feat: add team admin CLI + migration 007 (settings, cooldowns, create_team RPC)

New `gstack team` CLI with create, members, set subcommands.
Migration adds team_settings (admin-only), alert_cooldowns (edge-fn
dedup), and create_team() SECURITY DEFINER RPC for atomic team +
first member creation. 9 tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

supabase/migrations/007_team_settings_and_functions.sql

@@ -0,0 +1,94 @@
+-- 007_team_settings_and_functions.sql — Team settings, alert cooldowns, and RPC functions.
+--
+-- Adds:
+-- 1. team_settings (key-value per team, admin-only)
+-- 2. alert_cooldowns (dedup for regression alerts, edge-fn only)
+-- 3. create_team() RPC (SECURITY DEFINER — atomic team + first member creation)
+
+-- ─── team_settings ──────────────────────────────────────────
+
+create table if not exists team_settings (
+  team_id uuid references teams(id) on delete cascade,
+  key text not null,
+  value text not null,
+  updated_at timestamptz default now(),
+  primary key (team_id, key)
+);
+
+alter table team_settings enable row level security;
+
+-- Admins can read settings
+create policy "admin_read_settings" on team_settings
+  for select using (
+    team_id in (
+      select team_id from team_members
+      where user_id = auth.uid() and role in ('owner', 'admin')
+    )
+  );
+
+-- Admins can write settings
+create policy "admin_write_settings" on team_settings
+  for all using (
+    team_id in (
+      select team_id from team_members
+      where user_id = auth.uid() and role in ('owner', 'admin')
+    )
+  );
+
+-- ─── alert_cooldowns ────────────────────────────────────────
+
+create table if not exists alert_cooldowns (
+  team_id uuid references teams(id) on delete cascade,
+  repo_slug text not null,
+  alert_type text not null,
+  last_sent_at timestamptz not null default now(),
+  primary key (team_id, repo_slug, alert_type)
+);
+
+-- No RLS — only accessed by edge functions via service_role key.
+-- Edge functions bypass RLS anyway, but we explicitly leave it disabled
+-- since no user should query this table directly.
+
+-- ─── create_team() RPC ──────────────────────────────────────
+
+-- SECURITY DEFINER: runs as the table owner, bypassing RLS.
+-- This solves the chicken-and-egg problem: to INSERT the first
+-- team_member, you'd need to already be a member (which the
+-- admins_manage_members policy requires). This function does
+-- both atomically.
+--
+-- Called via: POST /rest/v1/rpc/create_team
+-- Body: { "team_slug": "my-team", "team_name": "My Team" }
+
+create or replace function create_team(team_slug text, team_name text)
+returns uuid
+language plpgsql
+security definer
+set search_path = public
+as $$
+declare
+  new_team_id uuid;
+begin
+  -- Validate inputs
+  if team_slug is null or length(trim(team_slug)) = 0 then
+    raise exception 'team_slug cannot be empty';
+  end if;
+  if team_name is null or length(trim(team_name)) = 0 then
+    raise exception 'team_name cannot be empty';
+  end if;
+  if auth.uid() is null then
+    raise exception 'must be authenticated';
+  end if;
+
+  -- Create team
+  insert into teams (slug, name)
+  values (trim(team_slug), trim(team_name))
+  returning id into new_team_id;
+
+  -- Add caller as owner
+  insert into team_members (team_id, user_id, role)
+  values (new_team_id, auth.uid(), 'owner');
+
+  return new_team_id;
+end;
+$$;