage reset to ensure known environment state before integration tests (#54)
+- Upload endpoint now accepts optional `ensure` file parameter for declaring dependencies
+- Updated upload API documentation with ensure file format and examples
+- Converted teams list and team projects to use DataTable component for consistent styling
+- Centered team members and team settings page content
+- Added orchard logo icon and dot separator to footer
+
+### Fixed
+- Fixed dark theme styling for team pages - modals, forms, and dropdowns now use correct theme variables
+- Fixed UserAutocomplete and TeamSelector dropdown backgrounds for dark theme
 
 ## [0.5.1] - 2026-01-23
+### Changed
+- Simplified tag pipeline to only run deploy and smoke tests (image already built on main) (#54)
 
 ### Fixed
 - Fixed production CI deployment namespace to use correct `orch-namespace` (#54)
 - Added gitleaks config to allowlist test files from secret scanning (#54)
-- Simplified tag pipeline to only run deploy and smoke tests (image already built on main) (#54)
 
 ## [0.5.0] - 2026-01-23
 ### Added

backend/app/auth.py

@@ -11,7 +11,7 @@ from typing import Optional
 from passlib.context import CryptContext
 from sqlalchemy.orm import Session
 
-from .models import User, Session as UserSession, APIKey
+from .models import User, Session as UserSession, APIKey, Team, TeamMembership
 from .config import get_settings
 
 logger = logging.getLogger(__name__)
@@ -360,21 +360,59 @@ def create_default_admin(db: Session) -> Optional[User]:
     """Create the default admin user if no users exist.
 
     Returns the created user, or None if users already exist.
+
+    The admin password can be set via ORCHARD_ADMIN_PASSWORD environment variable.
+    If not set, defaults to 'changeme123' and requires password change on first login.
+
+    Also creates the "Global Admins" team and adds the admin user to it.
     """
     # Check if any users exist
     user_count = db.query(User).count()
     if user_count > 0:
         return None
 
+    settings = get_settings()
+
+    # Use configured password or default
+    password = settings.admin_password if settings.admin_password else "changeme123"
+    # Only require password change if using the default password
+    must_change = not settings.admin_password
+
     # Create default admin
     auth_service = AuthService(db)
     admin = auth_service.create_user(
         username="admin",
-        password="changeme123",
+        password=password,
         is_admin=True,
-        must_change_password=True,
+        must_change_password=must_change,
     )
 
+    # Create Global Admins team and add admin to it
+    global_admins_team = Team(
+        name="Global Admins",
+        slug="global-admins",
+        description="System administrators with full access",
+        created_by="admin",
+    )
+    db.add(global_admins_team)
+    db.flush()
+
+    membership = TeamMembership(
+        team_id=global_admins_team.id,
+        user_id=admin.id,
+        role="owner",
+        invited_by="admin",
+    )
+    db.add(membership)
+    db.commit()
+
+    logger.info("Created Global Admins team and added admin as owner")
+
+    if settings.admin_password:
+        logger.info("Created default admin user with configured password")
+    else:
+        logger.info("Created default admin user with default password (changeme123)")
+
     return admin
 
 
@@ -648,9 +686,11 @@ class AuthorizationService:
         Checks in order:
         1. System admin - gets admin access to all projects
         2. Project owner (created_by) - gets admin access
-        3. Explicit permission in access_permissions table
+        3. Team-based access (owner/admin gets admin, member gets read)
+        4. Explicit permission in access_permissions table
+        5. Public access
         """
-        from .models import Project, AccessPermission
+        from .models import Project, AccessPermission, TeamMembership
 
         # Get the project
         project = self.db.query(Project).filter(Project.id == project_id).first()
@@ -669,6 +709,23 @@ class AuthorizationService:
         if project.created_by == user.username:
             return "admin"
 
+        # Check team-based access if project belongs to a team
+        if project.team_id:
+            membership = (
+                self.db.query(TeamMembership)
+                .filter(
+                    TeamMembership.team_id == project.team_id,
+                    TeamMembership.user_id == user.id,
+                )
+                .first()
+            )
+            if membership:
+                # Team owner/admin gets admin on all team projects
+                if membership.role in ("owner", "admin"):
+                    return "admin"
+                # Team member gets read access (upgradeable by explicit permission)
+                # Continue checking explicit permissions for potential upgrade
+
         # Check explicit permissions
         permission = (
             self.db.query(AccessPermission)
@@ -682,9 +739,23 @@ class AuthorizationService:
         if permission:
             # Check expiration
             if permission.expires_at and permission.expires_at < datetime.now(timezone.utc):
-                return "read" if project.is_public else None
+                pass  # Permission expired, fall through
+            else:
                 return permission.level
 
+        # Team member gets read access if no explicit permission
+        if project.team_id:
+            membership = (
+                self.db.query(TeamMembership)
+                .filter(
+                    TeamMembership.team_id == project.team_id,
+                    TeamMembership.user_id == user.id,
+                )
+                .first()
+            )
+            if membership:
+                return "read"
+
         # Fall back to public access
         return "read" if project.is_public else None
 
@@ -869,6 +940,226 @@ def check_project_access(
     return project
 
 
+# --- Team Authorization ---
+
+# Team roles in order of increasing privilege
+TEAM_ROLES = ["member", "admin", "owner"]
+
+
+def get_team_role_rank(role: str) -> int:
+    """Get numeric rank for team role comparison."""
+    try:
+        return TEAM_ROLES.index(role)
+    except ValueError:
+        return -1
+
+
+def has_sufficient_team_role(user_role: str, required_role: str) -> bool:
+    """Check if user_role is sufficient for required_role.
+
+    Role hierarchy: owner > admin > member
+    """
+    return get_team_role_rank(user_role) >= get_team_role_rank(required_role)
+
+
+class TeamAuthorizationService:
+    """Service for checking team-level authorization."""
+
+    def __init__(self, db: Session):
+        self.db = db
+
+    def get_user_team_role(
+        self, team_id: str, user: Optional[User]
+    ) -> Optional[str]:
+        """Get the user's role in a team.
+
+        Returns the role ('owner', 'admin', 'member') or None if not a member.
+        System admins who are not team members are treated as team admins.
+        """
+        from .models import Team, TeamMembership
+
+        if not user:
+            return None
+
+        # Check actual membership first
+        membership = (
+            self.db.query(TeamMembership)
+            .filter(
+                TeamMembership.team_id == team_id,
+                TeamMembership.user_id == user.id,
+            )
+            .first()
+        )
+
+        if membership:
+            return membership.role
+
+        # System admins who are not members get admin access
+        if user.is_admin:
+            return "admin"
+
+        return None
+
+    def check_team_access(
+        self,
+        team_id: str,
+        user: Optional[User],
+        required_role: str = "member",
+    ) -> bool:
+        """Check if user has required role in team.
+
+        Args:
+            team_id: Team ID to check
+            user: User to check (None means no access)
+            required_role: Minimum required role ('member', 'admin', 'owner')
+
+        Returns:
+            True if user has sufficient role, False otherwise
+        """
+        user_role = self.get_user_team_role(team_id, user)
+        if not user_role:
+            return False
+        return has_sufficient_team_role(user_role, required_role)
+
+    def can_create_project(self, team_id: str, user: Optional[User]) -> bool:
+        """Check if user can create projects in team (requires admin+)."""
+        return self.check_team_access(team_id, user, "admin")
+
+    def can_manage_members(self, team_id: str, user: Optional[User]) -> bool:
+        """Check if user can manage team members (requires admin+)."""
+        return self.check_team_access(team_id, user, "admin")
+
+    def can_delete_team(self, team_id: str, user: Optional[User]) -> bool:
+        """Check if user can delete the team (requires owner)."""
+        return self.check_team_access(team_id, user, "owner")
+
+    def get_team_by_slug(self, slug: str) -> Optional["Team"]:
+        """Get a team by its slug."""
+        from .models import Team
+
+        return self.db.query(Team).filter(Team.slug == slug).first()
+
+    def get_user_teams(self, user: User) -> list:
+        """Get all teams a user is a member of."""
+        from .models import Team, TeamMembership
+
+        return (
+            self.db.query(Team)
+            .join(TeamMembership)
+            .filter(TeamMembership.user_id == user.id)
+            .order_by(Team.name)
+            .all()
+        )
+
+
+def get_team_authorization_service(db: Session = Depends(get_db)) -> TeamAuthorizationService:
+    """Get a TeamAuthorizationService instance."""
+    return TeamAuthorizationService(db)
+
+
+class TeamAccessChecker:
+    """Dependency for checking team access in route handlers."""
+
+    def __init__(self, required_role: str = "member"):
+        self.required_role = required_role
+
+    def __call__(
+        self,
+        slug: str,
+        db: Session = Depends(get_db),
+        current_user: Optional[User] = Depends(get_current_user_optional),
+    ) -> User:
+        """Check if user has required role in team.
+
+        Raises 404 if team not found, 401 if not authenticated, 403 if insufficient role.
+        Returns the current user.
+        """
+        from .models import Team
+
+        # Find team by slug
+        team = db.query(Team).filter(Team.slug == slug).first()
+        if not team:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"Team '{slug}' not found",
+            )
+
+        if not current_user:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Authentication required",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+        auth_service = TeamAuthorizationService(db)
+
+        if not auth_service.check_team_access(str(team.id), current_user, self.required_role):
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f"Insufficient team permissions. Required role: {self.required_role}",
+            )
+
+        return current_user
+
+
+# Pre-configured team access checkers
+require_team_member = TeamAccessChecker("member")
+require_team_admin = TeamAccessChecker("admin")
+require_team_owner = TeamAccessChecker("owner")
+
+
+def check_team_access(
+    db: Session,
+    team_slug: str,
+    user: Optional[User],
+    required_role: str = "member",
+) -> "Team":
+    """Check if user has required role in team.
+
+    This is a helper function for use in route handlers.
+
+    Args:
+        db: Database session
+        team_slug: Slug of the team
+        user: Current user (can be None for no access)
+        required_role: Required team role (member, admin, owner)
+
+    Returns:
+        The Team object if access is granted
+
+    Raises:
+        HTTPException 404: Team not found
+        HTTPException 401: Authentication required
+        HTTPException 403: Insufficient permissions
+    """
+    from .models import Team
+
+    # Find team by slug
+    team = db.query(Team).filter(Team.slug == team_slug).first()
+    if not team:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Team '{team_slug}' not found",
+        )
+
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authentication required",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    auth_service = TeamAuthorizationService(db)
+
+    if not auth_service.check_team_access(str(team.id), user, required_role):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"Insufficient team permissions. Required role: {required_role}",
+        )
+
+    return team
+
+
 # --- OIDC Configuration Service ---
 
 

backend/app/config.py

@@ -53,6 +53,9 @@ class Settings(BaseSettings):
     log_level: str = "INFO"  # DEBUG, INFO, WARNING, ERROR, CRITICAL
     log_format: str = "auto"  # "json", "standard", or "auto" (json in production)
 
+    # Initial admin user settings
+    admin_password: str = ""  # Initial admin password (if empty, uses 'changeme123')
+
     # JWT Authentication settings (optional, for external identity providers)
     jwt_enabled: bool = False  # Enable JWT token validation
     jwt_secret: str = ""  # Secret key for HS256, or leave empty for RS256 with JWKS

backend/app/dependencies.py

@@ -0,0 +1,723 @@
+"""
+Dependency management module for artifact dependencies.
+
+Handles:
+- Parsing orchard.ensure files
+- Storing dependencies in the database
+- Querying dependencies and reverse dependencies
+- Dependency resolution with topological sorting
+- Circular dependency detection
+- Conflict detection
+"""
+
+import yaml
+from typing import List, Dict, Any, Optional, Set, Tuple
+from sqlalchemy.orm import Session
+from sqlalchemy import and_
+
+from .models import (
+    Project,
+    Package,
+    Artifact,
+    Tag,
+    ArtifactDependency,
+    PackageVersion,
+)
+from .schemas import (
+    EnsureFileContent,
+    EnsureFileDependency,
+    DependencyResponse,
+    ArtifactDependenciesResponse,
+    DependentInfo,
+    ReverseDependenciesResponse,
+    ResolvedArtifact,
+    DependencyResolutionResponse,
+    DependencyConflict,
+    PaginationMeta,
+)
+
+
+class DependencyError(Exception):
+    """Base exception for dependency errors."""
+    pass
+
+
+class CircularDependencyError(DependencyError):
+    """Raised when a circular dependency is detected."""
+    def __init__(self, cycle: List[str]):
+        self.cycle = cycle
+        super().__init__(f"Circular dependency detected: {' -> '.join(cycle)}")
+
+
+class DependencyConflictError(DependencyError):
+    """Raised when conflicting dependency versions are detected."""
+    def __init__(self, conflicts: List[DependencyConflict]):
+        self.conflicts = conflicts
+        super().__init__(f"Dependency conflicts detected: {len(conflicts)} conflict(s)")
+
+
+class DependencyNotFoundError(DependencyError):
+    """Raised when a dependency cannot be resolved."""
+    def __init__(self, project: str, package: str, constraint: str):
+        self.project = project
+        self.package = package
+        self.constraint = constraint
+        super().__init__(f"Dependency not found: {project}/{package}@{constraint}")
+
+
+class InvalidEnsureFileError(DependencyError):
+    """Raised when the ensure file is invalid."""
+    pass
+
+
+class DependencyDepthExceededError(DependencyError):
+    """Raised when dependency resolution exceeds max depth."""
+    def __init__(self, max_depth: int):
+        self.max_depth = max_depth
+        super().__init__(f"Dependency resolution exceeded maximum depth of {max_depth}")
+
+
+# Safety limits to prevent DoS attacks
+MAX_DEPENDENCY_DEPTH = 50  # Maximum levels of nested dependencies
+MAX_DEPENDENCIES_PER_ARTIFACT = 200  # Maximum direct dependencies per artifact
+
+
+def parse_ensure_file(content: bytes) -> EnsureFileContent:
+    """
+    Parse an orchard.ensure file.
+
+    Args:
+        content: Raw bytes of the ensure file
+
+    Returns:
+        Parsed EnsureFileContent
+
+    Raises:
+        InvalidEnsureFileError: If the file is invalid YAML or has wrong structure
+    """
+    try:
+        data = yaml.safe_load(content.decode('utf-8'))
+    except yaml.YAMLError as e:
+        raise InvalidEnsureFileError(f"Invalid YAML: {e}")
+    except UnicodeDecodeError as e:
+        raise InvalidEnsureFileError(f"Invalid encoding: {e}")
+
+    if data is None:
+        return EnsureFileContent(dependencies=[])
+
+    if not isinstance(data, dict):
+        raise InvalidEnsureFileError("Ensure file must be a YAML dictionary")
+
+    dependencies = []
+    deps_data = data.get('dependencies', [])
+
+    if not isinstance(deps_data, list):
+        raise InvalidEnsureFileError("'dependencies' must be a list")
+
+    # Safety limit: prevent DoS through excessive dependencies
+    if len(deps_data) > MAX_DEPENDENCIES_PER_ARTIFACT:
+        raise InvalidEnsureFileError(
+            f"Too many dependencies: {len(deps_data)} exceeds maximum of {MAX_DEPENDENCIES_PER_ARTIFACT}"
+        )
+
+    for i, dep in enumerate(deps_data):
+        if not isinstance(dep, dict):
+            raise InvalidEnsureFileError(f"Dependency {i} must be a dictionary")
+
+        project = dep.get('project')
+        package = dep.get('package')
+        version = dep.get('version')
+        tag = dep.get('tag')
+
+        if not project:
+            raise InvalidEnsureFileError(f"Dependency {i} missing 'project'")
+        if not package:
+            raise InvalidEnsureFileError(f"Dependency {i} missing 'package'")
+        if not version and not tag:
+            raise InvalidEnsureFileError(
+                f"Dependency {i} must have either 'version' or 'tag'"
+            )
+        if version and tag:
+            raise InvalidEnsureFileError(
+                f"Dependency {i} cannot have both 'version' and 'tag'"
+            )
+
+        dependencies.append(EnsureFileDependency(
+            project=project,
+            package=package,
+            version=version,
+            tag=tag,
+        ))
+
+    return EnsureFileContent(dependencies=dependencies)
+
+
+def validate_dependencies(
+    db: Session,
+    dependencies: List[EnsureFileDependency],
+) -> List[str]:
+    """
+    Validate that all dependency projects exist.
+
+    Args:
+        db: Database session
+        dependencies: List of dependencies to validate
+
+    Returns:
+        List of error messages (empty if all valid)
+    """
+    errors = []
+
+    for dep in dependencies:
+        project = db.query(Project).filter(Project.name == dep.project).first()
+        if not project:
+            errors.append(f"Project '{dep.project}' not found")
+
+    return errors
+
+
+def store_dependencies(
+    db: Session,
+    artifact_id: str,
+    dependencies: List[EnsureFileDependency],
+) -> List[ArtifactDependency]:
+    """
+    Store dependencies for an artifact.
+
+    Args:
+        db: Database session
+        artifact_id: The artifact ID that has these dependencies
+        dependencies: List of dependencies to store
+
+    Returns:
+        List of created ArtifactDependency objects
+    """
+    created = []
+
+    for dep in dependencies:
+        artifact_dep = ArtifactDependency(
+            artifact_id=artifact_id,
+            dependency_project=dep.project,
+            dependency_package=dep.package,
+            version_constraint=dep.version,
+            tag_constraint=dep.tag,
+        )
+        db.add(artifact_dep)
+        created.append(artifact_dep)
+
+    return created
+
+
+def get_artifact_dependencies(
+    db: Session,
+    artifact_id: str,
+) -> List[DependencyResponse]:
+    """
+    Get all dependencies for an artifact.
+
+    Args:
+        db: Database session
+        artifact_id: The artifact ID
+
+    Returns:
+        List of DependencyResponse objects
+    """
+    deps = db.query(ArtifactDependency).filter(
+        ArtifactDependency.artifact_id == artifact_id
+    ).all()
+
+    return [DependencyResponse.from_orm_model(dep) for dep in deps]
+
+
+def get_reverse_dependencies(
+    db: Session,
+    project_name: str,
+    package_name: str,
+    page: int = 1,
+    limit: int = 50,
+) -> ReverseDependenciesResponse:
+    """
+    Get all artifacts that depend on a given package.
+
+    Args:
+        db: Database session
+        project_name: Target project name
+        package_name: Target package name
+        page: Page number (1-indexed)
+        limit: Results per page
+
+    Returns:
+        ReverseDependenciesResponse with dependents and pagination
+    """
+    # Query dependencies that point to this project/package
+    query = db.query(ArtifactDependency).filter(
+        ArtifactDependency.dependency_project == project_name,
+        ArtifactDependency.dependency_package == package_name,
+    )
+
+    total = query.count()
+    offset = (page - 1) * limit
+    deps = query.offset(offset).limit(limit).all()
+
+    dependents = []
+    for dep in deps:
+        # Get artifact info to find the project/package/version
+        artifact = db.query(Artifact).filter(Artifact.id == dep.artifact_id).first()
+        if not artifact:
+            continue
+
+        # Find which package this artifact belongs to via tags or versions
+        tag = db.query(Tag).filter(Tag.artifact_id == dep.artifact_id).first()
+        if tag:
+            pkg = db.query(Package).filter(Package.id == tag.package_id).first()
+            if pkg:
+                proj = db.query(Project).filter(Project.id == pkg.project_id).first()
+                if proj:
+                    # Get version if available
+                    version_record = db.query(PackageVersion).filter(
+                        PackageVersion.artifact_id == dep.artifact_id,
+                        PackageVersion.package_id == pkg.id,
+                    ).first()
+
+                    dependents.append(DependentInfo(
+                        artifact_id=dep.artifact_id,
+                        project=proj.name,
+                        package=pkg.name,
+                        version=version_record.version if version_record else None,
+                        constraint_type="version" if dep.version_constraint else "tag",
+                        constraint_value=dep.version_constraint or dep.tag_constraint,
+                    ))
+
+    total_pages = (total + limit - 1) // limit
+
+    return ReverseDependenciesResponse(
+        project=project_name,
+        package=package_name,
+        dependents=dependents,
+        pagination=PaginationMeta(
+            page=page,
+            limit=limit,
+            total=total,
+            total_pages=total_pages,
+            has_more=page < total_pages,
+        ),
+    )
+
+
+def _resolve_dependency_to_artifact(
+    db: Session,
+    project_name: str,
+    package_name: str,
+    version: Optional[str],
+    tag: Optional[str],
+) -> Optional[Tuple[str, str, int]]:
+    """
+    Resolve a dependency constraint to an artifact ID.
+
+    Args:
+        db: Database session
+        project_name: Project name
+        package_name: Package name
+        version: Version constraint (exact)
+        tag: Tag constraint
+
+    Returns:
+        Tuple of (artifact_id, resolved_version_or_tag, size) or None if not found
+    """
+    # Get project and package
+    project = db.query(Project).filter(Project.name == project_name).first()
+    if not project:
+        return None
+
+    package = db.query(Package).filter(
+        Package.project_id == project.id,
+        Package.name == package_name,
+    ).first()
+    if not package:
+        return None
+
+    if version:
+        # Look up by version
+        pkg_version = db.query(PackageVersion).filter(
+            PackageVersion.package_id == package.id,
+            PackageVersion.version == version,
+        ).first()
+        if pkg_version:
+            artifact = db.query(Artifact).filter(
+                Artifact.id == pkg_version.artifact_id
+            ).first()
+            if artifact:
+                return (artifact.id, version, artifact.size)
+
+        # Also check if there's a tag with this exact name
+        tag_record = db.query(Tag).filter(
+            Tag.package_id == package.id,
+            Tag.name == version,
+        ).first()
+        if tag_record:
+            artifact = db.query(Artifact).filter(
+                Artifact.id == tag_record.artifact_id
+            ).first()
+            if artifact:
+                return (artifact.id, version, artifact.size)
+
+    if tag:
+        # Look up by tag
+        tag_record = db.query(Tag).filter(
+            Tag.package_id == package.id,
+            Tag.name == tag,
+        ).first()
+        if tag_record:
+            artifact = db.query(Artifact).filter(
+                Artifact.id == tag_record.artifact_id
+            ).first()
+            if artifact:
+                return (artifact.id, tag, artifact.size)
+
+    return None
+
+
+def _detect_package_cycle(
+    db: Session,
+    project_name: str,
+    package_name: str,
+    target_project: str,
+    target_package: str,
+    visiting: Set[str],
+    visited: Set[str],
+    path: List[str],
+) -> Optional[List[str]]:
+    """
+    Detect cycles at the package level using DFS.
+
+    Args:
+        db: Database session
+        project_name: Current project being visited
+        package_name: Current package being visited
+        target_project: The project we're checking for cycles back to
+        target_package: The package we're checking for cycles back to
+        visiting: Set of package keys currently in the recursion stack
+        visited: Set of fully processed package keys
+        path: Current path for cycle reporting
+
+    Returns:
+        Cycle path if detected, None otherwise
+    """
+    pkg_key = f"{project_name}/{package_name}"
+
+    # Check if we've reached the target package (cycle detected)
+    if project_name == target_project and package_name == target_package:
+        return path + [pkg_key]
+
+    if pkg_key in visiting:
+        # Unexpected internal cycle
+        return None
+
+    if pkg_key in visited:
+        return None
+
+    visiting.add(pkg_key)
+    path.append(pkg_key)
+
+    # Get the package and find any artifacts with dependencies
+    project = db.query(Project).filter(Project.name == project_name).first()
+    if project:
+        package = db.query(Package).filter(
+            Package.project_id == project.id,
+            Package.name == package_name,
+        ).first()
+        if package:
+            # Find all artifacts in this package via tags
+            tags = db.query(Tag).filter(Tag.package_id == package.id).all()
+            artifact_ids = {t.artifact_id for t in tags}
+
+            # Get dependencies from all artifacts in this package
+            for artifact_id in artifact_ids:
+                deps = db.query(ArtifactDependency).filter(
+                    ArtifactDependency.artifact_id == artifact_id
+                ).all()
+
+                for dep in deps:
+                    cycle = _detect_package_cycle(
+                        db,
+                        dep.dependency_project,
+                        dep.dependency_package,
+                        target_project,
+                        target_package,
+                        visiting,
+                        visited,
+                        path,
+                    )
+                    if cycle:
+                        return cycle
+
+    path.pop()
+    visiting.remove(pkg_key)
+    visited.add(pkg_key)
+
+    return None
+
+
+def check_circular_dependencies(
+    db: Session,
+    artifact_id: str,
+    new_dependencies: List[EnsureFileDependency],
+    project_name: Optional[str] = None,
+    package_name: Optional[str] = None,
+) -> Optional[List[str]]:
+    """
+    Check if adding the new dependencies would create a circular dependency.
+
+    Args:
+        db: Database session
+        artifact_id: The artifact that will have these dependencies
+        new_dependencies: Dependencies to be added
+        project_name: Project name (optional, will try to look up from tag if not provided)
+        package_name: Package name (optional, will try to look up from tag if not provided)
+
+    Returns:
+        Cycle path if detected, None otherwise
+    """
+    # First, get the package info for this artifact to build path labels
+    if project_name and package_name:
+        current_path = f"{project_name}/{package_name}"
+    else:
+        # Try to look up from tag
+        artifact = db.query(Artifact).filter(Artifact.id == artifact_id).first()
+        if not artifact:
+            return None
+
+        # Find package for this artifact
+        tag = db.query(Tag).filter(Tag.artifact_id == artifact_id).first()
+        if not tag:
+            return None
+
+        package = db.query(Package).filter(Package.id == tag.package_id).first()
+        if not package:
+            return None
+
+        project = db.query(Project).filter(Project.id == package.project_id).first()
+        if not project:
+            return None
+
+        current_path = f"{project.name}/{package.name}"
+
+    # Extract target project and package from current_path
+    if "/" in current_path:
+        target_project, target_package = current_path.split("/", 1)
+    else:
+        return None
+
+    # For each new dependency, check if it would create a cycle back to our package
+    for dep in new_dependencies:
+        # Check if this dependency (transitively) depends on us at the package level
+        visiting: Set[str] = set()
+        visited: Set[str] = set()
+        path: List[str] = [current_path]
+
+        # Check from the dependency's package
+        cycle = _detect_package_cycle(
+            db,
+            dep.project,
+            dep.package,
+            target_project,
+            target_package,
+            visiting,
+            visited,
+            path,
+        )
+        if cycle:
+            return cycle
+
+    return None
+
+
+def resolve_dependencies(
+    db: Session,
+    project_name: str,
+    package_name: str,
+    ref: str,
+    base_url: str,
+) -> DependencyResolutionResponse:
+    """
+    Resolve all dependencies for an artifact recursively.
+
+    Args:
+        db: Database session
+        project_name: Project name
+        package_name: Package name
+        ref: Tag or version reference
+        base_url: Base URL for download URLs
+
+    Returns:
+        DependencyResolutionResponse with all resolved artifacts
+
+    Raises:
+        DependencyNotFoundError: If a dependency cannot be resolved
+        CircularDependencyError: If circular dependencies are detected
+        DependencyConflictError: If conflicting versions are required
+    """
+    # Resolve the initial artifact
+    project = db.query(Project).filter(Project.name == project_name).first()
+    if not project:
+        raise DependencyNotFoundError(project_name, package_name, ref)
+
+    package = db.query(Package).filter(
+        Package.project_id == project.id,
+        Package.name == package_name,
+    ).first()
+    if not package:
+        raise DependencyNotFoundError(project_name, package_name, ref)
+
+    # Try to find artifact by tag or version
+    resolved = _resolve_dependency_to_artifact(
+        db, project_name, package_name, ref, ref
+    )
+    if not resolved:
+        raise DependencyNotFoundError(project_name, package_name, ref)
+
+    root_artifact_id, root_version, root_size = resolved
+
+    # Track resolved artifacts and their versions
+    resolved_artifacts: Dict[str, ResolvedArtifact] = {}
+    # Track version requirements for conflict detection
+    version_requirements: Dict[str, List[Dict[str, Any]]] = {}  # pkg_key -> [(version, required_by)]
+    # Track visiting/visited for cycle detection
+    visiting: Set[str] = set()
+    visited: Set[str] = set()
+    # Resolution order (topological)
+    resolution_order: List[str] = []
+
+    def _resolve_recursive(
+        artifact_id: str,
+        proj_name: str,
+        pkg_name: str,
+        version_or_tag: str,
+        size: int,
+        required_by: Optional[str],
+        depth: int = 0,
+    ):
+        """Recursively resolve dependencies with cycle/conflict detection."""
+        # Safety limit: prevent DoS through deeply nested dependencies
+        if depth > MAX_DEPENDENCY_DEPTH:
+            raise DependencyDepthExceededError(MAX_DEPENDENCY_DEPTH)
+
+        pkg_key = f"{proj_name}/{pkg_name}"
+
+        # Cycle detection (at artifact level)
+        if artifact_id in visiting:
+            # Build cycle path
+            raise CircularDependencyError([pkg_key, pkg_key])
+
+        # Conflict detection - check if we've seen this package before with a different version
+        if pkg_key in version_requirements:
+            existing_versions = {r["version"] for r in version_requirements[pkg_key]}
+            if version_or_tag not in existing_versions:
+                # Conflict detected - same package, different version
+                requirements = version_requirements[pkg_key] + [
+                    {"version": version_or_tag, "required_by": required_by}
+                ]
+                raise DependencyConflictError([
+                    DependencyConflict(
+                        project=proj_name,
+                        package=pkg_name,
+                        requirements=[
+                            {
+                                "version": r["version"],
+                                "required_by": [{"path": r["required_by"]}] if r["required_by"] else []
+                            }
+                            for r in requirements
+                        ],
+                    )
+                ])
+            # Same version already resolved - skip
+            if artifact_id in visited:
+                return
+
+        if artifact_id in visited:
+            return
+
+        visiting.add(artifact_id)
+
+        # Track version requirement
+        if pkg_key not in version_requirements:
+            version_requirements[pkg_key] = []
+        version_requirements[pkg_key].append({
+            "version": version_or_tag,
+            "required_by": required_by,
+        })
+
+        # Get dependencies
+        deps = db.query(ArtifactDependency).filter(
+            ArtifactDependency.artifact_id == artifact_id
+        ).all()
+
+        # Resolve each dependency first (depth-first)
+        for dep in deps:
+            resolved_dep = _resolve_dependency_to_artifact(
+                db,
+                dep.dependency_project,
+                dep.dependency_package,
+                dep.version_constraint,
+                dep.tag_constraint,
+            )
+
+            if not resolved_dep:
+                constraint = dep.version_constraint or dep.tag_constraint
+                raise DependencyNotFoundError(
+                    dep.dependency_project,
+                    dep.dependency_package,
+                    constraint,
+                )
+
+            dep_artifact_id, dep_version, dep_size = resolved_dep
+            _resolve_recursive(
+                dep_artifact_id,
+                dep.dependency_project,
+                dep.dependency_package,
+                dep_version,
+                dep_size,
+                pkg_key,
+                depth + 1,
+            )
+
+        visiting.remove(artifact_id)
+        visited.add(artifact_id)
+
+        # Add to resolution order (dependencies before dependents)
+        resolution_order.append(artifact_id)
+
+        # Store resolved artifact info
+        resolved_artifacts[artifact_id] = ResolvedArtifact(
+            artifact_id=artifact_id,
+            project=proj_name,
+            package=pkg_name,
+            version=version_or_tag,
+            size=size,
+            download_url=f"{base_url}/api/v1/project/{proj_name}/{pkg_name}/+/{version_or_tag}",
+        )
+
+    # Start resolution from root
+    _resolve_recursive(
+        root_artifact_id,
+        project_name,
+        package_name,
+        root_version,
+        root_size,
+        None,
+    )
+
+    # Build response in topological order
+    resolved_list = [resolved_artifacts[aid] for aid in resolution_order]
+    total_size = sum(r.size for r in resolved_list)
+
+    return DependencyResolutionResponse(
+        requested={
+            "project": project_name,
+            "package": package_name,
+            "ref": ref,
+        },
+        resolved=resolved_list,
+        total_size=total_size,
+        artifact_count=len(resolved_list),
+    )

backend/app/models.py

@@ -32,6 +32,7 @@ class Project(Base):
         DateTime(timezone=True), default=datetime.utcnow, onupdate=datetime.utcnow
     )
     created_by = Column(String(255), nullable=False)
+    team_id = Column(UUID(as_uuid=True), ForeignKey("teams.id", ondelete="SET NULL"))
 
     packages = relationship(
         "Package", back_populates="project", cascade="all, delete-orphan"
@@ -39,10 +40,12 @@ class Project(Base):
     permissions = relationship(
         "AccessPermission", back_populates="project", cascade="all, delete-orphan"
     )
+    team = relationship("Team", back_populates="projects")
 
     __table_args__ = (
         Index("idx_projects_name", "name"),
         Index("idx_projects_created_by", "created_by"),
+        Index("idx_projects_team_id", "team_id"),
     )
 
 
@@ -117,6 +120,9 @@ class Artifact(Base):
     tags = relationship("Tag", back_populates="artifact")
     uploads = relationship("Upload", back_populates="artifact")
     versions = relationship("PackageVersion", back_populates="artifact")
+    dependencies = relationship(
+        "ArtifactDependency", back_populates="artifact", cascade="all, delete-orphan"
+    )
 
     @property
     def sha256(self) -> str:
@@ -366,6 +372,9 @@ class User(Base):
     sessions = relationship(
         "Session", back_populates="user", cascade="all, delete-orphan"
     )
+    team_memberships = relationship(
+        "TeamMembership", back_populates="user", cascade="all, delete-orphan"
+    )
 
     __table_args__ = (
         Index("idx_users_username", "username"),
@@ -507,3 +516,124 @@ class PackageHistory(Base):
         Index("idx_package_history_changed_at", "changed_at"),
         Index("idx_package_history_package_changed_at", "package_id", "changed_at"),
     )
+
+
+class ArtifactDependency(Base):
+    """Dependency declared by an artifact on another package.
+
+    Each artifact can declare dependencies on other packages, specifying either
+    an exact version or a tag. This enables recursive dependency resolution.
+    """
+
+    __tablename__ = "artifact_dependencies"
+
+    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
+    artifact_id = Column(
+        String(64),
+        ForeignKey("artifacts.id", ondelete="CASCADE"),
+        nullable=False,
+    )
+    dependency_project = Column(String(255), nullable=False)
+    dependency_package = Column(String(255), nullable=False)
+    version_constraint = Column(String(255), nullable=True)
+    tag_constraint = Column(String(255), nullable=True)
+    created_at = Column(DateTime(timezone=True), default=datetime.utcnow)
+
+    # Relationship to the artifact that declares this dependency
+    artifact = relationship("Artifact", back_populates="dependencies")
+
+    __table_args__ = (
+        # Exactly one of version_constraint or tag_constraint must be set
+        CheckConstraint(
+            "(version_constraint IS NOT NULL AND tag_constraint IS NULL) OR "
+            "(version_constraint IS NULL AND tag_constraint IS NOT NULL)",
+            name="check_constraint_type",
+        ),
+        # Each artifact can only depend on a specific project/package once
+        Index(
+            "idx_artifact_dependencies_artifact_id",
+            "artifact_id",
+        ),
+        Index(
+            "idx_artifact_dependencies_target",
+            "dependency_project",
+            "dependency_package",
+        ),
+        Index(
+            "idx_artifact_dependencies_unique",
+            "artifact_id",
+            "dependency_project",
+            "dependency_package",
+            unique=True,
+        ),
+    )
+
+
+class Team(Base):
+    """Team for organizing projects and users."""
+
+    __tablename__ = "teams"
+
+    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
+    name = Column(String(255), nullable=False)
+    slug = Column(String(255), unique=True, nullable=False)
+    description = Column(Text)
+    created_at = Column(DateTime(timezone=True), default=datetime.utcnow)
+    updated_at = Column(
+        DateTime(timezone=True), default=datetime.utcnow, onupdate=datetime.utcnow
+    )
+    created_by = Column(String(255), nullable=False)
+    settings = Column(JSON, default=dict)
+
+    # Relationships
+    memberships = relationship(
+        "TeamMembership", back_populates="team", cascade="all, delete-orphan"
+    )
+    projects = relationship("Project", back_populates="team")
+
+    __table_args__ = (
+        Index("idx_teams_slug", "slug"),
+        Index("idx_teams_created_by", "created_by"),
+        Index("idx_teams_created_at", "created_at"),
+        CheckConstraint(
+            "slug ~ '^[a-z0-9][a-z0-9-]*[a-z0-9]$' OR slug ~ '^[a-z0-9]$'",
+            name="check_team_slug_format",
+        ),
+    )
+
+
+class TeamMembership(Base):
+    """Maps users to teams with their roles."""
+
+    __tablename__ = "team_memberships"
+
+    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
+    team_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey("teams.id", ondelete="CASCADE"),
+        nullable=False,
+    )
+    user_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="CASCADE"),
+        nullable=False,
+    )
+    role = Column(String(20), nullable=False, default="member")
+    created_at = Column(DateTime(timezone=True), default=datetime.utcnow)
+    invited_by = Column(String(255))
+
+    # Relationships
+    team = relationship("Team", back_populates="memberships")
+    user = relationship("User", back_populates="team_memberships")
+
+    __table_args__ = (
+        Index("idx_team_memberships_team_id", "team_id"),
+        Index("idx_team_memberships_user_id", "user_id"),
+        Index("idx_team_memberships_role", "role"),
+        Index("idx_team_memberships_team_role", "team_id", "role"),
+        Index("idx_team_memberships_unique", "team_id", "user_id", unique=True),
+        CheckConstraint(
+            "role IN ('owner', 'admin', 'member')",
+            name="check_team_role",
+        ),
+    )

backend/app/schemas.py

@@ -25,6 +25,7 @@ class ProjectCreate(BaseModel):
     name: str
     description: Optional[str] = None
     is_public: bool = True
+    team_id: Optional[UUID] = None
 
 
 class ProjectResponse(BaseModel):
@@ -35,6 +36,9 @@ class ProjectResponse(BaseModel):
     created_at: datetime
     updated_at: datetime
     created_by: str
+    team_id: Optional[UUID] = None
+    team_slug: Optional[str] = None
+    team_name: Optional[str] = None
 
     class Config:
         from_attributes = True
@@ -907,6 +911,9 @@ class AccessPermissionResponse(BaseModel):
     level: str
     created_at: datetime
     expires_at: Optional[datetime]
+    source: Optional[str] = "explicit"  # "explicit" or "team"
+    team_slug: Optional[str] = None  # Team slug if source is "team"
+    team_role: Optional[str] = None  # Team role if source is "team"
 
     class Config:
         from_attributes = True
@@ -916,3 +923,276 @@ class ProjectWithAccessResponse(ProjectResponse):
     """Project response with user's access level"""
     user_access_level: Optional[str] = None
 
+
+# Artifact Dependency schemas
+class DependencyCreate(BaseModel):
+    """Schema for creating a dependency"""
+    project: str
+    package: str
+    version: Optional[str] = None
+    tag: Optional[str] = None
+
+    @field_validator('version', 'tag')
+    @classmethod
+    def validate_constraint(cls, v, info):
+        return v
+
+    def model_post_init(self, __context):
+        """Validate that exactly one of version or tag is set"""
+        if self.version is None and self.tag is None:
+            raise ValueError("Either 'version' or 'tag' must be specified")
+        if self.version is not None and self.tag is not None:
+            raise ValueError("Cannot specify both 'version' and 'tag'")
+
+
+class DependencyResponse(BaseModel):
+    """Schema for dependency response"""
+    id: UUID
+    artifact_id: str
+    project: str
+    package: str
+    version: Optional[str] = None
+    tag: Optional[str] = None
+    created_at: datetime
+
+    class Config:
+        from_attributes = True
+
+    @classmethod
+    def from_orm_model(cls, dep) -> "DependencyResponse":
+        """Create from ORM model with field mapping"""
+        return cls(
+            id=dep.id,
+            artifact_id=dep.artifact_id,
+            project=dep.dependency_project,
+            package=dep.dependency_package,
+            version=dep.version_constraint,
+            tag=dep.tag_constraint,
+            created_at=dep.created_at,
+        )
+
+
+class ArtifactDependenciesResponse(BaseModel):
+    """Response containing all dependencies for an artifact"""
+    artifact_id: str
+    dependencies: List[DependencyResponse]
+
+
+class DependentInfo(BaseModel):
+    """Information about an artifact that depends on a package"""
+    artifact_id: str
+    project: str
+    package: str
+    version: Optional[str] = None
+    constraint_type: str  # 'version' or 'tag'
+    constraint_value: str
+
+
+class ReverseDependenciesResponse(BaseModel):
+    """Response containing packages that depend on a given package"""
+    project: str
+    package: str
+    dependents: List[DependentInfo]
+    pagination: PaginationMeta
+
+
+class EnsureFileDependency(BaseModel):
+    """Dependency entry from orchard.ensure file"""
+    project: str
+    package: str
+    version: Optional[str] = None
+    tag: Optional[str] = None
+
+    @field_validator('version', 'tag')
+    @classmethod
+    def validate_constraint(cls, v, info):
+        return v
+
+    def model_post_init(self, __context):
+        """Validate that exactly one of version or tag is set"""
+        if self.version is None and self.tag is None:
+            raise ValueError("Either 'version' or 'tag' must be specified")
+        if self.version is not None and self.tag is not None:
+            raise ValueError("Cannot specify both 'version' and 'tag'")
+
+
+class EnsureFileContent(BaseModel):
+    """Parsed content of orchard.ensure file"""
+    dependencies: List[EnsureFileDependency] = []
+
+
+class ResolvedArtifact(BaseModel):
+    """A resolved artifact in the dependency tree"""
+    artifact_id: str
+    project: str
+    package: str
+    version: Optional[str] = None
+    tag: Optional[str] = None
+    size: int
+    download_url: str
+
+
+class DependencyResolutionResponse(BaseModel):
+    """Response from dependency resolution endpoint"""
+    requested: Dict[str, str]  # project, package, ref
+    resolved: List[ResolvedArtifact]
+    total_size: int
+    artifact_count: int
+
+
+class DependencyConflict(BaseModel):
+    """Details about a dependency conflict"""
+    project: str
+    package: str
+    requirements: List[Dict[str, Any]]  # version/tag and required_by info
+
+
+class DependencyConflictError(BaseModel):
+    """Error response for dependency conflicts"""
+    error: str = "dependency_conflict"
+    message: str
+    conflicts: List[DependencyConflict]
+
+
+class CircularDependencyError(BaseModel):
+    """Error response for circular dependencies"""
+    error: str = "circular_dependency"
+    message: str
+    cycle: List[str]  # List of "project/package" strings showing the cycle
+
+
+# Team schemas
+TEAM_ROLES = ["owner", "admin", "member"]
+RESERVED_TEAM_SLUGS = {"new", "api", "admin", "settings", "members", "projects", "search"}
+
+
+class TeamCreate(BaseModel):
+    """Create a new team"""
+    name: str
+    slug: str
+    description: Optional[str] = None
+
+    @field_validator('name')
+    @classmethod
+    def validate_name(cls, v: str) -> str:
+        """Validate team name."""
+        if not v or not v.strip():
+            raise ValueError("Name cannot be empty")
+        if len(v) > 255:
+            raise ValueError("Name must be 255 characters or less")
+        return v.strip()
+
+    @field_validator('slug')
+    @classmethod
+    def validate_slug(cls, v: str) -> str:
+        """Validate team slug format (lowercase alphanumeric with hyphens)."""
+        import re
+        if not v:
+            raise ValueError("Slug cannot be empty")
+        if len(v) < 2:
+            raise ValueError("Slug must be at least 2 characters")
+        if len(v) > 255:
+            raise ValueError("Slug must be 255 characters or less")
+        if not re.match(r'^[a-z0-9][a-z0-9-]*[a-z0-9]$', v) and not re.match(r'^[a-z0-9]$', v):
+            raise ValueError(
+                "Slug must be lowercase alphanumeric with hyphens, "
+                "starting and ending with alphanumeric characters"
+            )
+        if '--' in v:
+            raise ValueError("Slug cannot contain consecutive hyphens")
+        if v in RESERVED_TEAM_SLUGS:
+            raise ValueError(f"Slug '{v}' is reserved and cannot be used")
+        return v
+
+    @field_validator('description')
+    @classmethod
+    def validate_description(cls, v: Optional[str]) -> Optional[str]:
+        """Validate team description."""
+        if v is not None and len(v) > 2000:
+            raise ValueError("Description must be 2000 characters or less")
+        return v
+
+
+class TeamUpdate(BaseModel):
+    """Update team details"""
+    name: Optional[str] = None
+    description: Optional[str] = None
+
+    @field_validator('name')
+    @classmethod
+    def validate_name(cls, v: Optional[str]) -> Optional[str]:
+        """Validate team name."""
+        if v is not None:
+            if not v.strip():
+                raise ValueError("Name cannot be empty")
+            if len(v) > 255:
+                raise ValueError("Name must be 255 characters or less")
+            return v.strip()
+        return v
+
+    @field_validator('description')
+    @classmethod
+    def validate_description(cls, v: Optional[str]) -> Optional[str]:
+        """Validate team description."""
+        if v is not None and len(v) > 2000:
+            raise ValueError("Description must be 2000 characters or less")
+        return v
+
+
+class TeamResponse(BaseModel):
+    """Team response with basic info"""
+    id: UUID
+    name: str
+    slug: str
+    description: Optional[str]
+    created_at: datetime
+    updated_at: datetime
+    member_count: int = 0
+    project_count: int = 0
+
+    class Config:
+        from_attributes = True
+
+
+class TeamDetailResponse(TeamResponse):
+    """Team response with user's role"""
+    user_role: Optional[str] = None  # 'owner', 'admin', 'member', or None
+
+
+class TeamMemberCreate(BaseModel):
+    """Add a member to a team"""
+    username: str
+    role: str = "member"
+
+    @field_validator('role')
+    @classmethod
+    def validate_role(cls, v: str) -> str:
+        if v not in TEAM_ROLES:
+            raise ValueError(f"Role must be one of: {', '.join(TEAM_ROLES)}")
+        return v
+
+
+class TeamMemberUpdate(BaseModel):
+    """Update a team member's role"""
+    role: str
+
+    @field_validator('role')
+    @classmethod
+    def validate_role(cls, v: str) -> str:
+        if v not in TEAM_ROLES:
+            raise ValueError(f"Role must be one of: {', '.join(TEAM_ROLES)}")
+        return v
+
+
+class TeamMemberResponse(BaseModel):
+    """Team member response"""
+    id: UUID
+    user_id: UUID
+    username: str
+    email: Optional[str]
+    role: str
+    created_at: datetime
+
+    class Config:
+        from_attributes = True
+

backend/app/seed.py

@@ -5,8 +5,9 @@ import hashlib
 import logging
 from sqlalchemy.orm import Session
 
-from .models import Project, Package, Artifact, Tag, Upload, PackageVersion
+from .models import Project, Package, Artifact, Tag, Upload, PackageVersion, ArtifactDependency, Team, TeamMembership, User
 from .storage import get_storage
+from .auth import hash_password
 
 logger = logging.getLogger(__name__)
 
@@ -123,6 +124,17 @@ TEST_ARTIFACTS = [
     },
 ]
 
+# Dependencies to create (source artifact -> dependency)
+# Format: (source_project, source_package, source_version, dep_project, dep_package, version_constraint, tag_constraint)
+TEST_DEPENDENCIES = [
+    # ui-components v1.1.0 depends on design-tokens v1.0.0
+    ("frontend-libs", "ui-components", "1.1.0", "frontend-libs", "design-tokens", "1.0.0", None),
+    # auth-lib v1.0.0 depends on common-utils v2.0.0
+    ("backend-services", "auth-lib", "1.0.0", "backend-services", "common-utils", "2.0.0", None),
+    # auth-lib v1.0.0 also depends on design-tokens (stable tag)
+    ("backend-services", "auth-lib", "1.0.0", "frontend-libs", "design-tokens", None, "latest"),
+]
+
 
 def is_database_empty(db: Session) -> bool:
     """Check if the database has any projects."""
@@ -138,6 +150,80 @@ def seed_database(db: Session) -> None:
     logger.info("Seeding database with test data...")
     storage = get_storage()
 
+    # Find or use admin user for team ownership
+    admin_user = db.query(User).filter(User.username == "admin").first()
+    team_owner_username = admin_user.username if admin_user else "seed-user"
+
+    # Create a demo team
+    demo_team = Team(
+        name="Demo Team",
+        slug="demo-team",
+        description="A demonstration team with sample projects",
+        created_by=team_owner_username,
+    )
+    db.add(demo_team)
+    db.flush()
+
+    # Add admin user as team owner if they exist
+    if admin_user:
+        membership = TeamMembership(
+            team_id=demo_team.id,
+            user_id=admin_user.id,
+            role="owner",
+            invited_by=team_owner_username,
+        )
+        db.add(membership)
+        db.flush()
+
+    logger.info(f"Created team: {demo_team.name} ({demo_team.slug})")
+
+    # Create test users with various roles
+    test_users = [
+        {"username": "alice", "email": "alice@example.com", "role": "admin"},
+        {"username": "bob", "email": "bob@example.com", "role": "admin"},
+        {"username": "charlie", "email": "charlie@example.com", "role": "member"},
+        {"username": "diana", "email": "diana@example.com", "role": "member"},
+        {"username": "eve", "email": "eve@example.com", "role": "member"},
+        {"username": "frank", "email": None, "role": "member"},
+    ]
+
+    for user_data in test_users:
+        # Check if user already exists
+        existing_user = db.query(User).filter(User.username == user_data["username"]).first()
+        if existing_user:
+            test_user = existing_user
+        else:
+            # Create the user with password same as username
+            test_user = User(
+                username=user_data["username"],
+                email=user_data["email"],
+                password_hash=hash_password(user_data["username"]),
+                is_admin=False,
+                is_active=True,
+                must_change_password=False,
+            )
+            db.add(test_user)
+            db.flush()
+            logger.info(f"Created test user: {user_data['username']}")
+
+        # Add to demo team with specified role
+        existing_membership = db.query(TeamMembership).filter(
+            TeamMembership.team_id == demo_team.id,
+            TeamMembership.user_id == test_user.id,
+        ).first()
+
+        if not existing_membership:
+            membership = TeamMembership(
+                team_id=demo_team.id,
+                user_id=test_user.id,
+                role=user_data["role"],
+                invited_by=team_owner_username,
+            )
+            db.add(membership)
+            logger.info(f"Added {user_data['username']} to {demo_team.slug} as {user_data['role']}")
+
+    db.flush()
+
     # Create projects and packages
     project_map = {}
     package_map = {}
@@ -147,7 +233,8 @@ def seed_database(db: Session) -> None:
             name=project_data["name"],
             description=project_data["description"],
             is_public=project_data["is_public"],
-            created_by="seed-user",
+            created_by=team_owner_username,
+            team_id=demo_team.id,  # Assign to demo team
         )
         db.add(project)
         db.flush()  # Get the ID
@@ -163,7 +250,7 @@ def seed_database(db: Session) -> None:
             db.flush()
             package_map[(project_data["name"], package_data["name"])] = package
 
-    logger.info(f"Created {len(project_map)} projects and {len(package_map)} packages")
+    logger.info(f"Created {len(project_map)} projects and {len(package_map)} packages (assigned to {demo_team.slug})")
 
     # Create artifacts, tags, and versions
     artifact_count = 0
@@ -201,7 +288,7 @@ def seed_database(db: Session) -> None:
             size=size,
             content_type=artifact_data["content_type"],
             original_name=artifact_data["filename"],
-            created_by="seed-user",
+            created_by=team_owner_username,
             s3_key=s3_key,
             ref_count=ref_count,
         )
@@ -224,7 +311,7 @@ def seed_database(db: Session) -> None:
                 artifact_id=sha256_hash,
                 version=artifact_data["version"],
                 version_source="explicit",
-                created_by="seed-user",
+                created_by=team_owner_username,
             )
             db.add(version)
             version_count += 1
@@ -235,11 +322,45 @@ def seed_database(db: Session) -> None:
                 package_id=package.id,
                 name=tag_name,
                 artifact_id=sha256_hash,
-                created_by="seed-user",
+                created_by=team_owner_username,
             )
             db.add(tag)
             tag_count += 1
 
+    db.flush()
+
+    # Create dependencies
+    dependency_count = 0
+    for dep_data in TEST_DEPENDENCIES:
+        src_project, src_package, src_version, dep_project, dep_package, version_constraint, tag_constraint = dep_data
+
+        # Find the source artifact by looking up its version
+        src_pkg = package_map.get((src_project, src_package))
+        if not src_pkg:
+            logger.warning(f"Source package not found: {src_project}/{src_package}")
+            continue
+
+        # Find the artifact for this version
+        src_version_record = db.query(PackageVersion).filter(
+            PackageVersion.package_id == src_pkg.id,
+            PackageVersion.version == src_version,
+        ).first()
+
+        if not src_version_record:
+            logger.warning(f"Source version not found: {src_project}/{src_package}@{src_version}")
+            continue
+
+        # Create the dependency
+        dependency = ArtifactDependency(
+            artifact_id=src_version_record.artifact_id,
+            dependency_project=dep_project,
+            dependency_package=dep_package,
+            version_constraint=version_constraint,
+            tag_constraint=tag_constraint,
+        )
+        db.add(dependency)
+        dependency_count += 1
+
     db.commit()
-    logger.info(f"Created {artifact_count} artifacts, {tag_count} tags, and {version_count} versions")
+    logger.info(f"Created {artifact_count} artifacts, {tag_count} tags, {version_count} versions, and {dependency_count} dependencies")
     logger.info("Database seeding complete")

backend/tests/conftest.py

@@ -56,6 +56,26 @@ os.environ.setdefault("ORCHARD_S3_BUCKET", "test-bucket")
 os.environ.setdefault("ORCHARD_S3_ACCESS_KEY_ID", "test")
 os.environ.setdefault("ORCHARD_S3_SECRET_ACCESS_KEY", "test")
 
+
+# =============================================================================
+# Admin Credentials Helper
+# =============================================================================
+
+
+def get_admin_password() -> str:
+    """Get the admin password for test authentication.
+
+    Returns the password from ORCHARD_TEST_PASSWORD environment variable,
+    or 'changeme123' as the default for local development.
+    """
+    return os.environ.get("ORCHARD_TEST_PASSWORD", "changeme123")
+
+
+def get_admin_username() -> str:
+    """Get the admin username for test authentication."""
+    return os.environ.get("ORCHARD_TEST_USERNAME", "admin")
+
+
 # Re-export factory functions for backward compatibility
 from tests.factories import (
     create_test_file,

backend/tests/integration/test_auth_api.py

@@ -8,6 +8,8 @@ allow these tests to run. Production uses strict rate limits (5/minute).
 import pytest
 from uuid import uuid4
 
+from tests.conftest import get_admin_password, get_admin_username
+
 
 # Mark all tests in this module as auth_intensive (informational, not excluded from CI)
 pytestmark = pytest.mark.auth_intensive
@@ -21,11 +23,11 @@ class TestAuthLogin:
         """Test successful login with default admin credentials."""
         response = auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         assert response.status_code == 200
         data = response.json()
-        assert data["username"] == "admin"
+        assert data["username"] == get_admin_username()
         assert data["is_admin"] is True
         assert "orchard_session" in response.cookies
 
@@ -34,7 +36,7 @@ class TestAuthLogin:
         """Test login with wrong password."""
         response = auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "wrongpassword"},
+            json={"username": get_admin_username(), "password": "wrongpassword"},
         )
         assert response.status_code == 401
         assert "Invalid username or password" in response.json()["detail"]
@@ -58,7 +60,7 @@ class TestAuthLogout:
         # First login
         login_response = auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         assert login_response.status_code == 200
 
@@ -84,13 +86,13 @@ class TestAuthMe:
         # Login first
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
 
         response = auth_client.get("/api/v1/auth/me")
         assert response.status_code == 200
         data = response.json()
-        assert data["username"] == "admin"
+        assert data["username"] == get_admin_username()
         assert data["is_admin"] is True
         assert "id" in data
         assert "created_at" in data
@@ -119,7 +121,7 @@ class TestAuthChangePassword:
         # Login as admin to create a test user
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         test_username = f"pwchange_{uuid4().hex[:8]}"
         auth_client.post(
@@ -162,7 +164,7 @@ class TestAuthChangePassword:
         # Login as admin to create a test user
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         test_username = f"pwwrong_{uuid4().hex[:8]}"
         auth_client.post(
@@ -194,7 +196,7 @@ class TestAPIKeys:
         # Login first
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
 
         # Create API key
@@ -226,7 +228,7 @@ class TestAPIKeys:
         # Login and create API key
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         create_response = auth_client.post(
             "/api/v1/auth/keys",
@@ -242,12 +244,12 @@ class TestAPIKeys:
             headers={"Authorization": f"Bearer {api_key}"},
         )
         assert response.status_code == 200
-        assert response.json()["username"] == "admin"
+        assert response.json()["username"] == get_admin_username()
 
         # Clean up
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         auth_client.delete(f"/api/v1/auth/keys/{key_id}")
 
@@ -257,7 +259,7 @@ class TestAPIKeys:
         # Login and create API key
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         create_response = auth_client.post(
             "/api/v1/auth/keys",
@@ -288,14 +290,14 @@ class TestAdminUserManagement:
         # Login as admin
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
 
         response = auth_client.get("/api/v1/admin/users")
         assert response.status_code == 200
         users = response.json()
         assert len(users) >= 1
-        assert any(u["username"] == "admin" for u in users)
+        assert any(u["username"] == get_admin_username() for u in users)
 
     @pytest.mark.integration
     def test_create_user(self, auth_client):
@@ -303,7 +305,7 @@ class TestAdminUserManagement:
         # Login as admin
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
 
         # Create new user
@@ -336,7 +338,7 @@ class TestAdminUserManagement:
         # Login as admin
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
 
         # Create a test user
@@ -362,7 +364,7 @@ class TestAdminUserManagement:
         # Login as admin
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
 
         # Create a test user
@@ -393,7 +395,7 @@ class TestAdminUserManagement:
         # Login as admin and create non-admin user
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         test_username = f"nonadmin_{uuid4().hex[:8]}"
         auth_client.post(
@@ -423,7 +425,7 @@ class TestSecurityEdgeCases:
         # Login as admin and create a user
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         test_username = f"inactive_{uuid4().hex[:8]}"
         auth_client.post(
@@ -451,7 +453,7 @@ class TestSecurityEdgeCases:
         """Test that short passwords are rejected when creating users."""
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
 
         response = auth_client.post(
@@ -467,7 +469,7 @@ class TestSecurityEdgeCases:
         # Create test user
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         test_username = f"shortchange_{uuid4().hex[:8]}"
         auth_client.post(
@@ -494,7 +496,7 @@ class TestSecurityEdgeCases:
         """Test that short passwords are rejected when resetting password."""
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
 
         # Create a test user first
@@ -516,7 +518,7 @@ class TestSecurityEdgeCases:
         """Test that duplicate usernames are rejected."""
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
 
         test_username = f"duplicate_{uuid4().hex[:8]}"
@@ -541,7 +543,7 @@ class TestSecurityEdgeCases:
         # Login as admin and create an API key
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         create_response = auth_client.post(
             "/api/v1/auth/keys",
@@ -572,7 +574,7 @@ class TestSecurityEdgeCases:
         auth_client.cookies.clear()
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         auth_client.delete(f"/api/v1/auth/keys/{admin_key_id}")
 
@@ -582,7 +584,7 @@ class TestSecurityEdgeCases:
         # Create a test user
         auth_client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": get_admin_username(), "password": get_admin_password()},
         )
         test_username = f"sessiontest_{uuid4().hex[:8]}"
         auth_client.post(

backend/tests/integration/test_teams_api.py

@@ -0,0 +1,316 @@
+"""
+Integration tests for Teams API endpoints.
+"""
+
+import pytest
+
+
+@pytest.mark.integration
+class TestTeamsCRUD:
+    """Tests for team creation, listing, updating, and deletion."""
+
+    def test_create_team(self, integration_client, unique_test_id):
+        """Test creating a new team."""
+        team_name = f"Test Team {unique_test_id}"
+        team_slug = f"test-team-{unique_test_id}"
+
+        response = integration_client.post(
+            "/api/v1/teams",
+            json={
+                "name": team_name,
+                "slug": team_slug,
+                "description": "A test team",
+            },
+        )
+        assert response.status_code == 201, f"Failed to create team: {response.text}"
+
+        data = response.json()
+        assert data["name"] == team_name
+        assert data["slug"] == team_slug
+        assert data["description"] == "A test team"
+        assert data["user_role"] == "owner"
+        assert data["member_count"] == 1
+        assert data["project_count"] == 0
+
+        # Cleanup
+        integration_client.delete(f"/api/v1/teams/{team_slug}")
+
+    def test_create_team_duplicate_slug(self, integration_client, unique_test_id):
+        """Test that duplicate team slugs are rejected."""
+        team_slug = f"dup-team-{unique_test_id}"
+
+        # Create first team
+        response = integration_client.post(
+            "/api/v1/teams",
+            json={"name": "First Team", "slug": team_slug},
+        )
+        assert response.status_code == 201
+
+        # Try to create second team with same slug
+        response = integration_client.post(
+            "/api/v1/teams",
+            json={"name": "Second Team", "slug": team_slug},
+        )
+        assert response.status_code == 400
+        assert "already exists" in response.json()["detail"].lower()
+
+        # Cleanup
+        integration_client.delete(f"/api/v1/teams/{team_slug}")
+
+    def test_create_team_invalid_slug(self, integration_client):
+        """Test that invalid team slugs are rejected."""
+        invalid_slugs = [
+            "UPPERCASE",
+            "with spaces",
+            "-starts-with-hyphen",
+            "ends-with-hyphen-",
+            "has--double--hyphen",
+        ]
+
+        for invalid_slug in invalid_slugs:
+            response = integration_client.post(
+                "/api/v1/teams",
+                json={"name": "Test", "slug": invalid_slug},
+            )
+            assert response.status_code == 422, f"Slug '{invalid_slug}' should be invalid"
+
+    def test_list_teams(self, integration_client, unique_test_id):
+        """Test listing teams the user belongs to."""
+        # Create a team
+        team_slug = f"list-team-{unique_test_id}"
+        integration_client.post(
+            "/api/v1/teams",
+            json={"name": "List Test Team", "slug": team_slug},
+        )
+
+        # List teams
+        response = integration_client.get("/api/v1/teams")
+        assert response.status_code == 200
+
+        data = response.json()
+        assert "items" in data
+        assert "pagination" in data
+
+        # Find our team
+        team = next((t for t in data["items"] if t["slug"] == team_slug), None)
+        assert team is not None
+        assert team["name"] == "List Test Team"
+
+        # Cleanup
+        integration_client.delete(f"/api/v1/teams/{team_slug}")
+
+    def test_get_team(self, integration_client, unique_test_id):
+        """Test getting team details."""
+        team_slug = f"get-team-{unique_test_id}"
+        integration_client.post(
+            "/api/v1/teams",
+            json={"name": "Get Test Team", "slug": team_slug, "description": "Test"},
+        )
+
+        response = integration_client.get(f"/api/v1/teams/{team_slug}")
+        assert response.status_code == 200
+
+        data = response.json()
+        assert data["slug"] == team_slug
+        assert data["name"] == "Get Test Team"
+        assert data["user_role"] == "owner"
+
+        # Cleanup
+        integration_client.delete(f"/api/v1/teams/{team_slug}")
+
+    def test_get_nonexistent_team(self, integration_client):
+        """Test getting a team that doesn't exist."""
+        response = integration_client.get("/api/v1/teams/nonexistent-team-12345")
+        assert response.status_code == 404
+
+    def test_update_team(self, integration_client, unique_test_id):
+        """Test updating team details."""
+        team_slug = f"update-team-{unique_test_id}"
+        integration_client.post(
+            "/api/v1/teams",
+            json={"name": "Original Name", "slug": team_slug},
+        )
+
+        response = integration_client.put(
+            f"/api/v1/teams/{team_slug}",
+            json={"name": "Updated Name", "description": "New description"},
+        )
+        assert response.status_code == 200
+
+        data = response.json()
+        assert data["name"] == "Updated Name"
+        assert data["description"] == "New description"
+        assert data["slug"] == team_slug  # Slug should not change
+
+        # Cleanup
+        integration_client.delete(f"/api/v1/teams/{team_slug}")
+
+    def test_delete_team(self, integration_client, unique_test_id):
+        """Test deleting a team."""
+        team_slug = f"delete-team-{unique_test_id}"
+        integration_client.post(
+            "/api/v1/teams",
+            json={"name": "Delete Test Team", "slug": team_slug},
+        )
+
+        response = integration_client.delete(f"/api/v1/teams/{team_slug}")
+        assert response.status_code == 204
+
+        # Verify team is gone
+        response = integration_client.get(f"/api/v1/teams/{team_slug}")
+        assert response.status_code == 404
+
+
+@pytest.mark.integration
+class TestTeamMembers:
+    """Tests for team membership management."""
+
+    @pytest.fixture
+    def test_team(self, integration_client, unique_test_id):
+        """Create a test team for member tests."""
+        team_slug = f"member-team-{unique_test_id}"
+        response = integration_client.post(
+            "/api/v1/teams",
+            json={"name": "Member Test Team", "slug": team_slug},
+        )
+        assert response.status_code == 201
+
+        yield team_slug
+
+        # Cleanup
+        try:
+            integration_client.delete(f"/api/v1/teams/{team_slug}")
+        except Exception:
+            pass
+
+    def test_list_members(self, integration_client, test_team):
+        """Test listing team members."""
+        response = integration_client.get(f"/api/v1/teams/{test_team}/members")
+        assert response.status_code == 200
+
+        members = response.json()
+        assert len(members) == 1
+        assert members[0]["role"] == "owner"
+
+    def test_owner_is_first_member(self, integration_client, test_team):
+        """Test that the team creator is automatically the owner."""
+        response = integration_client.get(f"/api/v1/teams/{test_team}/members")
+        members = response.json()
+
+        assert len(members) >= 1
+        owner = next((m for m in members if m["role"] == "owner"), None)
+        assert owner is not None
+
+
+@pytest.mark.integration
+class TestTeamProjects:
+    """Tests for team project management."""
+
+    @pytest.fixture
+    def test_team(self, integration_client, unique_test_id):
+        """Create a test team for project tests."""
+        team_slug = f"proj-team-{unique_test_id}"
+        response = integration_client.post(
+            "/api/v1/teams",
+            json={"name": "Project Test Team", "slug": team_slug},
+        )
+        assert response.status_code == 201
+
+        data = response.json()
+        yield {"slug": team_slug, "id": data["id"]}
+
+        # Cleanup
+        try:
+            integration_client.delete(f"/api/v1/teams/{team_slug}")
+        except Exception:
+            pass
+
+    def test_list_team_projects_empty(self, integration_client, test_team):
+        """Test listing projects in an empty team."""
+        response = integration_client.get(f"/api/v1/teams/{test_team['slug']}/projects")
+        assert response.status_code == 200
+
+        data = response.json()
+        assert data["items"] == []
+        assert data["pagination"]["total"] == 0
+
+    def test_create_project_in_team(self, integration_client, test_team, unique_test_id):
+        """Test creating a project within a team."""
+        project_name = f"team-project-{unique_test_id}"
+
+        response = integration_client.post(
+            "/api/v1/projects",
+            json={
+                "name": project_name,
+                "description": "A team project",
+                "team_id": test_team["id"],
+            },
+        )
+        assert response.status_code == 200, f"Failed to create project: {response.text}"
+
+        data = response.json()
+        assert data["team_id"] == test_team["id"]
+        assert data["team_slug"] == test_team["slug"]
+
+        # Verify project appears in team projects list
+        response = integration_client.get(f"/api/v1/teams/{test_team['slug']}/projects")
+        assert response.status_code == 200
+        projects = response.json()["items"]
+        assert any(p["name"] == project_name for p in projects)
+
+        # Cleanup
+        integration_client.delete(f"/api/v1/projects/{project_name}")
+
+    def test_project_team_info_in_response(self, integration_client, test_team, unique_test_id):
+        """Test that project responses include team info."""
+        project_name = f"team-info-project-{unique_test_id}"
+
+        # Create project in team
+        integration_client.post(
+            "/api/v1/projects",
+            json={"name": project_name, "team_id": test_team["id"]},
+        )
+
+        # Get project and verify team info
+        response = integration_client.get(f"/api/v1/projects/{project_name}")
+        assert response.status_code == 200
+
+        data = response.json()
+        assert data["team_id"] == test_team["id"]
+        assert data["team_slug"] == test_team["slug"]
+        assert data["team_name"] == "Project Test Team"
+
+        # Cleanup
+        integration_client.delete(f"/api/v1/projects/{project_name}")
+
+
+@pytest.mark.integration
+class TestTeamAuthorization:
+    """Tests for team-based authorization."""
+
+    def test_cannot_delete_team_with_projects(self, integration_client, unique_test_id):
+        """Test that teams with projects cannot be deleted."""
+        team_slug = f"nodelete-team-{unique_test_id}"
+        project_name = f"nodelete-project-{unique_test_id}"
+
+        # Create team
+        response = integration_client.post(
+            "/api/v1/teams",
+            json={"name": "No Delete Team", "slug": team_slug},
+        )
+        team_id = response.json()["id"]
+
+        # Create project in team
+        integration_client.post(
+            "/api/v1/projects",
+            json={"name": project_name, "team_id": team_id},
+        )
+
+        # Try to delete team - should fail
+        response = integration_client.delete(f"/api/v1/teams/{team_slug}")
+        assert response.status_code == 400
+        assert "project" in response.json()["detail"].lower()
+
+        # Cleanup - delete project first, then team
+        integration_client.delete(f"/api/v1/projects/{project_name}")
+        integration_client.delete(f"/api/v1/teams/{team_slug}")

backend/tests/unit/test_auth.py

@@ -0,0 +1,103 @@
+"""Unit tests for authentication module."""
+
+import pytest
+from unittest.mock import patch, MagicMock
+
+
+class TestCreateDefaultAdmin:
+    """Tests for the create_default_admin function."""
+
+    def test_create_default_admin_with_env_password(self):
+        """Test that ORCHARD_ADMIN_PASSWORD env var sets admin password."""
+        from app.auth import create_default_admin, verify_password
+        from app.models import User
+
+        # Create mock settings with custom password
+        mock_settings = MagicMock()
+        mock_settings.admin_password = "my-custom-password-123"
+
+        # Mock database session
+        mock_db = MagicMock()
+        mock_db.query.return_value.count.return_value = 0  # No existing users
+
+        # Track all objects that get created
+        created_objects = []
+
+        def capture_object(obj):
+            created_objects.append(obj)
+
+        mock_db.add.side_effect = capture_object
+
+        with patch("app.auth.get_settings", return_value=mock_settings):
+            admin = create_default_admin(mock_db)
+
+        # Verify objects were created (user, team, membership)
+        assert mock_db.add.called
+        assert len(created_objects) >= 1
+
+        # Find the user object
+        created_user = next((obj for obj in created_objects if isinstance(obj, User)), None)
+        assert created_user is not None
+        assert created_user.username == "admin"
+        assert created_user.is_admin is True
+        # Password should NOT require change when set via env var
+        assert created_user.must_change_password is False
+        # Verify password was hashed correctly
+        assert verify_password("my-custom-password-123", created_user.password_hash)
+
+    def test_create_default_admin_with_default_password(self):
+        """Test that default password 'changeme123' is used when env var not set."""
+        from app.auth import create_default_admin, verify_password
+        from app.models import User
+
+        # Create mock settings with empty password (default)
+        mock_settings = MagicMock()
+        mock_settings.admin_password = ""
+
+        # Mock database session
+        mock_db = MagicMock()
+        mock_db.query.return_value.count.return_value = 0  # No existing users
+
+        # Track all objects that get created
+        created_objects = []
+
+        def capture_object(obj):
+            created_objects.append(obj)
+
+        mock_db.add.side_effect = capture_object
+
+        with patch("app.auth.get_settings", return_value=mock_settings):
+            admin = create_default_admin(mock_db)
+
+        # Verify objects were created
+        assert mock_db.add.called
+        assert len(created_objects) >= 1
+
+        # Find the user object
+        created_user = next((obj for obj in created_objects if isinstance(obj, User)), None)
+        assert created_user is not None
+        assert created_user.username == "admin"
+        assert created_user.is_admin is True
+        # Password SHOULD require change when using default
+        assert created_user.must_change_password is True
+        # Verify default password was used
+        assert verify_password("changeme123", created_user.password_hash)
+
+    def test_create_default_admin_skips_when_users_exist(self):
+        """Test that no admin is created when users already exist."""
+        from app.auth import create_default_admin
+
+        # Create mock settings
+        mock_settings = MagicMock()
+        mock_settings.admin_password = "some-password"
+
+        # Mock database session with existing users
+        mock_db = MagicMock()
+        mock_db.query.return_value.count.return_value = 1  # Users exist
+
+        with patch("app.auth.get_settings", return_value=mock_settings):
+            result = create_default_admin(mock_db)
+
+        # Should return None and not create any user
+        assert result is None
+        assert not mock_db.add.called

backend/tests/unit/test_team_auth.py

@@ -0,0 +1,213 @@
+"""
+Unit tests for TeamAuthorizationService.
+"""
+
+import pytest
+from unittest.mock import MagicMock, patch
+import uuid
+
+
+class TestTeamRoleHierarchy:
+    """Tests for team role hierarchy functions."""
+
+    def test_get_team_role_rank(self):
+        """Test role ranking."""
+        from app.auth import get_team_role_rank
+
+        assert get_team_role_rank("member") == 0
+        assert get_team_role_rank("admin") == 1
+        assert get_team_role_rank("owner") == 2
+        assert get_team_role_rank("invalid") == -1
+
+    def test_has_sufficient_team_role(self):
+        """Test role sufficiency checks."""
+        from app.auth import has_sufficient_team_role
+
+        # Same role should be sufficient
+        assert has_sufficient_team_role("member", "member") is True
+        assert has_sufficient_team_role("admin", "admin") is True
+        assert has_sufficient_team_role("owner", "owner") is True
+
+        # Higher role should be sufficient for lower requirements
+        assert has_sufficient_team_role("admin", "member") is True
+        assert has_sufficient_team_role("owner", "member") is True
+        assert has_sufficient_team_role("owner", "admin") is True
+
+        # Lower role should NOT be sufficient for higher requirements
+        assert has_sufficient_team_role("member", "admin") is False
+        assert has_sufficient_team_role("member", "owner") is False
+        assert has_sufficient_team_role("admin", "owner") is False
+
+
+class TestTeamAuthorizationService:
+    """Tests for TeamAuthorizationService class."""
+
+    @pytest.fixture
+    def mock_db(self):
+        """Create a mock database session."""
+        return MagicMock()
+
+    @pytest.fixture
+    def mock_user(self):
+        """Create a mock user."""
+        user = MagicMock()
+        user.id = uuid.uuid4()
+        user.username = "testuser"
+        user.is_admin = False
+        return user
+
+    @pytest.fixture
+    def mock_admin_user(self):
+        """Create a mock admin user."""
+        user = MagicMock()
+        user.id = uuid.uuid4()
+        user.username = "adminuser"
+        user.is_admin = True
+        return user
+
+    def test_get_user_team_role_no_user(self, mock_db):
+        """Test that None is returned for anonymous users."""
+        from app.auth import TeamAuthorizationService
+
+        service = TeamAuthorizationService(mock_db)
+        result = service.get_user_team_role("team-id", None)
+        assert result is None
+
+    def test_get_user_team_role_admin_user(self, mock_db, mock_admin_user):
+        """Test that system admins who are not members get admin role."""
+        from app.auth import TeamAuthorizationService
+
+        # Mock no membership found
+        mock_db.query.return_value.filter.return_value.first.return_value = None
+
+        service = TeamAuthorizationService(mock_db)
+        result = service.get_user_team_role("team-id", mock_admin_user)
+        assert result == "admin"
+
+    def test_get_user_team_role_member(self, mock_db, mock_user):
+        """Test getting role for a team member."""
+        from app.auth import TeamAuthorizationService
+
+        # Mock the membership query
+        mock_membership = MagicMock()
+        mock_membership.role = "member"
+        mock_db.query.return_value.filter.return_value.first.return_value = mock_membership
+
+        service = TeamAuthorizationService(mock_db)
+        result = service.get_user_team_role("team-id", mock_user)
+        assert result == "member"
+
+    def test_get_user_team_role_not_member(self, mock_db, mock_user):
+        """Test getting role for a non-member."""
+        from app.auth import TeamAuthorizationService
+
+        # Mock no membership found
+        mock_db.query.return_value.filter.return_value.first.return_value = None
+
+        service = TeamAuthorizationService(mock_db)
+        result = service.get_user_team_role("team-id", mock_user)
+        assert result is None
+
+    def test_check_team_access_member(self, mock_db, mock_user):
+        """Test access check for member requiring member role."""
+        from app.auth import TeamAuthorizationService
+
+        # Mock the membership query
+        mock_membership = MagicMock()
+        mock_membership.role = "member"
+        mock_db.query.return_value.filter.return_value.first.return_value = mock_membership
+
+        service = TeamAuthorizationService(mock_db)
+
+        # Member should have member access
+        assert service.check_team_access("team-id", mock_user, "member") is True
+        # Member should not have admin access
+        assert service.check_team_access("team-id", mock_user, "admin") is False
+        # Member should not have owner access
+        assert service.check_team_access("team-id", mock_user, "owner") is False
+
+    def test_check_team_access_admin(self, mock_db, mock_user):
+        """Test access check for admin role."""
+        from app.auth import TeamAuthorizationService
+
+        # Mock admin membership
+        mock_membership = MagicMock()
+        mock_membership.role = "admin"
+        mock_db.query.return_value.filter.return_value.first.return_value = mock_membership
+
+        service = TeamAuthorizationService(mock_db)
+
+        assert service.check_team_access("team-id", mock_user, "member") is True
+        assert service.check_team_access("team-id", mock_user, "admin") is True
+        assert service.check_team_access("team-id", mock_user, "owner") is False
+
+    def test_check_team_access_owner(self, mock_db, mock_user):
+        """Test access check for owner role."""
+        from app.auth import TeamAuthorizationService
+
+        # Mock owner membership
+        mock_membership = MagicMock()
+        mock_membership.role = "owner"
+        mock_db.query.return_value.filter.return_value.first.return_value = mock_membership
+
+        service = TeamAuthorizationService(mock_db)
+
+        assert service.check_team_access("team-id", mock_user, "member") is True
+        assert service.check_team_access("team-id", mock_user, "admin") is True
+        assert service.check_team_access("team-id", mock_user, "owner") is True
+
+    def test_can_create_project(self, mock_db, mock_user):
+        """Test can_create_project requires admin role."""
+        from app.auth import TeamAuthorizationService
+
+        service = TeamAuthorizationService(mock_db)
+
+        # Member cannot create projects
+        mock_membership = MagicMock()
+        mock_membership.role = "member"
+        mock_db.query.return_value.filter.return_value.first.return_value = mock_membership
+        assert service.can_create_project("team-id", mock_user) is False
+
+        # Admin can create projects
+        mock_membership.role = "admin"
+        assert service.can_create_project("team-id", mock_user) is True
+
+        # Owner can create projects
+        mock_membership.role = "owner"
+        assert service.can_create_project("team-id", mock_user) is True
+
+    def test_can_manage_members(self, mock_db, mock_user):
+        """Test can_manage_members requires admin role."""
+        from app.auth import TeamAuthorizationService
+
+        service = TeamAuthorizationService(mock_db)
+
+        # Member cannot manage members
+        mock_membership = MagicMock()
+        mock_membership.role = "member"
+        mock_db.query.return_value.filter.return_value.first.return_value = mock_membership
+        assert service.can_manage_members("team-id", mock_user) is False
+
+        # Admin can manage members
+        mock_membership.role = "admin"
+        assert service.can_manage_members("team-id", mock_user) is True
+
+    def test_can_delete_team(self, mock_db, mock_user):
+        """Test can_delete_team requires owner role."""
+        from app.auth import TeamAuthorizationService
+
+        service = TeamAuthorizationService(mock_db)
+
+        # Member cannot delete team
+        mock_membership = MagicMock()
+        mock_membership.role = "member"
+        mock_db.query.return_value.filter.return_value.first.return_value = mock_membership
+        assert service.can_delete_team("team-id", mock_user) is False
+
+        # Admin cannot delete team
+        mock_membership.role = "admin"
+        assert service.can_delete_team("team-id", mock_user) is False
+
+        # Only owner can delete team
+        mock_membership.role = "owner"
+        assert service.can_delete_team("team-id", mock_user) is True

docker-compose.local.yml

@@ -26,6 +26,8 @@ services:
       - ORCHARD_REDIS_PORT=6379
       # Higher rate limit for local development/testing
       - ORCHARD_LOGIN_RATE_LIMIT=1000/minute
+      # Admin password - set in .env file or environment (see .env.example)
+      - ORCHARD_ADMIN_PASSWORD=${ORCHARD_ADMIN_PASSWORD:-}
     depends_on:
       postgres:
         condition: service_healthy

frontend/src/App.tsx

@@ -1,5 +1,6 @@
 import { Routes, Route, Navigate, useLocation } from 'react-router-dom';
 import { AuthProvider, useAuth } from './contexts/AuthContext';
+import { TeamProvider } from './contexts/TeamContext';
 import Layout from './components/Layout';
 import Home from './pages/Home';
 import ProjectPage from './pages/ProjectPage';
@@ -10,6 +11,11 @@ import ChangePasswordPage from './pages/ChangePasswordPage';
 import APIKeysPage from './pages/APIKeysPage';
 import AdminUsersPage from './pages/AdminUsersPage';
 import AdminOIDCPage from './pages/AdminOIDCPage';
+import ProjectSettingsPage from './pages/ProjectSettingsPage';
+import TeamsPage from './pages/TeamsPage';
+import TeamDashboardPage from './pages/TeamDashboardPage';
+import TeamSettingsPage from './pages/TeamSettingsPage';
+import TeamMembersPage from './pages/TeamMembersPage';
 
 // Component that checks if user must change password
 function RequirePasswordChange({ children }: { children: React.ReactNode }) {
@@ -44,7 +50,12 @@ function AppRoutes() {
                 <Route path="/settings/api-keys" element={<APIKeysPage />} />
                 <Route path="/admin/users" element={<AdminUsersPage />} />
                 <Route path="/admin/oidc" element={<AdminOIDCPage />} />
+                <Route path="/teams" element={<TeamsPage />} />
+                <Route path="/teams/:slug" element={<TeamDashboardPage />} />
+                <Route path="/teams/:slug/settings" element={<TeamSettingsPage />} />
+                <Route path="/teams/:slug/members" element={<TeamMembersPage />} />
                 <Route path="/project/:projectName" element={<ProjectPage />} />
+                <Route path="/project/:projectName/settings" element={<ProjectSettingsPage />} />
                 <Route path="/project/:projectName/:packageName" element={<PackagePage />} />
               </Routes>
             </Layout>
@@ -58,7 +69,9 @@ function AppRoutes() {
 function App() {
   return (
     <AuthProvider>
+      <TeamProvider>
         <AppRoutes />
+      </TeamProvider>
     </AuthProvider>
   );
 }

frontend/src/api.ts

@@ -33,6 +33,15 @@ import {
   OIDCConfigUpdate,
   OIDCStatus,
   PackageVersion,
+  ArtifactDependenciesResponse,
+  ReverseDependenciesResponse,
+  DependencyResolutionResponse,
+  TeamDetail,
+  TeamMember,
+  TeamCreate,
+  TeamUpdate,
+  TeamMemberCreate,
+  TeamMemberUpdate,
 } from './types';
 
 const API_BASE = '/api/v1';
@@ -157,7 +166,7 @@ export async function listProjectsSimple(params: ListParams = {}): Promise<Proje
   return data.items;
 }
 
-export async function createProject(data: { name: string; description?: string; is_public?: boolean }): Promise<Project> {
+export async function createProject(data: { name: string; description?: string; is_public?: boolean; team_id?: string }): Promise<Project> {
   const response = await fetch(`${API_BASE}/projects`, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
@@ -171,6 +180,30 @@ export async function getProject(name: string): Promise<Project> {
   return handleResponse<Project>(response);
 }
 
+export async function updateProject(
+  projectName: string,
+  data: { description?: string; is_public?: boolean }
+): Promise<Project> {
+  const response = await fetch(`${API_BASE}/projects/${projectName}`, {
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(data),
+    credentials: 'include',
+  });
+  return handleResponse<Project>(response);
+}
+
+export async function deleteProject(projectName: string): Promise<void> {
+  const response = await fetch(`${API_BASE}/projects/${projectName}`, {
+    method: 'DELETE',
+    credentials: 'include',
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ detail: 'Unknown error' }));
+    throw new Error(error.detail || `HTTP ${response.status}`);
+  }
+}
+
 // Package API
 export async function listPackages(projectName: string, params: PackageListParams = {}): Promise<PaginatedResponse<Package>> {
   const query = buildQueryString(params as Record<string, unknown>);
@@ -488,3 +521,164 @@ export async function deleteVersion(
     throw new Error(error.detail || `HTTP ${response.status}`);
   }
 }
+
+// Dependency API
+export async function getArtifactDependencies(artifactId: string): Promise<ArtifactDependenciesResponse> {
+  const response = await fetch(`${API_BASE}/artifact/${artifactId}/dependencies`);
+  return handleResponse<ArtifactDependenciesResponse>(response);
+}
+
+export async function getDependenciesByRef(
+  projectName: string,
+  packageName: string,
+  ref: string
+): Promise<ArtifactDependenciesResponse> {
+  const response = await fetch(`${API_BASE}/project/${projectName}/${packageName}/+/${ref}/dependencies`);
+  return handleResponse<ArtifactDependenciesResponse>(response);
+}
+
+export async function getReverseDependencies(
+  projectName: string,
+  packageName: string,
+  params: { page?: number; limit?: number } = {}
+): Promise<ReverseDependenciesResponse> {
+  const query = buildQueryString(params as Record<string, unknown>);
+  const response = await fetch(`${API_BASE}/project/${projectName}/${packageName}/reverse-dependencies${query}`);
+  return handleResponse<ReverseDependenciesResponse>(response);
+}
+
+export async function resolveDependencies(
+  projectName: string,
+  packageName: string,
+  ref: string
+): Promise<DependencyResolutionResponse> {
+  const response = await fetch(`${API_BASE}/project/${projectName}/${packageName}/+/${ref}/resolve`);
+  return handleResponse<DependencyResolutionResponse>(response);
+}
+
+export async function getEnsureFile(
+  projectName: string,
+  packageName: string,
+  ref: string
+): Promise<string> {
+  const response = await fetch(`${API_BASE}/project/${projectName}/${packageName}/+/${ref}/ensure`);
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ detail: 'Unknown error' }));
+    throw new ApiError(error.detail || `HTTP ${response.status}`, response.status);
+  }
+  return response.text();
+}
+
+// Team API
+export async function listTeams(params: ListParams = {}): Promise<PaginatedResponse<TeamDetail>> {
+  const query = buildQueryString(params as Record<string, unknown>);
+  const response = await fetch(`${API_BASE}/teams${query}`, {
+    credentials: 'include',
+  });
+  return handleResponse<PaginatedResponse<TeamDetail>>(response);
+}
+
+export async function createTeam(data: TeamCreate): Promise<TeamDetail> {
+  const response = await fetch(`${API_BASE}/teams`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(data),
+    credentials: 'include',
+  });
+  return handleResponse<TeamDetail>(response);
+}
+
+export async function getTeam(slug: string): Promise<TeamDetail> {
+  const response = await fetch(`${API_BASE}/teams/${slug}`, {
+    credentials: 'include',
+  });
+  return handleResponse<TeamDetail>(response);
+}
+
+export async function updateTeam(slug: string, data: TeamUpdate): Promise<TeamDetail> {
+  const response = await fetch(`${API_BASE}/teams/${slug}`, {
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(data),
+    credentials: 'include',
+  });
+  return handleResponse<TeamDetail>(response);
+}
+
+export async function deleteTeam(slug: string): Promise<void> {
+  const response = await fetch(`${API_BASE}/teams/${slug}`, {
+    method: 'DELETE',
+    credentials: 'include',
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ detail: 'Unknown error' }));
+    throw new ApiError(error.detail || `HTTP ${response.status}`, response.status);
+  }
+}
+
+export async function listTeamMembers(slug: string): Promise<TeamMember[]> {
+  const response = await fetch(`${API_BASE}/teams/${slug}/members`, {
+    credentials: 'include',
+  });
+  return handleResponse<TeamMember[]>(response);
+}
+
+export async function addTeamMember(slug: string, data: TeamMemberCreate): Promise<TeamMember> {
+  const response = await fetch(`${API_BASE}/teams/${slug}/members`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(data),
+    credentials: 'include',
+  });
+  return handleResponse<TeamMember>(response);
+}
+
+export async function updateTeamMember(
+  slug: string,
+  username: string,
+  data: TeamMemberUpdate
+): Promise<TeamMember> {
+  const response = await fetch(`${API_BASE}/teams/${slug}/members/${username}`, {
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(data),
+    credentials: 'include',
+  });
+  return handleResponse<TeamMember>(response);
+}
+
+export async function removeTeamMember(slug: string, username: string): Promise<void> {
+  const response = await fetch(`${API_BASE}/teams/${slug}/members/${username}`, {
+    method: 'DELETE',
+    credentials: 'include',
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ detail: 'Unknown error' }));
+    throw new ApiError(error.detail || `HTTP ${response.status}`, response.status);
+  }
+}
+
+export async function listTeamProjects(
+  slug: string,
+  params: ProjectListParams = {}
+): Promise<PaginatedResponse<Project>> {
+  const query = buildQueryString(params as Record<string, unknown>);
+  const response = await fetch(`${API_BASE}/teams/${slug}/projects${query}`, {
+    credentials: 'include',
+  });
+  return handleResponse<PaginatedResponse<Project>>(response);
+}
+
+// User search (for autocomplete)
+export interface UserSearchResult {
+  id: string;
+  username: string;
+  is_admin: boolean;
+}
+
+export async function searchUsers(query: string, limit: number = 10): Promise<UserSearchResult[]> {
+  const response = await fetch(`${API_BASE}/users/search?q=${encodeURIComponent(query)}&limit=${limit}`, {
+    credentials: 'include',
+  });
+  return handleResponse<UserSearchResult[]>(response);
+}

frontend/src/components/AccessManagement.css

@@ -114,3 +114,32 @@
   font-size: 0.875rem;
   color: var(--text-primary);
 }
+
+/* Access source styling */
+.access-source {
+  display: inline-block;
+  padding: 0.2rem 0.4rem;
+  border-radius: 4px;
+  font-size: 0.75rem;
+  font-weight: 500;
+}
+
+.access-source--explicit {
+  background: var(--bg-tertiary);
+  color: var(--text-secondary);
+}
+
+.access-source--team {
+  background: var(--color-info-bg, #e3f2fd);
+  color: var(--color-info, #1976d2);
+}
+
+/* Team access row styling */
+.team-access-row {
+  background: var(--bg-secondary, #fafafa);
+}
+
+.team-access-row td.actions .text-muted {
+  font-size: 0.8125rem;
+  font-style: italic;
+}

frontend/src/components/AccessManagement.tsx

@@ -208,17 +208,20 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
               <tr>
                 <th>User</th>
                 <th>Access Level</th>
+                <th>Source</th>
                 <th>Granted</th>
                 <th>Expires</th>
                 <th>Actions</th>
               </tr>
             </thead>
             <tbody>
-              {permissions.map((p) => (
+              {permissions.map((p) => {
-                <tr key={p.id}>
+                const isTeamBased = p.source === 'team';
+                return (
+                  <tr key={p.id} className={isTeamBased ? 'team-access-row' : ''}>
                     <td>{p.user_id}</td>
                     <td>
-                    {editingUser === p.user_id ? (
+                      {editingUser === p.user_id && !isTeamBased ? (
                         <select
                           value={editLevel}
                           onChange={(e) => setEditLevel(e.target.value as AccessLevel)}
@@ -234,9 +237,20 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
                         </span>
                       )}
                     </td>
+                    <td>
+                      {isTeamBased ? (
+                        <span className="access-source access-source--team" title={`Team role: ${p.team_role}`}>
+                          Team: {p.team_slug}
+                        </span>
+                      ) : (
+                        <span className="access-source access-source--explicit">
+                          Explicit
+                        </span>
+                      )}
+                    </td>
                     <td>{new Date(p.created_at).toLocaleDateString()}</td>
                     <td>
-                    {editingUser === p.user_id ? (
+                      {editingUser === p.user_id && !isTeamBased ? (
                         <input
                           type="date"
                           value={editExpiresAt}
@@ -249,7 +263,11 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
                       )}
                     </td>
                     <td className="actions">
-                    {editingUser === p.user_id ? (
+                      {isTeamBased ? (
+                        <span className="text-muted" title="Manage access via team settings">
+                          Via team
+                        </span>
+                      ) : editingUser === p.user_id ? (
                         <>
                           <button
                             className="btn btn-sm btn-primary"
@@ -286,7 +304,8 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
                       )}
                     </td>
                   </tr>
-              ))}
+                );
+              })}
             </tbody>
           </table>
         )}

frontend/src/components/DependencyGraph.css

@@ -0,0 +1,338 @@
+/* Dependency Graph Modal */
+.dependency-graph-modal {
+  position: fixed;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  background: rgba(0, 0, 0, 0.8);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+  padding: 24px;
+}
+
+.dependency-graph-content {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  width: 100%;
+  max-width: 1200px;
+  height: 80vh;
+  display: flex;
+  flex-direction: column;
+  overflow: hidden;
+}
+
+.dependency-graph-header {
+  display: flex;
+  align-items: center;
+  gap: 16px;
+  padding: 16px 20px;
+  border-bottom: 1px solid var(--border-primary);
+  background: var(--bg-tertiary);
+}
+
+.dependency-graph-header h2 {
+  margin: 0;
+  font-size: 1.125rem;
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.dependency-graph-info {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  flex: 1;
+  font-size: 0.875rem;
+  color: var(--text-secondary);
+}
+
+.graph-stats {
+  color: var(--text-muted);
+  font-size: 0.8125rem;
+}
+
+.close-btn {
+  background: transparent;
+  border: none;
+  color: var(--text-secondary);
+  cursor: pointer;
+  padding: 4px;
+  border-radius: var(--radius-sm);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+}
+
+.close-btn:hover {
+  background: var(--bg-hover);
+  color: var(--text-primary);
+}
+
+.dependency-graph-toolbar {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 12px 20px;
+  border-bottom: 1px solid var(--border-primary);
+  background: var(--bg-secondary);
+}
+
+.zoom-level {
+  margin-left: auto;
+  font-size: 0.8125rem;
+  color: var(--text-muted);
+  font-family: 'JetBrains Mono', monospace;
+}
+
+.dependency-graph-container {
+  flex: 1;
+  overflow: hidden;
+  position: relative;
+  background:
+    linear-gradient(90deg, var(--border-primary) 1px, transparent 1px),
+    linear-gradient(var(--border-primary) 1px, transparent 1px);
+  background-size: 20px 20px;
+  background-position: center center;
+}
+
+.graph-canvas {
+  padding: 40px;
+  min-width: 100%;
+  min-height: 100%;
+  transform-origin: center center;
+  transition: transform 0.1s ease-out;
+}
+
+/* Graph Nodes */
+.graph-node-container {
+  display: flex;
+  flex-direction: column;
+  align-items: flex-start;
+}
+
+.graph-node {
+  background: var(--bg-tertiary);
+  border: 2px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  padding: 12px 16px;
+  min-width: 200px;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  position: relative;
+}
+
+.graph-node:hover {
+  border-color: var(--accent-primary);
+  box-shadow: 0 4px 12px rgba(16, 185, 129, 0.2);
+}
+
+.graph-node--root {
+  background: linear-gradient(135deg, rgba(16, 185, 129, 0.15) 0%, rgba(5, 150, 105, 0.15) 100%);
+  border-color: var(--accent-primary);
+}
+
+.graph-node--hovered {
+  transform: scale(1.02);
+}
+
+.graph-node__header {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  margin-bottom: 4px;
+}
+
+.graph-node__name {
+  font-weight: 600;
+  color: var(--accent-primary);
+  font-family: 'JetBrains Mono', monospace;
+  font-size: 0.875rem;
+}
+
+.graph-node__toggle {
+  background: var(--bg-hover);
+  border: 1px solid var(--border-primary);
+  border-radius: 4px;
+  width: 20px;
+  height: 20px;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  cursor: pointer;
+  font-size: 0.875rem;
+  color: var(--text-secondary);
+  font-weight: 600;
+  margin-left: auto;
+}
+
+.graph-node__toggle:hover {
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+}
+
+.graph-node__details {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  font-size: 0.75rem;
+  color: var(--text-muted);
+}
+
+.graph-node__version {
+  font-family: 'JetBrains Mono', monospace;
+  color: var(--text-secondary);
+}
+
+.graph-node__size {
+  color: var(--text-muted);
+}
+
+/* Graph Children / Tree Structure */
+.graph-children {
+  display: flex;
+  padding-left: 24px;
+  margin-top: 8px;
+  position: relative;
+}
+
+.graph-connector {
+  position: absolute;
+  left: 12px;
+  top: 0;
+  bottom: 50%;
+  width: 12px;
+  border-left: 2px solid var(--border-primary);
+  border-bottom: 2px solid var(--border-primary);
+  border-bottom-left-radius: 8px;
+}
+
+.graph-children-list {
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+  position: relative;
+}
+
+.graph-children-list::before {
+  content: '';
+  position: absolute;
+  left: -12px;
+  top: 20px;
+  bottom: 20px;
+  border-left: 2px solid var(--border-primary);
+}
+
+.graph-children-list > .graph-node-container {
+  position: relative;
+}
+
+.graph-children-list > .graph-node-container::before {
+  content: '';
+  position: absolute;
+  left: -12px;
+  top: 20px;
+  width: 12px;
+  border-top: 2px solid var(--border-primary);
+}
+
+/* Loading, Error, Empty States */
+.graph-loading,
+.graph-error,
+.graph-empty {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  height: 100%;
+  gap: 16px;
+  color: var(--text-muted);
+}
+
+.graph-loading .spinner {
+  width: 32px;
+  height: 32px;
+  border: 3px solid var(--border-primary);
+  border-top-color: var(--accent-primary);
+  border-radius: 50%;
+  animation: spin 1s linear infinite;
+}
+
+@keyframes spin {
+  to { transform: rotate(360deg); }
+}
+
+.graph-error {
+  color: var(--error-color, #ef4444);
+}
+
+.graph-error svg {
+  opacity: 0.6;
+}
+
+.graph-error p {
+  max-width: 400px;
+  text-align: center;
+  line-height: 1.5;
+}
+
+/* Tooltip */
+.graph-tooltip {
+  position: fixed;
+  bottom: 24px;
+  left: 50%;
+  transform: translateX(-50%);
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  padding: 12px 16px;
+  font-size: 0.8125rem;
+  box-shadow: 0 8px 24px rgba(0, 0, 0, 0.4);
+  z-index: 1001;
+}
+
+.graph-tooltip strong {
+  display: block;
+  color: var(--accent-primary);
+  font-family: 'JetBrains Mono', monospace;
+  margin-bottom: 4px;
+}
+
+.graph-tooltip div {
+  color: var(--text-secondary);
+  margin-top: 2px;
+}
+
+.tooltip-hint {
+  margin-top: 8px;
+  padding-top: 8px;
+  border-top: 1px solid var(--border-primary);
+  color: var(--text-muted);
+  font-size: 0.75rem;
+}
+
+/* Responsive */
+@media (max-width: 768px) {
+  .dependency-graph-modal {
+    padding: 0;
+  }
+
+  .dependency-graph-content {
+    height: 100vh;
+    border-radius: 0;
+    max-width: none;
+  }
+
+  .dependency-graph-header {
+    flex-wrap: wrap;
+  }
+
+  .dependency-graph-info {
+    flex-basis: 100%;
+    order: 3;
+    margin-top: 8px;
+  }
+}

frontend/src/components/DependencyGraph.tsx

@@ -0,0 +1,323 @@
+import { useState, useEffect, useCallback, useRef } from 'react';
+import { useNavigate } from 'react-router-dom';
+import { ResolvedArtifact, DependencyResolutionResponse, Dependency } from '../types';
+import { resolveDependencies, getArtifactDependencies } from '../api';
+import './DependencyGraph.css';
+
+interface DependencyGraphProps {
+  projectName: string;
+  packageName: string;
+  tagName: string;
+  onClose: () => void;
+}
+
+interface GraphNode {
+  id: string;
+  project: string;
+  package: string;
+  version: string | null;
+  size: number;
+  depth: number;
+  children: GraphNode[];
+  isRoot?: boolean;
+}
+
+function formatBytes(bytes: number): string {
+  if (bytes === 0) return '0 B';
+  const k = 1024;
+  const sizes = ['B', 'KB', 'MB', 'GB'];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return parseFloat((bytes / Math.pow(k, i)).toFixed(1)) + ' ' + sizes[i];
+}
+
+function DependencyGraph({ projectName, packageName, tagName, onClose }: DependencyGraphProps) {
+  const navigate = useNavigate();
+  const containerRef = useRef<HTMLDivElement>(null);
+
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [resolution, setResolution] = useState<DependencyResolutionResponse | null>(null);
+  const [graphRoot, setGraphRoot] = useState<GraphNode | null>(null);
+  const [hoveredNode, setHoveredNode] = useState<GraphNode | null>(null);
+  const [zoom, setZoom] = useState(1);
+  const [pan, setPan] = useState({ x: 0, y: 0 });
+  const [isDragging, setIsDragging] = useState(false);
+  const [dragStart, setDragStart] = useState({ x: 0, y: 0 });
+  const [collapsedNodes, setCollapsedNodes] = useState<Set<string>>(new Set());
+
+  // Build graph structure from resolution data
+  const buildGraph = useCallback(async (resolutionData: DependencyResolutionResponse) => {
+    const artifactMap = new Map<string, ResolvedArtifact>();
+    resolutionData.resolved.forEach(artifact => {
+      artifactMap.set(artifact.artifact_id, artifact);
+    });
+
+    // Fetch dependencies for each artifact to build the tree
+    const depsMap = new Map<string, Dependency[]>();
+
+    for (const artifact of resolutionData.resolved) {
+      try {
+        const deps = await getArtifactDependencies(artifact.artifact_id);
+        depsMap.set(artifact.artifact_id, deps.dependencies);
+      } catch {
+        depsMap.set(artifact.artifact_id, []);
+      }
+    }
+
+    // Find the root artifact (the requested one)
+    const rootArtifact = resolutionData.resolved.find(
+      a => a.project === resolutionData.requested.project &&
+           a.package === resolutionData.requested.package
+    );
+
+    if (!rootArtifact) {
+      return null;
+    }
+
+    // Build tree recursively
+    const visited = new Set<string>();
+
+    const buildNode = (artifact: ResolvedArtifact, depth: number): GraphNode => {
+      const nodeId = `${artifact.project}/${artifact.package}`;
+      visited.add(artifact.artifact_id);
+
+      const deps = depsMap.get(artifact.artifact_id) || [];
+      const children: GraphNode[] = [];
+
+      for (const dep of deps) {
+        // Find the resolved artifact for this dependency
+        const childArtifact = resolutionData.resolved.find(
+          a => a.project === dep.project && a.package === dep.package
+        );
+
+        if (childArtifact && !visited.has(childArtifact.artifact_id)) {
+          children.push(buildNode(childArtifact, depth + 1));
+        }
+      }
+
+      return {
+        id: nodeId,
+        project: artifact.project,
+        package: artifact.package,
+        version: artifact.version || artifact.tag,
+        size: artifact.size,
+        depth,
+        children,
+        isRoot: depth === 0,
+      };
+    };
+
+    return buildNode(rootArtifact, 0);
+  }, []);
+
+  useEffect(() => {
+    async function loadData() {
+      setLoading(true);
+      setError(null);
+
+      try {
+        const result = await resolveDependencies(projectName, packageName, tagName);
+        setResolution(result);
+
+        const graph = await buildGraph(result);
+        setGraphRoot(graph);
+      } catch (err) {
+        if (err instanceof Error) {
+          // Check if it's a resolution error
+          try {
+            const errorData = JSON.parse(err.message);
+            if (errorData.error === 'circular_dependency') {
+              setError(`Circular dependency detected: ${errorData.cycle?.join(' → ')}`);
+            } else if (errorData.error === 'dependency_conflict') {
+              setError(`Dependency conflict: ${errorData.message}`);
+            } else {
+              setError(err.message);
+            }
+          } catch {
+            setError(err.message);
+          }
+        } else {
+          setError('Failed to load dependency graph');
+        }
+      } finally {
+        setLoading(false);
+      }
+    }
+
+    loadData();
+  }, [projectName, packageName, tagName, buildGraph]);
+
+  const handleNodeClick = (node: GraphNode) => {
+    navigate(`/project/${node.project}/${node.package}`);
+    onClose();
+  };
+
+  const handleNodeToggle = (node: GraphNode, e: React.MouseEvent) => {
+    e.stopPropagation();
+    setCollapsedNodes(prev => {
+      const next = new Set(prev);
+      if (next.has(node.id)) {
+        next.delete(node.id);
+      } else {
+        next.add(node.id);
+      }
+      return next;
+    });
+  };
+
+  const handleWheel = (e: React.WheelEvent) => {
+    e.preventDefault();
+    const delta = e.deltaY > 0 ? -0.1 : 0.1;
+    setZoom(z => Math.max(0.25, Math.min(2, z + delta)));
+  };
+
+  const handleMouseDown = (e: React.MouseEvent) => {
+    if (e.target === containerRef.current || (e.target as HTMLElement).classList.contains('graph-canvas')) {
+      setIsDragging(true);
+      setDragStart({ x: e.clientX - pan.x, y: e.clientY - pan.y });
+    }
+  };
+
+  const handleMouseMove = (e: React.MouseEvent) => {
+    if (isDragging) {
+      setPan({ x: e.clientX - dragStart.x, y: e.clientY - dragStart.y });
+    }
+  };
+
+  const handleMouseUp = () => {
+    setIsDragging(false);
+  };
+
+  const resetView = () => {
+    setZoom(1);
+    setPan({ x: 0, y: 0 });
+  };
+
+  const renderNode = (node: GraphNode, index: number = 0): JSX.Element => {
+    const isCollapsed = collapsedNodes.has(node.id);
+    const hasChildren = node.children.length > 0;
+
+    return (
+      <div key={`${node.id}-${index}`} className="graph-node-container">
+        <div
+          className={`graph-node ${node.isRoot ? 'graph-node--root' : ''} ${hoveredNode?.id === node.id ? 'graph-node--hovered' : ''}`}
+          onClick={() => handleNodeClick(node)}
+          onMouseEnter={() => setHoveredNode(node)}
+          onMouseLeave={() => setHoveredNode(null)}
+        >
+          <div className="graph-node__header">
+            <span className="graph-node__name">{node.project}/{node.package}</span>
+            {hasChildren && (
+              <button
+                className="graph-node__toggle"
+                onClick={(e) => handleNodeToggle(node, e)}
+                title={isCollapsed ? 'Expand' : 'Collapse'}
+              >
+                {isCollapsed ? '+' : '-'}
+              </button>
+            )}
+          </div>
+          <div className="graph-node__details">
+            {node.version && <span className="graph-node__version">@ {node.version}</span>}
+            <span className="graph-node__size">{formatBytes(node.size)}</span>
+          </div>
+        </div>
+
+        {hasChildren && !isCollapsed && (
+          <div className="graph-children">
+            <div className="graph-connector"></div>
+            <div className="graph-children-list">
+              {node.children.map((child, i) => renderNode(child, i))}
+            </div>
+          </div>
+        )}
+      </div>
+    );
+  };
+
+  return (
+    <div className="dependency-graph-modal" onClick={onClose}>
+      <div className="dependency-graph-content" onClick={e => e.stopPropagation()}>
+        <div className="dependency-graph-header">
+          <h2>Dependency Graph</h2>
+          <div className="dependency-graph-info">
+            <span>{projectName}/{packageName} @ {tagName}</span>
+            {resolution && (
+              <span className="graph-stats">
+                {resolution.artifact_count} packages • {formatBytes(resolution.total_size)} total
+              </span>
+            )}
+          </div>
+          <button className="close-btn" onClick={onClose} title="Close">
+            <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+              <line x1="18" y1="6" x2="6" y2="18"></line>
+              <line x1="6" y1="6" x2="18" y2="18"></line>
+            </svg>
+          </button>
+        </div>
+
+        <div className="dependency-graph-toolbar">
+          <button className="btn btn-secondary btn-small" onClick={() => setZoom(z => Math.min(2, z + 0.25))}>
+            Zoom In
+          </button>
+          <button className="btn btn-secondary btn-small" onClick={() => setZoom(z => Math.max(0.25, z - 0.25))}>
+            Zoom Out
+          </button>
+          <button className="btn btn-secondary btn-small" onClick={resetView}>
+            Reset View
+          </button>
+          <span className="zoom-level">{Math.round(zoom * 100)}%</span>
+        </div>
+
+        <div
+          ref={containerRef}
+          className="dependency-graph-container"
+          onWheel={handleWheel}
+          onMouseDown={handleMouseDown}
+          onMouseMove={handleMouseMove}
+          onMouseUp={handleMouseUp}
+          onMouseLeave={handleMouseUp}
+        >
+          {loading ? (
+            <div className="graph-loading">
+              <div className="spinner"></div>
+              <span>Resolving dependencies...</span>
+            </div>
+          ) : error ? (
+            <div className="graph-error">
+              <svg width="48" height="48" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                <circle cx="12" cy="12" r="10"></circle>
+                <line x1="12" y1="8" x2="12" y2="12"></line>
+                <line x1="12" y1="16" x2="12.01" y2="16"></line>
+              </svg>
+              <p>{error}</p>
+            </div>
+          ) : graphRoot ? (
+            <div
+              className="graph-canvas"
+              style={{
+                transform: `translate(${pan.x}px, ${pan.y}px) scale(${zoom})`,
+                cursor: isDragging ? 'grabbing' : 'grab',
+              }}
+            >
+              {renderNode(graphRoot)}
+            </div>
+          ) : (
+            <div className="graph-empty">No dependencies to display</div>
+          )}
+        </div>
+
+        {hoveredNode && (
+          <div className="graph-tooltip">
+            <strong>{hoveredNode.project}/{hoveredNode.package}</strong>
+            {hoveredNode.version && <div>Version: {hoveredNode.version}</div>}
+            <div>Size: {formatBytes(hoveredNode.size)}</div>
+            <div className="tooltip-hint">Click to navigate</div>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default DependencyGraph;

frontend/src/components/Layout.css

@@ -284,7 +284,11 @@
 .footer-brand {
   display: flex;
   align-items: center;
-  gap: 12px;
+  gap: 8px;
+}
+
+.footer-icon {
+  color: var(--accent-primary);
 }
 
 .footer-logo {
@@ -292,6 +296,10 @@
   color: var(--text-primary);
 }
 
+.footer-separator {
+  color: var(--text-muted);
+}
+
 .footer-tagline {
   color: var(--text-secondary);
   font-size: 0.875rem;

frontend/src/components/Layout.tsx

@@ -2,6 +2,8 @@ import { ReactNode, useState, useRef, useEffect } from 'react';
 import { Link, NavLink, useLocation, useNavigate } from 'react-router-dom';
 import { useAuth } from '../contexts/AuthContext';
 import { GlobalSearch } from './GlobalSearch';
+import { listTeams } from '../api';
+import { TeamDetail } from '../types';
 import './Layout.css';
 
 interface LayoutProps {
@@ -13,8 +15,22 @@ function Layout({ children }: LayoutProps) {
   const navigate = useNavigate();
   const { user, loading, logout } = useAuth();
   const [showUserMenu, setShowUserMenu] = useState(false);
+  const [userTeams, setUserTeams] = useState<TeamDetail[]>([]);
   const menuRef = useRef<HTMLDivElement>(null);
 
+  // Fetch user's teams
+  useEffect(() => {
+    if (user) {
+      listTeams({ limit: 10 }).then(data => {
+        setUserTeams(data.items);
+      }).catch(() => {
+        setUserTeams([]);
+      });
+    } else {
+      setUserTeams([]);
+    }
+  }, [user]);
+
   // Close menu when clicking outside
   useEffect(() => {
     function handleClickOutside(event: MouseEvent) {
@@ -77,6 +93,20 @@ function Layout({ children }: LayoutProps) {
               </svg>
               Dashboard
             </Link>
+            {user && userTeams.length > 0 && (
+              <Link
+                to={userTeams.length === 1 ? `/teams/${userTeams[0].slug}` : '/teams'}
+                className={location.pathname.startsWith('/teams') ? 'active' : ''}
+              >
+                <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                  <path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
+                  <circle cx="9" cy="7" r="4"/>
+                  <path d="M23 21v-2a4 4 0 0 0-3-3.87"/>
+                  <path d="M16 3.13a4 4 0 0 1 0 7.75"/>
+                </svg>
+                {userTeams.length === 1 ? 'Team' : 'Teams'}
+              </Link>
+            )}
             <a href="/docs" className="nav-link-muted">
               <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
                 <path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z"/>
@@ -188,12 +218,21 @@ function Layout({ children }: LayoutProps) {
       <footer className="footer">
         <div className="container footer-content">
           <div className="footer-brand">
+            <svg className="footer-icon" width="18" height="18" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+              <path d="M6 14 Q6 8 3 8 Q6 4 6 4 Q6 4 9 8 Q6 8 6 14" fill="currentColor" opacity="0.6"/>
+              <rect x="5.25" y="13" width="1.5" height="4" fill="currentColor" opacity="0.6"/>
+              <path d="M12 12 Q12 5 8 5 Q12 1 12 1 Q12 1 16 5 Q12 5 12 12" fill="currentColor"/>
+              <rect x="11.25" y="11" width="1.5" height="5" fill="currentColor"/>
+              <path d="M18 14 Q18 8 15 8 Q18 4 18 4 Q18 4 21 8 Q18 8 18 14" fill="currentColor" opacity="0.6"/>
+              <rect x="17.25" y="13" width="1.5" height="4" fill="currentColor" opacity="0.6"/>
+              <ellipse cx="12" cy="19" rx="9" ry="1.5" fill="currentColor" opacity="0.3"/>
+            </svg>
             <span className="footer-logo">Orchard</span>
+            <span className="footer-separator">·</span>
             <span className="footer-tagline">Content-Addressable Storage</span>
           </div>
           <div className="footer-links">
             <a href="/docs">Documentation</a>
-            <a href="/api/v1">API</a>
           </div>
         </div>
       </footer>

frontend/src/components/TeamSelector.css

@@ -0,0 +1,163 @@
+.team-selector {
+  position: relative;
+}
+
+.team-selector-trigger {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.375rem 0.75rem;
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  color: var(--text-primary);
+  font-size: 0.875rem;
+  cursor: pointer;
+  transition: all 0.15s ease;
+  min-width: 160px;
+}
+
+.team-selector-trigger:hover:not(:disabled) {
+  background: var(--bg-tertiary);
+  border-color: var(--border-secondary);
+}
+
+.team-selector-trigger:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+}
+
+.team-selector-name {
+  flex: 1;
+  text-align: left;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.team-selector-chevron {
+  transition: transform 0.15s ease;
+  flex-shrink: 0;
+}
+
+.team-selector-chevron.open {
+  transform: rotate(180deg);
+}
+
+.team-selector-dropdown {
+  position: absolute;
+  top: 100%;
+  left: 0;
+  right: 0;
+  min-width: 240px;
+  margin-top: 0.25rem;
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  box-shadow: var(--shadow-lg);
+  z-index: 100;
+  overflow: hidden;
+}
+
+.team-selector-empty {
+  padding: 1rem;
+  text-align: center;
+  color: var(--text-muted);
+}
+
+.team-selector-empty p {
+  margin: 0 0 0.75rem;
+  font-size: 0.875rem;
+}
+
+.team-selector-create-link {
+  color: var(--accent-primary);
+  font-size: 0.875rem;
+  text-decoration: none;
+}
+
+.team-selector-create-link:hover {
+  text-decoration: underline;
+}
+
+.team-selector-list {
+  list-style: none;
+  margin: 0;
+  padding: 0.25rem 0;
+  max-height: 280px;
+  overflow-y: auto;
+}
+
+.team-selector-item {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  width: 100%;
+  padding: 0.5rem 0.75rem;
+  background: none;
+  border: none;
+  color: var(--text-primary);
+  font-size: 0.875rem;
+  cursor: pointer;
+  text-align: left;
+  transition: background 0.1s ease;
+}
+
+.team-selector-item:hover {
+  background: var(--bg-hover);
+}
+
+.team-selector-item.selected {
+  background: rgba(16, 185, 129, 0.1);
+}
+
+.team-selector-item-info {
+  flex: 1;
+  min-width: 0;
+}
+
+.team-selector-item-name {
+  display: block;
+  font-weight: 500;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.team-selector-item-meta {
+  display: block;
+  font-size: 0.75rem;
+  color: var(--text-muted);
+}
+
+.team-selector-item-role {
+  font-size: 0.75rem;
+  text-transform: capitalize;
+  flex-shrink: 0;
+}
+
+.team-selector-footer {
+  display: flex;
+  justify-content: space-between;
+  padding: 0.5rem 0.75rem;
+  border-top: 1px solid var(--border-primary);
+  background: var(--bg-tertiary);
+}
+
+.team-selector-link {
+  font-size: 0.8125rem;
+  color: var(--text-muted);
+  text-decoration: none;
+}
+
+.team-selector-link:hover {
+  color: var(--text-primary);
+}
+
+.team-selector-link-primary {
+  color: var(--accent-primary);
+}
+
+.team-selector-link-primary:hover {
+  color: var(--accent-primary-hover);
+}

frontend/src/components/TeamSelector.tsx

@@ -0,0 +1,141 @@
+import { useState, useRef, useEffect } from 'react';
+import { Link } from 'react-router-dom';
+import { useTeam } from '../contexts/TeamContext';
+import { useAuth } from '../contexts/AuthContext';
+import { TeamDetail } from '../types';
+import './TeamSelector.css';
+
+export function TeamSelector() {
+  const { user } = useAuth();
+  const { teams, currentTeam, loading, setCurrentTeam } = useTeam();
+  const [isOpen, setIsOpen] = useState(false);
+  const dropdownRef = useRef<HTMLDivElement>(null);
+
+  // Close dropdown when clicking outside
+  useEffect(() => {
+    function handleClickOutside(event: MouseEvent) {
+      if (dropdownRef.current && !dropdownRef.current.contains(event.target as Node)) {
+        setIsOpen(false);
+      }
+    }
+    document.addEventListener('mousedown', handleClickOutside);
+    return () => document.removeEventListener('mousedown', handleClickOutside);
+  }, []);
+
+  // Don't show if not authenticated
+  if (!user) {
+    return null;
+  }
+
+  const handleTeamSelect = (team: TeamDetail) => {
+    setCurrentTeam(team);
+    setIsOpen(false);
+  };
+
+  const roleColors: Record<string, string> = {
+    owner: 'var(--color-success)',
+    admin: 'var(--color-primary)',
+    member: 'var(--color-text-muted)',
+  };
+
+  return (
+    <div className="team-selector" ref={dropdownRef}>
+      <button
+        className="team-selector-trigger"
+        onClick={() => setIsOpen(!isOpen)}
+        disabled={loading}
+        aria-expanded={isOpen}
+        aria-haspopup="listbox"
+      >
+        <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+          <path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
+          <circle cx="9" cy="7" r="4"/>
+          <path d="M23 21v-2a4 4 0 0 0-3-3.87"/>
+          <path d="M16 3.13a4 4 0 0 1 0 7.75"/>
+        </svg>
+        <span className="team-selector-name">
+          {loading ? 'Loading...' : currentTeam?.name || 'Select Team'}
+        </span>
+        <svg
+          className={`team-selector-chevron ${isOpen ? 'open' : ''}`}
+          width="12"
+          height="12"
+          viewBox="0 0 24 24"
+          fill="none"
+          stroke="currentColor"
+          strokeWidth="2"
+        >
+          <polyline points="6 9 12 15 18 9"/>
+        </svg>
+      </button>
+
+      {isOpen && (
+        <div className="team-selector-dropdown" role="listbox">
+          {teams.length === 0 ? (
+            <div className="team-selector-empty">
+              <p>You're not a member of any teams yet.</p>
+              <Link
+                to="/teams/new"
+                className="team-selector-create-link"
+                onClick={() => setIsOpen(false)}
+              >
+                Create your first team
+              </Link>
+            </div>
+          ) : (
+            <>
+              <ul className="team-selector-list">
+                {teams.map(team => (
+                  <li key={team.id}>
+                    <button
+                      className={`team-selector-item ${currentTeam?.id === team.id ? 'selected' : ''}`}
+                      onClick={() => handleTeamSelect(team)}
+                      role="option"
+                      aria-selected={currentTeam?.id === team.id}
+                    >
+                      <div className="team-selector-item-info">
+                        <span className="team-selector-item-name">{team.name}</span>
+                        <span className="team-selector-item-meta">
+                          {team.project_count} project{team.project_count !== 1 ? 's' : ''}
+                        </span>
+                      </div>
+                      {team.user_role && (
+                        <span
+                          className="team-selector-item-role"
+                          style={{ color: roleColors[team.user_role] || roleColors.member }}
+                        >
+                          {team.user_role}
+                        </span>
+                      )}
+                      {currentTeam?.id === team.id && (
+                        <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                          <polyline points="20 6 9 17 4 12"/>
+                        </svg>
+                      )}
+                    </button>
+                  </li>
+                ))}
+              </ul>
+              <div className="team-selector-footer">
+                <Link
+                  to="/teams"
+                  className="team-selector-link"
+                  onClick={() => setIsOpen(false)}
+                >
+                  View all teams
+                </Link>
+                <Link
+                  to="/teams/new"
+                  className="team-selector-link team-selector-link-primary"
+                  onClick={() => setIsOpen(false)}
+                >
+                  + New Team
+                </Link>
+              </div>
+            </>
+          )}
+        </div>
+      )}
+    </div>
+  );
+}

frontend/src/components/UserAutocomplete.css

@@ -0,0 +1,105 @@
+.user-autocomplete {
+  position: relative;
+  width: 100%;
+}
+
+.user-autocomplete__input-wrapper {
+  position: relative;
+}
+
+.user-autocomplete__input {
+  width: 100%;
+  padding: 0.625rem 2.5rem 0.625rem 0.75rem;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+  font-size: 0.875rem;
+}
+
+.user-autocomplete__input:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.2);
+}
+
+.user-autocomplete__spinner {
+  position: absolute;
+  right: 0.75rem;
+  top: 50%;
+  transform: translateY(-50%);
+  width: 16px;
+  height: 16px;
+  border: 2px solid var(--border-primary);
+  border-top-color: var(--accent-primary);
+  border-radius: 50%;
+  animation: spin 0.6s linear infinite;
+}
+
+@keyframes spin {
+  to { transform: translateY(-50%) rotate(360deg); }
+}
+
+.user-autocomplete__dropdown {
+  position: absolute;
+  top: 100%;
+  left: 0;
+  right: 0;
+  margin-top: 4px;
+  padding: 0.25rem;
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  box-shadow: var(--shadow-lg);
+  z-index: 100;
+  max-height: 240px;
+  overflow-y: auto;
+  list-style: none;
+}
+
+.user-autocomplete__option {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+  padding: 0.5rem 0.75rem;
+  border-radius: var(--radius-sm);
+  cursor: pointer;
+  transition: background 0.1s;
+}
+
+.user-autocomplete__option:hover,
+.user-autocomplete__option.selected {
+  background: var(--bg-hover);
+}
+
+.user-autocomplete__avatar {
+  width: 32px;
+  height: 32px;
+  border-radius: 50%;
+  background: var(--accent-primary);
+  color: white;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  font-weight: 600;
+  font-size: 0.875rem;
+  flex-shrink: 0;
+}
+
+.user-autocomplete__user-info {
+  display: flex;
+  flex-direction: column;
+  min-width: 0;
+}
+
+.user-autocomplete__username {
+  font-weight: 500;
+  color: var(--text-primary);
+}
+
+.user-autocomplete__admin-badge {
+  font-size: 0.6875rem;
+  color: var(--text-muted);
+  text-transform: uppercase;
+  letter-spacing: 0.025em;
+}

frontend/src/components/UserAutocomplete.tsx

@@ -0,0 +1,171 @@
+import { useState, useEffect, useRef, useCallback } from 'react';
+import { searchUsers, UserSearchResult } from '../api';
+import './UserAutocomplete.css';
+
+interface UserAutocompleteProps {
+  value: string;
+  onChange: (username: string) => void;
+  placeholder?: string;
+  disabled?: boolean;
+  autoFocus?: boolean;
+}
+
+export function UserAutocomplete({
+  value,
+  onChange,
+  placeholder = 'Search users...',
+  disabled = false,
+  autoFocus = false,
+}: UserAutocompleteProps) {
+  const [query, setQuery] = useState(value);
+  const [results, setResults] = useState<UserSearchResult[]>([]);
+  const [loading, setLoading] = useState(false);
+  const [isOpen, setIsOpen] = useState(false);
+  const [selectedIndex, setSelectedIndex] = useState(-1);
+  const containerRef = useRef<HTMLDivElement>(null);
+  const inputRef = useRef<HTMLInputElement>(null);
+  const debounceRef = useRef<ReturnType<typeof setTimeout>>();
+
+  // Search for users with debounce
+  const doSearch = useCallback(async (searchQuery: string) => {
+    if (searchQuery.length < 1) {
+      setResults([]);
+      setIsOpen(false);
+      return;
+    }
+
+    setLoading(true);
+    try {
+      const users = await searchUsers(searchQuery);
+      setResults(users);
+      setIsOpen(users.length > 0);
+      setSelectedIndex(-1);
+    } catch {
+      setResults([]);
+      setIsOpen(false);
+    } finally {
+      setLoading(false);
+    }
+  }, []);
+
+  // Handle input change with debounce
+  const handleInputChange = (e: React.ChangeEvent<HTMLInputElement>) => {
+    const newValue = e.target.value;
+    setQuery(newValue);
+    onChange(newValue); // Update parent immediately for form validation
+
+    // Debounce the search
+    if (debounceRef.current) {
+      clearTimeout(debounceRef.current);
+    }
+    debounceRef.current = setTimeout(() => {
+      doSearch(newValue);
+    }, 200);
+  };
+
+  // Handle selecting a user
+  const handleSelect = (user: UserSearchResult) => {
+    setQuery(user.username);
+    onChange(user.username);
+    setIsOpen(false);
+    setResults([]);
+    inputRef.current?.focus();
+  };
+
+  // Handle keyboard navigation
+  const handleKeyDown = (e: React.KeyboardEvent) => {
+    if (!isOpen) return;
+
+    switch (e.key) {
+      case 'ArrowDown':
+        e.preventDefault();
+        setSelectedIndex(prev => (prev < results.length - 1 ? prev + 1 : prev));
+        break;
+      case 'ArrowUp':
+        e.preventDefault();
+        setSelectedIndex(prev => (prev > 0 ? prev - 1 : -1));
+        break;
+      case 'Enter':
+        e.preventDefault();
+        if (selectedIndex >= 0 && results[selectedIndex]) {
+          handleSelect(results[selectedIndex]);
+        }
+        break;
+      case 'Escape':
+        setIsOpen(false);
+        break;
+    }
+  };
+
+  // Close dropdown when clicking outside
+  useEffect(() => {
+    const handleClickOutside = (e: MouseEvent) => {
+      if (containerRef.current && !containerRef.current.contains(e.target as Node)) {
+        setIsOpen(false);
+      }
+    };
+
+    document.addEventListener('mousedown', handleClickOutside);
+    return () => document.removeEventListener('mousedown', handleClickOutside);
+  }, []);
+
+  // Sync external value changes
+  useEffect(() => {
+    setQuery(value);
+  }, [value]);
+
+  // Cleanup debounce on unmount
+  useEffect(() => {
+    return () => {
+      if (debounceRef.current) {
+        clearTimeout(debounceRef.current);
+      }
+    };
+  }, []);
+
+  return (
+    <div className="user-autocomplete" ref={containerRef}>
+      <div className="user-autocomplete__input-wrapper">
+        <input
+          ref={inputRef}
+          type="text"
+          value={query}
+          onChange={handleInputChange}
+          onKeyDown={handleKeyDown}
+          onFocus={() => query.length >= 1 && results.length > 0 && setIsOpen(true)}
+          placeholder={placeholder}
+          disabled={disabled}
+          autoFocus={autoFocus}
+          autoComplete="off"
+          className="user-autocomplete__input"
+        />
+        {loading && (
+          <div className="user-autocomplete__spinner" />
+        )}
+      </div>
+
+      {isOpen && results.length > 0 && (
+        <ul className="user-autocomplete__dropdown">
+          {results.map((user, index) => (
+            <li
+              key={user.id}
+              className={`user-autocomplete__option ${index === selectedIndex ? 'selected' : ''}`}
+              onClick={() => handleSelect(user)}
+              onMouseEnter={() => setSelectedIndex(index)}
+            >
+              <div className="user-autocomplete__avatar">
+                {user.username.charAt(0).toUpperCase()}
+              </div>
+              <div className="user-autocomplete__user-info">
+                <span className="user-autocomplete__username">{user.username}</span>
+                {user.is_admin && (
+                  <span className="user-autocomplete__admin-badge">Admin</span>
+                )}
+              </div>
+            </li>
+          ))}
+        </ul>
+      )}
+    </div>
+  );
+}

frontend/src/contexts/TeamContext.tsx

@@ -0,0 +1,110 @@
+import { createContext, useContext, useState, useEffect, useCallback, ReactNode } from 'react';
+import { TeamDetail } from '../types';
+import { listTeams } from '../api';
+import { useAuth } from './AuthContext';
+
+const SELECTED_TEAM_KEY = 'orchard_selected_team';
+
+interface TeamContextType {
+  teams: TeamDetail[];
+  currentTeam: TeamDetail | null;
+  loading: boolean;
+  error: string | null;
+  setCurrentTeam: (team: TeamDetail | null) => void;
+  refreshTeams: () => Promise<void>;
+  clearError: () => void;
+}
+
+const TeamContext = createContext<TeamContextType | undefined>(undefined);
+
+interface TeamProviderProps {
+  children: ReactNode;
+}
+
+export function TeamProvider({ children }: TeamProviderProps) {
+  const { user } = useAuth();
+  const [teams, setTeams] = useState<TeamDetail[]>([]);
+  const [currentTeam, setCurrentTeamState] = useState<TeamDetail | null>(null);
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  const loadTeams = useCallback(async () => {
+    if (!user) {
+      setTeams([]);
+      setCurrentTeamState(null);
+      return;
+    }
+
+    setLoading(true);
+    setError(null);
+    try {
+      const response = await listTeams({ limit: 100 });
+      setTeams(response.items);
+
+      // Try to restore previously selected team
+      const savedSlug = localStorage.getItem(SELECTED_TEAM_KEY);
+      if (savedSlug) {
+        const savedTeam = response.items.find(t => t.slug === savedSlug);
+        if (savedTeam) {
+          setCurrentTeamState(savedTeam);
+          return;
+        }
+      }
+
+      // Auto-select first team if none selected
+      if (response.items.length > 0 && !currentTeam) {
+        setCurrentTeamState(response.items[0]);
+        localStorage.setItem(SELECTED_TEAM_KEY, response.items[0].slug);
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Failed to load teams';
+      setError(message);
+    } finally {
+      setLoading(false);
+    }
+  }, [user, currentTeam]);
+
+  // Load teams when user changes
+  useEffect(() => {
+    loadTeams();
+  }, [user]); // eslint-disable-line react-hooks/exhaustive-deps
+
+  const setCurrentTeam = useCallback((team: TeamDetail | null) => {
+    setCurrentTeamState(team);
+    if (team) {
+      localStorage.setItem(SELECTED_TEAM_KEY, team.slug);
+    } else {
+      localStorage.removeItem(SELECTED_TEAM_KEY);
+    }
+  }, []);
+
+  const refreshTeams = useCallback(async () => {
+    await loadTeams();
+  }, [loadTeams]);
+
+  const clearError = useCallback(() => {
+    setError(null);
+  }, []);
+
+  return (
+    <TeamContext.Provider value={{
+      teams,
+      currentTeam,
+      loading,
+      error,
+      setCurrentTeam,
+      refreshTeams,
+      clearError,
+    }}>
+      {children}
+    </TeamContext.Provider>
+  );
+}
+
+export function useTeam() {
+  const context = useContext(TeamContext);
+  if (context === undefined) {
+    throw new Error('useTeam must be used within a TeamProvider');
+  }
+  return context;
+}

frontend/src/pages/Home.css

@@ -358,6 +358,12 @@
   gap: 4px;
 }
 
+.page-header__actions {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+}
+
 /* Package card styles */
 .package-card__header {
   display: flex;

frontend/src/pages/Home.tsx

@@ -179,6 +179,7 @@ function Home() {
         </form>
       )}
 
+      {user && (
         <div className="list-controls">
           <FilterDropdown
             label="Visibility"
@@ -187,8 +188,9 @@ function Home() {
             onChange={handleVisibilityChange}
           />
         </div>
+      )}
 
-      {hasActiveFilters && (
+      {user && hasActiveFilters && (
         <FilterChipGroup onClearAll={clearFilters}>
           {visibility && (
             <FilterChip

frontend/src/pages/PackagePage.css

@@ -127,6 +127,12 @@ h2 {
   font-size: 0.75rem;
 }
 
+/* Action buttons in table */
+.action-buttons {
+  display: flex;
+  gap: 8px;
+}
+
 /* Download by Artifact ID Section */
 .download-by-id-section {
   margin-top: 32px;
@@ -424,6 +430,340 @@ tr:hover .copy-btn {
   white-space: nowrap;
 }
 
+/* Dependencies Section */
+.dependencies-section {
+  margin-top: 32px;
+  background: var(--bg-secondary);
+}
+
+.dependencies-header {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  margin-bottom: 12px;
+}
+
+.dependencies-header h3 {
+  margin: 0;
+  color: var(--text-primary);
+  font-size: 1rem;
+  font-weight: 600;
+}
+
+.dependencies-controls {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+}
+
+.dependencies-controls .btn {
+  display: inline-flex;
+  align-items: center;
+}
+
+.dependencies-tag-select {
+  margin-bottom: 16px;
+}
+
+.tag-selector {
+  padding: 8px 12px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  color: var(--text-primary);
+  font-size: 0.875rem;
+  cursor: pointer;
+  min-width: 200px;
+}
+
+.tag-selector:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+}
+
+.deps-loading {
+  color: var(--text-muted);
+  font-size: 0.875rem;
+  padding: 16px 0;
+}
+
+.deps-error {
+  color: var(--error-color, #ef4444);
+  font-size: 0.875rem;
+  padding: 12px 16px;
+  background: rgba(239, 68, 68, 0.1);
+  border-radius: var(--radius-md);
+}
+
+.deps-empty {
+  color: var(--text-muted);
+  font-size: 0.875rem;
+  padding: 16px 0;
+}
+
+.deps-summary {
+  color: var(--text-secondary);
+  font-size: 0.875rem;
+  margin-bottom: 12px;
+}
+
+.deps-summary strong {
+  color: var(--accent-primary);
+}
+
+.deps-items {
+  list-style: none;
+  margin: 0;
+  padding: 0;
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+}
+
+.dep-item {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  padding: 12px 16px;
+  background: var(--bg-tertiary);
+  border-radius: var(--radius-md);
+  border: 1px solid var(--border-primary);
+}
+
+.dep-link {
+  color: var(--accent-primary);
+  font-weight: 500;
+  text-decoration: none;
+  font-family: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;
+  font-size: 0.875rem;
+}
+
+.dep-link:hover {
+  text-decoration: underline;
+}
+
+.dep-constraint {
+  color: var(--text-muted);
+  font-size: 0.8125rem;
+  font-family: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;
+}
+
+.dep-status {
+  margin-left: auto;
+  font-size: 0.875rem;
+  font-weight: 600;
+}
+
+.dep-status--ok {
+  color: var(--success-color, #10b981);
+}
+
+.dep-status--missing {
+  color: var(--warning-color, #f59e0b);
+}
+
+/* Tag name link in table */
+.tag-name-link {
+  color: var(--accent-primary);
+  transition: opacity var(--transition-fast);
+}
+
+.tag-name-link:hover {
+  opacity: 0.8;
+}
+
+.tag-name-link.selected {
+  text-decoration: underline;
+}
+
+/* Used By (Reverse Dependencies) Section */
+.used-by-section {
+  margin-top: 32px;
+  background: var(--bg-secondary);
+}
+
+.used-by-section h3 {
+  margin-bottom: 16px;
+  color: var(--text-primary);
+  font-size: 1rem;
+  font-weight: 600;
+}
+
+.reverse-dep-item {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  flex-wrap: wrap;
+}
+
+.dep-version {
+  color: var(--accent-primary);
+  font-family: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;
+  font-size: 0.8125rem;
+  background: rgba(16, 185, 129, 0.1);
+  padding: 2px 8px;
+  border-radius: var(--radius-sm);
+}
+
+.dep-requires {
+  color: var(--text-muted);
+  font-size: 0.8125rem;
+  font-family: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;
+  margin-left: auto;
+}
+
+.reverse-deps-pagination {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 16px;
+  margin-top: 16px;
+  padding-top: 16px;
+  border-top: 1px solid var(--border-primary);
+}
+
+.pagination-info {
+  color: var(--text-secondary);
+  font-size: 0.875rem;
+}
+
+/* Ensure File Modal */
+.modal-overlay {
+  position: fixed;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  background: rgba(0, 0, 0, 0.7);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+  padding: 20px;
+}
+
+.ensure-file-modal {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  max-width: 700px;
+  width: 100%;
+  max-height: 80vh;
+  display: flex;
+  flex-direction: column;
+  box-shadow: 0 20px 50px rgba(0, 0, 0, 0.5);
+}
+
+.ensure-file-header {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 16px 20px;
+  border-bottom: 1px solid var(--border-primary);
+}
+
+.ensure-file-header h3 {
+  margin: 0;
+  color: var(--text-primary);
+  font-size: 1rem;
+  font-weight: 600;
+}
+
+.ensure-file-actions {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+}
+
+.ensure-file-actions .copy-btn {
+  opacity: 1;
+  width: 32px;
+  height: 32px;
+}
+
+.modal-close {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  width: 32px;
+  height: 32px;
+  padding: 0;
+  background: transparent;
+  border: none;
+  border-radius: var(--radius-sm);
+  color: var(--text-muted);
+  cursor: pointer;
+  transition: all var(--transition-fast);
+}
+
+.modal-close:hover {
+  background: var(--bg-hover);
+  color: var(--text-primary);
+}
+
+.ensure-file-content {
+  flex: 1;
+  overflow: auto;
+  padding: 20px;
+}
+
+.ensure-file-loading {
+  color: var(--text-muted);
+  text-align: center;
+  padding: 40px 20px;
+}
+
+.ensure-file-error {
+  color: var(--error-color, #ef4444);
+  padding: 16px;
+  background: rgba(239, 68, 68, 0.1);
+  border-radius: var(--radius-md);
+}
+
+.ensure-file-empty {
+  color: var(--text-muted);
+  text-align: center;
+  padding: 40px 20px;
+  font-style: italic;
+}
+
+.ensure-file-yaml {
+  margin: 0;
+  padding: 16px;
+  background: #0d0d0f;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  overflow-x: auto;
+}
+
+.ensure-file-yaml code {
+  font-family: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;
+  font-size: 0.8125rem;
+  color: #e2e8f0;
+  white-space: pre;
+}
+
+.ensure-file-footer {
+  padding: 16px 20px;
+  border-top: 1px solid var(--border-primary);
+  background: var(--bg-tertiary);
+  border-radius: 0 0 var(--radius-lg) var(--radius-lg);
+}
+
+.ensure-file-hint {
+  margin: 0;
+  color: var(--text-muted);
+  font-size: 0.8125rem;
+}
+
+.ensure-file-hint code {
+  background: rgba(0, 0, 0, 0.2);
+  padding: 2px 6px;
+  border-radius: var(--radius-sm);
+  font-family: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;
+  color: var(--accent-primary);
+}
+
 /* Responsive adjustments */
 @media (max-width: 768px) {
   .upload-form {
@@ -439,4 +779,18 @@ tr:hover .copy-btn {
     flex-wrap: wrap;
     gap: 12px;
   }
+
+  .dependencies-header {
+    flex-direction: column;
+    align-items: flex-start;
+    gap: 12px;
+  }
+
+  .tag-selector {
+    width: 100%;
+  }
+
+  .ensure-file-modal {
+    max-height: 90vh;
+  }
 }

frontend/src/pages/PackagePage.tsx

@@ -1,7 +1,7 @@
 import { useState, useEffect, useCallback } from 'react';
-import { useParams, useSearchParams, useNavigate, useLocation } from 'react-router-dom';
+import { useParams, useSearchParams, useNavigate, useLocation, Link } from 'react-router-dom';
-import { TagDetail, Package, PaginatedResponse, AccessLevel } from '../types';
+import { TagDetail, Package, PaginatedResponse, AccessLevel, Dependency, DependentInfo } from '../types';
-import { listTags, getDownloadUrl, getPackage, getMyProjectAccess, createTag, UnauthorizedError, ForbiddenError } from '../api';
+import { listTags, getDownloadUrl, getPackage, getMyProjectAccess, createTag, getArtifactDependencies, getReverseDependencies, getEnsureFile, UnauthorizedError, ForbiddenError } from '../api';
 import { Breadcrumb } from '../components/Breadcrumb';
 import { Badge } from '../components/Badge';
 import { SearchInput } from '../components/SearchInput';
@@ -10,6 +10,7 @@ import { DataTable } from '../components/DataTable';
 import { Pagination } from '../components/Pagination';
 import { DragDropUpload, UploadResult } from '../components/DragDropUpload';
 import { useAuth } from '../contexts/AuthContext';
+import DependencyGraph from '../components/DependencyGraph';
 import './Home.css';
 import './PackagePage.css';
 
@@ -68,6 +69,30 @@ function PackagePage() {
   const [createTagArtifactId, setCreateTagArtifactId] = useState('');
   const [createTagLoading, setCreateTagLoading] = useState(false);
 
+  // Dependencies state
+  const [selectedTag, setSelectedTag] = useState<TagDetail | null>(null);
+  const [dependencies, setDependencies] = useState<Dependency[]>([]);
+  const [depsLoading, setDepsLoading] = useState(false);
+  const [depsError, setDepsError] = useState<string | null>(null);
+
+  // Reverse dependencies state
+  const [reverseDeps, setReverseDeps] = useState<DependentInfo[]>([]);
+  const [reverseDepsLoading, setReverseDepsLoading] = useState(false);
+  const [reverseDepsError, setReverseDepsError] = useState<string | null>(null);
+  const [reverseDepsPage, setReverseDepsPage] = useState(1);
+  const [reverseDepsTotal, setReverseDepsTotal] = useState(0);
+  const [reverseDepsHasMore, setReverseDepsHasMore] = useState(false);
+
+  // Dependency graph modal state
+  const [showGraph, setShowGraph] = useState(false);
+
+  // Ensure file modal state
+  const [showEnsureFile, setShowEnsureFile] = useState(false);
+  const [ensureFileContent, setEnsureFileContent] = useState<string | null>(null);
+  const [ensureFileLoading, setEnsureFileLoading] = useState(false);
+  const [ensureFileError, setEnsureFileError] = useState<string | null>(null);
+  const [ensureFileTagName, setEnsureFileTagName] = useState<string | null>(null);
+
   // Derived permissions
   const canWrite = accessLevel === 'write' || accessLevel === 'admin';
 
@@ -128,6 +153,98 @@ function PackagePage() {
     loadData();
   }, [loadData]);
 
+  // Auto-select tag when tags are loaded (prefer version from URL, then first tag)
+  // Re-run when package changes to pick up new tags
+  useEffect(() => {
+    if (tagsData?.items && tagsData.items.length > 0) {
+      const versionParam = searchParams.get('version');
+      if (versionParam) {
+        // Find tag matching the version parameter
+        const matchingTag = tagsData.items.find(t => t.version === versionParam);
+        if (matchingTag) {
+          setSelectedTag(matchingTag);
+          setDependencies([]);
+          return;
+        }
+      }
+      // Fall back to first tag
+      setSelectedTag(tagsData.items[0]);
+      setDependencies([]);
+    }
+  }, [tagsData, searchParams, projectName, packageName]);
+
+  // Fetch dependencies when selected tag changes
+  const fetchDependencies = useCallback(async (artifactId: string) => {
+    setDepsLoading(true);
+    setDepsError(null);
+    try {
+      const result = await getArtifactDependencies(artifactId);
+      setDependencies(result.dependencies);
+    } catch (err) {
+      setDepsError(err instanceof Error ? err.message : 'Failed to load dependencies');
+      setDependencies([]);
+    } finally {
+      setDepsLoading(false);
+    }
+  }, []);
+
+  useEffect(() => {
+    if (selectedTag) {
+      fetchDependencies(selectedTag.artifact_id);
+    }
+  }, [selectedTag, fetchDependencies]);
+
+  // Fetch reverse dependencies
+  const fetchReverseDeps = useCallback(async (pageNum: number = 1) => {
+    if (!projectName || !packageName) return;
+
+    setReverseDepsLoading(true);
+    setReverseDepsError(null);
+    try {
+      const result = await getReverseDependencies(projectName, packageName, { page: pageNum, limit: 10 });
+      setReverseDeps(result.dependents);
+      setReverseDepsTotal(result.pagination.total);
+      setReverseDepsHasMore(result.pagination.has_more);
+      setReverseDepsPage(pageNum);
+    } catch (err) {
+      setReverseDepsError(err instanceof Error ? err.message : 'Failed to load reverse dependencies');
+      setReverseDeps([]);
+    } finally {
+      setReverseDepsLoading(false);
+    }
+  }, [projectName, packageName]);
+
+  useEffect(() => {
+    if (projectName && packageName && !loading) {
+      fetchReverseDeps(1);
+    }
+  }, [projectName, packageName, loading, fetchReverseDeps]);
+
+  // Fetch ensure file for a specific tag
+  const fetchEnsureFileForTag = useCallback(async (tagName: string) => {
+    if (!projectName || !packageName) return;
+
+    setEnsureFileTagName(tagName);
+    setEnsureFileLoading(true);
+    setEnsureFileError(null);
+    try {
+      const content = await getEnsureFile(projectName, packageName, tagName);
+      setEnsureFileContent(content);
+      setShowEnsureFile(true);
+    } catch (err) {
+      setEnsureFileError(err instanceof Error ? err.message : 'Failed to load ensure file');
+      setShowEnsureFile(true);
+    } finally {
+      setEnsureFileLoading(false);
+    }
+  }, [projectName, packageName]);
+
+  // Fetch ensure file for selected tag
+  const fetchEnsureFile = useCallback(async () => {
+    if (!selectedTag) return;
+    fetchEnsureFileForTag(selectedTag.name);
+  }, [selectedTag, fetchEnsureFileForTag]);
+
   // Keyboard navigation - go back with backspace
   useEffect(() => {
     const handleKeyDown = (e: KeyboardEvent) => {
@@ -202,12 +319,24 @@ function PackagePage() {
   const tags = tagsData?.items || [];
   const pagination = tagsData?.pagination;
 
+  const handleTagSelect = (tag: TagDetail) => {
+    setSelectedTag(tag);
+  };
+
   const columns = [
     {
       key: 'name',
       header: 'Tag',
       sortable: true,
-      render: (t: TagDetail) => <strong>{t.name}</strong>,
+      render: (t: TagDetail) => (
+        <strong
+          className={`tag-name-link ${selectedTag?.id === t.id ? 'selected' : ''}`}
+          onClick={() => handleTagSelect(t)}
+          style={{ cursor: 'pointer' }}
+        >
+          {t.name}
+        </strong>
+      ),
     },
     {
       key: 'version',
@@ -261,6 +390,14 @@ function PackagePage() {
       key: 'actions',
       header: 'Actions',
       render: (t: TagDetail) => (
+        <div className="action-buttons">
+          <button
+            className="btn btn-secondary btn-small"
+            onClick={() => fetchEnsureFileForTag(t.name)}
+            title="View orchard.ensure file"
+          >
+            Ensure
+          </button>
           <a
             href={getDownloadUrl(projectName!, packageName!, t.name)}
             className="btn btn-secondary btn-small"
@@ -268,6 +405,7 @@ function PackagePage() {
           >
             Download
           </a>
+        </div>
       ),
     },
   ];
@@ -439,6 +577,166 @@ function PackagePage() {
         />
       )}
 
+      {/* Dependencies Section */}
+      {tags.length > 0 && (
+        <div className="dependencies-section card">
+          <div className="dependencies-header">
+            <h3>Dependencies</h3>
+            <div className="dependencies-controls">
+              {selectedTag && (
+                <>
+                  <button
+                    className="btn btn-secondary btn-small"
+                    onClick={fetchEnsureFile}
+                    disabled={ensureFileLoading}
+                    title="View orchard.ensure file"
+                  >
+                    <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" style={{ marginRight: '6px' }}>
+                      <path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z"></path>
+                      <polyline points="14 2 14 8 20 8"></polyline>
+                      <line x1="16" y1="13" x2="8" y2="13"></line>
+                      <line x1="16" y1="17" x2="8" y2="17"></line>
+                      <polyline points="10 9 9 9 8 9"></polyline>
+                    </svg>
+                    {ensureFileLoading ? 'Loading...' : 'View Ensure File'}
+                  </button>
+                  <button
+                    className="btn btn-secondary btn-small"
+                    onClick={() => setShowGraph(true)}
+                    title="View full dependency tree"
+                  >
+                    <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" style={{ marginRight: '6px' }}>
+                      <circle cx="12" cy="12" r="3"></circle>
+                      <circle cx="4" cy="4" r="2"></circle>
+                      <circle cx="20" cy="4" r="2"></circle>
+                      <circle cx="4" cy="20" r="2"></circle>
+                      <circle cx="20" cy="20" r="2"></circle>
+                      <line x1="9.5" y1="9.5" x2="5.5" y2="5.5"></line>
+                      <line x1="14.5" y1="9.5" x2="18.5" y2="5.5"></line>
+                      <line x1="9.5" y1="14.5" x2="5.5" y2="18.5"></line>
+                      <line x1="14.5" y1="14.5" x2="18.5" y2="18.5"></line>
+                    </svg>
+                    View Graph
+                  </button>
+                </>
+              )}
+            </div>
+          </div>
+          <div className="dependencies-tag-select">
+            {selectedTag && (
+              <select
+                className="tag-selector"
+                value={selectedTag.id}
+                onChange={(e) => {
+                  const tag = tags.find(t => t.id === e.target.value);
+                  if (tag) setSelectedTag(tag);
+                }}
+              >
+                {tags.map(t => (
+                  <option key={t.id} value={t.id}>
+                    {t.name}{t.version ? ` (${t.version})` : ''}
+                  </option>
+                ))}
+              </select>
+            )}
+          </div>
+
+          {depsLoading ? (
+            <div className="deps-loading">Loading dependencies...</div>
+          ) : depsError ? (
+            <div className="deps-error">{depsError}</div>
+          ) : dependencies.length === 0 ? (
+            <div className="deps-empty">
+              {selectedTag ? (
+                <span><strong>{selectedTag.name}</strong> has no dependencies</span>
+              ) : (
+                <span>No dependencies</span>
+              )}
+            </div>
+          ) : (
+            <div className="deps-list">
+              <div className="deps-summary">
+                <strong>{selectedTag?.name}</strong> has {dependencies.length} {dependencies.length === 1 ? 'dependency' : 'dependencies'}:
+              </div>
+              <ul className="deps-items">
+                {dependencies.map((dep) => (
+                  <li key={dep.id} className="dep-item">
+                    <Link
+                      to={`/project/${dep.project}/${dep.package}`}
+                      className="dep-link"
+                    >
+                      {dep.project}/{dep.package}
+                    </Link>
+                    <span className="dep-constraint">
+                      @ {dep.version || dep.tag}
+                    </span>
+                    <span className="dep-status dep-status--ok" title="Package exists">
+                      &#10003;
+                    </span>
+                  </li>
+                ))}
+              </ul>
+            </div>
+          )}
+        </div>
+      )}
+
+      {/* Used By (Reverse Dependencies) Section */}
+      <div className="used-by-section card">
+        <h3>Used By</h3>
+
+        {reverseDepsLoading ? (
+          <div className="deps-loading">Loading reverse dependencies...</div>
+        ) : reverseDepsError ? (
+          <div className="deps-error">{reverseDepsError}</div>
+        ) : reverseDeps.length === 0 ? (
+          <div className="deps-empty">No packages depend on this package</div>
+        ) : (
+          <div className="reverse-deps-list">
+            <div className="deps-summary">
+              {reverseDepsTotal} {reverseDepsTotal === 1 ? 'package depends' : 'packages depend'} on this:
+            </div>
+            <ul className="deps-items">
+              {reverseDeps.map((dep) => (
+                <li key={dep.artifact_id} className="dep-item reverse-dep-item">
+                  <Link
+                    to={`/project/${dep.project}/${dep.package}${dep.version ? `?version=${dep.version}` : ''}`}
+                    className="dep-link"
+                  >
+                    {dep.project}/{dep.package}
+                    {dep.version && (
+                      <span className="dep-version">v{dep.version}</span>
+                    )}
+                  </Link>
+                  <span className="dep-requires">
+                    requires @ {dep.constraint_value}
+                  </span>
+                </li>
+              ))}
+            </ul>
+            {(reverseDepsHasMore || reverseDepsPage > 1) && (
+              <div className="reverse-deps-pagination">
+                <button
+                  className="btn btn-secondary btn-small"
+                  onClick={() => fetchReverseDeps(reverseDepsPage - 1)}
+                  disabled={reverseDepsPage <= 1 || reverseDepsLoading}
+                >
+                  Previous
+                </button>
+                <span className="pagination-info">Page {reverseDepsPage}</span>
+                <button
+                  className="btn btn-secondary btn-small"
+                  onClick={() => fetchReverseDeps(reverseDepsPage + 1)}
+                  disabled={!reverseDepsHasMore || reverseDepsLoading}
+                >
+                  Next
+                </button>
+              </div>
+            )}
+          </div>
+        )}
+      </div>
+
       <div className="download-by-id-section card">
         <h3>Download by Artifact ID</h3>
         <div className="download-by-id-form">
@@ -522,6 +820,58 @@ function PackagePage() {
           <code>curl -O {window.location.origin}/api/v1/project/{projectName}/{packageName}/+/v1.0.0</code>
         </pre>
       </div>
+
+      {/* Dependency Graph Modal */}
+      {showGraph && selectedTag && (
+        <DependencyGraph
+          projectName={projectName!}
+          packageName={packageName!}
+          tagName={selectedTag.name}
+          onClose={() => setShowGraph(false)}
+        />
+      )}
+
+      {/* Ensure File Modal */}
+      {showEnsureFile && (
+        <div className="modal-overlay" onClick={() => setShowEnsureFile(false)}>
+          <div className="ensure-file-modal" onClick={(e) => e.stopPropagation()}>
+            <div className="ensure-file-header">
+              <h3>orchard.ensure for {ensureFileTagName}</h3>
+              <div className="ensure-file-actions">
+                {ensureFileContent && (
+                  <CopyButton text={ensureFileContent} />
+                )}
+                <button
+                  className="modal-close"
+                  onClick={() => setShowEnsureFile(false)}
+                  title="Close"
+                >
+                  <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                    <line x1="18" y1="6" x2="6" y2="18"></line>
+                    <line x1="6" y1="6" x2="18" y2="18"></line>
+                  </svg>
+                </button>
+              </div>
+            </div>
+            <div className="ensure-file-content">
+              {ensureFileLoading ? (
+                <div className="ensure-file-loading">Loading...</div>
+              ) : ensureFileError ? (
+                <div className="ensure-file-error">{ensureFileError}</div>
+              ) : ensureFileContent ? (
+                <pre className="ensure-file-yaml"><code>{ensureFileContent}</code></pre>
+              ) : (
+                <div className="ensure-file-empty">No dependencies defined for this artifact.</div>
+              )}
+            </div>
+            <div className="ensure-file-footer">
+              <p className="ensure-file-hint">
+                Save this as <code>orchard.ensure</code> in your project root to declare dependencies.
+              </p>
+            </div>
+          </div>
+        </div>
+      )}
     </div>
   );
 }

frontend/src/pages/ProjectPage.tsx

@@ -8,7 +8,6 @@ import { DataTable } from '../components/DataTable';
 import { SearchInput } from '../components/SearchInput';
 import { FilterChip, FilterChipGroup } from '../components/FilterChip';
 import { Pagination } from '../components/Pagination';
-import { AccessManagement } from '../components/AccessManagement';
 import { useAuth } from '../contexts/AuthContext';
 import './Home.css';
 
@@ -211,6 +210,20 @@ function ProjectPage() {
             <span className="meta-item">by {project.created_by}</span>
           </div>
         </div>
+        <div className="page-header__actions">
+          {canAdmin && !project.team_id && (
+            <button
+              className="btn btn-secondary"
+              onClick={() => navigate(`/project/${projectName}/settings`)}
+              title="Project Settings"
+            >
+              <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+                <circle cx="12" cy="12" r="3" />
+                <path d="M19.4 15a1.65 1.65 0 0 0 .33 1.82l.06.06a2 2 0 0 1 0 2.83 2 2 0 0 1-2.83 0l-.06-.06a1.65 1.65 0 0 0-1.82-.33 1.65 1.65 0 0 0-1 1.51V21a2 2 0 0 1-2 2 2 2 0 0 1-2-2v-.09A1.65 1.65 0 0 0 9 19.4a1.65 1.65 0 0 0-1.82.33l-.06.06a2 2 0 0 1-2.83 0 2 2 0 0 1 0-2.83l.06-.06a1.65 1.65 0 0 0 .33-1.82 1.65 1.65 0 0 0-1.51-1H3a2 2 0 0 1-2-2 2 2 0 0 1 2-2h.09A1.65 1.65 0 0 0 4.6 9a1.65 1.65 0 0 0-.33-1.82l-.06-.06a2 2 0 0 1 0-2.83 2 2 0 0 1 2.83 0l.06.06a1.65 1.65 0 0 0 1.82.33H9a1.65 1.65 0 0 0 1-1.51V3a2 2 0 0 1 2-2 2 2 0 0 1 2 2v.09a1.65 1.65 0 0 0 1 1.51 1.65 1.65 0 0 0 1.82-.33l.06-.06a2 2 0 0 1 2.83 0 2 2 0 0 1 0 2.83l-.06.06a1.65 1.65 0 0 0-.33 1.82V9a1.65 1.65 0 0 0 1.51 1H21a2 2 0 0 1 2 2 2 2 0 0 1-2 2h-.09a1.65 1.65 0 0 0-1.51 1z" />
+              </svg>
+              Settings
+            </button>
+          )}
           {canWrite ? (
             <button className="btn btn-primary" onClick={() => setShowForm(!showForm)}>
               {showForm ? 'Cancel' : '+ New Package'}
@@ -221,6 +234,7 @@ function ProjectPage() {
             </span>
           ) : null}
         </div>
+      </div>
 
       {error && <div className="error-message">{error}</div>}
 
@@ -371,10 +385,6 @@ function ProjectPage() {
           onPageChange={handlePageChange}
         />
       )}
-
-      {canAdmin && projectName && (
-        <AccessManagement projectName={projectName} />
-      )}
     </div>
   );
 }

frontend/src/pages/ProjectSettingsPage.css

@@ -0,0 +1,476 @@
+.project-settings-page {
+  max-width: 900px;
+  margin: 0 auto;
+}
+
+.project-settings-header {
+  margin-bottom: 32px;
+}
+
+.project-settings-header h1 {
+  font-size: 1.75rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 8px;
+  letter-spacing: -0.02em;
+}
+
+.project-settings-subtitle {
+  color: var(--text-tertiary);
+  font-size: 0.9375rem;
+}
+
+.project-settings-loading {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 12px;
+  padding: 64px 24px;
+  color: var(--text-tertiary);
+  font-size: 0.9375rem;
+}
+
+.project-settings-spinner {
+  width: 20px;
+  height: 20px;
+  border: 2px solid var(--border-secondary);
+  border-top-color: var(--accent-primary);
+  border-radius: 50%;
+  animation: project-settings-spin 0.6s linear infinite;
+}
+
+@keyframes project-settings-spin {
+  to {
+    transform: rotate(360deg);
+  }
+}
+
+.project-settings-error {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  background: var(--error-bg);
+  border: 1px solid rgba(239, 68, 68, 0.2);
+  color: var(--error);
+  padding: 12px 16px;
+  border-radius: var(--radius-md);
+  margin-bottom: 24px;
+  font-size: 0.875rem;
+}
+
+.project-settings-success {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  background: var(--success-bg);
+  border: 1px solid rgba(34, 197, 94, 0.2);
+  color: var(--success);
+  padding: 12px 16px;
+  border-radius: var(--radius-md);
+  margin-bottom: 24px;
+  font-size: 0.875rem;
+  animation: project-settings-fade-in 0.2s ease;
+}
+
+@keyframes project-settings-fade-in {
+  from {
+    opacity: 0;
+    transform: translateY(-8px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+.project-settings-section {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  padding: 24px;
+  margin-bottom: 24px;
+}
+
+.project-settings-section h2 {
+  font-size: 1.125rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 20px;
+  padding-bottom: 16px;
+  border-bottom: 1px solid var(--border-primary);
+}
+
+.project-settings-form {
+  display: flex;
+  flex-direction: column;
+  gap: 16px;
+}
+
+.project-settings-form-group {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+}
+
+.project-settings-form-group label {
+  font-size: 0.8125rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+}
+
+.project-settings-form-group textarea,
+.project-settings-form-group input[type="text"] {
+  padding: 12px 14px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  color: var(--text-primary);
+  transition: all var(--transition-fast);
+  font-family: inherit;
+  resize: vertical;
+}
+
+.project-settings-form-group textarea {
+  min-height: 100px;
+}
+
+.project-settings-form-group textarea::placeholder,
+.project-settings-form-group input::placeholder {
+  color: var(--text-muted);
+}
+
+.project-settings-form-group textarea:hover:not(:disabled),
+.project-settings-form-group input:hover:not(:disabled) {
+  border-color: var(--border-secondary);
+  background: var(--bg-elevated);
+}
+
+.project-settings-form-group textarea:focus,
+.project-settings-form-group input:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.15);
+  background: var(--bg-elevated);
+}
+
+.project-settings-form-group textarea:disabled,
+.project-settings-form-group input:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+}
+
+.project-settings-checkbox-group {
+  flex-direction: row;
+  align-items: center;
+}
+
+.project-settings-checkbox-label {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  cursor: pointer;
+  font-size: 0.875rem;
+  font-weight: 400;
+  color: var(--text-secondary);
+  user-select: none;
+}
+
+.project-settings-checkbox-label input[type="checkbox"] {
+  position: absolute;
+  opacity: 0;
+  width: 0;
+  height: 0;
+}
+
+.project-settings-checkbox-custom {
+  width: 18px;
+  height: 18px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-secondary);
+  border-radius: var(--radius-sm);
+  transition: all var(--transition-fast);
+  position: relative;
+  flex-shrink: 0;
+}
+
+.project-settings-checkbox-label input[type="checkbox"]:checked + .project-settings-checkbox-custom {
+  background: var(--accent-primary);
+  border-color: var(--accent-primary);
+}
+
+.project-settings-checkbox-label input[type="checkbox"]:checked + .project-settings-checkbox-custom::after {
+  content: '';
+  position: absolute;
+  left: 5px;
+  top: 2px;
+  width: 5px;
+  height: 9px;
+  border: solid white;
+  border-width: 0 2px 2px 0;
+  transform: rotate(45deg);
+}
+
+.project-settings-checkbox-label input[type="checkbox"]:focus + .project-settings-checkbox-custom {
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.15);
+}
+
+.project-settings-checkbox-label:hover .project-settings-checkbox-custom {
+  border-color: var(--accent-primary);
+}
+
+.project-settings-form-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 12px;
+  margin-top: 8px;
+}
+
+.project-settings-save-button {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 8px;
+  padding: 10px 18px;
+  background: var(--accent-gradient);
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: white;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  min-width: 120px;
+}
+
+.project-settings-save-button:hover:not(:disabled) {
+  transform: translateY(-1px);
+  box-shadow: var(--shadow-sm), 0 0 20px rgba(16, 185, 129, 0.2);
+}
+
+.project-settings-save-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+  transform: none;
+}
+
+.project-settings-button-spinner {
+  width: 14px;
+  height: 14px;
+  border: 2px solid rgba(255, 255, 255, 0.3);
+  border-top-color: white;
+  border-radius: 50%;
+  animation: project-settings-spin 0.6s linear infinite;
+}
+
+/* Danger Zone */
+.project-settings-danger-zone {
+  background: var(--bg-secondary);
+  border: 1px solid rgba(239, 68, 68, 0.3);
+  border-radius: var(--radius-lg);
+  padding: 24px;
+  margin-bottom: 24px;
+}
+
+.project-settings-danger-zone h2 {
+  font-size: 1.125rem;
+  font-weight: 600;
+  color: var(--error);
+  margin-bottom: 20px;
+  padding-bottom: 16px;
+  border-bottom: 1px solid rgba(239, 68, 68, 0.2);
+}
+
+.project-settings-danger-item {
+  display: flex;
+  justify-content: space-between;
+  align-items: flex-start;
+  gap: 24px;
+}
+
+.project-settings-danger-info h3 {
+  font-size: 0.9375rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 4px;
+}
+
+.project-settings-danger-info p {
+  color: var(--text-tertiary);
+  font-size: 0.8125rem;
+  max-width: 400px;
+}
+
+.project-settings-delete-button {
+  padding: 10px 18px;
+  background: transparent;
+  border: 1px solid rgba(239, 68, 68, 0.3);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: var(--error);
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  flex-shrink: 0;
+}
+
+.project-settings-delete-button:hover:not(:disabled) {
+  background: var(--error-bg);
+  border-color: rgba(239, 68, 68, 0.5);
+}
+
+.project-settings-delete-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+/* Delete Confirmation */
+.project-settings-delete-confirm {
+  margin-top: 20px;
+  padding-top: 20px;
+  border-top: 1px solid rgba(239, 68, 68, 0.2);
+  animation: project-settings-fade-in 0.2s ease;
+}
+
+.project-settings-delete-confirm p {
+  color: var(--text-secondary);
+  font-size: 0.875rem;
+  margin-bottom: 12px;
+}
+
+.project-settings-delete-confirm strong {
+  color: var(--text-primary);
+  font-family: 'JetBrains Mono', 'Fira Code', 'SF Mono', Monaco, monospace;
+  background: var(--bg-tertiary);
+  padding: 2px 6px;
+  border-radius: var(--radius-sm);
+}
+
+.project-settings-delete-confirm-input {
+  width: 100%;
+  padding: 12px 14px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  color: var(--text-primary);
+  transition: all var(--transition-fast);
+  margin-bottom: 16px;
+}
+
+.project-settings-delete-confirm-input:focus {
+  outline: none;
+  border-color: var(--error);
+  box-shadow: 0 0 0 3px rgba(239, 68, 68, 0.15);
+}
+
+.project-settings-delete-confirm-input::placeholder {
+  color: var(--text-muted);
+}
+
+.project-settings-delete-confirm-actions {
+  display: flex;
+  gap: 12px;
+}
+
+.project-settings-confirm-delete-button {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 8px;
+  padding: 10px 18px;
+  background: var(--error);
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: white;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  min-width: 120px;
+}
+
+.project-settings-confirm-delete-button:hover:not(:disabled) {
+  opacity: 0.9;
+}
+
+.project-settings-confirm-delete-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.project-settings-cancel-button {
+  padding: 10px 18px;
+  background: transparent;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+  cursor: pointer;
+  transition: all var(--transition-fast);
+}
+
+.project-settings-cancel-button:hover:not(:disabled) {
+  background: var(--bg-hover);
+  border-color: var(--border-secondary);
+  color: var(--text-primary);
+}
+
+.project-settings-cancel-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.project-settings-delete-spinner {
+  width: 14px;
+  height: 14px;
+  border: 2px solid rgba(255, 255, 255, 0.3);
+  border-top-color: white;
+  border-radius: 50%;
+  animation: project-settings-spin 0.6s linear infinite;
+}
+
+/* Access denied */
+.project-settings-access-denied {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  padding: 80px 24px;
+  text-align: center;
+}
+
+.project-settings-access-denied h2 {
+  font-size: 1.5rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 12px;
+}
+
+.project-settings-access-denied p {
+  color: var(--text-tertiary);
+  font-size: 0.9375rem;
+  max-width: 400px;
+}
+
+/* Responsive */
+@media (max-width: 768px) {
+  .project-settings-danger-item {
+    flex-direction: column;
+    gap: 16px;
+  }
+
+  .project-settings-delete-button {
+    align-self: flex-start;
+  }
+
+  .project-settings-delete-confirm-actions {
+    flex-direction: column;
+  }
+
+  .project-settings-confirm-delete-button,
+  .project-settings-cancel-button {
+    width: 100%;
+  }
+}

frontend/src/pages/ProjectSettingsPage.tsx

@@ -0,0 +1,304 @@
+import { useState, useEffect, useCallback } from 'react';
+import { useParams, useNavigate } from 'react-router-dom';
+import { Project } from '../types';
+import {
+  getProject,
+  updateProject,
+  deleteProject,
+  getMyProjectAccess,
+  UnauthorizedError,
+  ForbiddenError,
+} from '../api';
+import { Breadcrumb } from '../components/Breadcrumb';
+import { useAuth } from '../contexts/AuthContext';
+import './ProjectSettingsPage.css';
+
+function ProjectSettingsPage() {
+  const { projectName } = useParams<{ projectName: string }>();
+  const navigate = useNavigate();
+  const { user } = useAuth();
+
+  const [project, setProject] = useState<Project | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [success, setSuccess] = useState<string | null>(null);
+  const [accessDenied, setAccessDenied] = useState(false);
+  const [canAdmin, setCanAdmin] = useState(false);
+
+  // General settings form state
+  const [description, setDescription] = useState('');
+  const [isPublic, setIsPublic] = useState(false);
+  const [saving, setSaving] = useState(false);
+
+  // Delete confirmation state
+  const [showDeleteConfirm, setShowDeleteConfirm] = useState(false);
+  const [deleteConfirmText, setDeleteConfirmText] = useState('');
+  const [deleting, setDeleting] = useState(false);
+
+  const loadData = useCallback(async () => {
+    if (!projectName) return;
+
+    try {
+      setLoading(true);
+      setAccessDenied(false);
+      const [projectData, accessResult] = await Promise.all([
+        getProject(projectName),
+        getMyProjectAccess(projectName),
+      ]);
+      setProject(projectData);
+      setDescription(projectData.description || '');
+      setIsPublic(projectData.is_public);
+
+      const hasAdminAccess = accessResult.access_level === 'admin';
+      setCanAdmin(hasAdminAccess);
+
+      if (!hasAdminAccess) {
+        setAccessDenied(true);
+      }
+
+      setError(null);
+    } catch (err) {
+      if (err instanceof UnauthorizedError) {
+        navigate('/login', { state: { from: `/project/${projectName}/settings` } });
+        return;
+      }
+      if (err instanceof ForbiddenError) {
+        setAccessDenied(true);
+        setLoading(false);
+        return;
+      }
+      setError(err instanceof Error ? err.message : 'Failed to load project');
+    } finally {
+      setLoading(false);
+    }
+  }, [projectName, navigate]);
+
+  useEffect(() => {
+    loadData();
+  }, [loadData]);
+
+  const handleSaveSettings = async (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!projectName) return;
+
+    try {
+      setSaving(true);
+      setError(null);
+      const updatedProject = await updateProject(projectName, {
+        description: description || undefined,
+        is_public: isPublic,
+      });
+      setProject(updatedProject);
+      setSuccess('Settings saved successfully');
+      setTimeout(() => setSuccess(null), 3000);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to save settings');
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  const handleDeleteProject = async () => {
+    if (!projectName || deleteConfirmText !== projectName) return;
+
+    try {
+      setDeleting(true);
+      setError(null);
+      await deleteProject(projectName);
+      navigate('/');
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to delete project');
+      setDeleting(false);
+    }
+  };
+
+  const handleCancelDelete = () => {
+    setShowDeleteConfirm(false);
+    setDeleteConfirmText('');
+  };
+
+  if (loading) {
+    return (
+      <div className="project-settings-page">
+        <Breadcrumb
+          items={[
+            { label: 'Projects', href: '/' },
+            { label: projectName || '', href: `/project/${projectName}` },
+            { label: 'Settings' },
+          ]}
+        />
+        <div className="project-settings-loading">
+          <div className="project-settings-spinner" />
+          <span>Loading...</span>
+        </div>
+      </div>
+    );
+  }
+
+  if (accessDenied || !canAdmin) {
+    return (
+      <div className="project-settings-page">
+        <Breadcrumb
+          items={[
+            { label: 'Projects', href: '/' },
+            { label: projectName || '', href: `/project/${projectName}` },
+            { label: 'Settings' },
+          ]}
+        />
+        <div className="project-settings-access-denied">
+          <h2>Access Denied</h2>
+          <p>You must be a project admin to access settings.</p>
+          {!user && (
+            <p style={{ marginTop: '16px' }}>
+              <a href="/login" className="btn btn-primary">
+                Sign in
+              </a>
+            </p>
+          )}
+        </div>
+      </div>
+    );
+  }
+
+  if (!project) {
+    return (
+      <div className="project-settings-page">
+        <Breadcrumb
+          items={[
+            { label: 'Projects', href: '/' },
+            { label: projectName || '' },
+          ]}
+        />
+        <div className="project-settings-error">Project not found</div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="project-settings-page">
+      <Breadcrumb
+        items={[
+          { label: 'Projects', href: '/' },
+          { label: project.name, href: `/project/${project.name}` },
+          { label: 'Settings' },
+        ]}
+      />
+
+      <div className="project-settings-header">
+        <h1>Project Settings</h1>
+        <p className="project-settings-subtitle">Manage settings for {project.name}</p>
+      </div>
+
+      {error && <div className="project-settings-error">{error}</div>}
+      {success && <div className="project-settings-success">{success}</div>}
+
+      {/* General Settings Section */}
+      <div className="project-settings-section">
+        <h2>General</h2>
+        <form className="project-settings-form" onSubmit={handleSaveSettings}>
+          <div className="project-settings-form-group">
+            <label htmlFor="description">Description</label>
+            <textarea
+              id="description"
+              value={description}
+              onChange={(e) => setDescription(e.target.value)}
+              placeholder="Describe your project..."
+              disabled={saving}
+            />
+          </div>
+
+          <div className="project-settings-form-group project-settings-checkbox-group">
+            <label className="project-settings-checkbox-label">
+              <input
+                type="checkbox"
+                checked={isPublic}
+                onChange={(e) => setIsPublic(e.target.checked)}
+                disabled={saving}
+              />
+              <span className="project-settings-checkbox-custom" />
+              <span>Public project (visible to everyone)</span>
+            </label>
+          </div>
+
+          <div className="project-settings-form-actions">
+            <button type="submit" className="project-settings-save-button" disabled={saving}>
+              {saving ? (
+                <>
+                  <span className="project-settings-button-spinner" />
+                  Saving...
+                </>
+              ) : (
+                'Save Changes'
+              )}
+            </button>
+          </div>
+        </form>
+      </div>
+
+      {/* Danger Zone Section */}
+      <div className="project-settings-danger-zone">
+        <h2>Danger Zone</h2>
+        <div className="project-settings-danger-item">
+          <div className="project-settings-danger-info">
+            <h3>Delete this project</h3>
+            <p>
+              Once you delete a project, there is no going back. This will permanently delete the
+              project, all packages, artifacts, and tags.
+            </p>
+          </div>
+          {!showDeleteConfirm && (
+            <button
+              className="project-settings-delete-button"
+              onClick={() => setShowDeleteConfirm(true)}
+              disabled={deleting}
+            >
+              Delete Project
+            </button>
+          )}
+        </div>
+
+        {showDeleteConfirm && (
+          <div className="project-settings-delete-confirm">
+            <p>
+              Type <strong>{project.name}</strong> to confirm deletion:
+            </p>
+            <input
+              type="text"
+              className="project-settings-delete-confirm-input"
+              value={deleteConfirmText}
+              onChange={(e) => setDeleteConfirmText(e.target.value)}
+              placeholder={project.name}
+              disabled={deleting}
+              autoFocus
+            />
+            <div className="project-settings-delete-confirm-actions">
+              <button
+                className="project-settings-confirm-delete-button"
+                onClick={handleDeleteProject}
+                disabled={deleting || deleteConfirmText !== project.name}
+              >
+                {deleting ? (
+                  <>
+                    <span className="project-settings-delete-spinner" />
+                    Deleting...
+                  </>
+                ) : (
+                  'Yes, delete this project'
+                )}
+              </button>
+              <button
+                className="project-settings-cancel-button"
+                onClick={handleCancelDelete}
+                disabled={deleting}
+              >
+                Cancel
+              </button>
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default ProjectSettingsPage;

frontend/src/pages/TeamDashboardPage.css

@@ -0,0 +1,270 @@
+.team-dashboard {
+  padding: 1.5rem 0;
+}
+
+.team-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: flex-start;
+  gap: 1.5rem;
+  margin-bottom: 2rem;
+}
+
+.team-header-left {
+  flex: 1;
+}
+
+.team-header-title {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+  margin-bottom: 0.5rem;
+}
+
+.team-header h1 {
+  margin: 0;
+  font-size: 1.5rem;
+  font-weight: 600;
+}
+
+.team-slug {
+  font-size: 0.875rem;
+  color: var(--text-muted);
+}
+
+.team-description {
+  margin: 0 0 0.5rem;
+  color: var(--text-secondary);
+  font-size: 0.9375rem;
+  max-width: 600px;
+}
+
+.team-header-actions {
+  display: flex;
+  gap: 0.5rem;
+  flex-shrink: 0;
+}
+
+.team-section {
+  margin-top: 2rem;
+}
+
+.section-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  margin-bottom: 1rem;
+}
+
+.section-header h2 {
+  margin: 0;
+  font-size: 1.25rem;
+}
+
+/* Table utility classes */
+.text-muted {
+  color: var(--text-muted);
+}
+
+.btn-ghost {
+  background: transparent;
+  color: var(--text-muted);
+  border: none;
+  padding: 0.375rem;
+  cursor: pointer;
+  border-radius: var(--radius-sm);
+}
+
+.btn-ghost:hover {
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+}
+
+.section-footer {
+  margin-top: 1rem;
+  text-align: center;
+}
+
+.view-all-link {
+  font-size: 0.875rem;
+  color: var(--accent-primary);
+  text-decoration: none;
+}
+
+.view-all-link:hover {
+  text-decoration: underline;
+}
+
+/* States */
+.loading-state,
+.error-state {
+  text-align: center;
+  padding: 4rem 2rem;
+}
+
+.error-state h2 {
+  margin: 0 0 0.5rem;
+}
+
+.error-state p {
+  margin: 0 0 1.5rem;
+  color: var(--text-muted);
+}
+
+.empty-state {
+  text-align: center;
+  padding: 2rem;
+  background: var(--bg-secondary);
+  border: 1px dashed var(--border-primary);
+  border-radius: var(--radius-md);
+  color: var(--text-muted);
+}
+
+.empty-state p {
+  margin: 0;
+}
+
+.empty-hint {
+  margin-top: 0.5rem !important;
+  font-size: 0.875rem;
+}
+
+/* Buttons */
+.btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.5rem 1rem;
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  cursor: pointer;
+  text-decoration: none;
+  transition: all 0.15s ease;
+}
+
+.btn-sm {
+  padding: 0.375rem 0.75rem;
+  font-size: 0.8125rem;
+}
+
+.btn-primary {
+  background: var(--accent-primary);
+  color: white;
+}
+
+.btn-primary:hover {
+  background: var(--accent-primary-hover);
+}
+
+.btn-secondary {
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+  border: 1px solid var(--border-primary);
+}
+
+.btn-secondary:hover {
+  background: var(--bg-hover);
+}
+
+/* Modal */
+.modal-overlay {
+  position: fixed;
+  inset: 0;
+  background: rgba(0, 0, 0, 0.7);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+  padding: 1rem;
+}
+
+.modal-content {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  padding: 1.5rem;
+  width: 100%;
+  max-width: 480px;
+  max-height: 90vh;
+  box-shadow: var(--shadow-lg);
+  overflow-y: auto;
+}
+
+.modal-content h2 {
+  margin: 0 0 1.5rem;
+  font-size: 1.25rem;
+  color: var(--text-primary);
+}
+
+/* Form */
+.form-group {
+  margin-bottom: 1rem;
+}
+
+.form-group label {
+  display: block;
+  margin-bottom: 0.5rem;
+  font-weight: 500;
+  font-size: 0.875rem;
+  color: var(--text-primary);
+}
+
+.form-group input[type="text"],
+.form-group textarea {
+  width: 100%;
+  padding: 0.625rem 0.75rem;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+  font-size: 0.875rem;
+}
+
+.form-group input:focus,
+.form-group textarea:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.2);
+}
+
+.form-group textarea {
+  resize: vertical;
+  min-height: 80px;
+}
+
+.checkbox-group label {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  cursor: pointer;
+}
+
+.checkbox-group input[type="checkbox"] {
+  width: 1rem;
+  height: 1rem;
+}
+
+.form-hint {
+  display: block;
+  font-size: 0.8125rem;
+  color: var(--text-muted);
+  margin-top: 0.375rem;
+}
+
+.form-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 0.75rem;
+  margin-top: 1.5rem;
+}
+
+.btn:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+}
+
+.empty-state .btn {
+  margin-top: 1rem;
+}

frontend/src/pages/TeamDashboardPage.tsx

@@ -0,0 +1,279 @@
+import { useState, useEffect, useCallback } from 'react';
+import { Link, useParams, useNavigate } from 'react-router-dom';
+import { TeamDetail, Project, PaginatedResponse } from '../types';
+import { getTeam, listTeamProjects, createProject } from '../api';
+import { useAuth } from '../contexts/AuthContext';
+import { Badge } from '../components/Badge';
+import { Breadcrumb } from '../components/Breadcrumb';
+import { DataTable } from '../components/DataTable';
+import './TeamDashboardPage.css';
+
+function TeamDashboardPage() {
+  const { slug } = useParams<{ slug: string }>();
+  const navigate = useNavigate();
+  const { user } = useAuth();
+  const [team, setTeam] = useState<TeamDetail | null>(null);
+  const [projects, setProjects] = useState<PaginatedResponse<Project> | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [showProjectForm, setShowProjectForm] = useState(false);
+  const [newProject, setNewProject] = useState({ name: '', description: '', is_public: true });
+  const [creating, setCreating] = useState(false);
+
+  const loadTeamData = useCallback(async () => {
+    if (!slug) return;
+    try {
+      setLoading(true);
+      const [teamData, projectsData] = await Promise.all([
+        getTeam(slug),
+        listTeamProjects(slug, { limit: 10 }),
+      ]);
+      setTeam(teamData);
+      setProjects(projectsData);
+      setError(null);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to load team');
+    } finally {
+      setLoading(false);
+    }
+  }, [slug]);
+
+  useEffect(() => {
+    loadTeamData();
+  }, [loadTeamData]);
+
+  async function handleCreateProject(e: React.FormEvent) {
+    e.preventDefault();
+    if (!team) return;
+    try {
+      setCreating(true);
+      const project = await createProject({ ...newProject, team_id: team.id });
+      setNewProject({ name: '', description: '', is_public: true });
+      setShowProjectForm(false);
+      navigate(`/project/${project.name}`);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to create project');
+    } finally {
+      setCreating(false);
+    }
+  }
+
+  if (loading) {
+    return (
+      <div className="team-dashboard">
+        <div className="loading-state">Loading team...</div>
+      </div>
+    );
+  }
+
+  if (error || !team) {
+    return (
+      <div className="team-dashboard">
+        <div className="error-state">
+          <h2>Error loading team</h2>
+          <p>{error || 'Team not found'}</p>
+          <Link to="/teams" className="btn btn-primary">Back to Teams</Link>
+        </div>
+      </div>
+    );
+  }
+
+  const isAdminOrOwner = team.user_role === 'owner' || team.user_role === 'admin' || user?.is_admin;
+
+  const roleVariants: Record<string, 'success' | 'info' | 'default'> = {
+    owner: 'success',
+    admin: 'info',
+    member: 'default',
+  };
+
+  return (
+    <div className="team-dashboard">
+      <Breadcrumb
+        items={[
+          { label: 'Teams', href: '/teams' },
+          { label: team.name },
+        ]}
+      />
+
+      <div className="team-header">
+        <div className="team-header-left">
+          <div className="team-header-title">
+            <h1>{team.name}</h1>
+            {team.user_role && (
+              <Badge variant={roleVariants[team.user_role] || 'default'}>
+                {team.user_role}
+              </Badge>
+            )}
+            <span className="team-slug">@{team.slug}</span>
+          </div>
+          {team.description && (
+            <p className="team-description">{team.description}</p>
+          )}
+        </div>
+        {isAdminOrOwner && (
+          <div className="team-header-actions">
+            <Link to={`/teams/${slug}/members`} className="btn btn-secondary">
+              <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                <path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
+                <circle cx="9" cy="7" r="4"/>
+                <path d="M23 21v-2a4 4 0 0 0-3-3.87"/>
+                <path d="M16 3.13a4 4 0 0 1 0 7.75"/>
+              </svg>
+              Members
+            </Link>
+            <Link to={`/teams/${slug}/settings`} className="btn btn-secondary">
+              <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                <circle cx="12" cy="12" r="3"/>
+                <path d="M19.4 15a1.65 1.65 0 0 0 .33 1.82l.06.06a2 2 0 0 1 0 2.83 2 2 0 0 1-2.83 0l-.06-.06a1.65 1.65 0 0 0-1.82-.33 1.65 1.65 0 0 0-1 1.51V21a2 2 0 0 1-2 2 2 2 0 0 1-2-2v-.09A1.65 1.65 0 0 0 9 19.4a1.65 1.65 0 0 0-1.82.33l-.06.06a2 2 0 0 1-2.83 0 2 2 0 0 1 0-2.83l.06-.06a1.65 1.65 0 0 0 .33-1.82 1.65 1.65 0 0 0-1.51-1H3a2 2 0 0 1-2-2 2 2 0 0 1 2-2h.09A1.65 1.65 0 0 0 4.6 9a1.65 1.65 0 0 0-.33-1.82l-.06-.06a2 2 0 0 1 0-2.83 2 2 0 0 1 2.83 0l.06.06a1.65 1.65 0 0 0 1.82.33H9a1.65 1.65 0 0 0 1-1.51V3a2 2 0 0 1 2-2 2 2 0 0 1 2 2v.09a1.65 1.65 0 0 0 1 1.51 1.65 1.65 0 0 0 1.82-.33l.06-.06a2 2 0 0 1 2.83 0 2 2 0 0 1 0 2.83l-.06.06a1.65 1.65 0 0 0-.33 1.82V9a1.65 1.65 0 0 0 1.51 1H21a2 2 0 0 1 2 2 2 2 0 0 1-2 2h-.09a1.65 1.65 0 0 0-1.51 1z"/>
+              </svg>
+              Settings
+            </Link>
+          </div>
+        )}
+      </div>
+
+      {showProjectForm && (
+        <div className="modal-overlay" onClick={() => setShowProjectForm(false)}>
+          <div className="modal-content" onClick={e => e.stopPropagation()}>
+            <h2>Create New Project</h2>
+            <form onSubmit={handleCreateProject}>
+              <div className="form-group">
+                <label htmlFor="project-name">Project Name</label>
+                <input
+                  id="project-name"
+                  type="text"
+                  value={newProject.name}
+                  onChange={e => setNewProject({ ...newProject, name: e.target.value })}
+                  placeholder="my-project"
+                  required
+                  autoFocus
+                />
+              </div>
+              <div className="form-group">
+                <label htmlFor="project-description">Description (optional)</label>
+                <textarea
+                  id="project-description"
+                  value={newProject.description}
+                  onChange={e => setNewProject({ ...newProject, description: e.target.value })}
+                  placeholder="What is this project for?"
+                  rows={3}
+                />
+              </div>
+              <div className="form-group checkbox-group">
+                <label>
+                  <input
+                    type="checkbox"
+                    checked={newProject.is_public}
+                    onChange={e => setNewProject({ ...newProject, is_public: e.target.checked })}
+                  />
+                  Public project
+                </label>
+                <span className="form-hint">Public projects are visible to everyone</span>
+              </div>
+              <div className="form-actions">
+                <button type="button" className="btn btn-secondary" onClick={() => setShowProjectForm(false)}>
+                  Cancel
+                </button>
+                <button type="submit" className="btn btn-primary" disabled={creating}>
+                  {creating ? 'Creating...' : 'Create Project'}
+                </button>
+              </div>
+            </form>
+          </div>
+        </div>
+      )}
+
+      <div className="team-section">
+        <div className="section-header">
+          <h2>Projects</h2>
+          {isAdminOrOwner && (
+            <button className="btn btn-primary btn-sm" onClick={() => setShowProjectForm(true)}>
+              + New Project
+            </button>
+          )}
+        </div>
+
+        {projects?.items.length === 0 ? (
+          <div className="empty-state">
+            <p>No projects in this team yet.</p>
+            {isAdminOrOwner && (
+              <button className="btn btn-primary" onClick={() => setShowProjectForm(true)}>
+                Create Project
+              </button>
+            )}
+          </div>
+        ) : (
+          <DataTable
+            data={projects?.items || []}
+            keyExtractor={(project) => project.id}
+            onRowClick={(project) => navigate(`/project/${project.name}`)}
+            columns={[
+              {
+                key: 'name',
+                header: 'Name',
+                render: (project) => (
+                  <Link
+                    to={`/project/${project.name}`}
+                    className="cell-name"
+                    onClick={(e) => e.stopPropagation()}
+                  >
+                    {project.name}
+                  </Link>
+                ),
+              },
+              {
+                key: 'description',
+                header: 'Description',
+                className: 'cell-description',
+                render: (project) => project.description || <span className="text-muted">—</span>,
+              },
+              {
+                key: 'visibility',
+                header: 'Visibility',
+                render: (project) => (
+                  <Badge variant={project.is_public ? 'public' : 'private'}>
+                    {project.is_public ? 'Public' : 'Private'}
+                  </Badge>
+                ),
+              },
+              {
+                key: 'created_by',
+                header: 'Created By',
+                render: (project) => <span className="text-muted">{project.created_by}</span>,
+              },
+              ...(isAdminOrOwner ? [{
+                key: 'actions',
+                header: '',
+                render: (project: Project) => (
+                  <button
+                    className="btn btn-sm btn-ghost"
+                    onClick={(e) => {
+                      e.stopPropagation();
+                      navigate(`/project/${project.name}/settings`);
+                    }}
+                    title="Settings"
+                  >
+                    <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                      <circle cx="12" cy="12" r="3"/>
+                      <path d="M19.4 15a1.65 1.65 0 0 0 .33 1.82l.06.06a2 2 0 0 1 0 2.83 2 2 0 0 1-2.83 0l-.06-.06a1.65 1.65 0 0 0-1.82-.33 1.65 1.65 0 0 0-1 1.51V21a2 2 0 0 1-2 2 2 2 0 0 1-2-2v-.09A1.65 1.65 0 0 0 9 19.4a1.65 1.65 0 0 0-1.82.33l-.06.06a2 2 0 0 1-2.83 0 2 2 0 0 1 0-2.83l.06-.06a1.65 1.65 0 0 0 .33-1.82 1.65 1.65 0 0 0-1.51-1H3a2 2 0 0 1-2-2 2 2 0 0 1 2-2h.09A1.65 1.65 0 0 0 4.6 9a1.65 1.65 0 0 0-.33-1.82l-.06-.06a2 2 0 0 1 0-2.83 2 2 0 0 1 2.83 0l.06.06a1.65 1.65 0 0 0 1.82.33H9a1.65 1.65 0 0 0 1-1.51V3a2 2 0 0 1 2-2 2 2 0 0 1 2 2v.09a1.65 1.65 0 0 0 1 1.51 1.65 1.65 0 0 0 1.82-.33l.06-.06a2 2 0 0 1 2.83 0 2 2 0 0 1 0 2.83l-.06.06a1.65 1.65 0 0 0-.33 1.82V9a1.65 1.65 0 0 0 1.51 1H21a2 2 0 0 1 2 2 2 2 0 0 1-2 2h-.09a1.65 1.65 0 0 0-1.51 1z"/>
+                    </svg>
+                  </button>
+                ),
+              }] : []),
+            ]}
+          />
+        )}
+
+        {projects && projects.pagination.total > 10 && (
+          <div className="section-footer">
+            <Link to={`/teams/${slug}/projects`} className="view-all-link">
+              View all {projects.pagination.total} projects
+            </Link>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default TeamDashboardPage;

frontend/src/pages/TeamMembersPage.css

@@ -0,0 +1,247 @@
+.team-members {
+  padding: 1.5rem 0;
+  max-width: 800px;
+  margin: 0 auto;
+}
+
+.page-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  margin-bottom: 1.5rem;
+  gap: 1rem;
+}
+
+.page-header h1 {
+  margin: 0;
+  font-size: 1.75rem;
+}
+
+/* Member cell in table */
+.member-cell {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+}
+
+.member-avatar {
+  width: 40px;
+  height: 40px;
+  border-radius: 50%;
+  background: var(--accent-primary);
+  color: white;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  font-weight: 600;
+  font-size: 1rem;
+  flex-shrink: 0;
+}
+
+.member-details {
+  display: flex;
+  flex-direction: column;
+  min-width: 0;
+}
+
+.member-username {
+  font-weight: 500;
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+}
+
+.you-badge {
+  font-size: 0.75rem;
+  font-weight: normal;
+  color: var(--text-muted);
+}
+
+.member-email {
+  font-size: 0.8125rem;
+  color: var(--text-muted);
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.text-muted {
+  color: var(--text-muted);
+}
+
+.role-select {
+  padding: 0.375rem 0.75rem;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+  cursor: pointer;
+}
+
+.role-select:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+}
+
+/* Messages */
+.error-message {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 0.75rem 1rem;
+  margin-bottom: 1rem;
+  background: var(--error-bg);
+  border: 1px solid var(--error);
+  border-radius: var(--radius-md);
+  color: var(--error);
+  font-size: 0.875rem;
+}
+
+.error-dismiss {
+  background: none;
+  border: none;
+  font-size: 1.25rem;
+  cursor: pointer;
+  color: inherit;
+  padding: 0;
+  line-height: 1;
+}
+
+/* States */
+.loading-state,
+.error-state {
+  text-align: center;
+  padding: 4rem 2rem;
+}
+
+.error-state h2 {
+  margin: 0 0 0.5rem;
+}
+
+.error-state p {
+  margin: 0 0 1.5rem;
+  color: var(--text-muted);
+}
+
+/* Modal */
+.modal-overlay {
+  position: fixed;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  background: rgba(0, 0, 0, 0.7);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+  padding: 1rem;
+}
+
+.modal-content {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  padding: 1.5rem;
+  width: 100%;
+  max-width: 400px;
+  box-shadow: var(--shadow-lg);
+}
+
+.modal-content h2 {
+  margin: 0 0 1.5rem;
+  font-size: 1.25rem;
+  color: var(--text-primary);
+}
+
+/* Form */
+.form-group {
+  margin-bottom: 1rem;
+}
+
+.form-group label {
+  display: block;
+  margin-bottom: 0.375rem;
+  font-weight: 500;
+  font-size: 0.875rem;
+  color: var(--text-primary);
+}
+
+.form-group input,
+.form-group select {
+  width: 100%;
+  padding: 0.5rem 0.75rem;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.9375rem;
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+}
+
+.form-group input:focus,
+.form-group select:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 2px rgba(16, 185, 129, 0.2);
+}
+
+.form-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 0.75rem;
+  margin-top: 1.5rem;
+}
+
+/* Buttons */
+.btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.5rem 1rem;
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  cursor: pointer;
+  text-decoration: none;
+  transition: all 0.15s ease;
+}
+
+.btn:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+}
+
+.btn-primary {
+  background: var(--accent-primary);
+  color: white;
+}
+
+.btn-primary:hover:not(:disabled) {
+  background: var(--accent-primary-hover);
+}
+
+.btn-secondary {
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+  border: 1px solid var(--border-primary);
+}
+
+.btn-secondary:hover:not(:disabled) {
+  background: var(--bg-hover);
+}
+
+.btn-icon {
+  padding: 0.375rem;
+}
+
+.btn-danger-ghost {
+  background: transparent;
+  color: var(--text-muted);
+}
+
+.btn-danger-ghost:hover:not(:disabled) {
+  background: var(--error-bg);
+  color: var(--error);
+}

frontend/src/pages/TeamMembersPage.tsx

@@ -0,0 +1,311 @@
+import { useState, useEffect, useCallback } from 'react';
+import { useParams, Link } from 'react-router-dom';
+import { TeamDetail, TeamMember, TeamMemberCreate, TeamRole } from '../types';
+import {
+  getTeam,
+  listTeamMembers,
+  addTeamMember,
+  updateTeamMember,
+  removeTeamMember,
+} from '../api';
+import { useAuth } from '../contexts/AuthContext';
+import { Badge } from '../components/Badge';
+import { Breadcrumb } from '../components/Breadcrumb';
+import { DataTable } from '../components/DataTable';
+import { UserAutocomplete } from '../components/UserAutocomplete';
+import './TeamMembersPage.css';
+
+function TeamMembersPage() {
+  const { slug } = useParams<{ slug: string }>();
+  const { user } = useAuth();
+  const [team, setTeam] = useState<TeamDetail | null>(null);
+  const [members, setMembers] = useState<TeamMember[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [showAddForm, setShowAddForm] = useState(false);
+  const [adding, setAdding] = useState(false);
+  const [newMember, setNewMember] = useState<TeamMemberCreate>({ username: '', role: 'member' });
+  const [editingMember, setEditingMember] = useState<string | null>(null);
+  const [removingMember, setRemovingMember] = useState<string | null>(null);
+
+  const loadData = useCallback(async () => {
+    if (!slug) return;
+    try {
+      setLoading(true);
+      const [teamData, membersData] = await Promise.all([
+        getTeam(slug),
+        listTeamMembers(slug),
+      ]);
+      setTeam(teamData);
+      setMembers(membersData);
+      setError(null);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to load team');
+    } finally {
+      setLoading(false);
+    }
+  }, [slug]);
+
+  useEffect(() => {
+    loadData();
+  }, [loadData]);
+
+  async function handleAddMember(e: React.FormEvent) {
+    e.preventDefault();
+    if (!slug) return;
+    try {
+      setAdding(true);
+      setError(null);
+      await addTeamMember(slug, newMember);
+      setNewMember({ username: '', role: 'member' });
+      setShowAddForm(false);
+      loadData();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to add member');
+    } finally {
+      setAdding(false);
+    }
+  }
+
+  async function handleRoleChange(username: string, newRole: TeamRole) {
+    if (!slug) return;
+    try {
+      setEditingMember(username);
+      setError(null);
+      await updateTeamMember(slug, username, { role: newRole });
+      loadData();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to update member');
+    } finally {
+      setEditingMember(null);
+    }
+  }
+
+  async function handleRemoveMember(username: string) {
+    if (!slug) return;
+    if (!confirm(`Remove ${username} from the team?`)) return;
+    try {
+      setRemovingMember(username);
+      setError(null);
+      await removeTeamMember(slug, username);
+      loadData();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to remove member');
+    } finally {
+      setRemovingMember(null);
+    }
+  }
+
+  if (loading) {
+    return (
+      <div className="team-members">
+        <div className="loading-state">Loading team members...</div>
+      </div>
+    );
+  }
+
+  if (error && !team) {
+    return (
+      <div className="team-members">
+        <div className="error-state">
+          <h2>Error loading team</h2>
+          <p>{error}</p>
+          <Link to="/teams" className="btn btn-primary">Back to Teams</Link>
+        </div>
+      </div>
+    );
+  }
+
+  if (!team) return null;
+
+  const isOwner = team.user_role === 'owner' || user?.is_admin;
+  const isAdmin = team.user_role === 'admin' || isOwner;
+
+  const roleVariants: Record<string, 'success' | 'info' | 'default'> = {
+    owner: 'success',
+    admin: 'info',
+    member: 'default',
+  };
+
+  const roles: TeamRole[] = ['owner', 'admin', 'member'];
+
+  return (
+    <div className="team-members">
+      <Breadcrumb
+        items={[
+          { label: 'Teams', href: '/teams' },
+          { label: team.name, href: `/teams/${slug}` },
+          { label: 'Members' },
+        ]}
+      />
+
+      <div className="page-header">
+        <h1>Team Members</h1>
+        {isAdmin && (
+          <button className="btn btn-primary" onClick={() => setShowAddForm(true)}>
+            <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+              <path d="M16 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
+              <circle cx="8.5" cy="7" r="4"/>
+              <line x1="20" y1="8" x2="20" y2="14"/>
+              <line x1="23" y1="11" x2="17" y2="11"/>
+            </svg>
+            Invite Member
+          </button>
+        )}
+      </div>
+
+      {error && (
+        <div className="error-message">
+          {error}
+          <button onClick={() => setError(null)} className="error-dismiss">&times;</button>
+        </div>
+      )}
+
+      {showAddForm && (
+        <div className="modal-overlay" onClick={() => setShowAddForm(false)}>
+          <div className="modal-content" onClick={e => e.stopPropagation()}>
+            <h2>Invite Member</h2>
+            <form onSubmit={handleAddMember}>
+              <div className="form-group">
+                <label htmlFor="username">Username</label>
+                <UserAutocomplete
+                  value={newMember.username}
+                  onChange={(username) => setNewMember({ ...newMember, username })}
+                  placeholder="Search for a user..."
+                  autoFocus
+                />
+              </div>
+              <div className="form-group">
+                <label htmlFor="role">Role</label>
+                <select
+                  id="role"
+                  value={newMember.role}
+                  onChange={e => setNewMember({ ...newMember, role: e.target.value as TeamRole })}
+                >
+                  <option value="member">Member - Can view team projects</option>
+                  <option value="admin">Admin - Can manage team settings and members</option>
+                  {isOwner && (
+                    <option value="owner">Owner - Full control, can delete team</option>
+                  )}
+                </select>
+              </div>
+              <div className="form-actions">
+                <button type="button" className="btn btn-secondary" onClick={() => setShowAddForm(false)}>
+                  Cancel
+                </button>
+                <button type="submit" className="btn btn-primary" disabled={adding}>
+                  {adding ? 'Adding...' : 'Add Member'}
+                </button>
+              </div>
+            </form>
+          </div>
+        </div>
+      )}
+
+      <DataTable
+        data={members}
+        keyExtractor={(member) => member.id}
+        emptyMessage="No members in this team yet."
+        columns={[
+          {
+            key: 'member',
+            header: 'Member',
+            render: (member) => {
+              const isCurrentUser = user?.username === member.username;
+              return (
+                <div className="member-cell">
+                  <div className="member-avatar">
+                    {member.username.charAt(0).toUpperCase()}
+                  </div>
+                  <div className="member-details">
+                    <span className="member-username">
+                      {member.username}
+                      {isCurrentUser && <span className="you-badge">(you)</span>}
+                    </span>
+                    {member.email && (
+                      <span className="member-email">{member.email}</span>
+                    )}
+                  </div>
+                </div>
+              );
+            },
+          },
+          {
+            key: 'role',
+            header: 'Role',
+            render: (member) => {
+              const isCurrentUser = user?.username === member.username;
+              const canModify = isAdmin && !isCurrentUser && (isOwner || member.role !== 'owner');
+
+              if (canModify) {
+                return (
+                  <select
+                    value={member.role}
+                    onChange={e => handleRoleChange(member.username, e.target.value as TeamRole)}
+                    disabled={editingMember === member.username}
+                    className="role-select"
+                    onClick={e => e.stopPropagation()}
+                  >
+                    {roles.map(role => (
+                      <option
+                        key={role}
+                        value={role}
+                        disabled={role === 'owner' && !isOwner}
+                      >
+                        {role.charAt(0).toUpperCase() + role.slice(1)}
+                      </option>
+                    ))}
+                  </select>
+                );
+              }
+              return (
+                <Badge variant={roleVariants[member.role] || 'default'}>
+                  {member.role}
+                </Badge>
+              );
+            },
+          },
+          {
+            key: 'joined',
+            header: 'Joined',
+            render: (member) => (
+              <span className="text-muted">
+                {new Date(member.created_at).toLocaleDateString()}
+              </span>
+            ),
+          },
+          ...(isAdmin ? [{
+            key: 'actions',
+            header: '',
+            render: (member: TeamMember) => {
+              const isCurrentUser = user?.username === member.username;
+              const canModify = isAdmin && !isCurrentUser && (isOwner || member.role !== 'owner');
+
+              if (!canModify) return null;
+
+              return (
+                <button
+                  className="btn btn-icon btn-danger-ghost"
+                  onClick={(e) => {
+                    e.stopPropagation();
+                    handleRemoveMember(member.username);
+                  }}
+                  disabled={removingMember === member.username}
+                  title="Remove member"
+                >
+                  <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                    <path d="M3 6h18"/>
+                    <path d="M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6"/>
+                    <path d="M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2"/>
+                  </svg>
+                </button>
+              );
+            },
+          }] : []),
+        ]}
+      />
+    </div>
+  );
+}
+
+export default TeamMembersPage;

frontend/src/pages/TeamSettingsPage.css

@@ -0,0 +1,239 @@
+.team-settings {
+  padding: 1.5rem 0;
+  max-width: 640px;
+  margin: 0 auto;
+}
+
+.team-settings h1 {
+  margin: 0 0 1.5rem;
+  font-size: 1.75rem;
+}
+
+.settings-form {
+  margin-bottom: 2rem;
+}
+
+.form-section {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  padding: 1.5rem;
+  margin-bottom: 1.5rem;
+}
+
+.form-section h2 {
+  margin: 0 0 1rem;
+  font-size: 1.125rem;
+  color: var(--text-primary);
+}
+
+.form-group {
+  margin-bottom: 1rem;
+}
+
+.form-group label {
+  display: block;
+  margin-bottom: 0.375rem;
+  font-weight: 500;
+  font-size: 0.875rem;
+  color: var(--text-primary);
+}
+
+.form-group input,
+.form-group textarea {
+  width: 100%;
+  padding: 0.5rem 0.75rem;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.9375rem;
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+}
+
+.form-group input:focus,
+.form-group textarea:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 2px rgba(16, 185, 129, 0.2);
+}
+
+.input-disabled {
+  background: var(--bg-elevated) !important;
+  color: var(--text-muted) !important;
+  cursor: not-allowed;
+}
+
+.form-hint {
+  display: block;
+  margin-top: 0.25rem;
+  font-size: 0.8125rem;
+  color: var(--text-muted);
+}
+
+/* Danger zone */
+.danger-zone {
+  border-color: var(--error);
+  background: var(--error-bg);
+}
+
+.danger-zone h2 {
+  color: var(--error);
+}
+
+.danger-warning {
+  margin: 0 0 1rem;
+  font-size: 0.875rem;
+  color: var(--text-secondary);
+}
+
+/* Messages */
+.error-message {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 0.75rem 1rem;
+  margin-bottom: 1rem;
+  background: var(--error-bg);
+  border: 1px solid var(--error);
+  border-radius: var(--radius-md);
+  color: var(--error);
+  font-size: 0.875rem;
+}
+
+.error-dismiss {
+  background: none;
+  border: none;
+  font-size: 1.25rem;
+  cursor: pointer;
+  color: inherit;
+  padding: 0;
+  line-height: 1;
+}
+
+.success-message {
+  padding: 0.75rem 1rem;
+  margin-bottom: 1rem;
+  background: var(--success-bg);
+  border: 1px solid var(--success);
+  border-radius: var(--radius-md);
+  color: var(--success);
+  font-size: 0.875rem;
+}
+
+/* States */
+.loading-state,
+.error-state {
+  text-align: center;
+  padding: 4rem 2rem;
+}
+
+.error-state h2 {
+  margin: 0 0 0.5rem;
+}
+
+.error-state p {
+  margin: 0 0 1.5rem;
+  color: var(--text-muted);
+}
+
+/* Modal */
+.modal-overlay {
+  position: fixed;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  background: rgba(0, 0, 0, 0.7);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+  padding: 1rem;
+}
+
+.modal-content {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  padding: 1.5rem;
+  width: 100%;
+  max-width: 400px;
+  box-shadow: var(--shadow-lg);
+}
+
+.modal-content h2 {
+  margin: 0 0 1rem;
+  font-size: 1.25rem;
+  color: var(--error);
+}
+
+.modal-content p {
+  margin: 0 0 1rem;
+  font-size: 0.9375rem;
+  color: var(--text-secondary);
+}
+
+.delete-confirm-input {
+  width: 100%;
+  padding: 0.5rem 0.75rem;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.9375rem;
+  margin-bottom: 1rem;
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+}
+
+.form-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 0.75rem;
+}
+
+/* Buttons */
+.btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.5rem 1rem;
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  cursor: pointer;
+  text-decoration: none;
+  transition: all 0.15s ease;
+}
+
+.btn:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+}
+
+.btn-primary {
+  background: var(--accent-primary);
+  color: white;
+}
+
+.btn-primary:hover:not(:disabled) {
+  background: var(--accent-primary-hover);
+}
+
+.btn-secondary {
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+  border: 1px solid var(--border-primary);
+}
+
+.btn-secondary:hover:not(:disabled) {
+  background: var(--bg-hover);
+}
+
+.btn-danger {
+  background: var(--error);
+  color: white;
+}
+
+.btn-danger:hover:not(:disabled) {
+  background: #b91c1c;
+}

frontend/src/pages/TeamSettingsPage.tsx

@@ -0,0 +1,251 @@
+import { useState, useEffect, useCallback } from 'react';
+import { useParams, useNavigate, Link } from 'react-router-dom';
+import { TeamDetail, TeamUpdate } from '../types';
+import { getTeam, updateTeam, deleteTeam } from '../api';
+import { useAuth } from '../contexts/AuthContext';
+import { Breadcrumb } from '../components/Breadcrumb';
+import './TeamSettingsPage.css';
+
+function TeamSettingsPage() {
+  const { slug } = useParams<{ slug: string }>();
+  const navigate = useNavigate();
+  const { user } = useAuth();
+  const [team, setTeam] = useState<TeamDetail | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [saving, setSaving] = useState(false);
+  const [deleting, setDeleting] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [successMessage, setSuccessMessage] = useState<string | null>(null);
+  const [showDeleteConfirm, setShowDeleteConfirm] = useState(false);
+  const [deleteConfirmText, setDeleteConfirmText] = useState('');
+
+  const [formData, setFormData] = useState<TeamUpdate>({
+    name: '',
+    description: '',
+  });
+
+  const loadTeam = useCallback(async () => {
+    if (!slug) return;
+    try {
+      setLoading(true);
+      const teamData = await getTeam(slug);
+      setTeam(teamData);
+      setFormData({
+        name: teamData.name,
+        description: teamData.description || '',
+      });
+      setError(null);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to load team');
+    } finally {
+      setLoading(false);
+    }
+  }, [slug]);
+
+  useEffect(() => {
+    loadTeam();
+  }, [loadTeam]);
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    if (!slug || !team) return;
+
+    try {
+      setSaving(true);
+      setError(null);
+      const updatedTeam = await updateTeam(slug, formData);
+      setTeam(updatedTeam);
+      setSuccessMessage('Settings saved successfully');
+      setTimeout(() => setSuccessMessage(null), 3000);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to save settings');
+    } finally {
+      setSaving(false);
+    }
+  }
+
+  async function handleDelete() {
+    if (!slug || !team) return;
+    if (deleteConfirmText !== team.slug) return;
+
+    try {
+      setDeleting(true);
+      await deleteTeam(slug);
+      navigate('/teams');
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to delete team');
+      setShowDeleteConfirm(false);
+    } finally {
+      setDeleting(false);
+    }
+  }
+
+  if (loading) {
+    return (
+      <div className="team-settings">
+        <div className="loading-state">Loading team settings...</div>
+      </div>
+    );
+  }
+
+  if (error && !team) {
+    return (
+      <div className="team-settings">
+        <div className="error-state">
+          <h2>Error loading team</h2>
+          <p>{error}</p>
+          <Link to="/teams" className="btn btn-primary">Back to Teams</Link>
+        </div>
+      </div>
+    );
+  }
+
+  if (!team) return null;
+
+  const isOwner = team.user_role === 'owner' || user?.is_admin;
+  const isAdmin = team.user_role === 'admin' || isOwner;
+
+  if (!isAdmin) {
+    return (
+      <div className="team-settings">
+        <div className="error-state">
+          <h2>Access Denied</h2>
+          <p>You need admin privileges to access team settings.</p>
+          <Link to={`/teams/${slug}`} className="btn btn-primary">Back to Team</Link>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="team-settings">
+      <Breadcrumb
+        items={[
+          { label: 'Teams', href: '/teams' },
+          { label: team.name, href: `/teams/${slug}` },
+          { label: 'Settings' },
+        ]}
+      />
+
+      <h1>Team Settings</h1>
+
+      {error && (
+        <div className="error-message">
+          {error}
+          <button onClick={() => setError(null)} className="error-dismiss">&times;</button>
+        </div>
+      )}
+
+      {successMessage && (
+        <div className="success-message">
+          {successMessage}
+        </div>
+      )}
+
+      <form onSubmit={handleSubmit} className="settings-form">
+        <div className="form-section">
+          <h2>General</h2>
+
+          <div className="form-group">
+            <label htmlFor="team-name">Team Name</label>
+            <input
+              id="team-name"
+              type="text"
+              value={formData.name}
+              onChange={e => setFormData({ ...formData, name: e.target.value })}
+              required
+            />
+          </div>
+
+          <div className="form-group">
+            <label htmlFor="team-slug">Slug</label>
+            <input
+              id="team-slug"
+              type="text"
+              value={team.slug}
+              disabled
+              className="input-disabled"
+            />
+            <span className="form-hint">Team slug cannot be changed</span>
+          </div>
+
+          <div className="form-group">
+            <label htmlFor="team-description">Description</label>
+            <textarea
+              id="team-description"
+              value={formData.description}
+              onChange={e => setFormData({ ...formData, description: e.target.value })}
+              rows={3}
+              placeholder="What is this team for?"
+            />
+          </div>
+
+          <button type="submit" className="btn btn-primary" disabled={saving}>
+            {saving ? 'Saving...' : 'Save Changes'}
+          </button>
+        </div>
+      </form>
+
+      {isOwner && (
+        <div className="form-section danger-zone">
+          <h2>Danger Zone</h2>
+          <p className="danger-warning">
+            Deleting a team is permanent and cannot be undone.
+            You must move or delete all projects in this team first.
+          </p>
+          <button
+            type="button"
+            className="btn btn-danger"
+            onClick={() => setShowDeleteConfirm(true)}
+          >
+            Delete Team
+          </button>
+        </div>
+      )}
+
+      {showDeleteConfirm && (
+        <div className="modal-overlay" onClick={() => setShowDeleteConfirm(false)}>
+          <div className="modal-content" onClick={e => e.stopPropagation()}>
+            <h2>Delete Team</h2>
+            <p>
+              This will permanently delete the team <strong>{team.name}</strong>.
+              This action cannot be undone.
+            </p>
+            <p>
+              To confirm, type <strong>{team.slug}</strong> below:
+            </p>
+            <input
+              type="text"
+              value={deleteConfirmText}
+              onChange={e => setDeleteConfirmText(e.target.value)}
+              placeholder={team.slug}
+              className="delete-confirm-input"
+            />
+            <div className="form-actions">
+              <button
+                type="button"
+                className="btn btn-secondary"
+                onClick={() => {
+                  setShowDeleteConfirm(false);
+                  setDeleteConfirmText('');
+                }}
+              >
+                Cancel
+              </button>
+              <button
+                type="button"
+                className="btn btn-danger"
+                disabled={deleteConfirmText !== team.slug || deleting}
+                onClick={handleDelete}
+              >
+                {deleting ? 'Deleting...' : 'Delete Team'}
+              </button>
+            </div>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
+
+export default TeamSettingsPage;

frontend/src/pages/TeamsPage.css

@@ -0,0 +1,376 @@
+.teams-page {
+  padding: 1.5rem 0;
+  max-width: 1200px;
+  margin: 0 auto;
+}
+
+/* Header */
+.teams-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  margin-bottom: 1.5rem;
+  gap: 1rem;
+}
+
+.teams-header h1 {
+  margin: 0;
+  font-size: 1.5rem;
+  font-weight: 600;
+}
+
+/* Search */
+.teams-search {
+  position: relative;
+  margin-bottom: 1.5rem;
+}
+
+.teams-search__icon {
+  position: absolute;
+  left: 0.875rem;
+  top: 50%;
+  transform: translateY(-50%);
+  color: var(--text-muted);
+  pointer-events: none;
+}
+
+.teams-search__input {
+  width: 100%;
+  padding: 0.625rem 2.5rem 0.625rem 2.75rem;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  background: var(--bg-primary);
+  color: var(--text-primary);
+  font-size: 0.875rem;
+}
+
+.teams-search__input:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.2);
+}
+
+.teams-search__input::placeholder {
+  color: var(--text-muted);
+}
+
+.teams-search__clear {
+  position: absolute;
+  right: 0.5rem;
+  top: 50%;
+  transform: translateY(-50%);
+  background: none;
+  border: none;
+  padding: 0.375rem;
+  cursor: pointer;
+  color: var(--text-muted);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  border-radius: var(--radius-sm);
+}
+
+.teams-search__clear:hover {
+  color: var(--text-primary);
+  background: var(--bg-secondary);
+}
+
+/* Error */
+.teams-error {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 0.75rem 1rem;
+  margin-bottom: 1rem;
+  background: var(--error-bg);
+  border: 1px solid var(--error);
+  border-radius: var(--radius-md);
+  color: var(--error);
+  font-size: 0.875rem;
+}
+
+.teams-error__dismiss {
+  background: none;
+  border: none;
+  font-size: 1.25rem;
+  cursor: pointer;
+  color: inherit;
+  padding: 0;
+  line-height: 1;
+}
+
+/* Loading */
+.teams-loading {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 1rem;
+  padding: 4rem 2rem;
+  color: var(--text-muted);
+}
+
+.teams-loading__spinner {
+  width: 32px;
+  height: 32px;
+  border: 3px solid var(--border-primary);
+  border-top-color: var(--accent-primary);
+  border-radius: 50%;
+  animation: teams-spin 0.8s linear infinite;
+}
+
+@keyframes teams-spin {
+  to { transform: rotate(360deg); }
+}
+
+/* Empty State */
+.teams-empty-state {
+  text-align: center;
+  padding: 4rem 2rem;
+  background: var(--bg-secondary);
+  border-radius: var(--radius-lg);
+  border: 1px solid var(--border-primary);
+}
+
+.teams-empty-icon {
+  color: var(--text-muted);
+  margin-bottom: 1rem;
+}
+
+.teams-empty-state h2 {
+  margin: 0 0 0.5rem;
+  font-size: 1.25rem;
+}
+
+.teams-empty-state p {
+  margin: 0 0 1.5rem;
+  color: var(--text-muted);
+}
+
+/* Table cell styles */
+
+.team-name-cell {
+  display: flex;
+  flex-direction: column;
+  gap: 0.125rem;
+}
+
+.team-name-link {
+  font-weight: 500;
+  color: var(--text-primary);
+  text-decoration: none;
+}
+
+.team-name-link:hover {
+  color: var(--accent-primary);
+}
+
+.team-slug {
+  font-size: 0.8125rem;
+  color: var(--text-muted);
+}
+
+.team-description-cell {
+  color: var(--text-secondary);
+  max-width: 300px;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.text-muted {
+  color: var(--text-muted);
+}
+
+/* Modal */
+.modal-overlay {
+  position: fixed;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  background: rgba(0, 0, 0, 0.7);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+  padding: 1rem;
+}
+
+.modal-content {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  width: 100%;
+  max-width: 480px;
+  box-shadow: var(--shadow-lg);
+  overflow: hidden;
+}
+
+.modal-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  padding: 1.25rem 1.5rem;
+  border-bottom: 1px solid var(--border-primary);
+}
+
+.modal-header h2 {
+  margin: 0;
+  font-size: 1.125rem;
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.modal-close {
+  background: none;
+  border: none;
+  padding: 0.25rem;
+  cursor: pointer;
+  color: var(--text-muted);
+  display: flex;
+  border-radius: var(--radius-sm);
+}
+
+.modal-close:hover {
+  color: var(--text-primary);
+  background: var(--bg-hover);
+}
+
+.modal-content form {
+  padding: 1.5rem;
+}
+
+/* Form */
+.form-group {
+  margin-bottom: 1rem;
+}
+
+.form-group label {
+  display: block;
+  margin-bottom: 0.375rem;
+  font-weight: 500;
+  font-size: 0.875rem;
+  color: var(--text-primary);
+}
+
+.form-group .optional {
+  font-weight: 400;
+  color: var(--text-muted);
+}
+
+.form-group input,
+.form-group textarea {
+  width: 100%;
+  padding: 0.625rem 0.75rem;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+}
+
+.form-group input:focus,
+.form-group textarea:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.2);
+}
+
+.input-with-prefix {
+  display: flex;
+  align-items: stretch;
+}
+
+.input-prefix {
+  display: flex;
+  align-items: center;
+  padding: 0 0.75rem;
+  background: var(--bg-elevated);
+  border: 1px solid var(--border-primary);
+  border-right: none;
+  border-radius: var(--radius-md) 0 0 var(--radius-md);
+  color: var(--text-muted);
+  font-size: 0.875rem;
+}
+
+.input-with-prefix input {
+  border-radius: 0 var(--radius-md) var(--radius-md) 0;
+}
+
+.form-hint {
+  display: block;
+  margin-top: 0.25rem;
+  font-size: 0.75rem;
+  color: var(--text-muted);
+}
+
+.form-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 0.75rem;
+  margin-top: 1.5rem;
+  padding-top: 1rem;
+  border-top: 1px solid var(--border-primary);
+}
+
+/* Buttons */
+.btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.5rem 1rem;
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  cursor: pointer;
+  transition: all 0.15s ease;
+}
+
+.btn:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+}
+
+.btn-primary {
+  background: var(--accent-primary);
+  color: white;
+}
+
+.btn-primary:hover:not(:disabled) {
+  background: var(--accent-primary-hover);
+}
+
+.btn-secondary {
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+  border: 1px solid var(--border-primary);
+}
+
+.btn-secondary:hover:not(:disabled) {
+  background: var(--bg-hover);
+}
+
+/* Responsive */
+@media (max-width: 640px) {
+  .teams-header {
+    flex-direction: column;
+    align-items: stretch;
+  }
+
+  .teams-header .btn {
+    justify-content: center;
+  }
+
+  .teams-stats {
+    justify-content: space-around;
+  }
+
+  .teams-table-container {
+    overflow-x: auto;
+  }
+
+  .teams-table {
+    min-width: 600px;
+  }
+}

frontend/src/pages/TeamsPage.tsx

@@ -0,0 +1,310 @@
+import { useState, useEffect, useCallback } from 'react';
+import { Link, useNavigate } from 'react-router-dom';
+import { TeamDetail, TeamCreate, PaginatedResponse } from '../types';
+import { listTeams, createTeam } from '../api';
+import { useAuth } from '../contexts/AuthContext';
+import { Badge } from '../components/Badge';
+import { DataTable } from '../components/DataTable';
+import './TeamsPage.css';
+
+function TeamsPage() {
+  const navigate = useNavigate();
+  const { user } = useAuth();
+  const [teamsData, setTeamsData] = useState<PaginatedResponse<TeamDetail> | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [showForm, setShowForm] = useState(false);
+  const [newTeam, setNewTeam] = useState<TeamCreate>({ name: '', slug: '', description: '' });
+  const [creating, setCreating] = useState(false);
+  const [slugManuallySet, setSlugManuallySet] = useState(false);
+  const [searchQuery, setSearchQuery] = useState('');
+
+  const loadTeams = useCallback(async () => {
+    try {
+      setLoading(true);
+      const data = await listTeams({ limit: 100 });
+      setTeamsData(data);
+      setError(null);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to load teams');
+    } finally {
+      setLoading(false);
+    }
+  }, []);
+
+  useEffect(() => {
+    loadTeams();
+  }, [loadTeams]);
+
+  // Auto-generate slug from name
+  const handleNameChange = (name: string) => {
+    setNewTeam(prev => ({
+      ...prev,
+      name,
+      slug: slugManuallySet ? prev.slug : name.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, ''),
+    }));
+  };
+
+  const handleSlugChange = (slug: string) => {
+    setSlugManuallySet(true);
+    setNewTeam(prev => ({ ...prev, slug }));
+  };
+
+  async function handleCreateTeam(e: React.FormEvent) {
+    e.preventDefault();
+    try {
+      setCreating(true);
+      const team = await createTeam(newTeam);
+      setNewTeam({ name: '', slug: '', description: '' });
+      setSlugManuallySet(false);
+      setShowForm(false);
+      navigate(`/teams/${team.slug}`);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to create team');
+    } finally {
+      setCreating(false);
+    }
+  }
+
+  const closeModal = () => {
+    setShowForm(false);
+    setNewTeam({ name: '', slug: '', description: '' });
+    setSlugManuallySet(false);
+  };
+
+  // Filter teams by search
+  const filteredTeams = teamsData?.items.filter(team =>
+    team.name.toLowerCase().includes(searchQuery.toLowerCase()) ||
+    team.slug.toLowerCase().includes(searchQuery.toLowerCase()) ||
+    (team.description?.toLowerCase().includes(searchQuery.toLowerCase()))
+  ) || [];
+
+  const totalTeams = teamsData?.items.length || 0;
+
+  const roleConfig: Record<string, { variant: 'success' | 'info' | 'default'; label: string }> = {
+    owner: { variant: 'success', label: 'Owner' },
+    admin: { variant: 'info', label: 'Admin' },
+    member: { variant: 'default', label: 'Member' },
+  };
+
+  if (!user) {
+    return (
+      <div className="teams-page">
+        <div className="teams-empty-state">
+          <div className="teams-empty-icon">
+            <svg width="64" height="64" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
+              <path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
+              <circle cx="9" cy="7" r="4"/>
+              <path d="M23 21v-2a4 4 0 0 0-3-3.87"/>
+              <path d="M16 3.13a4 4 0 0 1 0 7.75"/>
+            </svg>
+          </div>
+          <h2>Sign in to view your teams</h2>
+          <p>Teams help you organize projects and collaborate with others.</p>
+          <Link to="/login" className="btn btn-primary">Sign In</Link>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="teams-page">
+      {/* Header */}
+      <div className="teams-header">
+        <h1>Teams</h1>
+        <button className="btn btn-primary" onClick={() => setShowForm(true)}>
+          <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+            <line x1="12" y1="5" x2="12" y2="19" />
+            <line x1="5" y1="12" x2="19" y2="12" />
+          </svg>
+          Create Team
+        </button>
+      </div>
+
+      {/* Search */}
+      {!loading && totalTeams > 3 && (
+        <div className="teams-search">
+          <svg className="teams-search__icon" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+            <circle cx="11" cy="11" r="8"/>
+            <line x1="21" y1="21" x2="16.65" y2="16.65"/>
+          </svg>
+          <input
+            type="text"
+            placeholder="Search teams..."
+            value={searchQuery}
+            onChange={(e) => setSearchQuery(e.target.value)}
+            className="teams-search__input"
+          />
+          {searchQuery && (
+            <button className="teams-search__clear" onClick={() => setSearchQuery('')}>
+              <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                <line x1="18" y1="6" x2="6" y2="18"/>
+                <line x1="6" y1="6" x2="18" y2="18"/>
+              </svg>
+            </button>
+          )}
+        </div>
+      )}
+
+      {error && (
+        <div className="teams-error">
+          {error}
+          <button onClick={() => setError(null)} className="teams-error__dismiss">&times;</button>
+        </div>
+      )}
+
+      {/* Create Team Modal */}
+      {showForm && (
+        <div className="modal-overlay" onClick={closeModal}>
+          <div className="modal-content" onClick={e => e.stopPropagation()}>
+            <div className="modal-header">
+              <h2>Create New Team</h2>
+              <button className="modal-close" onClick={closeModal}>
+                <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                  <line x1="18" y1="6" x2="6" y2="18"/>
+                  <line x1="6" y1="6" x2="18" y2="18"/>
+                </svg>
+              </button>
+            </div>
+            <form onSubmit={handleCreateTeam}>
+              <div className="form-group">
+                <label htmlFor="team-name">Team Name</label>
+                <input
+                  id="team-name"
+                  type="text"
+                  value={newTeam.name}
+                  onChange={e => handleNameChange(e.target.value)}
+                  placeholder="Engineering"
+                  required
+                  autoFocus
+                />
+              </div>
+              <div className="form-group">
+                <label htmlFor="team-slug">URL Slug</label>
+                <div className="input-with-prefix">
+                  <span className="input-prefix">@</span>
+                  <input
+                    id="team-slug"
+                    type="text"
+                    value={newTeam.slug}
+                    onChange={e => handleSlugChange(e.target.value)}
+                    placeholder="engineering"
+                    pattern="^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$"
+                    title="Lowercase letters, numbers, and hyphens only"
+                    required
+                  />
+                </div>
+                <span className="form-hint">Used in URLs. Lowercase letters, numbers, and hyphens.</span>
+              </div>
+              <div className="form-group">
+                <label htmlFor="team-description">Description <span className="optional">(optional)</span></label>
+                <textarea
+                  id="team-description"
+                  value={newTeam.description}
+                  onChange={e => setNewTeam({ ...newTeam, description: e.target.value })}
+                  placeholder="What is this team for?"
+                  rows={3}
+                />
+              </div>
+              <div className="form-actions">
+                <button type="button" className="btn btn-secondary" onClick={closeModal}>
+                  Cancel
+                </button>
+                <button type="submit" className="btn btn-primary" disabled={creating}>
+                  {creating ? 'Creating...' : 'Create Team'}
+                </button>
+              </div>
+            </form>
+          </div>
+        </div>
+      )}
+
+      {/* Content */}
+      {loading ? (
+        <div className="teams-loading">
+          <div className="teams-loading__spinner" />
+          <span>Loading teams...</span>
+        </div>
+      ) : filteredTeams.length === 0 ? (
+        <div className="teams-empty-state">
+          <div className="teams-empty-icon">
+            <svg width="64" height="64" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
+              <path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
+              <circle cx="9" cy="7" r="4"/>
+              <path d="M23 21v-2a4 4 0 0 0-3-3.87"/>
+              <path d="M16 3.13a4 4 0 0 1 0 7.75"/>
+            </svg>
+          </div>
+          {searchQuery ? (
+            <>
+              <h2>No teams found</h2>
+              <p>No teams match "{searchQuery}"</p>
+              <button className="btn btn-secondary" onClick={() => setSearchQuery('')}>
+                Clear search
+              </button>
+            </>
+          ) : (
+            <>
+              <h2>No teams yet</h2>
+              <p>Create your first team to start organizing your projects.</p>
+              <button className="btn btn-primary" onClick={() => setShowForm(true)}>
+                Create Team
+              </button>
+            </>
+          )}
+        </div>
+      ) : (
+        <DataTable
+          data={filteredTeams}
+          keyExtractor={(team) => team.id}
+          onRowClick={(team) => navigate(`/teams/${team.slug}`)}
+          columns={[
+            {
+              key: 'name',
+              header: 'Name',
+              render: (team) => (
+                <div className="team-name-cell">
+                  <Link
+                    to={`/teams/${team.slug}`}
+                    className="cell-name"
+                    onClick={(e) => e.stopPropagation()}
+                  >
+                    {team.name}
+                  </Link>
+                  <span className="team-slug">@{team.slug}</span>
+                </div>
+              ),
+            },
+            {
+              key: 'description',
+              header: 'Description',
+              className: 'cell-description',
+              render: (team) => team.description || <span className="text-muted">—</span>,
+            },
+            {
+              key: 'role',
+              header: 'Role',
+              render: (team) => team.user_role ? (
+                <Badge variant={roleConfig[team.user_role]?.variant || 'default'}>
+                  {roleConfig[team.user_role]?.label || team.user_role}
+                </Badge>
+              ) : null,
+            },
+            {
+              key: 'members',
+              header: 'Members',
+              render: (team) => <span className="text-muted">{team.member_count}</span>,
+            },
+            {
+              key: 'projects',
+              header: 'Projects',
+              render: (team) => <span className="text-muted">{team.project_count}</span>,
+            },
+          ]}
+        />
+      )}
+    </div>
+  );
+}
+
+export default TeamsPage;

frontend/src/types.ts

@@ -12,6 +12,10 @@ export interface Project {
   // Access level info (populated when listing projects)
   access_level?: AccessLevel | null;
   is_owner?: boolean;
+  // Team info
+  team_id?: string | null;
+  team_slug?: string | null;
+  team_name?: string | null;
 }
 
 export interface TagSummary {
@@ -316,6 +320,8 @@ export interface UserUpdate {
 }
 
 // Access Permission types
+export type AccessSource = 'explicit' | 'team';
+
 export interface AccessPermission {
   id: string;
   project_id: string;
@@ -323,6 +329,9 @@ export interface AccessPermission {
   level: AccessLevel;
   created_at: string;
   expires_at: string | null;
+  source?: AccessSource;  // "explicit" or "team"
+  team_slug?: string;     // Team slug if source is "team"
+  team_role?: string;     // Team role if source is "team"
 }
 
 export interface AccessPermissionCreate {
@@ -373,3 +382,124 @@ export interface OIDCStatus {
   enabled: boolean;
   issuer_url?: string;
 }
+
+// Dependency types
+export interface Dependency {
+  id: string;
+  artifact_id: string;
+  project: string;
+  package: string;
+  version: string | null;
+  tag: string | null;
+  created_at: string;
+}
+
+export interface ArtifactDependenciesResponse {
+  artifact_id: string;
+  dependencies: Dependency[];
+}
+
+export interface DependentInfo {
+  artifact_id: string;
+  project: string;
+  package: string;
+  version: string | null;
+  constraint_type: 'version' | 'tag';
+  constraint_value: string;
+}
+
+export interface ReverseDependenciesResponse {
+  project: string;
+  package: string;
+  dependents: DependentInfo[];
+  pagination: {
+    page: number;
+    limit: number;
+    total: number;
+    total_pages: number;
+    has_more: boolean;
+  };
+}
+
+// Dependency Resolution types
+export interface ResolvedArtifact {
+  artifact_id: string;
+  project: string;
+  package: string;
+  version: string | null;
+  tag: string | null;
+  size: number;
+  download_url: string;
+}
+
+export interface DependencyResolutionResponse {
+  requested: {
+    project: string;
+    package: string;
+    ref: string;
+  };
+  resolved: ResolvedArtifact[];
+  total_size: number;
+  artifact_count: number;
+}
+
+export interface DependencyResolutionError {
+  error: 'circular_dependency' | 'dependency_conflict' | 'not_found';
+  message: string;
+  cycle?: string[];
+  conflicts?: Array<{
+    project: string;
+    package: string;
+    requirements: Array<{
+      version: string;
+      required_by: Array<{ path: string }>;
+    }>;
+  }>;
+}
+
+// Team types
+export type TeamRole = 'owner' | 'admin' | 'member';
+
+export interface Team {
+  id: string;
+  name: string;
+  slug: string;
+  description: string | null;
+  created_at: string;
+  updated_at: string;
+  member_count: number;
+  project_count: number;
+}
+
+export interface TeamDetail extends Team {
+  user_role: TeamRole | null;
+}
+
+export interface TeamMember {
+  id: string;
+  user_id: string;
+  username: string;
+  email: string | null;
+  role: TeamRole;
+  created_at: string;
+}
+
+export interface TeamCreate {
+  name: string;
+  slug: string;
+  description?: string;
+}
+
+export interface TeamUpdate {
+  name?: string;
+  description?: string;
+}
+
+export interface TeamMemberCreate {
+  username: string;
+  role: TeamRole;
+}
+
+export interface TeamMemberUpdate {
+  role: TeamRole;
+}

helm/orchard/templates/_helpers.tpl

@@ -141,3 +141,16 @@ MinIO secret name
 {{- printf "%s-s3-secret" (include "orchard.fullname" .) }}
 {{- end }}
 {{- end }}
+
+{{/*
+Auth secret name (for admin password)
+*/}}
+{{- define "orchard.auth.secretName" -}}
+{{- if and .Values.orchard.auth .Values.orchard.auth.existingSecret }}
+{{- .Values.orchard.auth.existingSecret }}
+{{- else if and .Values.orchard.auth .Values.orchard.auth.secretsManager .Values.orchard.auth.secretsManager.enabled }}
+{{- printf "%s-auth-credentials" (include "orchard.fullname" .) }}
+{{- else }}
+{{- printf "%s-auth-secret" (include "orchard.fullname" .) }}
+{{- end }}
+{{- end }}

helm/orchard/templates/deployment.yaml

@@ -69,6 +69,8 @@ spec:
               containerPort: {{ .Values.orchard.server.port }}
               protocol: TCP
           env:
+            - name: ORCHARD_ENV
+              value: {{ .Values.orchard.env | default "development" | quote }}
             - name: ORCHARD_SERVER_HOST
               value: {{ .Values.orchard.server.host | quote }}
             - name: ORCHARD_SERVER_PORT
@@ -126,20 +128,49 @@ spec:
               value: {{ .Values.orchard.rateLimit.login | quote }}
             {{- end }}
             {{- end }}
-          {{- if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled }}
+            {{- if .Values.orchard.database.poolSize }}
+            - name: ORCHARD_DATABASE_POOL_SIZE
+              value: {{ .Values.orchard.database.poolSize | quote }}
+            {{- end }}
+            {{- if .Values.orchard.database.maxOverflow }}
+            - name: ORCHARD_DATABASE_MAX_OVERFLOW
+              value: {{ .Values.orchard.database.maxOverflow | quote }}
+            {{- end }}
+            {{- if .Values.orchard.database.poolTimeout }}
+            - name: ORCHARD_DATABASE_POOL_TIMEOUT
+              value: {{ .Values.orchard.database.poolTimeout | quote }}
+            {{- end }}
+            {{- if .Values.orchard.auth }}
+            {{- if or .Values.orchard.auth.secretsManager .Values.orchard.auth.existingSecret .Values.orchard.auth.adminPassword }}
+            - name: ORCHARD_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "orchard.auth.secretName" . }}
+                  key: admin-password
+            {{- end }}
+            {{- end }}
+          {{- if or (and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled) (and .Values.orchard.auth .Values.orchard.auth.secretsManager .Values.orchard.auth.secretsManager.enabled) }}
           volumeMounts:
+            {{- if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled }}
             - name: db-secrets
-              mountPath: /mnt/secrets-store
+              mountPath: /mnt/secrets-store/db
               readOnly: true
             {{- end }}
+            {{- if and .Values.orchard.auth .Values.orchard.auth.secretsManager .Values.orchard.auth.secretsManager.enabled }}
+            - name: auth-secrets
+              mountPath: /mnt/secrets-store/auth
+              readOnly: true
+            {{- end }}
+          {{- end }}
           livenessProbe:
             {{- toYaml .Values.livenessProbe | nindent 12 }}
           readinessProbe:
             {{- toYaml .Values.readinessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-      {{- if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled }}
+      {{- if or (and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled) (and .Values.orchard.auth .Values.orchard.auth.secretsManager .Values.orchard.auth.secretsManager.enabled) }}
       volumes:
+        {{- if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled }}
         - name: db-secrets
           csi:
             driver: secrets-store.csi.k8s.io
@@ -147,6 +178,15 @@ spec:
             volumeAttributes:
               secretProviderClass: {{ include "orchard.fullname" . }}-db-secret
         {{- end }}
+        {{- if and .Values.orchard.auth .Values.orchard.auth.secretsManager .Values.orchard.auth.secretsManager.enabled }}
+        - name: auth-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: {{ include "orchard.fullname" . }}-auth-secret
+        {{- end }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

helm/orchard/templates/secret-provider-class.yaml

@@ -25,3 +25,27 @@ spec:
         - objectName: db-password
           key: password
 {{- end }}
+---
+{{- if and .Values.orchard.auth .Values.orchard.auth.secretsManager .Values.orchard.auth.secretsManager.enabled }}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: {{ include "orchard.fullname" . }}-auth-secret
+  labels:
+    {{- include "orchard.labels" . | nindent 4 }}
+spec:
+  provider: aws
+  parameters:
+    objects: |
+      - objectName: "{{ .Values.orchard.auth.secretsManager.secretArn }}"
+        objectType: "secretsmanager"
+        jmesPath:
+          - path: admin_password
+            objectAlias: admin-password
+  secretObjects:
+    - secretName: {{ include "orchard.fullname" . }}-auth-credentials
+      type: Opaque
+      data:
+        - objectName: admin-password
+          key: admin-password
+{{- end }}

helm/orchard/templates/secret.yaml

@@ -22,3 +22,15 @@ data:
   access-key-id: {{ .Values.orchard.s3.accessKeyId | b64enc | quote }}
   secret-access-key: {{ .Values.orchard.s3.secretAccessKey | b64enc | quote }}
 {{- end }}
+---
+{{- if and .Values.orchard.auth .Values.orchard.auth.adminPassword (not .Values.orchard.auth.existingSecret) (not (and .Values.orchard.auth.secretsManager .Values.orchard.auth.secretsManager.enabled)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "orchard.fullname" . }}-auth-secret
+  labels:
+    {{- include "orchard.labels" . | nindent 4 }}
+type: Opaque
+data:
+  admin-password: {{ .Values.orchard.auth.adminPassword | b64enc | quote }}
+{{- end }}

helm/orchard/values-dev.yaml

@@ -53,15 +53,16 @@ ingress:
       hosts:
         - orchard-dev.common.global.bsf.tools  # Overridden by CI
 
-# Lighter resources for ephemeral environments
+# Resources for dev/feature environments
+# Bumped to handle concurrent integration tests
 # Note: memory requests must equal limits per cluster policy
 resources:
   limits:
-    cpu: 250m
+    cpu: 500m
-    memory: 256Mi
+    memory: 512Mi
   requests:
-    cpu: 100m
+    cpu: 200m
-    memory: 256Mi
+    memory: 512Mi
 
 livenessProbe:
   httpGet:
@@ -85,10 +86,15 @@ tolerations: []
 affinity: {}
 
 orchard:
+  env: "development"  # Allows seed data for testing
   server:
     host: "0.0.0.0"
     port: 8080
 
+  # Authentication settings
+  # Admin password is set via CI variable (DEV_ADMIN_PASSWORD) passed as --set flag
+  # This keeps the password out of version control
+
   database:
     host: ""
     port: 5432
@@ -98,6 +104,10 @@ orchard:
     sslmode: disable
     existingSecret: ""
     existingSecretPasswordKey: "password"
+    # Increased pool settings for concurrent integration tests
+    poolSize: 10
+    maxOverflow: 20
+    poolTimeout: 60
 
   s3:
     endpoint: ""
@@ -133,15 +143,16 @@ postgresql:
   primary:
     persistence:
       enabled: false
-    # Resources with memory requests = limits per cluster policy
+    # Bumped resources for concurrent integration tests
+    # Note: memory requests must equal limits per cluster policy
     resourcesPreset: "none"
     resources:
       limits:
-        cpu: 250m
+        cpu: 500m
-        memory: 256Mi
+        memory: 512Mi
       requests:
-        cpu: 100m
+        cpu: 200m
-        memory: 256Mi
+        memory: 512Mi
   # Volume permissions init container
   volumePermissions:
     resourcesPreset: "none"
@@ -167,15 +178,16 @@ minio:
   defaultBuckets: "orchard-artifacts"
   persistence:
     enabled: false
-  # Resources with memory requests = limits per cluster policy
+  # Bumped resources for concurrent integration tests
+  # Note: memory requests must equal limits per cluster policy
   resourcesPreset: "none"  # Disable preset to use explicit resources
   resources:
     limits:
-      cpu: 250m
+      cpu: 500m
-      memory: 256Mi
+      memory: 512Mi
     requests:
-      cpu: 100m
+      cpu: 200m
-      memory: 256Mi
+      memory: 512Mi
   # Init container resources
   defaultInitContainers:
     volumePermissions:

helm/orchard/values-prod.yaml

@@ -88,10 +88,18 @@ tolerations: []
 affinity: {}
 
 orchard:
+  env: "production"  # Disables seed data
   server:
     host: "0.0.0.0"
     port: 8080
 
+  # Authentication settings
+  auth:
+    # Admin password from AWS Secrets Manager
+    secretsManager:
+      enabled: true
+      secretArn: "arn:aws-us-gov:secretsmanager:us-gov-west-1:052673043337:secret:orch-prod-creds-0nhqkY"
+
   # Database configuration - uses AWS Secrets Manager via CSI driver
   database:
     host: "orchard-prd.cluster-cvw3jzjkozoc.us-gov-west-1.rds.amazonaws.com"

helm/orchard/values-stage.yaml

@@ -90,10 +90,15 @@ affinity: {}
 
 # Orchard server configuration
 orchard:
+  env: "development"  # Allows seed data for testing
   server:
     host: "0.0.0.0"
     port: 8080
 
+  # Authentication settings
+  # Admin password is set via CI variable (STAGE_ADMIN_PASSWORD) passed as --set flag
+  # This keeps the password out of version control
+
   # Database configuration - uses AWS Secrets Manager via CSI driver
   database:
     host: "orchard-stage.cluster-cvw3jzjkozoc.us-gov-west-1.rds.amazonaws.com"

helm/orchard/values.yaml

@@ -120,6 +120,17 @@ orchard:
     mode: "presigned"  # presigned, redirect, or proxy
     presignedUrlExpiry: 3600  # Presigned URL expiry in seconds
 
+  # Authentication settings
+  auth:
+    # Option 1: Plain admin password (creates K8s secret)
+    adminPassword: ""
+    # Option 2: Use existing K8s secret (must have 'admin-password' key)
+    existingSecret: ""
+    # Option 3: AWS Secrets Manager
+    # secretsManager:
+    #   enabled: false
+    #   secretArn: ""  # Secret must have 'admin_password' field
+
 # PostgreSQL subchart configuration
 postgresql:
   enabled: true

migrations/008_artifact_dependencies.sql

@@ -0,0 +1,48 @@
+-- Migration 008: Artifact Dependencies
+-- Adds support for declaring dependencies between artifacts
+-- Part of Package Dependency Management feature (#76)
+
+-- Create artifact_dependencies table
+CREATE TABLE IF NOT EXISTS artifact_dependencies (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    artifact_id VARCHAR(64) NOT NULL REFERENCES artifacts(id) ON DELETE CASCADE,
+    dependency_project VARCHAR(255) NOT NULL,
+    dependency_package VARCHAR(255) NOT NULL,
+    version_constraint VARCHAR(255),
+    tag_constraint VARCHAR(255),
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+
+    -- Exactly one of version_constraint or tag_constraint must be set
+    CONSTRAINT check_constraint_type CHECK (
+        (version_constraint IS NOT NULL AND tag_constraint IS NULL) OR
+        (version_constraint IS NULL AND tag_constraint IS NOT NULL)
+    ),
+
+    -- Each artifact can only have one dependency on a specific project/package
+    CONSTRAINT unique_artifact_dependency UNIQUE (artifact_id, dependency_project, dependency_package)
+);
+
+-- Index for fast lookups by artifact_id (get all deps for an artifact)
+CREATE INDEX IF NOT EXISTS idx_artifact_dependencies_artifact_id
+    ON artifact_dependencies(artifact_id);
+
+-- Index for reverse dependency lookups (find what depends on a package)
+CREATE INDEX IF NOT EXISTS idx_artifact_dependencies_target
+    ON artifact_dependencies(dependency_project, dependency_package);
+
+-- Index for finding dependencies with specific version constraints
+CREATE INDEX IF NOT EXISTS idx_artifact_dependencies_version
+    ON artifact_dependencies(dependency_project, dependency_package, version_constraint)
+    WHERE version_constraint IS NOT NULL;
+
+-- Index for finding dependencies with specific tag constraints
+CREATE INDEX IF NOT EXISTS idx_artifact_dependencies_tag
+    ON artifact_dependencies(dependency_project, dependency_package, tag_constraint)
+    WHERE tag_constraint IS NOT NULL;
+
+COMMENT ON TABLE artifact_dependencies IS 'Stores dependencies declared by artifacts on other packages';
+COMMENT ON COLUMN artifact_dependencies.artifact_id IS 'The artifact that declares this dependency';
+COMMENT ON COLUMN artifact_dependencies.dependency_project IS 'Project name of the dependency';
+COMMENT ON COLUMN artifact_dependencies.dependency_package IS 'Package name of the dependency';
+COMMENT ON COLUMN artifact_dependencies.version_constraint IS 'Exact version required (mutually exclusive with tag_constraint)';
+COMMENT ON COLUMN artifact_dependencies.tag_constraint IS 'Tag name required (mutually exclusive with version_constraint)';

migrations/009_teams.sql

@@ -0,0 +1,62 @@
+-- Migration 009: Teams and Multi-Tenancy
+-- Adds support for team-based multi-tenancy
+-- Part of Multi-Tenancy with Teams feature
+
+-- Create teams table
+CREATE TABLE IF NOT EXISTS teams (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    name VARCHAR(255) NOT NULL,
+    slug VARCHAR(255) NOT NULL UNIQUE,
+    description TEXT,
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(255) NOT NULL,
+    settings JSONB DEFAULT '{}'::jsonb,
+
+    -- Slug must be lowercase alphanumeric with hyphens
+    CONSTRAINT check_team_slug_format CHECK (slug ~ '^[a-z0-9][a-z0-9-]*[a-z0-9]$' OR slug ~ '^[a-z0-9]$')
+);
+
+-- Create team_memberships table
+CREATE TABLE IF NOT EXISTS team_memberships (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+    user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    role VARCHAR(20) NOT NULL DEFAULT 'member',
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    invited_by VARCHAR(255),
+
+    -- Each user can only be a member of a team once
+    CONSTRAINT unique_team_membership UNIQUE (team_id, user_id),
+
+    -- Role must be one of: owner, admin, member
+    CONSTRAINT check_team_role CHECK (role IN ('owner', 'admin', 'member'))
+);
+
+-- Add team_id column to projects table (nullable for migration compatibility)
+ALTER TABLE projects ADD COLUMN IF NOT EXISTS team_id UUID REFERENCES teams(id) ON DELETE SET NULL;
+
+-- Indexes for teams table
+CREATE INDEX IF NOT EXISTS idx_teams_slug ON teams(slug);
+CREATE INDEX IF NOT EXISTS idx_teams_created_by ON teams(created_by);
+CREATE INDEX IF NOT EXISTS idx_teams_created_at ON teams(created_at);
+
+-- Indexes for team_memberships table
+CREATE INDEX IF NOT EXISTS idx_team_memberships_team_id ON team_memberships(team_id);
+CREATE INDEX IF NOT EXISTS idx_team_memberships_user_id ON team_memberships(user_id);
+CREATE INDEX IF NOT EXISTS idx_team_memberships_role ON team_memberships(role);
+CREATE INDEX IF NOT EXISTS idx_team_memberships_team_role ON team_memberships(team_id, role);
+
+-- Index for projects team_id
+CREATE INDEX IF NOT EXISTS idx_projects_team_id ON projects(team_id);
+
+-- Comments
+COMMENT ON TABLE teams IS 'Teams serve as organizational containers for projects';
+COMMENT ON COLUMN teams.slug IS 'URL-friendly unique identifier (lowercase alphanumeric with hyphens)';
+COMMENT ON COLUMN teams.settings IS 'JSON object for team-specific settings';
+
+COMMENT ON TABLE team_memberships IS 'Maps users to teams with their roles';
+COMMENT ON COLUMN team_memberships.role IS 'User role in the team: owner, admin, or member';
+COMMENT ON COLUMN team_memberships.invited_by IS 'Username of the user who invited this member';
+
+COMMENT ON COLUMN projects.team_id IS 'Optional team that owns this project';

migrations/009b_migrate_projects.sql

@@ -0,0 +1,99 @@
+-- Migration 009b: Migrate Existing Projects to Personal Teams
+-- Creates personal teams for existing users and assigns their projects to those teams.
+-- This migration is idempotent and can be run multiple times safely.
+
+-- Create personal teams for users who own projects but don't have a personal team yet
+INSERT INTO teams (name, slug, description, created_by, settings)
+SELECT DISTINCT
+    u.username || '''s Team' AS name,
+    LOWER(u.username) || '-personal' AS slug,
+    'Personal team for ' || u.username AS description,
+    u.username AS created_by,
+    '{"personal": true}'::jsonb AS settings
+FROM users u
+JOIN projects p ON p.created_by = u.username
+WHERE NOT EXISTS (
+    SELECT 1 FROM teams t
+    WHERE t.slug = LOWER(u.username) || '-personal'
+)
+AND p.team_id IS NULL
+ON CONFLICT (slug) DO NOTHING;
+
+-- Add users as owners of their personal teams
+INSERT INTO team_memberships (team_id, user_id, role, invited_by)
+SELECT
+    t.id AS team_id,
+    u.id AS user_id,
+    'owner' AS role,
+    u.username AS invited_by
+FROM teams t
+JOIN users u ON t.created_by = u.username
+WHERE t.slug LIKE '%-personal'
+AND NOT EXISTS (
+    SELECT 1 FROM team_memberships tm
+    WHERE tm.team_id = t.id
+    AND tm.user_id = u.id
+)
+ON CONFLICT DO NOTHING;
+
+-- Assign projects without a team to their creator's personal team
+UPDATE projects p
+SET team_id = t.id
+FROM teams t
+WHERE t.slug = LOWER(p.created_by) || '-personal'
+AND p.team_id IS NULL;
+
+-- Handle orphaned projects (created_by doesn't match any user)
+-- Create a special orphaned projects team if there are any
+DO $$
+DECLARE
+    orphan_count INTEGER;
+    orphan_team_id UUID;
+BEGIN
+    -- Count orphaned projects
+    SELECT COUNT(*) INTO orphan_count
+    FROM projects p
+    WHERE p.team_id IS NULL
+    AND NOT EXISTS (
+        SELECT 1 FROM users u WHERE u.username = p.created_by
+    );
+
+    IF orphan_count > 0 THEN
+        -- Create or get the orphaned projects team
+        INSERT INTO teams (name, slug, description, created_by, settings)
+        VALUES (
+            'Orphaned Projects',
+            'orphaned-projects',
+            'Projects whose original creators no longer exist',
+            'system',
+            '{"system": true}'::jsonb
+        )
+        ON CONFLICT (slug) DO UPDATE SET name = teams.name
+        RETURNING id INTO orphan_team_id;
+
+        -- Assign orphaned projects to this team
+        UPDATE projects
+        SET team_id = orphan_team_id
+        WHERE team_id IS NULL
+        AND NOT EXISTS (
+            SELECT 1 FROM users u WHERE u.username = projects.created_by
+        );
+
+        RAISE NOTICE 'Migrated % orphaned project(s) to orphaned-projects team', orphan_count;
+    END IF;
+END $$;
+
+-- Log migration results
+DO $$
+DECLARE
+    teams_created INTEGER;
+    memberships_created INTEGER;
+    projects_migrated INTEGER;
+BEGIN
+    SELECT COUNT(*) INTO teams_created FROM teams WHERE slug LIKE '%-personal';
+    SELECT COUNT(*) INTO memberships_created FROM team_memberships;
+    SELECT COUNT(*) INTO projects_migrated FROM projects WHERE team_id IS NOT NULL;
+
+    RAISE NOTICE 'Migration complete: % personal teams, % memberships, % projects with teams',
+        teams_created, memberships_created, projects_migrated;
+END $$;