From 530e7af4d961b1509057d0e92b8151a8a2b21717 Mon Sep 17 00:00:00 2001
From: Jacob Owens <jacobowens75@gmail.com>
Date: Tue, 10 Mar 2026 07:44:14 -0700
Subject: [PATCH 1/6] feat: add role-based permissions system with channel
 edit/delete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Define guild roles (owner, admin, warden, member) using Better Auth's
  createAccessControl with type-safe permission statements
- Add channel update (PATCH) and delete (DELETE) API endpoints with
  permission checks on all mutating channel endpoints
- Add edit/delete channel dialogs gated behind role permissions
- Warden can create/edit channels but only owner/admin can delete
- Gate drag-and-drop reordering and context menu behind canManage check
- Fix auth route wildcard pattern (** → *) for Hono compatibility
- Invalidate active guild member query on guild switch for correct roles
- Display "Citizen" for member role and "Warden" for warden in UI
---
 CLAUDE.md                                     |   3 +
 ROADMAP.md                                    |   3 +-
 apps/api/src/app.ts                           |   4 +-
 apps/api/src/lib/permissions.ts               |  45 +++++
 apps/api/src/routes/v1/channels/handlers.ts   |  53 +++++
 apps/api/src/routes/v1/channels/index.ts      |   2 +
 apps/api/src/routes/v1/channels/routes.ts     |  55 +++++
 apps/api/src/routes/v1/channels/schema.ts     |  16 +-
 .../sidebar/channel-panel/channel-list.tsx    | 189 ++++++++++++------
 .../channel-panel/delete-channel-dialog.tsx   |  82 ++++++++
 .../channel-panel/edit-channel-dialog.tsx     | 125 ++++++++++++
 .../right-panel/guild-members-panel.tsx       |  11 +-
 apps/web/src/lib/permissions.ts               |  16 ++
 .../src/routes/_authenticated/$guildSlug.tsx  |  12 +-
 packages/auth/package.json                    |   3 +-
 packages/auth/src/lib/auth-client.ts          |   8 +
 packages/auth/src/lib/auth.ts                 |  14 ++
 packages/auth/src/lib/permissions.ts          |  45 +++++
 packages/ui/src/components/alert-dialog.tsx   |  13 +-
 19 files changed, 627 insertions(+), 72 deletions(-)
 create mode 100644 apps/api/src/lib/permissions.ts
 create mode 100644 apps/web/src/components/sidebar/channel-panel/delete-channel-dialog.tsx
 create mode 100644 apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx
 create mode 100644 apps/web/src/lib/permissions.ts
 create mode 100644 packages/auth/src/lib/permissions.ts

diff --git a/CLAUDE.md b/CLAUDE.md
index 514d31c..ae6804b 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -74,3 +74,6 @@ All CSS lives in `packages/ui`. Apps do NOT have their own `globals.css`.
 ./lib/*          → ./src/lib/*.ts
 ./hooks/*        → ./src/hooks/*.ts
 ```
+
+PS. If u add/edit routes in the API, make sure to build the API Client as the frontend relies on this being built to be up to date.
+Otherwise you will receive errors when type checking
diff --git a/ROADMAP.md b/ROADMAP.md
index c056629..db36c7c 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -26,7 +26,7 @@
 - [x] Message editing UI
 - [x] User profiles (bio, custom status, avatar upload)
 - [ ] Channel edit/delete
-- [x] Settings pages
+- [x] User settings page
 
 ## Phase 2 — Permissions & Moderation
 
@@ -57,6 +57,7 @@
 - [ ] Thread support
 - [ ] Notification preferences
 - [ ] Error handling & loading state improvements
+- [ ] Other settings pages
 
 ## Phase 6 — Infrastructure
 
diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 6667ffa..06ed05d 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -19,7 +19,9 @@ app.use(
   })
 )
 
-app.on(["GET", "POST"], "/api/auth/**", (c) => auth.handler(c.req.raw))
+app.on(["POST", "GET"], "/api/auth/*", (c) => {
+  return auth.handler(c.req.raw)
+})
 
 configureOpenAPI(app)
 
diff --git a/apps/api/src/lib/permissions.ts b/apps/api/src/lib/permissions.ts
new file mode 100644
index 0000000..c46b400
--- /dev/null
+++ b/apps/api/src/lib/permissions.ts
@@ -0,0 +1,45 @@
+import { auth } from "@repo/auth"
+import type { statement } from "@repo/auth/permissions"
+import { HTTPException } from "hono/http-exception"
+import * as HttpStatusCodes from "@/lib/helpers/http/status-codes"
+
+// ── Type-Safe Permission Types ──────────────────────────────────────
+
+export type StatementKey = keyof typeof statement
+
+export type PermissionForStatement<T extends StatementKey> =
+  (typeof statement)[T][number]
+
+// ── Permission Check ──────────────────────────────────────
+
+/**
+ * Checks if the current user has the specified permissions in their active guild.
+ * Uses better-auth's hasPermission API.
+ *
+ * Throws an HTTPException with 403 if the user lacks the required permissions.
+ *
+ * @example
+ * const allowed = await checkPermission(c.req.raw.headers, "channel", ["update"])
+ * if (!allowed) throw new HTTPException(403)
+ */
+export async function checkPermission<
+  TResource extends StatementKey,
+  TPermissions extends readonly PermissionForStatement<TResource>[],
+>(headers: Headers, resource: TResource, permissions: TPermissions) {
+  const result = await auth.api.hasPermission({
+    headers,
+    body: {
+      permissions: {
+        [resource]: [...permissions],
+      },
+    },
+  })
+
+  if (!result.success) {
+    throw new HTTPException(HttpStatusCodes.FORBIDDEN, {
+      message: `You do not have permission to ${permissions.join("/")} ${resource}`,
+    })
+  }
+
+  return true
+}
diff --git a/apps/api/src/routes/v1/channels/handlers.ts b/apps/api/src/routes/v1/channels/handlers.ts
index b1dff78..22aef92 100644
--- a/apps/api/src/routes/v1/channels/handlers.ts
+++ b/apps/api/src/routes/v1/channels/handlers.ts
@@ -2,14 +2,17 @@ import { db } from "@repo/db"
 import { channel } from "@repo/db/schema"
 import { and, asc, eq, inArray } from "drizzle-orm"
 import * as HttpStatusCodes from "@/lib/helpers/http/status-codes"
+import { checkPermission } from "@/lib/permissions"
 import { fetchMessagePage } from "@/lib/queries/messages"
 import type { AppRouteHandler } from "@/lib/types/app-types"
 import type {
   CreateChannelRoute,
+  DeleteChannelRoute,
   GetChannelRoute,
   ListChannelMessagesRoute,
   ListChannelsRoute,
   ReorderChannelsRoute,
+  UpdateChannelRoute,
 } from "./routes"
 
 export const listChannels: AppRouteHandler<ListChannelsRoute> = async (c) => {
@@ -55,6 +58,8 @@ export const listChannels: AppRouteHandler<ListChannelsRoute> = async (c) => {
 }
 
 export const createChannel: AppRouteHandler<CreateChannelRoute> = async (c) => {
+  await checkPermission(c.req.raw.headers, "channel", ["create"])
+
   const guild = c.var.guild
   const body = c.req.valid("json")
 
@@ -80,6 +85,8 @@ export const createChannel: AppRouteHandler<CreateChannelRoute> = async (c) => {
 export const reorderChannels: AppRouteHandler<ReorderChannelsRoute> = async (
   c
 ) => {
+  await checkPermission(c.req.raw.headers, "channel", ["update"])
+
   const guild = c.var.guild
   const { channels: updates } = c.req.valid("json")
 
@@ -134,6 +141,52 @@ export const getChannel: AppRouteHandler<GetChannelRoute> = async (c) => {
   return c.json(ch, HttpStatusCodes.OK)
 }
 
+export const updateChannel: AppRouteHandler<UpdateChannelRoute> = async (c) => {
+  await checkPermission(c.req.raw.headers, "channel", ["update"])
+
+  const guild = c.var.guild
+  const { channelId } = c.req.valid("param")
+  const body = c.req.valid("json")
+
+  const updated = await db
+    .update(channel)
+    .set(body)
+    .where(and(eq(channel.id, channelId), eq(channel.guildId, guild.id)))
+    .returning()
+    .then((rows) => rows[0])
+
+  if (!updated) {
+    return c.json(
+      { success: false, message: "Channel not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  return c.json(updated, HttpStatusCodes.OK)
+}
+
+export const deleteChannel: AppRouteHandler<DeleteChannelRoute> = async (c) => {
+  await checkPermission(c.req.raw.headers, "channel", ["delete"])
+
+  const guild = c.var.guild
+  const { channelId } = c.req.valid("param")
+
+  const deleted = await db
+    .delete(channel)
+    .where(and(eq(channel.id, channelId), eq(channel.guildId, guild.id)))
+    .returning({ id: channel.id })
+    .then((rows) => rows[0])
+
+  if (!deleted) {
+    return c.json(
+      { success: false, message: "Channel not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  return c.json({ success: true }, HttpStatusCodes.OK)
+}
+
 export const listChannelMessages: AppRouteHandler<
   ListChannelMessagesRoute
 > = async (c) => {
diff --git a/apps/api/src/routes/v1/channels/index.ts b/apps/api/src/routes/v1/channels/index.ts
index 45264c8..5949d28 100644
--- a/apps/api/src/routes/v1/channels/index.ts
+++ b/apps/api/src/routes/v1/channels/index.ts
@@ -7,6 +7,8 @@ const channelsRouter = createRouter()
   .openapi(routes.createChannel, handlers.createChannel)
   .openapi(routes.reorderChannels, handlers.reorderChannels)
   .openapi(routes.getChannel, handlers.getChannel)
+  .openapi(routes.updateChannel, handlers.updateChannel)
+  .openapi(routes.deleteChannel, handlers.deleteChannel)
   .openapi(routes.listChannelMessages, handlers.listChannelMessages)
 
 export default channelsRouter
diff --git a/apps/api/src/routes/v1/channels/routes.ts b/apps/api/src/routes/v1/channels/routes.ts
index 2040321..6608662 100644
--- a/apps/api/src/routes/v1/channels/routes.ts
+++ b/apps/api/src/routes/v1/channels/routes.ts
@@ -13,12 +13,15 @@ import {
   channelResponseSchema,
   createChannelRequestSchema,
   createChannelResponseSchema,
+  deleteChannelResponseSchema,
   guildSlugParamsSchema,
   listChannelsResponseSchema,
   listMessagesQuerySchema,
   listMessagesResponseSchema,
   reorderChannelsRequestSchema,
   reorderChannelsResponseSchema,
+  updateChannelRequestSchema,
+  updateChannelResponseSchema,
 } from "./schema"
 
 export const listChannels = createRoute({
@@ -138,8 +141,60 @@ export const listChannelMessages = createRoute({
   },
 })
 
+export const updateChannel = createRoute({
+  path: "/guilds/{guildSlug}/channels/{channelId}",
+  method: "patch",
+  summary: "Update a channel",
+  description:
+    "Updates a channel's name, topic, or other properties. Requires channel:update permission.",
+  tags: ["Channels"],
+  middleware: [guildAuthMiddleware] as const,
+  request: {
+    params: channelParamsSchema,
+    body: jsonContent({
+      schema: updateChannelRequestSchema,
+      description: "Channel fields to update",
+    }),
+  },
+  responses: {
+    [HttpStatusCodes.OK]: jsonContent({
+      schema: updateChannelResponseSchema,
+      description: "Updated channel",
+    }),
+    [HttpStatusCodes.UNAUTHORIZED]: unauthorizedSchema,
+    [HttpStatusCodes.FORBIDDEN]: forbiddenSchema,
+    [HttpStatusCodes.NOT_FOUND]: notFoundSchema,
+    [HttpStatusCodes.INTERNAL_SERVER_ERROR]: internalServerErrorSchema,
+  },
+})
+
+export const deleteChannel = createRoute({
+  path: "/guilds/{guildSlug}/channels/{channelId}",
+  method: "delete",
+  summary: "Delete a channel",
+  description:
+    "Permanently deletes a channel and all its messages. Requires channel:delete permission.",
+  tags: ["Channels"],
+  middleware: [guildAuthMiddleware] as const,
+  request: {
+    params: channelParamsSchema,
+  },
+  responses: {
+    [HttpStatusCodes.OK]: jsonContent({
+      schema: deleteChannelResponseSchema,
+      description: "Channel deleted",
+    }),
+    [HttpStatusCodes.UNAUTHORIZED]: unauthorizedSchema,
+    [HttpStatusCodes.FORBIDDEN]: forbiddenSchema,
+    [HttpStatusCodes.NOT_FOUND]: notFoundSchema,
+    [HttpStatusCodes.INTERNAL_SERVER_ERROR]: internalServerErrorSchema,
+  },
+})
+
 export type ListChannelsRoute = typeof listChannels
 export type CreateChannelRoute = typeof createChannel
 export type ReorderChannelsRoute = typeof reorderChannels
 export type GetChannelRoute = typeof getChannel
+export type UpdateChannelRoute = typeof updateChannel
+export type DeleteChannelRoute = typeof deleteChannel
 export type ListChannelMessagesRoute = typeof listChannelMessages
diff --git a/apps/api/src/routes/v1/channels/schema.ts b/apps/api/src/routes/v1/channels/schema.ts
index 1af581c..6a6106d 100644
--- a/apps/api/src/routes/v1/channels/schema.ts
+++ b/apps/api/src/routes/v1/channels/schema.ts
@@ -1,5 +1,9 @@
 import { z } from "@hono/zod-openapi"
-import { insertChannelSchema, selectChannelSchema } from "@repo/db/schema"
+import {
+  insertChannelSchema,
+  selectChannelSchema,
+  updateChannelSchema,
+} from "@repo/db/schema"
 import {
   listMessagesQuerySchema,
   listMessagesResponseSchema,
@@ -44,6 +48,16 @@ export const createChannelRequestSchema = insertChannelSchema
 
 export const createChannelResponseSchema = selectChannelSchema
 
+// ── Update / Delete ──────────────────────────────────────────
+
+export const updateChannelRequestSchema = updateChannelSchema
+
+export const updateChannelResponseSchema = selectChannelSchema
+
+export const deleteChannelResponseSchema = z.object({
+  success: z.literal(true),
+})
+
 // ── Messages ──────────────────────────────────────────
 
 export {
diff --git a/apps/web/src/components/sidebar/channel-panel/channel-list.tsx b/apps/web/src/components/sidebar/channel-panel/channel-list.tsx
index 64602c7..9a33bdf 100644
--- a/apps/web/src/components/sidebar/channel-panel/channel-list.tsx
+++ b/apps/web/src/components/sidebar/channel-panel/channel-list.tsx
@@ -15,6 +15,8 @@ import {
   verticalListSortingStrategy,
 } from "@dnd-kit/sortable"
 import { CSS } from "@dnd-kit/utilities"
+import { authClient } from "@repo/auth/client"
+import type { GuildRole } from "@repo/auth/permissions"
 import {
   DropdownMenu,
   DropdownMenuContent,
@@ -38,6 +40,9 @@ import { AnimatePresence, motion } from "motion/react"
 import { useCallback, useState } from "react"
 import { apiClient } from "@/lib/api-client"
 import type { Channel, ListChannelsResponse } from "@/lib/api-types"
+import { canDeleteChannels, canManageChannels } from "@/lib/permissions"
+import { DeleteChannelDialog } from "./delete-channel-dialog"
+import { EditChannelDialog } from "./edit-channel-dialog"
 
 const channelIcons = {
   text: Hash,
@@ -137,6 +142,21 @@ export function ChannelList() {
     },
   })
 
+  const { data: activeMember } = useQuery({
+    queryKey: ["active-guild-member", guildSlug],
+    queryFn: async () => {
+      const res = await authClient.organization.getActiveMember()
+      return res.data
+    },
+    enabled: !!guildSlug,
+  })
+  const canManage = activeMember?.role
+    ? canManageChannels(activeMember.role as GuildRole)
+    : false
+  const canDelete = activeMember?.role
+    ? canDeleteChannels(activeMember.role as GuildRole)
+    : false
+
   const [activeItem, setActiveItem] = useState<{
     channel: Channel
     isCategory: boolean
@@ -355,15 +375,16 @@ export function ChannelList() {
           <SortableContext
             items={data.uncategorized.map((ch) => ch.id)}
             strategy={verticalListSortingStrategy}
+            disabled={!canManage}
           >
             <div>
               {data.uncategorized.map((ch) => (
                 <SortableChannelItem
                   key={ch.id}
-                  id={ch.id}
-                  name={ch.name ?? ""}
-                  type={ch.type}
+                  channel={ch}
                   active={activeChannelId === ch.id}
+                  canManage={canManage}
+                  canDelete={canDelete}
                   onClick={() =>
                     navigate({
                       to: "/$guildSlug/$channelId",
@@ -383,6 +404,7 @@ export function ChannelList() {
         <SortableContext
           items={data.categories.map((cat) => cat.id)}
           strategy={verticalListSortingStrategy}
+          disabled={!canManage}
         >
           {data.categories.map((cat) => (
             <SortableCategorySection
@@ -392,6 +414,8 @@ export function ChannelList() {
               channels={cat.channels}
               draggingCategory={activeItem?.isCategory ?? false}
               activeChannelId={activeChannelId}
+              canManage={canManage}
+              canDelete={canDelete}
               onChannelClick={(channelId) =>
                 navigate({
                   to: "/$guildSlug/$channelId",
@@ -432,6 +456,8 @@ function SortableCategorySection({
   channels,
   draggingCategory,
   activeChannelId,
+  canManage,
+  canDelete,
   onChannelClick,
 }: {
   id: string
@@ -439,6 +465,8 @@ function SortableCategorySection({
   channels: Channel[]
   draggingCategory: boolean
   activeChannelId?: string
+  canManage: boolean
+  canDelete: boolean
   onChannelClick?: (channelId: string) => void
 }) {
   const [collapsed, setCollapsed] = useState(false)
@@ -449,7 +477,7 @@ function SortableCategorySection({
     transform,
     transition,
     isDragging,
-  } = useSortable({ id })
+  } = useSortable({ id, disabled: !canManage })
 
   const style = {
     transform: CSS.Translate.toString(transform),
@@ -462,8 +490,7 @@ function SortableCategorySection({
       <button
         type="button"
         onClick={() => setCollapsed(!collapsed)}
-        {...attributes}
-        {...listeners}
+        {...(canManage ? { ...attributes, ...listeners } : {})}
         className="group flex w-full items-center gap-0.5 px-1 pb-1 text-[11px] font-semibold uppercase tracking-wider text-muted-foreground hover:text-foreground cursor-pointer"
       >
         <motion.div
@@ -486,15 +513,15 @@ function SortableCategorySection({
             <SortableContext
               items={channels.map((ch) => ch.id)}
               strategy={verticalListSortingStrategy}
-              disabled={draggingCategory}
+              disabled={!canManage || draggingCategory}
             >
               {channels.map((ch) => (
                 <SortableChannelItem
                   key={ch.id}
-                  id={ch.id}
-                  name={ch.name ?? ""}
-                  type={ch.type}
+                  channel={ch}
                   active={activeChannelId === ch.id}
+                  canManage={canManage}
+                  canDelete={canDelete}
                   onClick={() => onChannelClick?.(ch.id)}
                 />
               ))}
@@ -507,16 +534,16 @@ function SortableCategorySection({
 }
 
 function SortableChannelItem({
-  id,
-  name,
-  type,
+  channel: ch,
   active = false,
+  canManage,
+  canDelete,
   onClick,
 }: {
-  id: string
-  name: string
-  type: string
+  channel: Channel
   active?: boolean
+  canManage: boolean
+  canDelete: boolean
   onClick?: () => void
 }) {
   const {
@@ -526,9 +553,11 @@ function SortableChannelItem({
     transform,
     transition,
     isDragging,
-  } = useSortable({ id })
+  } = useSortable({ id: ch.id, disabled: !canManage })
 
   const [menuOpen, setMenuOpen] = useState(false)
+  const [editOpen, setEditOpen] = useState(false)
+  const [deleteOpen, setDeleteOpen] = useState(false)
 
   const style = {
     transform: CSS.Translate.toString(transform),
@@ -537,52 +566,90 @@ function SortableChannelItem({
   }
 
   return (
-    // biome-ignore lint/a11y/noStaticElementInteractions: dnd-kit requires a div here
-    // biome-ignore lint/a11y/useKeyWithClickEvents: dnd-kit handles keyboard interactions
-    <div
-      ref={setNodeRef}
-      style={style}
-      onClick={onClick}
-      {...attributes}
-      {...listeners}
-      className={cn(
-        "group relative flex w-full items-center gap-2 rounded-lg px-2 py-[6px] text-[14px] hover:bg-foreground/[0.06] cursor-pointer",
-        active && "bg-foreground/[0.06] font-medium text-foreground",
-        !active && "text-muted-foreground",
-        menuOpen && "bg-foreground/[0.06]"
+    <>
+      {/* biome-ignore lint/a11y/noStaticElementInteractions: dnd-kit requires a div here */}
+      {/* biome-ignore lint/a11y/useKeyWithClickEvents: dnd-kit handles keyboard interactions */}
+      <div
+        ref={setNodeRef}
+        style={style}
+        onClick={onClick}
+        {...(canManage ? { ...attributes, ...listeners } : {})}
+        className={cn(
+          "group relative flex w-full items-center gap-2 rounded-lg px-2 py-[6px] text-[14px] hover:bg-foreground/[0.06] cursor-pointer",
+          active && "bg-foreground/[0.06] font-medium text-foreground",
+          !active && "text-muted-foreground",
+          menuOpen && "bg-foreground/[0.06]"
+        )}
+      >
+        {active && (
+          <div className="absolute left-0 top-1/2 h-4 w-[3px] -translate-y-1/2 rounded-r-full bg-primary" />
+        )}
+        <ChannelIcon type={ch.type} />
+        <span className="truncate">{ch.name}</span>
+        {canManage && (
+          <DropdownMenu open={menuOpen} onOpenChange={setMenuOpen}>
+            <DropdownMenuTrigger
+              onClick={(e) => e.stopPropagation()}
+              className={cn(
+                "ml-auto flex size-5 items-center justify-center rounded opacity-0 hover:bg-foreground/10 group-hover:opacity-100",
+                menuOpen && "opacity-100"
+              )}
+            >
+              <MoreHorizontal className="size-4 shrink-0" />
+            </DropdownMenuTrigger>
+            <DropdownMenuContent side="bottom" align="start">
+              <DropdownMenuItem
+                onClick={(e) => {
+                  e.stopPropagation()
+                  setMenuOpen(false)
+                  setEditOpen(true)
+                }}
+              >
+                Edit Channel
+              </DropdownMenuItem>
+              <DropdownMenuItem
+                onClick={(e) => {
+                  e.stopPropagation()
+                  navigator.clipboard.writeText(ch.id)
+                  setMenuOpen(false)
+                }}
+              >
+                Copy Channel ID
+              </DropdownMenuItem>
+              {canDelete && (
+                <>
+                  <DropdownMenuSeparator />
+                  <DropdownMenuItem
+                    onClick={(e) => {
+                      e.stopPropagation()
+                      setMenuOpen(false)
+                      setDeleteOpen(true)
+                    }}
+                    className="text-destructive focus:text-destructive"
+                  >
+                    Delete Channel
+                  </DropdownMenuItem>
+                </>
+              )}
+            </DropdownMenuContent>
+          </DropdownMenu>
+        )}
+      </div>
+      {canManage && (
+        <EditChannelDialog
+          channel={ch}
+          open={editOpen}
+          onOpenChange={setEditOpen}
+        />
       )}
-    >
-      {active && (
-        <div className="absolute left-0 top-1/2 h-4 w-[3px] -translate-y-1/2 rounded-r-full bg-primary" />
+      {canDelete && (
+        <DeleteChannelDialog
+          channel={ch}
+          open={deleteOpen}
+          onOpenChange={setDeleteOpen}
+        />
       )}
-      <ChannelIcon type={type} />
-      <span className="truncate">{name}</span>
-      <DropdownMenu open={menuOpen} onOpenChange={setMenuOpen}>
-        <DropdownMenuTrigger
-          onClick={(e) => e.stopPropagation()}
-          className={cn(
-            "ml-auto flex size-5 items-center justify-center rounded opacity-0 hover:bg-foreground/10 group-hover:opacity-100",
-            menuOpen && "opacity-100"
-          )}
-        >
-          <MoreHorizontal className="size-4 shrink-0" />
-        </DropdownMenuTrigger>
-        <DropdownMenuContent side="bottom" align="start">
-          {/* TODO: handleEditChannel */}
-          <DropdownMenuItem disabled>Edit Channel</DropdownMenuItem>
-          {/* TODO: handleCopyChannelId */}
-          <DropdownMenuItem disabled>Copy Channel ID</DropdownMenuItem>
-          <DropdownMenuSeparator />
-          {/* TODO: handleDeleteChannel — requires confirmation */}
-          <DropdownMenuItem
-            disabled
-            className="text-destructive focus:text-destructive"
-          >
-            Delete Channel
-          </DropdownMenuItem>
-        </DropdownMenuContent>
-      </DropdownMenu>
-    </div>
+    </>
   )
 }
 
diff --git a/apps/web/src/components/sidebar/channel-panel/delete-channel-dialog.tsx b/apps/web/src/components/sidebar/channel-panel/delete-channel-dialog.tsx
new file mode 100644
index 0000000..3932708
--- /dev/null
+++ b/apps/web/src/components/sidebar/channel-panel/delete-channel-dialog.tsx
@@ -0,0 +1,82 @@
+import {
+  AlertDialog,
+  AlertDialogAction,
+  AlertDialogCancel,
+  AlertDialogContent,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogHeader,
+  AlertDialogTitle,
+} from "@repo/ui/components/alert-dialog"
+import { useMutation, useQueryClient } from "@tanstack/react-query"
+import { useNavigate, useParams } from "@tanstack/react-router"
+import { apiClient } from "@/lib/api-client"
+import type { Channel } from "@/lib/api-types"
+
+export function DeleteChannelDialog({
+  channel,
+  open,
+  onOpenChange,
+}: {
+  channel: Channel
+  open: boolean
+  onOpenChange: (open: boolean) => void
+}) {
+  const { guildSlug, channelId: activeChannelId } = useParams({
+    strict: false,
+  })
+  const queryClient = useQueryClient()
+  const navigate = useNavigate()
+
+  const deleteMutation = useMutation({
+    mutationFn: async () => {
+      const res = await apiClient.v1.guilds[":guildSlug"].channels[
+        ":channelId"
+      ].$delete({
+        param: { guildSlug: guildSlug as string, channelId: channel.id },
+      })
+      if (!res.ok) {
+        throw new Error("Failed to delete channel")
+      }
+      return res.json()
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["channels", guildSlug] })
+      onOpenChange(false)
+
+      // If we deleted the active channel, navigate to guild root
+      if (activeChannelId === channel.id) {
+        navigate({
+          to: "/$guildSlug",
+          params: { guildSlug: guildSlug as string },
+        })
+      }
+    },
+  })
+
+  return (
+    <AlertDialog open={open} onOpenChange={onOpenChange}>
+      <AlertDialogContent>
+        <AlertDialogHeader>
+          <AlertDialogTitle>Delete Channel</AlertDialogTitle>
+          <AlertDialogDescription>
+            Are you sure you want to delete{" "}
+            <span className="font-semibold">#{channel.name}</span>? This will
+            permanently delete all messages in this channel. This action cannot
+            be undone.
+          </AlertDialogDescription>
+        </AlertDialogHeader>
+        <AlertDialogFooter>
+          <AlertDialogCancel>Cancel</AlertDialogCancel>
+          <AlertDialogAction
+            onClick={() => deleteMutation.mutate()}
+            loading={deleteMutation.isPending}
+            variant="destructive"
+          >
+            Delete Channel
+          </AlertDialogAction>
+        </AlertDialogFooter>
+      </AlertDialogContent>
+    </AlertDialog>
+  )
+}
diff --git a/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx b/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx
new file mode 100644
index 0000000..38c21cc
--- /dev/null
+++ b/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx
@@ -0,0 +1,125 @@
+import { Button } from "@repo/ui/components/button"
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@repo/ui/components/dialog"
+import { Input } from "@repo/ui/components/input"
+import { Label } from "@repo/ui/components/label"
+import { Textarea } from "@repo/ui/components/textarea"
+import { useMutation, useQueryClient } from "@tanstack/react-query"
+import { useParams } from "@tanstack/react-router"
+import { useEffect, useState } from "react"
+import { apiClient } from "@/lib/api-client"
+import type { Channel } from "@/lib/api-types"
+
+export function EditChannelDialog({
+  channel,
+  open,
+  onOpenChange,
+}: {
+  channel: Channel
+  open: boolean
+  onOpenChange: (open: boolean) => void
+}) {
+  const { guildSlug } = useParams({ strict: false })
+  const queryClient = useQueryClient()
+
+  const [name, setName] = useState(channel.name ?? "")
+  const [topic, setTopic] = useState(channel.topic ?? "")
+
+  useEffect(() => {
+    if (open) {
+      setName(channel.name ?? "")
+      setTopic(channel.topic ?? "")
+    }
+  }, [open, channel.name, channel.topic])
+
+  const updateMutation = useMutation({
+    mutationFn: async () => {
+      const res = await apiClient.v1.guilds[":guildSlug"].channels[
+        ":channelId"
+      ].$patch({
+        param: { guildSlug: guildSlug as string, channelId: channel.id },
+        json: { name, topic: topic || undefined },
+      })
+      if (!res.ok) {
+        throw new Error("Failed to update channel")
+      }
+      return res.json()
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["channels", guildSlug] })
+      queryClient.invalidateQueries({
+        queryKey: ["channel", guildSlug, channel.id],
+      })
+      onOpenChange(false)
+    },
+  })
+
+  const hasChanges =
+    name !== (channel.name ?? "") || topic !== (channel.topic ?? "")
+  const isValid = name.trim().length > 0
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent className="sm:max-w-md">
+        <DialogHeader>
+          <DialogTitle>Edit Channel</DialogTitle>
+          <DialogDescription>
+            Update the channel name and topic.
+          </DialogDescription>
+        </DialogHeader>
+        <form
+          onSubmit={(e) => {
+            e.preventDefault()
+            if (hasChanges && isValid) {
+              updateMutation.mutate()
+            }
+          }}
+          className="space-y-4"
+        >
+          <div className="space-y-2">
+            <Label htmlFor="channel-name">Name</Label>
+            <Input
+              id="channel-name"
+              value={name}
+              onChange={(e) => setName(e.target.value)}
+              maxLength={100}
+              autoFocus
+            />
+          </div>
+          <div className="space-y-2">
+            <Label htmlFor="channel-topic">Topic</Label>
+            <Textarea
+              id="channel-topic"
+              value={topic}
+              onChange={(e) => setTopic(e.target.value)}
+              maxLength={1024}
+              placeholder="What's this channel about?"
+              rows={3}
+            />
+          </div>
+          <DialogFooter>
+            <Button
+              type="button"
+              variant="ghost"
+              onClick={() => onOpenChange(false)}
+            >
+              Cancel
+            </Button>
+            <Button
+              type="submit"
+              disabled={!hasChanges || !isValid || updateMutation.isPending}
+            >
+              {updateMutation.isPending ? "Saving..." : "Save"}
+            </Button>
+          </DialogFooter>
+        </form>
+      </DialogContent>
+    </Dialog>
+  )
+}
diff --git a/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx b/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
index 5359432..4deaa98 100644
--- a/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
+++ b/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
@@ -24,9 +24,16 @@ const statusLabel: Record<GuildMemberPresence["status"], string> = {
   offline: "Offline",
 }
 
+const roleDisplayNames: Record<string, string> = {
+  owner: "Owner",
+  admin: "Admin",
+  warden: "Warden",
+  member: "Citizen",
+}
+
 function formatRole(role: GuildMemberPresence["role"]) {
-  if (!role) return "Member"
-  return role.charAt(0).toUpperCase() + role.slice(1)
+  if (!role) return "Citizen"
+  return roleDisplayNames[role] ?? role.charAt(0).toUpperCase() + role.slice(1)
 }
 
 function MembersSkeleton() {
diff --git a/apps/web/src/lib/permissions.ts b/apps/web/src/lib/permissions.ts
new file mode 100644
index 0000000..54b8620
--- /dev/null
+++ b/apps/web/src/lib/permissions.ts
@@ -0,0 +1,16 @@
+import { authClient } from "@repo/auth/client"
+import type { GuildRole } from "@repo/auth/permissions"
+
+export function canManageChannels(role: GuildRole): boolean {
+  return authClient.organization.checkRolePermission({
+    permissions: { channel: ["update"] },
+    role,
+  })
+}
+
+export function canDeleteChannels(role: GuildRole): boolean {
+  return authClient.organization.checkRolePermission({
+    permissions: { channel: ["delete"] },
+    role,
+  })
+}
diff --git a/apps/web/src/routes/_authenticated/$guildSlug.tsx b/apps/web/src/routes/_authenticated/$guildSlug.tsx
index eb6e055..69052d3 100644
--- a/apps/web/src/routes/_authenticated/$guildSlug.tsx
+++ b/apps/web/src/routes/_authenticated/$guildSlug.tsx
@@ -1,5 +1,5 @@
 import { authClient } from "@repo/auth/client"
-import { useQuery } from "@tanstack/react-query"
+import { useQuery, useQueryClient } from "@tanstack/react-query"
 import { createFileRoute, Outlet } from "@tanstack/react-router"
 import { useEffect, useMemo } from "react"
 
@@ -30,11 +30,17 @@ function GuildLayout() {
     [guilds, guildSlug]
   )
 
+  const queryClient = useQueryClient()
+
   useEffect(() => {
     if (!guild) return
     if (activeOrg?.id === guild.id) return
-    authClient.organization.setActive({ organizationId: guild.id })
-  }, [guild, activeOrg?.id])
+    authClient.organization.setActive({ organizationId: guild.id }).then(() => {
+      queryClient.invalidateQueries({
+        queryKey: ["active-guild-member", guildSlug],
+      })
+    })
+  }, [guild, activeOrg?.id, guildSlug, queryClient])
 
   if (guildsLoading) {
     return (
diff --git a/packages/auth/package.json b/packages/auth/package.json
index 60174b3..0d9ad68 100644
--- a/packages/auth/package.json
+++ b/packages/auth/package.json
@@ -17,6 +17,7 @@
   "exports": {
     ".": "./src/lib/auth.ts",
     "./client": "./src/lib/auth-client.ts",
-    "./utils": "./src/lib/auth-utils.ts"
+    "./utils": "./src/lib/auth-utils.ts",
+    "./permissions": "./src/lib/permissions.ts"
   }
 }
diff --git a/packages/auth/src/lib/auth-client.ts b/packages/auth/src/lib/auth-client.ts
index f8f74a5..6e2d721 100644
--- a/packages/auth/src/lib/auth-client.ts
+++ b/packages/auth/src/lib/auth-client.ts
@@ -9,11 +9,19 @@ import {
 } from "better-auth/client/plugins"
 import { createAuthClient } from "better-auth/react"
 import type { auth } from "./auth.js"
+import { ac, admin, member, owner, warden } from "./permissions"
 
 export const authClient = createAuthClient({
   baseURL: env.NEXT_PUBLIC_API_URL,
   plugins: [
     organizationClient({
+      ac,
+      roles: {
+        owner,
+        admin,
+        warden,
+        member,
+      },
       schema: inferOrgAdditionalFields<typeof auth>(),
     }),
     adminClient(),
diff --git a/packages/auth/src/lib/auth.ts b/packages/auth/src/lib/auth.ts
index 58772dc..e4e6030 100644
--- a/packages/auth/src/lib/auth.ts
+++ b/packages/auth/src/lib/auth.ts
@@ -3,6 +3,13 @@ import { env } from "@repo/env/server"
 import { drizzleAdapter } from "better-auth/adapters/drizzle"
 import { betterAuth } from "better-auth/minimal"
 import { admin, organization, twoFactor, username } from "better-auth/plugins"
+import {
+  ac,
+  admin as adminRole,
+  member as memberRole,
+  owner as ownerRole,
+  warden,
+} from "./permissions"
 
 const defaultGuildChannels = {
   uncategorized: [
@@ -123,6 +130,13 @@ export const auth = betterAuth({
   },
   plugins: [
     organization({
+      ac,
+      roles: {
+        owner: ownerRole,
+        admin: adminRole,
+        warden,
+        member: memberRole,
+      },
       schema: {
         organization: {
           modelName: "guild",
diff --git a/packages/auth/src/lib/permissions.ts b/packages/auth/src/lib/permissions.ts
new file mode 100644
index 0000000..885afd2
--- /dev/null
+++ b/packages/auth/src/lib/permissions.ts
@@ -0,0 +1,45 @@
+import { createAccessControl } from "better-auth/plugins/access"
+import {
+  adminAc,
+  defaultStatements,
+  memberAc,
+  ownerAc,
+} from "better-auth/plugins/organization/access"
+
+const statement = {
+  ...defaultStatements,
+  channel: ["create", "update", "delete"],
+  message: ["delete"], // delete others' messages (own messages are always deletable)
+} as const
+
+const ac = createAccessControl(statement)
+
+const owner = ac.newRole({
+  channel: ["create", "update", "delete"],
+  message: ["delete"],
+  ...ownerAc.statements,
+})
+
+const admin = ac.newRole({
+  channel: ["create", "update", "delete"],
+  message: ["delete"],
+  ...adminAc.statements,
+})
+
+// Warden (moderator) — can create/update channels and moderate messages
+const warden = ac.newRole({
+  channel: ["create", "update"],
+  message: ["delete"],
+  ...memberAc.statements,
+})
+
+// Member (citizen) — basic access only, displayed as "Citizen" in UI
+const member = ac.newRole({
+  ...memberAc.statements,
+})
+
+const roles = { owner, admin, warden, member }
+
+export type GuildRole = keyof typeof roles
+
+export { ac, admin, member, owner, roles, statement, warden }
diff --git a/packages/ui/src/components/alert-dialog.tsx b/packages/ui/src/components/alert-dialog.tsx
index e819882..2e7fe49 100644
--- a/packages/ui/src/components/alert-dialog.tsx
+++ b/packages/ui/src/components/alert-dialog.tsx
@@ -2,6 +2,7 @@
 
 import { Button } from "@repo/ui/components/button"
 import { cn } from "@repo/ui/lib/utils"
+import { Loader2 } from "lucide-react"
 import { AlertDialog as AlertDialogPrimitive } from "radix-ui"
 import type * as React from "react"
 
@@ -147,16 +148,24 @@ function AlertDialogAction({
   className,
   variant = "default",
   size = "default",
+  loading = false,
+  children,
   ...props
 }: React.ComponentProps<typeof AlertDialogPrimitive.Action> &
-  Pick<React.ComponentProps<typeof Button>, "variant" | "size">) {
+  Pick<React.ComponentProps<typeof Button>, "variant" | "size"> & {
+    loading?: boolean
+  }) {
   return (
     <Button variant={variant} size={size} asChild>
       <AlertDialogPrimitive.Action
         data-slot="alert-dialog-action"
         className={cn(className)}
+        disabled={loading || props.disabled}
         {...props}
-      />
+      >
+        {loading && <Loader2 className="mr-2 size-4 animate-spin" />}
+        {children}
+      </AlertDialogPrimitive.Action>
     </Button>
   )
 }

From 84f86ff421a1fd492f9792ff567feec6ff68f5de Mon Sep 17 00:00:00 2001
From: Jacob Owens <jacobowens75@gmail.com>
Date: Wed, 11 Mar 2026 14:50:41 -0700
Subject: [PATCH 2/6] feat:add guild moderation roles, bans, timeouts, rate
 limits, and member management UI

---
 ROADMAP.md                                    |   3 +-
 apps/api/src/lib/permissions.ts               |  85 ++-
 apps/api/src/routes/v1/guilds/handlers.ts     | 411 +++++++++++-
 apps/api/src/routes/v1/guilds/index.ts        |  11 +-
 apps/api/src/routes/v1/guilds/routes.ts       | 150 ++++-
 apps/api/src/routes/v1/guilds/schema.ts       |  66 ++
 apps/api/src/routes/v1/uploads/handlers.ts    |   8 +-
 apps/realtime/src/index.ts                    |  14 +
 apps/realtime/src/services/channel-access.ts  |  30 +-
 apps/realtime/src/services/messages.ts        |  11 +
 apps/realtime/src/services/rate-limit.ts      |  49 ++
 .../right-panel/guild-members-panel.tsx       | 596 ++++++++++++++++--
 .../right-panel/right-sidebar-panel.tsx       |   2 +-
 apps/web/src/lib/permissions.ts               |  56 +-
 packages/auth/src/lib/permissions.ts          | 136 +++-
 packages/db/src/schemas/guild-bans.ts         |  59 ++
 packages/db/src/schemas/guild-members.ts      |  23 +-
 packages/db/src/schemas/guilds.ts             |   2 +
 packages/db/src/schemas/index.ts              |   1 +
 packages/db/src/schemas/users.ts              |  14 +-
 20 files changed, 1620 insertions(+), 107 deletions(-)
 create mode 100644 apps/realtime/src/services/rate-limit.ts
 create mode 100644 packages/db/src/schemas/guild-bans.ts

diff --git a/ROADMAP.md b/ROADMAP.md
index db36c7c..d3275be 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -25,7 +25,7 @@
 - [x] Message deletion
 - [x] Message editing UI
 - [x] User profiles (bio, custom status, avatar upload)
-- [ ] Channel edit/delete
+- [x] Channel edit/delete
 - [x] User settings page
 
 ## Phase 2 — Permissions & Moderation
@@ -64,7 +64,6 @@
 - [ ] Structured logger (Pino/Winston) replacing `console.error`
 - [ ] Production environment management
 - [ ] Production startup guard for `REALTIME_CORS_ORIGIN` on localhost defaults
-- [ ] Database migration workflow
 - [ ] Monitoring & logging (observability)
 - [ ] CORS lockdown for production domains
 
diff --git a/apps/api/src/lib/permissions.ts b/apps/api/src/lib/permissions.ts
index c46b400..e2494b7 100644
--- a/apps/api/src/lib/permissions.ts
+++ b/apps/api/src/lib/permissions.ts
@@ -1,7 +1,15 @@
 import { auth } from "@repo/auth"
-import type { statement } from "@repo/auth/permissions"
+import {
+  canManageGuildAuthority,
+  type GuildAuthority,
+  guildAuthorityHasPermissions,
+  isGuildRole,
+  type PermissionRequest,
+  type statement,
+} from "@repo/auth/permissions"
 import { HTTPException } from "hono/http-exception"
 import * as HttpStatusCodes from "@/lib/helpers/http/status-codes"
+import type { Guild, GuildMember } from "@/lib/types/app-types"
 
 // ── Type-Safe Permission Types ──────────────────────────────────────
 
@@ -10,6 +18,22 @@ export type StatementKey = keyof typeof statement
 export type PermissionForStatement<T extends StatementKey> =
   (typeof statement)[T][number]
 
+function toGuildAuthority(
+  member: Pick<GuildMember, "role" | "userId">,
+  guild: Pick<Guild, "ownerId">
+): GuildAuthority {
+  if (!isGuildRole(member.role)) {
+    throw new HTTPException(HttpStatusCodes.FORBIDDEN, {
+      message: `Unknown guild role: ${member.role}`,
+    })
+  }
+
+  return {
+    role: member.role,
+    isOwner: guild.ownerId === member.userId,
+  }
+}
+
 // ── Permission Check ──────────────────────────────────────
 
 /**
@@ -43,3 +67,62 @@ export async function checkPermission<
 
   return true
 }
+
+export function assertGuildPermission(
+  member: Pick<GuildMember, "role" | "userId">,
+  guild: Pick<Guild, "ownerId">,
+  requestedPermissions: PermissionRequest
+) {
+  const authority = toGuildAuthority(member, guild)
+
+  if (!guildAuthorityHasPermissions(authority, requestedPermissions)) {
+    throw new HTTPException(HttpStatusCodes.FORBIDDEN, {
+      message: "You do not have permission to perform this action",
+    })
+  }
+
+  return authority
+}
+
+export function assertCanManageGuildMember(
+  actor: Pick<GuildMember, "role" | "userId">,
+  target: Pick<GuildMember, "role" | "userId">,
+  guild: Pick<Guild, "ownerId">
+) {
+  if (actor.userId === target.userId) {
+    throw new HTTPException(HttpStatusCodes.FORBIDDEN, {
+      message: "You cannot moderate yourself",
+    })
+  }
+
+  const actorAuthority = toGuildAuthority(actor, guild)
+  const targetAuthority = toGuildAuthority(target, guild)
+
+  if (!canManageGuildAuthority(actorAuthority, targetAuthority)) {
+    throw new HTTPException(HttpStatusCodes.FORBIDDEN, {
+      message: "You cannot moderate this member",
+    })
+  }
+
+  return {
+    actorAuthority,
+    targetAuthority,
+  }
+}
+
+export function isCommunicationDisabled(
+  member: Pick<GuildMember, "communicationDisabledUntil">
+) {
+  if (!member.communicationDisabledUntil) return false
+  return member.communicationDisabledUntil.getTime() > Date.now()
+}
+
+export function assertMemberCanCommunicate(
+  member: Pick<GuildMember, "communicationDisabledUntil">
+) {
+  if (!isCommunicationDisabled(member)) return
+
+  throw new HTTPException(HttpStatusCodes.FORBIDDEN, {
+    message: "You are temporarily timed out and cannot send messages",
+  })
+}
diff --git a/apps/api/src/routes/v1/guilds/handlers.ts b/apps/api/src/routes/v1/guilds/handlers.ts
index 8f45982..022a9e9 100644
--- a/apps/api/src/routes/v1/guilds/handlers.ts
+++ b/apps/api/src/routes/v1/guilds/handlers.ts
@@ -1,10 +1,25 @@
-import { db, eq, schema } from "@repo/db"
+import {
+  getGuildAuthorityPosition,
+  getGuildRolePosition,
+} from "@repo/auth/permissions"
+import { and, db, eq, schema } from "@repo/db"
 import { PRESENCE_ONLINE_USERS_SET_KEY } from "@repo/realtime-types"
 import { asc } from "drizzle-orm"
 import * as HttpStatusCodes from "@/lib/helpers/http/status-codes"
+import {
+  assertCanManageGuildMember,
+  assertGuildPermission,
+} from "@/lib/permissions"
 import { getRedisClient } from "@/lib/redis"
 import type { AppRouteHandler } from "@/lib/types/app-types"
-import type { ListGuildMembersRoute } from "@/routes/v1/guilds/routes"
+import type {
+  BanGuildMemberRoute,
+  ClearGuildMemberTimeoutRoute,
+  KickGuildMemberRoute,
+  ListGuildMembersRoute,
+  TimeoutGuildMemberRoute,
+  UpdateGuildMemberRoleRoute,
+} from "@/routes/v1/guilds/routes"
 
 const PRESENCE_MEMBERSHIP_CHUNK_SIZE = 250
 
@@ -37,6 +52,62 @@ async function listOnlineUserIds(userIds: string[]) {
   }
 }
 
+function toGuildMemberPresence(
+  member: {
+    userId: string
+    name: string
+    username: string | null
+    displayUsername: string | null
+    image: string | null
+    role: string
+    communicationDisabledUntil: Date | null
+    communicationDisabledReason: string | null
+  },
+  ownerId: string,
+  onlineUserIds: Set<string>
+) {
+  return {
+    userId: member.userId,
+    name: member.name,
+    username: member.username,
+    displayUsername: member.displayUsername,
+    image: member.image,
+    role: member.role,
+    isOwner: ownerId === member.userId,
+    status: onlineUserIds.has(member.userId)
+      ? ("online" as const)
+      : ("offline" as const),
+    communicationDisabledUntil:
+      member.communicationDisabledUntil?.toISOString() ?? null,
+    communicationDisabledReason: member.communicationDisabledReason,
+  }
+}
+
+async function getGuildMemberRow(guildId: string, userId: string) {
+  return db
+    .select({
+      userId: schema.guildMember.userId,
+      role: schema.guildMember.role,
+      communicationDisabledUntil: schema.guildMember.communicationDisabledUntil,
+      communicationDisabledReason:
+        schema.guildMember.communicationDisabledReason,
+      name: schema.user.name,
+      username: schema.user.username,
+      displayUsername: schema.user.displayUsername,
+      image: schema.user.image,
+    })
+    .from(schema.guildMember)
+    .innerJoin(schema.user, eq(schema.guildMember.userId, schema.user.id))
+    .where(
+      and(
+        eq(schema.guildMember.guildId, guildId),
+        eq(schema.guildMember.userId, userId)
+      )
+    )
+    .limit(1)
+    .then((rows) => rows[0] ?? null)
+}
+
 export const listGuildMembers: AppRouteHandler<ListGuildMembersRoute> = async (
   c
 ) => {
@@ -46,6 +117,9 @@ export const listGuildMembers: AppRouteHandler<ListGuildMembersRoute> = async (
     .select({
       userId: schema.guildMember.userId,
       role: schema.guildMember.role,
+      communicationDisabledUntil: schema.guildMember.communicationDisabledUntil,
+      communicationDisabledReason:
+        schema.guildMember.communicationDisabledReason,
       name: schema.user.name,
       username: schema.user.username,
       displayUsername: schema.user.displayUsername,
@@ -64,17 +138,328 @@ export const listGuildMembers: AppRouteHandler<ListGuildMembersRoute> = async (
       guildId: guild.id,
       guildSlug: guild.slug,
       guildName: guild.name,
-      members: memberRows.map((member) => ({
-        userId: member.userId,
-        name: member.name,
-        username: member.username,
-        displayUsername: member.displayUsername,
-        image: member.image,
-        role: member.role,
-        status: onlineUserIds.has(member.userId)
-          ? ("online" as const)
-          : ("offline" as const),
-      })),
+      ownerId: guild.ownerId,
+      members: memberRows.map((member) =>
+        toGuildMemberPresence(member, guild.ownerId, onlineUserIds)
+      ),
+    },
+    HttpStatusCodes.OK
+  )
+}
+
+export const updateGuildMemberRole: AppRouteHandler<
+  UpdateGuildMemberRoleRoute
+> = async (c) => {
+  const guild = c.var.guild
+  const actor = c.var.member
+  const { userId } = c.req.valid("param")
+  const { role } = c.req.valid("json")
+
+  const actorAuthority = assertGuildPermission(actor, guild, {
+    guildMember: ["role:update"],
+  })
+
+  const target = await getGuildMemberRow(guild.id, userId)
+
+  if (!target) {
+    return c.json(
+      { success: false, message: "Guild member not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  assertCanManageGuildMember(actor, target, guild)
+
+  if (
+    !actorAuthority.isOwner &&
+    getGuildRolePosition(role) <= getGuildAuthorityPosition(actorAuthority)
+  ) {
+    return c.json(
+      { success: false, message: "You cannot assign that role" },
+      HttpStatusCodes.FORBIDDEN
+    )
+  }
+
+  await db
+    .update(schema.guildMember)
+    .set({ role })
+    .where(
+      and(
+        eq(schema.guildMember.guildId, guild.id),
+        eq(schema.guildMember.userId, userId)
+      )
+    )
+
+  const updatedMember = await getGuildMemberRow(guild.id, userId)
+
+  if (!updatedMember) {
+    return c.json(
+      { success: false, message: "Guild member not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  const onlineUserIds = await listOnlineUserIds([updatedMember.userId])
+
+  return c.json(
+    {
+      success: true as const,
+      member: toGuildMemberPresence(
+        updatedMember,
+        guild.ownerId,
+        onlineUserIds
+      ),
+    },
+    HttpStatusCodes.OK
+  )
+}
+
+export const kickGuildMember: AppRouteHandler<KickGuildMemberRoute> = async (
+  c
+) => {
+  const guild = c.var.guild
+  const actor = c.var.member
+  const { userId } = c.req.valid("param")
+
+  assertGuildPermission(actor, guild, {
+    guildMember: ["kick"],
+  })
+
+  const target = await getGuildMemberRow(guild.id, userId)
+
+  if (!target) {
+    return c.json(
+      { success: false, message: "Guild member not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  assertCanManageGuildMember(actor, target, guild)
+
+  await db
+    .delete(schema.guildMember)
+    .where(
+      and(
+        eq(schema.guildMember.guildId, guild.id),
+        eq(schema.guildMember.userId, userId)
+      )
+    )
+
+  return c.json({ success: true as const }, HttpStatusCodes.OK)
+}
+
+export const banGuildMember: AppRouteHandler<BanGuildMemberRoute> = async (
+  c
+) => {
+  const guild = c.var.guild
+  const actor = c.var.member
+  const { userId } = c.req.valid("param")
+  const { reason, expiresAt } = c.req.valid("json")
+
+  assertGuildPermission(actor, guild, {
+    guildMember: ["ban"],
+  })
+
+  const target = await getGuildMemberRow(guild.id, userId)
+
+  if (!target) {
+    return c.json(
+      { success: false, message: "Guild member not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  assertCanManageGuildMember(actor, target, guild)
+
+  const expiresAtDate = expiresAt ? new Date(expiresAt) : null
+
+  const ban = await db.transaction(async (tx) => {
+    const insertedBan = await tx
+      .insert(schema.guildBan)
+      .values({
+        guildId: guild.id,
+        userId,
+        bannedBy: actor.userId,
+        reason: reason ?? null,
+        expiresAt: expiresAtDate,
+        revokedAt: null,
+        revokeReason: null,
+      })
+      .onConflictDoUpdate({
+        target: [schema.guildBan.guildId, schema.guildBan.userId],
+        set: {
+          bannedBy: actor.userId,
+          reason: reason ?? null,
+          expiresAt: expiresAtDate,
+          revokedAt: null,
+          revokeReason: null,
+        },
+      })
+      .returning({
+        userId: schema.guildBan.userId,
+        guildId: schema.guildBan.guildId,
+        bannedBy: schema.guildBan.bannedBy,
+        reason: schema.guildBan.reason,
+        expiresAt: schema.guildBan.expiresAt,
+        createdAt: schema.guildBan.createdAt,
+        revokedAt: schema.guildBan.revokedAt,
+      })
+      .then((rows) => rows[0])
+
+    await tx
+      .delete(schema.guildMember)
+      .where(
+        and(
+          eq(schema.guildMember.guildId, guild.id),
+          eq(schema.guildMember.userId, userId)
+        )
+      )
+
+    return insertedBan
+  })
+
+  if (!ban) {
+    return c.json(
+      { success: false, message: "Failed to create guild ban" },
+      HttpStatusCodes.INTERNAL_SERVER_ERROR
+    )
+  }
+
+  return c.json(
+    {
+      success: true as const,
+      ban: {
+        ...ban,
+        reason: ban.reason ?? null,
+        expiresAt: ban.expiresAt?.toISOString() ?? null,
+        createdAt: ban.createdAt.toISOString(),
+        revokedAt: ban.revokedAt?.toISOString() ?? null,
+      },
+    },
+    HttpStatusCodes.OK
+  )
+}
+
+export const timeoutGuildMember: AppRouteHandler<
+  TimeoutGuildMemberRoute
+> = async (c) => {
+  const guild = c.var.guild
+  const actor = c.var.member
+  const { userId } = c.req.valid("param")
+  const { durationMinutes, reason } = c.req.valid("json")
+
+  assertGuildPermission(actor, guild, {
+    guildMember: ["timeout"],
+  })
+
+  const target = await getGuildMemberRow(guild.id, userId)
+
+  if (!target) {
+    return c.json(
+      { success: false, message: "Guild member not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  assertCanManageGuildMember(actor, target, guild)
+
+  const communicationDisabledUntil = new Date(
+    Date.now() + durationMinutes * 60 * 1000
+  )
+
+  await db
+    .update(schema.guildMember)
+    .set({
+      communicationDisabledUntil,
+      communicationDisabledBy: actor.userId,
+      communicationDisabledReason: reason ?? null,
+    })
+    .where(
+      and(
+        eq(schema.guildMember.guildId, guild.id),
+        eq(schema.guildMember.userId, userId)
+      )
+    )
+
+  const updatedMember = await getGuildMemberRow(guild.id, userId)
+
+  if (!updatedMember) {
+    return c.json(
+      { success: false, message: "Guild member not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  const onlineUserIds = await listOnlineUserIds([updatedMember.userId])
+
+  return c.json(
+    {
+      success: true as const,
+      member: toGuildMemberPresence(
+        updatedMember,
+        guild.ownerId,
+        onlineUserIds
+      ),
+    },
+    HttpStatusCodes.OK
+  )
+}
+
+export const clearGuildMemberTimeout: AppRouteHandler<
+  ClearGuildMemberTimeoutRoute
+> = async (c) => {
+  const guild = c.var.guild
+  const actor = c.var.member
+  const { userId } = c.req.valid("param")
+
+  assertGuildPermission(actor, guild, {
+    guildMember: ["timeout"],
+  })
+
+  const target = await getGuildMemberRow(guild.id, userId)
+
+  if (!target) {
+    return c.json(
+      { success: false, message: "Guild member not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  assertCanManageGuildMember(actor, target, guild)
+
+  await db
+    .update(schema.guildMember)
+    .set({
+      communicationDisabledUntil: null,
+      communicationDisabledBy: null,
+      communicationDisabledReason: null,
+    })
+    .where(
+      and(
+        eq(schema.guildMember.guildId, guild.id),
+        eq(schema.guildMember.userId, userId)
+      )
+    )
+
+  const updatedMember = await getGuildMemberRow(guild.id, userId)
+
+  if (!updatedMember) {
+    return c.json(
+      { success: false, message: "Guild member not found" },
+      HttpStatusCodes.NOT_FOUND
+    )
+  }
+
+  const onlineUserIds = await listOnlineUserIds([updatedMember.userId])
+
+  return c.json(
+    {
+      success: true as const,
+      member: toGuildMemberPresence(
+        updatedMember,
+        guild.ownerId,
+        onlineUserIds
+      ),
     },
     HttpStatusCodes.OK
   )
diff --git a/apps/api/src/routes/v1/guilds/index.ts b/apps/api/src/routes/v1/guilds/index.ts
index 85b26c9..809ea43 100644
--- a/apps/api/src/routes/v1/guilds/index.ts
+++ b/apps/api/src/routes/v1/guilds/index.ts
@@ -2,9 +2,12 @@ import { createRouter } from "@/lib/helpers/app/create-app"
 import * as handlers from "@/routes/v1/guilds/handlers"
 import * as routes from "@/routes/v1/guilds/routes"
 
-const guildsRouter = createRouter().openapi(
-  routes.listGuildMembers,
-  handlers.listGuildMembers
-)
+const guildsRouter = createRouter()
+  .openapi(routes.listGuildMembers, handlers.listGuildMembers)
+  .openapi(routes.updateGuildMemberRole, handlers.updateGuildMemberRole)
+  .openapi(routes.kickGuildMember, handlers.kickGuildMember)
+  .openapi(routes.banGuildMember, handlers.banGuildMember)
+  .openapi(routes.timeoutGuildMember, handlers.timeoutGuildMember)
+  .openapi(routes.clearGuildMemberTimeout, handlers.clearGuildMemberTimeout)
 
 export default guildsRouter
diff --git a/apps/api/src/routes/v1/guilds/routes.ts b/apps/api/src/routes/v1/guilds/routes.ts
index 565bd47..cca4f12 100644
--- a/apps/api/src/routes/v1/guilds/routes.ts
+++ b/apps/api/src/routes/v1/guilds/routes.ts
@@ -8,7 +8,18 @@ import {
   unauthorizedSchema,
 } from "@/lib/helpers/openapi/schemas"
 import { guildAuthMiddleware } from "@/middleware/guild-auth"
-import { guildSlugParamsSchema, listGuildMembersResponseSchema } from "./schema"
+import {
+  banGuildMemberRequestSchema,
+  banGuildMemberResponseSchema,
+  guildMemberParamsSchema,
+  guildSlugParamsSchema,
+  listGuildMembersResponseSchema,
+  moderateGuildMemberResponseSchema,
+  timeoutGuildMemberRequestSchema,
+  timeoutGuildMemberResponseSchema,
+  updateGuildMemberRoleRequestSchema,
+  updateGuildMemberRoleResponseSchema,
+} from "./schema"
 
 export const listGuildMembers = createRoute({
   path: "/guilds/{guildSlug}/members",
@@ -34,3 +45,140 @@ export const listGuildMembers = createRoute({
 })
 
 export type ListGuildMembersRoute = typeof listGuildMembers
+
+export const updateGuildMemberRole = createRoute({
+  path: "/guilds/{guildSlug}/members/{userId}/role",
+  method: "patch",
+  summary: "Update a guild member role",
+  description:
+    "Updates a guild member's built-in role. Requires member role update permission and sufficient hierarchy.",
+  tags: ["Guilds"],
+  middleware: [guildAuthMiddleware] as const,
+  request: {
+    params: guildMemberParamsSchema,
+    body: jsonContent({
+      schema: updateGuildMemberRoleRequestSchema,
+      description: "Updated built-in guild role",
+    }),
+  },
+  responses: {
+    [HttpStatusCodes.OK]: jsonContent({
+      schema: updateGuildMemberRoleResponseSchema,
+      description: "Updated guild member",
+    }),
+    [HttpStatusCodes.UNAUTHORIZED]: unauthorizedSchema,
+    [HttpStatusCodes.FORBIDDEN]: forbiddenSchema,
+    [HttpStatusCodes.NOT_FOUND]: notFoundSchema,
+    [HttpStatusCodes.INTERNAL_SERVER_ERROR]: internalServerErrorSchema,
+  },
+})
+
+export type UpdateGuildMemberRoleRoute = typeof updateGuildMemberRole
+
+export const kickGuildMember = createRoute({
+  path: "/guilds/{guildSlug}/members/{userId}/kick",
+  method: "post",
+  summary: "Kick a guild member",
+  description:
+    "Removes a member from the guild. Requires member kick permission and sufficient hierarchy.",
+  tags: ["Guilds"],
+  middleware: [guildAuthMiddleware] as const,
+  request: {
+    params: guildMemberParamsSchema,
+  },
+  responses: {
+    [HttpStatusCodes.OK]: jsonContent({
+      schema: moderateGuildMemberResponseSchema,
+      description: "Member kicked",
+    }),
+    [HttpStatusCodes.UNAUTHORIZED]: unauthorizedSchema,
+    [HttpStatusCodes.FORBIDDEN]: forbiddenSchema,
+    [HttpStatusCodes.NOT_FOUND]: notFoundSchema,
+    [HttpStatusCodes.INTERNAL_SERVER_ERROR]: internalServerErrorSchema,
+  },
+})
+
+export type KickGuildMemberRoute = typeof kickGuildMember
+
+export const banGuildMember = createRoute({
+  path: "/guilds/{guildSlug}/members/{userId}/ban",
+  method: "post",
+  summary: "Ban a guild member",
+  description:
+    "Bans a member from the guild and removes their active membership. Requires member ban permission and sufficient hierarchy.",
+  tags: ["Guilds"],
+  middleware: [guildAuthMiddleware] as const,
+  request: {
+    params: guildMemberParamsSchema,
+    body: jsonContent({
+      schema: banGuildMemberRequestSchema,
+      description: "Ban metadata",
+    }),
+  },
+  responses: {
+    [HttpStatusCodes.OK]: jsonContent({
+      schema: banGuildMemberResponseSchema,
+      description: "Member banned",
+    }),
+    [HttpStatusCodes.UNAUTHORIZED]: unauthorizedSchema,
+    [HttpStatusCodes.FORBIDDEN]: forbiddenSchema,
+    [HttpStatusCodes.NOT_FOUND]: notFoundSchema,
+    [HttpStatusCodes.INTERNAL_SERVER_ERROR]: internalServerErrorSchema,
+  },
+})
+
+export type BanGuildMemberRoute = typeof banGuildMember
+
+export const timeoutGuildMember = createRoute({
+  path: "/guilds/{guildSlug}/members/{userId}/timeout",
+  method: "post",
+  summary: "Time out a guild member",
+  description:
+    "Temporarily disables a guild member's ability to communicate. Requires member timeout permission and sufficient hierarchy.",
+  tags: ["Guilds"],
+  middleware: [guildAuthMiddleware] as const,
+  request: {
+    params: guildMemberParamsSchema,
+    body: jsonContent({
+      schema: timeoutGuildMemberRequestSchema,
+      description: "Timeout duration and optional reason",
+    }),
+  },
+  responses: {
+    [HttpStatusCodes.OK]: jsonContent({
+      schema: timeoutGuildMemberResponseSchema,
+      description: "Timed out guild member",
+    }),
+    [HttpStatusCodes.UNAUTHORIZED]: unauthorizedSchema,
+    [HttpStatusCodes.FORBIDDEN]: forbiddenSchema,
+    [HttpStatusCodes.NOT_FOUND]: notFoundSchema,
+    [HttpStatusCodes.INTERNAL_SERVER_ERROR]: internalServerErrorSchema,
+  },
+})
+
+export type TimeoutGuildMemberRoute = typeof timeoutGuildMember
+
+export const clearGuildMemberTimeout = createRoute({
+  path: "/guilds/{guildSlug}/members/{userId}/timeout",
+  method: "delete",
+  summary: "Clear a guild member timeout",
+  description:
+    "Restores a timed out member's ability to communicate. Requires member timeout permission and sufficient hierarchy.",
+  tags: ["Guilds"],
+  middleware: [guildAuthMiddleware] as const,
+  request: {
+    params: guildMemberParamsSchema,
+  },
+  responses: {
+    [HttpStatusCodes.OK]: jsonContent({
+      schema: timeoutGuildMemberResponseSchema,
+      description: "Updated guild member",
+    }),
+    [HttpStatusCodes.UNAUTHORIZED]: unauthorizedSchema,
+    [HttpStatusCodes.FORBIDDEN]: forbiddenSchema,
+    [HttpStatusCodes.NOT_FOUND]: notFoundSchema,
+    [HttpStatusCodes.INTERNAL_SERVER_ERROR]: internalServerErrorSchema,
+  },
+})
+
+export type ClearGuildMemberTimeoutRoute = typeof clearGuildMemberTimeout
diff --git a/apps/api/src/routes/v1/guilds/schema.ts b/apps/api/src/routes/v1/guilds/schema.ts
index 3876528..059f466 100644
--- a/apps/api/src/routes/v1/guilds/schema.ts
+++ b/apps/api/src/routes/v1/guilds/schema.ts
@@ -1,4 +1,5 @@
 import { z } from "@hono/zod-openapi"
+import { assignableGuildRoles } from "@repo/auth/permissions"
 import { guildSlugParamsSchema } from "@/routes/v1/channels/schema"
 
 export { guildSlugParamsSchema }
@@ -10,12 +11,77 @@ export const guildMemberPresenceSchema = z.object({
   displayUsername: z.string().nullable(),
   image: z.string().nullable(),
   role: z.string(),
+  isOwner: z.boolean(),
   status: z.enum(["online", "offline"]),
+  communicationDisabledUntil: z.string().datetime().nullable(),
+  communicationDisabledReason: z.string().nullable(),
 })
 
 export const listGuildMembersResponseSchema = z.object({
   guildId: z.string().uuid(),
   guildSlug: z.string(),
   guildName: z.string(),
+  ownerId: z.string().uuid(),
   members: z.array(guildMemberPresenceSchema),
 })
+
+export const guildMemberParamsSchema = guildSlugParamsSchema.extend({
+  userId: z
+    .string()
+    .uuid()
+    .openapi({
+      param: {
+        name: "userId",
+        in: "path",
+        required: true,
+      },
+      example: "00000000-0000-0000-0000-000000000000",
+    }),
+})
+
+export const updateGuildMemberRoleRequestSchema = z.object({
+  role: z.enum(assignableGuildRoles),
+})
+
+export const updateGuildMemberRoleResponseSchema = z.object({
+  success: z.literal(true),
+  member: guildMemberPresenceSchema,
+})
+
+export const moderateGuildMemberResponseSchema = z.object({
+  success: z.literal(true),
+})
+
+export const guildBanSchema = z.object({
+  userId: z.string().uuid(),
+  guildId: z.string().uuid(),
+  bannedBy: z.string().uuid(),
+  reason: z.string().nullable(),
+  expiresAt: z.string().datetime().nullable(),
+  createdAt: z.string().datetime(),
+  revokedAt: z.string().datetime().nullable(),
+})
+
+export const banGuildMemberRequestSchema = z.object({
+  reason: z.string().trim().min(1).max(255).nullable().optional(),
+  expiresAt: z.string().datetime().nullable().optional(),
+})
+
+export const banGuildMemberResponseSchema = z.object({
+  success: z.literal(true),
+  ban: guildBanSchema,
+})
+
+export const timeoutGuildMemberRequestSchema = z.object({
+  durationMinutes: z
+    .number()
+    .int()
+    .min(1)
+    .max(60 * 24 * 28),
+  reason: z.string().trim().min(1).max(255).nullable().optional(),
+})
+
+export const timeoutGuildMemberResponseSchema = z.object({
+  success: z.literal(true),
+  member: guildMemberPresenceSchema,
+})
diff --git a/apps/api/src/routes/v1/uploads/handlers.ts b/apps/api/src/routes/v1/uploads/handlers.ts
index 3d79650..7c74774 100644
--- a/apps/api/src/routes/v1/uploads/handlers.ts
+++ b/apps/api/src/routes/v1/uploads/handlers.ts
@@ -5,6 +5,7 @@ import { channel, channelMember, guildMember } from "@repo/db/schema"
 import { env } from "@repo/env/server"
 import { and, eq } from "drizzle-orm"
 import * as HttpStatusCodes from "@/lib/helpers/http/status-codes"
+import { assertMemberCanCommunicate } from "@/lib/permissions"
 import { s3Client } from "@/lib/s3"
 import type { AppRouteHandler } from "@/lib/types/app-types"
 import type { AvatarPresignRoute, PresignRoute } from "./routes"
@@ -41,7 +42,10 @@ export const presign: AppRouteHandler<PresignRoute> = async (c) => {
   // Guild channel — verify guild membership
   if (ch.guildId) {
     const member = await db
-      .select({ id: guildMember.id })
+      .select({
+        id: guildMember.id,
+        communicationDisabledUntil: guildMember.communicationDisabledUntil,
+      })
       .from(guildMember)
       .where(
         and(
@@ -58,6 +62,8 @@ export const presign: AppRouteHandler<PresignRoute> = async (c) => {
         HttpStatusCodes.FORBIDDEN
       )
     }
+
+    assertMemberCanCommunicate(member)
   } else if (
     DM_CHANNEL_TYPES.includes(ch.type as (typeof DM_CHANNEL_TYPES)[number])
   ) {
diff --git a/apps/realtime/src/index.ts b/apps/realtime/src/index.ts
index b1b6af3..1c1d4a0 100644
--- a/apps/realtime/src/index.ts
+++ b/apps/realtime/src/index.ts
@@ -39,6 +39,7 @@ import {
   markUserConnected,
   markUserDisconnected,
 } from "@/services/presence"
+import { enforceGuildMessageRateLimit } from "@/services/rate-limit"
 import { markChannelRead } from "@/services/read-states"
 
 type SocketData = {
@@ -302,6 +303,19 @@ io.on("connection", (socket) => {
   socket.on("message:send", async (payload, ack) => {
     try {
       const parsed = sendMessagePayloadSchema.parse(payload)
+      const accessibleChannel = await assertUserCanAccessChannel(
+        socket.data.user.id,
+        parsed.channelId
+      )
+
+      if (accessibleChannel.guildId && accessibleChannel.memberRole) {
+        await enforceGuildMessageRateLimit(redisPresenceClient, {
+          guildId: accessibleChannel.guildId,
+          userId: socket.data.user.id,
+          role: accessibleChannel.memberRole,
+        })
+      }
+
       const createdMessage = await createMessage({
         userId: socket.data.user.id,
         payload: parsed,
diff --git a/apps/realtime/src/services/channel-access.ts b/apps/realtime/src/services/channel-access.ts
index b0c1e45..db3f440 100644
--- a/apps/realtime/src/services/channel-access.ts
+++ b/apps/realtime/src/services/channel-access.ts
@@ -4,6 +4,10 @@ export type AccessibleChannel = {
   id: string
   type: (typeof schema.channel.$inferSelect)["type"]
   guildId: string | null
+  memberRole: string | null
+  memberIsOwner: boolean
+  communicationDisabledUntil: Date | null
+  communicationDisabledReason: string | null
 }
 
 export async function assertUserCanAccessChannel(
@@ -31,8 +35,16 @@ export async function assertUserCanAccessChannel(
 
   if (channelRecord.guildId) {
     const memberRecord = await db
-      .select({ id: schema.guildMember.id })
+      .select({
+        role: schema.guildMember.role,
+        communicationDisabledUntil:
+          schema.guildMember.communicationDisabledUntil,
+        communicationDisabledReason:
+          schema.guildMember.communicationDisabledReason,
+        ownerId: schema.guild.ownerId,
+      })
       .from(schema.guildMember)
+      .innerJoin(schema.guild, eq(schema.guild.id, schema.guildMember.guildId))
       .where(
         and(
           eq(schema.guildMember.guildId, channelRecord.guildId),
@@ -46,7 +58,13 @@ export async function assertUserCanAccessChannel(
       throw new Error("Forbidden")
     }
 
-    return channelRecord
+    return {
+      ...channelRecord,
+      memberRole: memberRecord.role,
+      memberIsOwner: memberRecord.ownerId === userId,
+      communicationDisabledUntil: memberRecord.communicationDisabledUntil,
+      communicationDisabledReason: memberRecord.communicationDisabledReason,
+    }
   }
 
   const dmMemberRecord = await db
@@ -65,5 +83,11 @@ export async function assertUserCanAccessChannel(
     throw new Error("Forbidden")
   }
 
-  return channelRecord
+  return {
+    ...channelRecord,
+    memberRole: null,
+    memberIsOwner: false,
+    communicationDisabledUntil: null,
+    communicationDisabledReason: null,
+  }
 }
diff --git a/apps/realtime/src/services/messages.ts b/apps/realtime/src/services/messages.ts
index 011860e..2e3c4c6 100644
--- a/apps/realtime/src/services/messages.ts
+++ b/apps/realtime/src/services/messages.ts
@@ -12,6 +12,14 @@ import {
   assertUserCanAccessChannel,
 } from "./channel-access"
 
+function assertChannelCommunicationAllowed(channel: AccessibleChannel) {
+  if (!channel.guildId) return
+  if (!channel.communicationDisabledUntil) return
+  if (channel.communicationDisabledUntil.getTime() <= Date.now()) return
+
+  throw new Error("You are temporarily timed out and cannot send messages")
+}
+
 type CreateMessageInput = {
   userId: string
   payload: SendMessagePayload
@@ -53,6 +61,7 @@ export async function createMessage(input: CreateMessageInput) {
     input.userId,
     input.payload.channelId
   )
+  assertChannelCommunicationAllowed(channelRecord)
 
   let hasReply = !!input.payload.referencedMessageId
 
@@ -248,6 +257,7 @@ export async function editMessage(
     input.userId,
     input.payload.channelId
   )
+  assertChannelCommunicationAllowed(channelRecord)
 
   const messageRecord = await db
     .select({
@@ -293,6 +303,7 @@ export async function toggleMessageReaction(input: ToggleMessageReactionInput) {
     input.userId,
     input.payload.channelId
   )
+  assertChannelCommunicationAllowed(channelRecord)
 
   const messageRecord = await db
     .select({
diff --git a/apps/realtime/src/services/rate-limit.ts b/apps/realtime/src/services/rate-limit.ts
new file mode 100644
index 0000000..666b787
--- /dev/null
+++ b/apps/realtime/src/services/rate-limit.ts
@@ -0,0 +1,49 @@
+import { getGuildMessageRateLimit, isGuildRole } from "@repo/auth/permissions"
+import type { createClient } from "redis"
+
+type RedisClient = ReturnType<typeof createClient>
+
+const WINDOW_SECONDS = 60
+const KEY_TTL_SECONDS = 90
+
+function getMessageRateLimitKey(
+  guildId: string,
+  userId: string,
+  timestamp: number
+) {
+  const currentWindow = Math.floor(timestamp / (WINDOW_SECONDS * 1000))
+  return `ratelimit:guild:${guildId}:user:${userId}:message:${currentWindow}`
+}
+
+function getRetryAfterSeconds(timestamp: number) {
+  const elapsedSeconds = Math.floor(timestamp / 1000) % WINDOW_SECONDS
+  return Math.max(1, WINDOW_SECONDS - elapsedSeconds)
+}
+
+export async function enforceGuildMessageRateLimit(
+  redis: RedisClient,
+  input: {
+    guildId: string
+    userId: string
+    role: string
+  }
+) {
+  if (!isGuildRole(input.role)) {
+    throw new Error(`Unknown guild role: ${input.role}`)
+  }
+
+  const now = Date.now()
+  const key = getMessageRateLimitKey(input.guildId, input.userId, now)
+  const nextCount = await redis.incr(key)
+
+  if (nextCount === 1) {
+    await redis.expire(key, KEY_TTL_SECONDS)
+  }
+
+  const limit = getGuildMessageRateLimit(input.role)
+  if (nextCount <= limit) return
+
+  throw new Error(
+    `Rate limit exceeded. Try again in ${getRetryAfterSeconds(now)} seconds`
+  )
+}
diff --git a/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx b/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
index 4deaa98..44eaef2 100644
--- a/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
+++ b/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
@@ -1,10 +1,41 @@
+import { authClient } from "@repo/auth/client"
+import {
+  type AssignableGuildRole,
+  assignableGuildRoles,
+  type GuildRole,
+  isGuildRole,
+} from "@repo/auth/permissions"
 import type { PresenceUserUpdate } from "@repo/realtime-types"
+import {
+  AlertDialog,
+  AlertDialogAction,
+  AlertDialogCancel,
+  AlertDialogContent,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogHeader,
+  AlertDialogTitle,
+} from "@repo/ui/components/alert-dialog"
+import { Button } from "@repo/ui/components/button"
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuRadioGroup,
+  DropdownMenuRadioItem,
+  DropdownMenuSeparator,
+  DropdownMenuSub,
+  DropdownMenuSubContent,
+  DropdownMenuSubTrigger,
+  DropdownMenuTrigger,
+} from "@repo/ui/components/dropdown-menu"
 import { ScrollArea } from "@repo/ui/components/scroll-area"
 import { Skeleton } from "@repo/ui/components/skeleton"
 import { cn } from "@repo/ui/lib/utils"
-import { useQuery, useQueryClient } from "@tanstack/react-query"
-import { Users } from "lucide-react"
-import { useEffect, useMemo } from "react"
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query"
+import { MoreHorizontal, Users } from "lucide-react"
+import { useEffect, useMemo, useState } from "react"
+import { toast } from "sonner"
 import { UserAvatar } from "@/components/ui/user-avatar"
 import { useSocket } from "@/context/socket-context"
 import { apiClient } from "@/lib/api-client"
@@ -12,6 +43,14 @@ import type {
   GuildMemberPresence,
   ListGuildMembersResponse,
 } from "@/lib/api-types"
+import {
+  canBanGuildMembers,
+  canKickGuildMembers,
+  canManageGuildMember,
+  canTimeoutGuildMembers,
+  canUpdateGuildMemberRoles,
+  formatGuildRole,
+} from "@/lib/permissions"
 import type { GuildMembersSidebarView } from "./right-sidebar-types"
 
 const statusStyles: Record<GuildMemberPresence["status"], string> = {
@@ -24,18 +63,34 @@ const statusLabel: Record<GuildMemberPresence["status"], string> = {
   offline: "Offline",
 }
 
-const roleDisplayNames: Record<string, string> = {
-  owner: "Owner",
-  admin: "Admin",
-  warden: "Warden",
-  member: "Citizen",
+function formatRole(role: GuildMemberPresence["role"]) {
+  if (!role || !isGuildRole(role)) return "Citizen"
+  return formatGuildRole(role)
 }
 
-function formatRole(role: GuildMemberPresence["role"]) {
-  if (!role) return "Citizen"
-  return roleDisplayNames[role] ?? role.charAt(0).toUpperCase() + role.slice(1)
+function isMemberTimedOut(member: GuildMemberPresence) {
+  if (!member.communicationDisabledUntil) return false
+  return new Date(member.communicationDisabledUntil).getTime() > Date.now()
 }
 
+function formatTimeoutLabel(member: GuildMemberPresence) {
+  if (!member.communicationDisabledUntil) return null
+  const timeoutDate = new Date(member.communicationDisabledUntil)
+  if (Number.isNaN(timeoutDate.getTime())) return null
+  return `Timed out until ${timeoutDate.toLocaleString()}`
+}
+
+const timeoutOptions = [
+  { label: "10 minutes", durationMinutes: 10 },
+  { label: "1 hour", durationMinutes: 60 },
+  { label: "1 day", durationMinutes: 60 * 24 },
+] as const
+
+type ModerationDialogState =
+  | { type: "kick"; member: GuildMemberPresence }
+  | { type: "ban"; member: GuildMemberPresence }
+  | null
+
 function MembersSkeleton() {
   return (
     <div className="space-y-2 px-3 py-3">
@@ -56,10 +111,62 @@ function MembersSkeleton() {
   )
 }
 
-function MemberRow({ member }: { member: GuildMemberPresence }) {
+function MemberRow({
+  member,
+  currentUserId,
+  currentRole,
+  currentIsOwner,
+  onRoleChange,
+  onKick,
+  onBan,
+  onTimeout,
+  onClearTimeout,
+  isBusy,
+}: {
+  member: GuildMemberPresence
+  currentUserId: string | null
+  currentRole: GuildRole | null
+  currentIsOwner: boolean
+  onRoleChange: (member: GuildMemberPresence, role: AssignableGuildRole) => void
+  onKick: (member: GuildMemberPresence) => void
+  onBan: (member: GuildMemberPresence) => void
+  onTimeout: (member: GuildMemberPresence, durationMinutes: number) => void
+  onClearTimeout: (member: GuildMemberPresence) => void
+  isBusy: boolean
+}) {
+  const targetRole = isGuildRole(member.role) ? member.role : null
+  const canManageTarget =
+    currentRole && targetRole
+      ? canManageGuildMember(
+          currentRole,
+          targetRole,
+          currentIsOwner,
+          member.isOwner
+        ) && currentUserId !== member.userId
+      : false
+
+  const canUpdateRole =
+    currentRole && targetRole
+      ? canUpdateGuildMemberRoles(currentRole) && canManageTarget
+      : false
+  const canKick =
+    currentRole && targetRole
+      ? canKickGuildMembers(currentRole) && canManageTarget
+      : false
+  const canBan =
+    currentRole && targetRole
+      ? canBanGuildMembers(currentRole) && canManageTarget
+      : false
+  const canTimeout =
+    currentRole && targetRole
+      ? canTimeoutGuildMembers(currentRole) && canManageTarget
+      : false
+  const showActions = canUpdateRole || canKick || canBan || canTimeout
+  const timeoutLabel = formatTimeoutLabel(member)
+
   return (
-    <div className="flex items-center gap-2 rounded-md px-1.5 py-1.5 hover:bg-foreground/[0.04]">
-      <div className="relative">
+    <div className="flex min-w-0 items-center gap-2 rounded-md px-1.5 py-1.5 hover:bg-foreground/[0.04]">
+      <div className="relative shrink-0">
         <UserAvatar name={member.name} src={member.image} size="sm" />
         <span
           className={cn(
@@ -73,10 +180,108 @@ function MemberRow({ member }: { member: GuildMemberPresence }) {
         <div className="truncate text-[11px] text-muted-foreground">
           {formatRole(member.role)}
         </div>
+        {timeoutLabel && (
+          <div className="truncate text-[11px] text-amber-700 dark:text-amber-400">
+            {timeoutLabel}
+          </div>
+        )}
+      </div>
+      <div className="flex shrink-0 items-center gap-2 pl-2">
+        <span className="max-w-12 truncate text-[11px] text-muted-foreground">
+          {statusLabel[member.status]}
+        </span>
+        {showActions && (
+          <DropdownMenu>
+            <DropdownMenuTrigger asChild>
+              <Button
+                variant="ghost"
+                size="icon"
+                className="size-7"
+                disabled={isBusy}
+              >
+                <MoreHorizontal className="size-4" />
+                <span className="sr-only">Moderate member</span>
+              </Button>
+            </DropdownMenuTrigger>
+            <DropdownMenuContent align="end">
+              {canUpdateRole && targetRole && (
+                <DropdownMenuSub>
+                  <DropdownMenuSubTrigger>Change Role</DropdownMenuSubTrigger>
+                  <DropdownMenuSubContent>
+                    <DropdownMenuRadioGroup
+                      value={
+                        assignableGuildRoles.includes(
+                          targetRole as AssignableGuildRole
+                        )
+                          ? targetRole
+                          : "member"
+                      }
+                      onValueChange={(value) => {
+                        if (
+                          !assignableGuildRoles.includes(
+                            value as AssignableGuildRole
+                          )
+                        ) {
+                          return
+                        }
+
+                        onRoleChange(member, value as AssignableGuildRole)
+                      }}
+                    >
+                      {assignableGuildRoles.map((role) => (
+                        <DropdownMenuRadioItem key={role} value={role}>
+                          {formatGuildRole(role)}
+                        </DropdownMenuRadioItem>
+                      ))}
+                    </DropdownMenuRadioGroup>
+                  </DropdownMenuSubContent>
+                </DropdownMenuSub>
+              )}
+              {canTimeout && (
+                <DropdownMenuSub>
+                  <DropdownMenuSubTrigger>Timeout</DropdownMenuSubTrigger>
+                  <DropdownMenuSubContent>
+                    {timeoutOptions.map((option) => (
+                      <DropdownMenuItem
+                        key={option.durationMinutes}
+                        onClick={() =>
+                          onTimeout(member, option.durationMinutes)
+                        }
+                      >
+                        {option.label}
+                      </DropdownMenuItem>
+                    ))}
+                    {isMemberTimedOut(member) && (
+                      <>
+                        <DropdownMenuSeparator />
+                        <DropdownMenuItem
+                          onClick={() => onClearTimeout(member)}
+                        >
+                          Clear timeout
+                        </DropdownMenuItem>
+                      </>
+                    )}
+                  </DropdownMenuSubContent>
+                </DropdownMenuSub>
+              )}
+              {(canKick || canBan) && <DropdownMenuSeparator />}
+              {canKick && (
+                <DropdownMenuItem onClick={() => onKick(member)}>
+                  Kick member
+                </DropdownMenuItem>
+              )}
+              {canBan && (
+                <DropdownMenuItem
+                  variant="destructive"
+                  onClick={() => onBan(member)}
+                >
+                  Ban member
+                </DropdownMenuItem>
+              )}
+            </DropdownMenuContent>
+          </DropdownMenu>
+        )}
       </div>
-      <span className="text-[11px] text-muted-foreground">
-        {statusLabel[member.status]}
-      </span>
     </div>
   )
 }
@@ -84,6 +289,9 @@ function MemberRow({ member }: { member: GuildMemberPresence }) {
 export function GuildMembersPanel({ view }: { view: GuildMembersSidebarView }) {
   const socket = useSocket()
   const queryClient = useQueryClient()
+  const { data: session } = authClient.useSession()
+  const [moderationDialog, setModerationDialog] =
+    useState<ModerationDialogState>(null)
   const queryKey = useMemo(
     () => ["guild-members", view.guildSlug] as const,
     [view.guildSlug]
@@ -99,7 +307,188 @@ export function GuildMembersPanel({ view }: { view: GuildMembersSidebarView }) {
       return res.json()
     },
   })
+  const { data: activeMember } = useQuery({
+    queryKey: ["active-guild-member", view.guildSlug],
+    queryFn: async () => {
+      const res = await authClient.organization.getActiveMember()
+      return res.data
+    },
+    enabled: !!view.guildSlug,
+  })
   const guildId = data?.guildId
+  const currentUserId = session?.user?.id ?? null
+  const activeMemberRole =
+    typeof activeMember?.role === "string" ? activeMember.role : null
+  const currentRole =
+    activeMemberRole && isGuildRole(activeMemberRole) ? activeMemberRole : null
+  const currentIsOwner = data?.ownerId === currentUserId
+
+  const invalidateMembers = async () => {
+    await queryClient.invalidateQueries({ queryKey })
+  }
+
+  const updateRoleMutation = useMutation({
+    mutationFn: async (input: {
+      userId: string
+      role: AssignableGuildRole
+    }) => {
+      const res = await apiClient.v1.guilds[":guildSlug"].members[
+        ":userId"
+      ].role.$patch({
+        param: { guildSlug: view.guildSlug, userId: input.userId },
+        json: { role: input.role },
+      })
+
+      if (!res.ok) {
+        throw new Error("Failed to update guild member role")
+      }
+
+      return res.json()
+    },
+    onSuccess: async () => {
+      await invalidateMembers()
+      toast.success("Role updated")
+    },
+    onError: () => {
+      toast.error("Failed to update role")
+    },
+  })
+
+  const kickMutation = useMutation({
+    mutationFn: async (userId: string) => {
+      const res = await apiClient.v1.guilds[":guildSlug"].members[
+        ":userId"
+      ].kick.$post({
+        param: { guildSlug: view.guildSlug, userId },
+      })
+
+      if (!res.ok) {
+        throw new Error("Failed to kick member")
+      }
+    },
+    onSuccess: async () => {
+      await invalidateMembers()
+      setModerationDialog(null)
+      toast.success("Member kicked")
+    },
+    onError: () => {
+      toast.error("Failed to kick member")
+    },
+  })
+
+  const banMutation = useMutation({
+    mutationFn: async (userId: string) => {
+      const res = await apiClient.v1.guilds[":guildSlug"].members[
+        ":userId"
+      ].ban.$post({
+        param: { guildSlug: view.guildSlug, userId },
+        json: { reason: null, expiresAt: null },
+      })
+
+      if (!res.ok) {
+        throw new Error("Failed to ban member")
+      }
+    },
+    onSuccess: async () => {
+      await invalidateMembers()
+      setModerationDialog(null)
+      toast.success("Member banned")
+    },
+    onError: () => {
+      toast.error("Failed to ban member")
+    },
+  })
+
+  const timeoutMutation = useMutation({
+    mutationFn: async (input: { userId: string; durationMinutes: number }) => {
+      const res = await apiClient.v1.guilds[":guildSlug"].members[
+        ":userId"
+      ].timeout.$post({
+        param: { guildSlug: view.guildSlug, userId: input.userId },
+        json: {
+          durationMinutes: input.durationMinutes,
+          reason: null,
+        },
+      })
+
+      if (!res.ok) {
+        throw new Error("Failed to time out member")
+      }
+    },
+    onSuccess: async () => {
+      await invalidateMembers()
+      toast.success("Timeout applied")
+    },
+    onError: () => {
+      toast.error("Failed to apply timeout")
+    },
+  })
+
+  const clearTimeoutMutation = useMutation({
+    mutationFn: async (userId: string) => {
+      const res = await apiClient.v1.guilds[":guildSlug"].members[
+        ":userId"
+      ].timeout.$delete({
+        param: { guildSlug: view.guildSlug, userId },
+      })
+
+      if (!res.ok) {
+        throw new Error("Failed to clear timeout")
+      }
+    },
+    onSuccess: async () => {
+      await invalidateMembers()
+      toast.success("Timeout cleared")
+    },
+    onError: () => {
+      toast.error("Failed to clear timeout")
+    },
+  })
+
+  const isMutating =
+    updateRoleMutation.isPending ||
+    kickMutation.isPending ||
+    banMutation.isPending ||
+    timeoutMutation.isPending ||
+    clearTimeoutMutation.isPending
+
+  const handleRoleChange = (
+    member: GuildMemberPresence,
+    role: AssignableGuildRole
+  ) => {
+    if (member.role === role) return
+    updateRoleMutation.mutate({ userId: member.userId, role })
+  }
+
+  const handleKick = (member: GuildMemberPresence) => {
+    setModerationDialog({ type: "kick", member })
+  }
+
+  const handleBan = (member: GuildMemberPresence) => {
+    setModerationDialog({ type: "ban", member })
+  }
+
+  const handleTimeout = (
+    member: GuildMemberPresence,
+    durationMinutes: number
+  ) => {
+    timeoutMutation.mutate({ userId: member.userId, durationMinutes })
+  }
+
+  const handleClearTimeout = (member: GuildMemberPresence) => {
+    clearTimeoutMutation.mutate(member.userId)
+  }
+
+  const handleConfirmModeration = () => {
+    if (!moderationDialog) return
+
+    if (moderationDialog.type === "kick") {
+      kickMutation.mutate(moderationDialog.member.userId)
+      return
+    }
+
+    banMutation.mutate(moderationDialog.member.userId)
+  }
 
   useEffect(() => {
     if (!socket || !guildId) return
@@ -178,62 +567,131 @@ export function GuildMembersPanel({ view }: { view: GuildMembersSidebarView }) {
   const onlineMembers = members.filter((member) => member.status !== "offline")
   const offlineMembers = members.filter((member) => member.status === "offline")
   const guildName = data?.guildName?.trim() || "Guild"
+  const isModerationDialogOpen = moderationDialog !== null
+  const moderationDialogTitle =
+    moderationDialog?.type === "kick" ? "Kick member" : "Ban member"
+  const moderationDialogDescription =
+    moderationDialog?.type === "kick"
+      ? `Are you sure you want to kick ${moderationDialog.member.name} from this guild? They can rejoin if invited again.`
+      : moderationDialog
+        ? `Are you sure you want to ban ${moderationDialog.member.name} from this guild? They will be removed immediately and blocked from rejoining.`
+        : ""
+  const isModerationSubmitting =
+    (moderationDialog?.type === "kick" && kickMutation.isPending) ||
+    (moderationDialog?.type === "ban" && banMutation.isPending)
+  const moderationActionLabel =
+    moderationDialog?.type === "kick" ? "Kick member" : "Ban member"
 
   return (
-    <div className="flex h-full w-full flex-col bg-card">
-      <div className="border-b border-border px-4 py-3">
-        <div className="flex items-center gap-2">
-          <Users className="size-4 text-muted-foreground" />
-          <span className="text-sm font-semibold">{guildName} Members</span>
+    <>
+      <div className="flex h-full w-full flex-col bg-card">
+        <div className="border-b border-border px-4 py-3">
+          <div className="flex items-center gap-2">
+            <Users className="size-4 text-muted-foreground" />
+            <span className="text-sm font-semibold">{guildName} Members</span>
+          </div>
+          <p className="mt-1 text-xs text-muted-foreground">
+            {members.length} total members
+          </p>
         </div>
-        <p className="mt-1 text-xs text-muted-foreground">
-          {members.length} total members
-        </p>
-      </div>
 
-      {isPending ? (
-        <MembersSkeleton />
-      ) : isError ? (
-        <div className="px-4 py-3 text-sm text-muted-foreground">
-          Failed to load members.
-        </div>
-      ) : (
-        <ScrollArea className="flex-1 px-2 py-2">
-          {members.length === 0 ? (
-            <div className="px-2 py-4 text-sm text-muted-foreground">
-              No members found for this guild.
-            </div>
-          ) : (
-            <div className="space-y-4 px-1 pb-3">
-              {onlineMembers.length > 0 && (
-                <section>
-                  <div className="px-1 pb-1 text-[11px] font-semibold uppercase tracking-wider text-muted-foreground">
-                    Online - {onlineMembers.length}
-                  </div>
-                  <div className="space-y-0.5">
-                    {onlineMembers.map((member) => (
-                      <MemberRow key={member.userId} member={member} />
-                    ))}
-                  </div>
-                </section>
-              )}
+        {isPending ? (
+          <MembersSkeleton />
+        ) : isError ? (
+          <div className="px-4 py-3 text-sm text-muted-foreground">
+            Failed to load members.
+          </div>
+        ) : (
+          <ScrollArea className="min-w-0 flex-1 overflow-x-hidden px-2 py-2">
+            {members.length === 0 ? (
+              <div className="px-2 py-4 text-sm text-muted-foreground">
+                No members found for this guild.
+              </div>
+            ) : (
+              <div className="min-w-0 space-y-4 px-1 pb-3">
+                {onlineMembers.length > 0 && (
+                  <section>
+                    <div className="px-1 pb-1 text-[11px] font-semibold uppercase tracking-wider text-muted-foreground">
+                      Online - {onlineMembers.length}
+                    </div>
+                    <div className="space-y-0.5">
+                      {onlineMembers.map((member) => (
+                        <MemberRow
+                          key={member.userId}
+                          member={member}
+                          currentUserId={currentUserId}
+                          currentRole={currentRole}
+                          currentIsOwner={currentIsOwner}
+                          onRoleChange={handleRoleChange}
+                          onKick={handleKick}
+                          onBan={handleBan}
+                          onTimeout={handleTimeout}
+                          onClearTimeout={handleClearTimeout}
+                          isBusy={isMutating}
+                        />
+                      ))}
+                    </div>
+                  </section>
+                )}
 
-              {offlineMembers.length > 0 && (
-                <section>
-                  <div className="px-1 pb-1 text-[11px] font-semibold uppercase tracking-wider text-muted-foreground">
-                    Offline - {offlineMembers.length}
-                  </div>
-                  <div className="space-y-0.5">
-                    {offlineMembers.map((member) => (
-                      <MemberRow key={member.userId} member={member} />
-                    ))}
-                  </div>
-                </section>
-              )}
-            </div>
-          )}
-        </ScrollArea>
-      )}
-    </div>
+                {offlineMembers.length > 0 && (
+                  <section>
+                    <div className="px-1 pb-1 text-[11px] font-semibold uppercase tracking-wider text-muted-foreground">
+                      Offline - {offlineMembers.length}
+                    </div>
+                    <div className="space-y-0.5">
+                      {offlineMembers.map((member) => (
+                        <MemberRow
+                          key={member.userId}
+                          member={member}
+                          currentUserId={currentUserId}
+                          currentRole={currentRole}
+                          currentIsOwner={currentIsOwner}
+                          onRoleChange={handleRoleChange}
+                          onKick={handleKick}
+                          onBan={handleBan}
+                          onTimeout={handleTimeout}
+                          onClearTimeout={handleClearTimeout}
+                          isBusy={isMutating}
+                        />
+                      ))}
+                    </div>
+                  </section>
+                )}
+              </div>
+            )}
+          </ScrollArea>
+        )}
+      </div>
+      <AlertDialog
+        open={isModerationDialogOpen}
+        onOpenChange={(open) => {
+          if (!open) {
+            setModerationDialog(null)
+          }
+        }}
+      >
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle>{moderationDialogTitle}</AlertDialogTitle>
+            <AlertDialogDescription>
+              {moderationDialogDescription}
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <AlertDialogFooter>
+            <AlertDialogCancel disabled={isModerationSubmitting}>
+              Cancel
+            </AlertDialogCancel>
+            <AlertDialogAction
+              variant="destructive"
+              loading={isModerationSubmitting}
+              onClick={handleConfirmModeration}
+            >
+              {moderationActionLabel}
+            </AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
+    </>
   )
 }
diff --git a/apps/web/src/components/sidebar/right-panel/right-sidebar-panel.tsx b/apps/web/src/components/sidebar/right-panel/right-sidebar-panel.tsx
index 5773e12..8af9679 100644
--- a/apps/web/src/components/sidebar/right-panel/right-sidebar-panel.tsx
+++ b/apps/web/src/components/sidebar/right-panel/right-sidebar-panel.tsx
@@ -25,7 +25,7 @@ function PlaceholderSidebar({
 
 export function RightSidebarPanel({ view }: { view: RightSidebarView }) {
   return (
-    <aside className="hidden h-full w-[320px] shrink-0 border-l border-border bg-card xl:flex">
+    <aside className="hidden h-full w-[360px] min-w-[360px] shrink-0 border-l border-border bg-card xl:flex">
       {view.type === "guild-members" && <GuildMembersPanel view={view} />}
       {view.type === "thread" && (
         <PlaceholderSidebar
diff --git a/apps/web/src/lib/permissions.ts b/apps/web/src/lib/permissions.ts
index 54b8620..446571a 100644
--- a/apps/web/src/lib/permissions.ts
+++ b/apps/web/src/lib/permissions.ts
@@ -1,16 +1,56 @@
-import { authClient } from "@repo/auth/client"
-import type { GuildRole } from "@repo/auth/permissions"
+import {
+  canManageGuildAuthority,
+  formatGuildRole,
+  type GuildRole,
+  roleHasPermissions,
+} from "@repo/auth/permissions"
 
 export function canManageChannels(role: GuildRole): boolean {
-  return authClient.organization.checkRolePermission({
-    permissions: { channel: ["update"] },
-    role,
+  return roleHasPermissions(role, {
+    channel: ["update"],
   })
 }
 
 export function canDeleteChannels(role: GuildRole): boolean {
-  return authClient.organization.checkRolePermission({
-    permissions: { channel: ["delete"] },
-    role,
+  return roleHasPermissions(role, {
+    channel: ["delete"],
   })
 }
+
+export function canUpdateGuildMemberRoles(role: GuildRole): boolean {
+  return roleHasPermissions(role, {
+    guildMember: ["role:update"],
+  })
+}
+
+export function canKickGuildMembers(role: GuildRole): boolean {
+  return roleHasPermissions(role, {
+    guildMember: ["kick"],
+  })
+}
+
+export function canBanGuildMembers(role: GuildRole): boolean {
+  return roleHasPermissions(role, {
+    guildMember: ["ban"],
+  })
+}
+
+export function canTimeoutGuildMembers(role: GuildRole): boolean {
+  return roleHasPermissions(role, {
+    guildMember: ["timeout"],
+  })
+}
+
+export function canManageGuildMember(
+  actorRole: GuildRole,
+  targetRole: GuildRole,
+  actorIsOwner = false,
+  targetIsOwner = false
+) {
+  return canManageGuildAuthority(
+    { role: actorRole, isOwner: actorIsOwner },
+    { role: targetRole, isOwner: targetIsOwner }
+  )
+}
+
+export { formatGuildRole }
diff --git a/packages/auth/src/lib/permissions.ts b/packages/auth/src/lib/permissions.ts
index 885afd2..824833e 100644
--- a/packages/auth/src/lib/permissions.ts
+++ b/packages/auth/src/lib/permissions.ts
@@ -10,26 +10,49 @@ const statement = {
   ...defaultStatements,
   channel: ["create", "update", "delete"],
   message: ["delete"], // delete others' messages (own messages are always deletable)
+  guildMember: ["kick", "ban", "timeout", "role:update"],
 } as const
 
 const ac = createAccessControl(statement)
 
+const guildPermissionGrants = {
+  owner: {
+    channel: ["create", "update", "delete"],
+    message: ["delete"],
+    guildMember: ["kick", "ban", "timeout", "role:update"],
+  },
+  admin: {
+    channel: ["create", "update", "delete"],
+    message: ["delete"],
+    guildMember: ["kick", "ban", "timeout", "role:update"],
+  },
+  warden: {
+    channel: ["create", "update"],
+    message: ["delete"],
+    guildMember: ["kick", "ban", "timeout"],
+  },
+  member: {},
+} as const
+
 const owner = ac.newRole({
   channel: ["create", "update", "delete"],
   message: ["delete"],
+  guildMember: ["kick", "ban", "timeout", "role:update"],
   ...ownerAc.statements,
 })
 
 const admin = ac.newRole({
   channel: ["create", "update", "delete"],
   message: ["delete"],
+  guildMember: ["kick", "ban", "timeout", "role:update"],
   ...adminAc.statements,
 })
 
-// Warden (moderator) — can create/update channels and moderate messages
+// Warden (moderator) — can create/update channels and moderate messages/members
 const warden = ac.newRole({
   channel: ["create", "update"],
   message: ["delete"],
+  guildMember: ["kick", "ban", "timeout"],
   ...memberAc.statements,
 })
 
@@ -40,6 +63,115 @@ const member = ac.newRole({
 
 const roles = { owner, admin, warden, member }
 
+const guildRoleLabels = {
+  owner: "Owner",
+  admin: "Admin",
+  warden: "Warden",
+  member: "Citizen",
+} as const satisfies Record<keyof typeof roles, string>
+
+const guildRolePositions = {
+  owner: 0,
+  admin: 10,
+  warden: 20,
+  member: 30,
+} as const satisfies Record<keyof typeof roles, number>
+
+const guildMessageRateLimitsPerMinute = {
+  owner: 120,
+  admin: 120,
+  warden: 60,
+  member: 30,
+} as const satisfies Record<keyof typeof roles, number>
+
+const assignableGuildRoles = ["admin", "warden", "member"] as const
+
 export type GuildRole = keyof typeof roles
+export type AssignableGuildRole = (typeof assignableGuildRoles)[number]
+export type StatementKey = keyof typeof statement
+export type PermissionRequest = {
+  [K in StatementKey]?: readonly (typeof statement)[K][number][]
+}
+export type GuildAuthority = {
+  role: GuildRole
+  isOwner?: boolean
+}
+
+export function isGuildRole(value: string): value is GuildRole {
+  return value in roles
+}
+
+export function formatGuildRole(role: GuildRole) {
+  return guildRoleLabels[role]
+}
+
+export function getGuildRolePosition(role: GuildRole) {
+  return guildRolePositions[role]
+}
+
+export function getGuildAuthorityPosition(authority: GuildAuthority) {
+  if (authority.isOwner) return guildRolePositions.owner
+  return getGuildRolePosition(authority.role)
+}
+
+export function canManageGuildAuthority(
+  actor: GuildAuthority,
+  target: GuildAuthority
+) {
+  if (target.isOwner) {
+    return actor.isOwner === true
+  }
+
+  return getGuildAuthorityPosition(actor) < getGuildAuthorityPosition(target)
+}
+
+export function roleHasPermissions(
+  role: GuildRole,
+  requestedPermissions: PermissionRequest
+) {
+  const grantedStatements = guildPermissionGrants[role] as Record<
+    string,
+    readonly string[] | undefined
+  >
+
+  for (const [resource, actions] of Object.entries(requestedPermissions)) {
+    if (!actions || actions.length === 0) continue
+
+    const grantedActions = grantedStatements[resource] ?? []
+    const grantedActionSet = new Set(grantedActions)
+
+    for (const action of actions) {
+      if (!grantedActionSet.has(action)) {
+        return false
+      }
+    }
+  }
+
+  return true
+}
+
+export function guildAuthorityHasPermissions(
+  authority: GuildAuthority,
+  requestedPermissions: PermissionRequest
+) {
+  if (authority.isOwner) return true
+  return roleHasPermissions(authority.role, requestedPermissions)
+}
+
+export function getGuildMessageRateLimit(role: GuildRole) {
+  return guildMessageRateLimitsPerMinute[role]
+}
 
-export { ac, admin, member, owner, roles, statement, warden }
+export {
+  ac,
+  admin,
+  assignableGuildRoles,
+  guildMessageRateLimitsPerMinute,
+  guildRoleLabels,
+  guildRolePositions,
+  member,
+  owner,
+  roles,
+  statement,
+  warden,
+}
diff --git a/packages/db/src/schemas/guild-bans.ts b/packages/db/src/schemas/guild-bans.ts
new file mode 100644
index 0000000..9a50a9c
--- /dev/null
+++ b/packages/db/src/schemas/guild-bans.ts
@@ -0,0 +1,59 @@
+import { relations } from "drizzle-orm"
+import {
+  index,
+  pgTable,
+  text,
+  timestamp,
+  uniqueIndex,
+  uuid,
+  varchar,
+} from "drizzle-orm/pg-core"
+import { guild } from "./guilds"
+import { user } from "./users"
+
+export const guildBan = pgTable(
+  "guild_ban",
+  {
+    id: uuid("id").defaultRandom().primaryKey(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .defaultNow()
+      .$onUpdate(() => new Date())
+      .notNull(),
+    guildId: uuid("guild_id")
+      .notNull()
+      .references(() => guild.id, { onDelete: "cascade" }),
+    userId: uuid("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    bannedBy: uuid("banned_by")
+      .notNull()
+      .references(() => user.id, { onDelete: "restrict" }),
+    reason: varchar("reason", { length: 255 }),
+    expiresAt: timestamp("expires_at"),
+    revokedAt: timestamp("revoked_at"),
+    revokeReason: text("revoke_reason"),
+  },
+  (table) => [
+    uniqueIndex("guildBan_guild_user_uidx").on(table.guildId, table.userId),
+    index("guildBan_guild_idx").on(table.guildId),
+    index("guildBan_user_idx").on(table.userId),
+  ]
+)
+
+export const guildBanRelations = relations(guildBan, ({ one }) => ({
+  guild: one(guild, {
+    fields: [guildBan.guildId],
+    references: [guild.id],
+  }),
+  user: one(user, {
+    relationName: "guildBanUser",
+    fields: [guildBan.userId],
+    references: [user.id],
+  }),
+  bannedByUser: one(user, {
+    relationName: "guildBanModerator",
+    fields: [guildBan.bannedBy],
+    references: [user.id],
+  }),
+}))
diff --git a/packages/db/src/schemas/guild-members.ts b/packages/db/src/schemas/guild-members.ts
index e8805f3..f48348f 100644
--- a/packages/db/src/schemas/guild-members.ts
+++ b/packages/db/src/schemas/guild-members.ts
@@ -1,5 +1,12 @@
 import { relations } from "drizzle-orm"
-import { index, pgTable, text, timestamp, uuid } from "drizzle-orm/pg-core"
+import {
+  index,
+  pgTable,
+  text,
+  timestamp,
+  uuid,
+  varchar,
+} from "drizzle-orm/pg-core"
 import { guild } from "./guilds"
 import { user } from "./users"
 
@@ -14,6 +21,14 @@ export const guildMember = pgTable(
       .notNull()
       .references(() => user.id, { onDelete: "cascade" }),
     role: text("role").default("member").notNull(),
+    communicationDisabledUntil: timestamp("communication_disabled_until"),
+    communicationDisabledBy: uuid("communication_disabled_by").references(
+      () => user.id,
+      { onDelete: "set null" }
+    ),
+    communicationDisabledReason: varchar("communication_disabled_reason", {
+      length: 255,
+    }),
     createdAt: timestamp("created_at").notNull(),
   },
   (table) => [
@@ -28,7 +43,13 @@ export const guildMemberRelations = relations(guildMember, ({ one }) => ({
     references: [guild.id],
   }),
   user: one(user, {
+    relationName: "guildMembershipUser",
     fields: [guildMember.userId],
     references: [user.id],
   }),
+  communicationDisabledByUser: one(user, {
+    relationName: "guildMemberModerator",
+    fields: [guildMember.communicationDisabledBy],
+    references: [user.id],
+  }),
 }))
diff --git a/packages/db/src/schemas/guilds.ts b/packages/db/src/schemas/guilds.ts
index 3697ee7..0ae2025 100644
--- a/packages/db/src/schemas/guilds.ts
+++ b/packages/db/src/schemas/guilds.ts
@@ -11,6 +11,7 @@ import {
   createSelectSchema,
   createUpdateSchema,
 } from "drizzle-zod"
+import { guildBan } from "./guild-bans"
 import { guildMember } from "./guild-members"
 import { guildRole } from "./guild-roles"
 import { invitation } from "./invitations"
@@ -37,6 +38,7 @@ export const guildRelations = relations(guild, ({ one, many }) => ({
     fields: [guild.ownerId],
     references: [user.id],
   }),
+  guildBans: many(guildBan),
   guildRoles: many(guildRole),
   guildMembers: many(guildMember),
   invitations: many(invitation),
diff --git a/packages/db/src/schemas/index.ts b/packages/db/src/schemas/index.ts
index 5362da1..682d43e 100644
--- a/packages/db/src/schemas/index.ts
+++ b/packages/db/src/schemas/index.ts
@@ -1,6 +1,7 @@
 export * from "./accounts"
 export * from "./channel-read-states"
 export * from "./channels"
+export * from "./guild-bans"
 export * from "./guild-members"
 export * from "./guild-roles"
 export * from "./guilds"
diff --git a/packages/db/src/schemas/users.ts b/packages/db/src/schemas/users.ts
index a018590..3a47ab1 100644
--- a/packages/db/src/schemas/users.ts
+++ b/packages/db/src/schemas/users.ts
@@ -8,6 +8,7 @@ import {
   varchar,
 } from "drizzle-orm/pg-core"
 import { account } from "./accounts"
+import { guildBan } from "./guild-bans"
 import { guildMember } from "./guild-members"
 import { guild } from "./guilds"
 import { invitation } from "./invitations"
@@ -41,7 +42,18 @@ export const userRelations = relations(user, ({ many }) => ({
   sessions: many(session),
   accounts: many(account),
   guilds: many(guild), // can be owners of many guilds
-  guildMembers: many(guildMember),
+  guildBans: many(guildBan, {
+    relationName: "guildBanUser",
+  }),
+  issuedGuildBans: many(guildBan, {
+    relationName: "guildBanModerator",
+  }),
+  guildMembers: many(guildMember, {
+    relationName: "guildMembershipUser",
+  }),
+  moderatedGuildMembers: many(guildMember, {
+    relationName: "guildMemberModerator",
+  }),
   invitations: many(invitation),
   twoFactors: many(twoFactor),
 }))

From b3ba19240e9d811b9fc09a9617760d339d863c30 Mon Sep 17 00:00:00 2001
From: Jacob Owens <jacobowens75@gmail.com>
Date: Wed, 11 Mar 2026 14:59:11 -0700
Subject: [PATCH 3/6] fix: changed checkPermission that used headers to
 assertPermission which uses the already authenticated member form the
 middleware to check channel access

---
 apps/api/src/lib/permissions.ts               | 11 ++--
 apps/api/src/routes/v1/channels/handlers.ts   | 30 +++++++----
 apps/api/src/routes/v1/channels/schema.ts     |  7 ++-
 .../channel-panel/edit-channel-dialog.tsx     | 21 +++++++-
 .../src/routes/_authenticated/$guildSlug.tsx  | 53 ++++++++++++++++---
 5 files changed, 98 insertions(+), 24 deletions(-)

diff --git a/apps/api/src/lib/permissions.ts b/apps/api/src/lib/permissions.ts
index e2494b7..711e1a4 100644
--- a/apps/api/src/lib/permissions.ts
+++ b/apps/api/src/lib/permissions.ts
@@ -38,13 +38,14 @@ function toGuildAuthority(
 
 /**
  * Checks if the current user has the specified permissions in their active guild.
- * Uses better-auth's hasPermission API.
- *
- * Throws an HTTPException with 403 if the user lacks the required permissions.
+ * Uses better-auth's hasPermission API and throws HTTPException(403) when the
+ * requested permission is missing.
  *
  * @example
- * const allowed = await checkPermission(c.req.raw.headers, "channel", ["update"])
- * if (!allowed) throw new HTTPException(403)
+ * await checkPermission(c.req.raw.headers, "channel", ["update"])
+ *
+ * // If the permission is missing, checkPermission(...) throws
+ * // HTTPException(403) from the internal !result.success branch.
  */
 export async function checkPermission<
   TResource extends StatementKey,
diff --git a/apps/api/src/routes/v1/channels/handlers.ts b/apps/api/src/routes/v1/channels/handlers.ts
index 22aef92..99a7386 100644
--- a/apps/api/src/routes/v1/channels/handlers.ts
+++ b/apps/api/src/routes/v1/channels/handlers.ts
@@ -2,7 +2,7 @@ import { db } from "@repo/db"
 import { channel } from "@repo/db/schema"
 import { and, asc, eq, inArray } from "drizzle-orm"
 import * as HttpStatusCodes from "@/lib/helpers/http/status-codes"
-import { checkPermission } from "@/lib/permissions"
+import { assertGuildPermission } from "@/lib/permissions"
 import { fetchMessagePage } from "@/lib/queries/messages"
 import type { AppRouteHandler } from "@/lib/types/app-types"
 import type {
@@ -58,11 +58,14 @@ export const listChannels: AppRouteHandler<ListChannelsRoute> = async (c) => {
 }
 
 export const createChannel: AppRouteHandler<CreateChannelRoute> = async (c) => {
-  await checkPermission(c.req.raw.headers, "channel", ["create"])
-
   const guild = c.var.guild
+  const member = c.var.member
   const body = c.req.valid("json")
 
+  assertGuildPermission(member, guild, {
+    channel: ["create"],
+  })
+
   const newChannel = await db
     .insert(channel)
     .values({
@@ -85,11 +88,14 @@ export const createChannel: AppRouteHandler<CreateChannelRoute> = async (c) => {
 export const reorderChannels: AppRouteHandler<ReorderChannelsRoute> = async (
   c
 ) => {
-  await checkPermission(c.req.raw.headers, "channel", ["update"])
-
   const guild = c.var.guild
+  const member = c.var.member
   const { channels: updates } = c.req.valid("json")
 
+  assertGuildPermission(member, guild, {
+    channel: ["update"],
+  })
+
   const channelIds = updates.map((u) => u.id)
   const uniqueChannelIds = [...new Set(channelIds)]
 
@@ -142,12 +148,15 @@ export const getChannel: AppRouteHandler<GetChannelRoute> = async (c) => {
 }
 
 export const updateChannel: AppRouteHandler<UpdateChannelRoute> = async (c) => {
-  await checkPermission(c.req.raw.headers, "channel", ["update"])
-
   const guild = c.var.guild
+  const member = c.var.member
   const { channelId } = c.req.valid("param")
   const body = c.req.valid("json")
 
+  assertGuildPermission(member, guild, {
+    channel: ["update"],
+  })
+
   const updated = await db
     .update(channel)
     .set(body)
@@ -166,11 +175,14 @@ export const updateChannel: AppRouteHandler<UpdateChannelRoute> = async (c) => {
 }
 
 export const deleteChannel: AppRouteHandler<DeleteChannelRoute> = async (c) => {
-  await checkPermission(c.req.raw.headers, "channel", ["delete"])
-
   const guild = c.var.guild
+  const member = c.var.member
   const { channelId } = c.req.valid("param")
 
+  assertGuildPermission(member, guild, {
+    channel: ["delete"],
+  })
+
   const deleted = await db
     .delete(channel)
     .where(and(eq(channel.id, channelId), eq(channel.guildId, guild.id)))
diff --git a/apps/api/src/routes/v1/channels/schema.ts b/apps/api/src/routes/v1/channels/schema.ts
index 6a6106d..3cb2749 100644
--- a/apps/api/src/routes/v1/channels/schema.ts
+++ b/apps/api/src/routes/v1/channels/schema.ts
@@ -50,7 +50,12 @@ export const createChannelResponseSchema = selectChannelSchema
 
 // ── Update / Delete ──────────────────────────────────────────
 
-export const updateChannelRequestSchema = updateChannelSchema
+export const updateChannelRequestSchema = updateChannelSchema.refine(
+  (value) => Object.values(value).some((field) => field !== undefined),
+  {
+    message: "At least one channel field must be provided",
+  }
+)
 
 export const updateChannelResponseSchema = selectChannelSchema
 
diff --git a/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx b/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx
index 38c21cc..3eda566 100644
--- a/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx
+++ b/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx
@@ -13,6 +13,7 @@ import { Textarea } from "@repo/ui/components/textarea"
 import { useMutation, useQueryClient } from "@tanstack/react-query"
 import { useParams } from "@tanstack/react-router"
 import { useEffect, useState } from "react"
+import { toast } from "sonner"
 import { apiClient } from "@/lib/api-client"
 import type { Channel } from "@/lib/api-types"
 
@@ -47,7 +48,20 @@ export function EditChannelDialog({
         json: { name, topic: topic || undefined },
       })
       if (!res.ok) {
-        throw new Error("Failed to update channel")
+        let message = "Failed to update channel"
+        const responseText = await res.text()
+
+        if (responseText) {
+          try {
+            const parsed = JSON.parse(responseText) as { message?: string }
+            message =
+              typeof parsed.message === "string" ? parsed.message : responseText
+          } catch {
+            message = responseText
+          }
+        }
+
+        throw new Error(message)
       }
       return res.json()
     },
@@ -58,6 +72,11 @@ export function EditChannelDialog({
       })
       onOpenChange(false)
     },
+    onError: (error) => {
+      toast.error(
+        error instanceof Error ? error.message : "Failed to update channel"
+      )
+    },
   })
 
   const hasChanges =
diff --git a/apps/web/src/routes/_authenticated/$guildSlug.tsx b/apps/web/src/routes/_authenticated/$guildSlug.tsx
index 69052d3..0ede7e6 100644
--- a/apps/web/src/routes/_authenticated/$guildSlug.tsx
+++ b/apps/web/src/routes/_authenticated/$guildSlug.tsx
@@ -1,7 +1,7 @@
 import { authClient } from "@repo/auth/client"
 import { useQuery, useQueryClient } from "@tanstack/react-query"
 import { createFileRoute, Outlet } from "@tanstack/react-router"
-import { useEffect, useMemo } from "react"
+import { useEffect, useMemo, useState } from "react"
 
 export const Route = createFileRoute("/_authenticated/$guildSlug")({
   component: GuildLayout,
@@ -9,6 +9,7 @@ export const Route = createFileRoute("/_authenticated/$guildSlug")({
 
 function GuildLayout() {
   const { guildSlug } = Route.useParams()
+  const [isSwitchingGuild, setIsSwitchingGuild] = useState(false)
 
   const { data: guilds, isPending: guildsLoading } = useQuery({
     queryKey: ["guilds"],
@@ -33,13 +34,41 @@ function GuildLayout() {
   const queryClient = useQueryClient()
 
   useEffect(() => {
-    if (!guild) return
-    if (activeOrg?.id === guild.id) return
-    authClient.organization.setActive({ organizationId: guild.id }).then(() => {
-      queryClient.invalidateQueries({
-        queryKey: ["active-guild-member", guildSlug],
-      })
-    })
+    let cancelled = false
+
+    if (!guild) {
+      setIsSwitchingGuild(false)
+      return
+    }
+
+    if (activeOrg?.id === guild.id) {
+      setIsSwitchingGuild(false)
+      return
+    }
+
+    setIsSwitchingGuild(true)
+
+    void (async () => {
+      try {
+        await authClient.organization.setActive({ organizationId: guild.id })
+        await Promise.all([
+          queryClient.invalidateQueries({
+            queryKey: ["active-guild", guildSlug],
+          }),
+          queryClient.invalidateQueries({
+            queryKey: ["active-guild-member", guildSlug],
+          }),
+        ])
+      } finally {
+        if (!cancelled) {
+          setIsSwitchingGuild(false)
+        }
+      }
+    })()
+
+    return () => {
+      cancelled = true
+    }
   }, [guild, activeOrg?.id, guildSlug, queryClient])
 
   if (guildsLoading) {
@@ -58,5 +87,13 @@ function GuildLayout() {
     )
   }
 
+  if (isSwitchingGuild || activeOrg?.id !== guild.id) {
+    return (
+      <div className="flex flex-1 items-center justify-center">
+        <span className="text-sm text-muted-foreground">Loading...</span>
+      </div>
+    )
+  }
+
   return <Outlet />
 }

From 531d1454a4e85b6b666f27d178fe9849e5bcf3f2 Mon Sep 17 00:00:00 2001
From: Jacob Owens <jacobowens75@gmail.com>
Date: Wed, 11 Mar 2026 22:08:02 -0700
Subject: [PATCH 4/6] fix: fixed various permissions issues

---
 ROADMAP.md                                    |  2 +-
 apps/api/src/lib/permissions.ts               |  9 ++--
 apps/api/src/routes/v1/channels/schema.ts     |  7 +++-
 apps/api/src/routes/v1/guilds/handlers.ts     |  3 ++
 apps/api/src/routes/v1/guilds/schema.ts       | 17 +++++++-
 apps/realtime/src/index.ts                    |  1 +
 apps/realtime/src/services/messages.ts        | 10 +++--
 .../channel-panel/edit-channel-dialog.tsx     | 20 ++++++---
 .../right-panel/guild-members-panel.tsx       | 42 +++++++++++++++++--
 .../src/routes/_authenticated/$guildSlug.tsx  | 30 +++++++++++--
 packages/auth/src/lib/permissions.ts          | 23 +---------
 11 files changed, 120 insertions(+), 44 deletions(-)

diff --git a/ROADMAP.md b/ROADMAP.md
index d3275be..7077b19 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -31,7 +31,7 @@
 ## Phase 2 — Permissions & Moderation
 
 - [ ] Granular permission system (beyond owner/admin/member)
-- [ ] Member management UI (kick, banish, silence, role assignment)
+- [~] Member management UI (kick, banish, silence, role assignment) (in progress in this PR)
 - [ ] Rate limiting enforcement (API-level + per-channel)
 - [ ] Audit logs
 
diff --git a/apps/api/src/lib/permissions.ts b/apps/api/src/lib/permissions.ts
index 711e1a4..8d4b02e 100644
--- a/apps/api/src/lib/permissions.ts
+++ b/apps/api/src/lib/permissions.ts
@@ -5,7 +5,7 @@ import {
   guildAuthorityHasPermissions,
   isGuildRole,
   type PermissionRequest,
-  type statement,
+  type StatementKey,
 } from "@repo/auth/permissions"
 import { HTTPException } from "hono/http-exception"
 import * as HttpStatusCodes from "@/lib/helpers/http/status-codes"
@@ -13,10 +13,11 @@ import type { Guild, GuildMember } from "@/lib/types/app-types"
 
 // ── Type-Safe Permission Types ──────────────────────────────────────
 
-export type StatementKey = keyof typeof statement
+export type { StatementKey }
 
-export type PermissionForStatement<T extends StatementKey> =
-  (typeof statement)[T][number]
+export type PermissionForStatement<T extends StatementKey> = NonNullable<
+  PermissionRequest[T]
+>[number]
 
 function toGuildAuthority(
   member: Pick<GuildMember, "role" | "userId">,
diff --git a/apps/api/src/routes/v1/channels/schema.ts b/apps/api/src/routes/v1/channels/schema.ts
index 3cb2749..5158294 100644
--- a/apps/api/src/routes/v1/channels/schema.ts
+++ b/apps/api/src/routes/v1/channels/schema.ts
@@ -50,7 +50,12 @@ export const createChannelResponseSchema = selectChannelSchema
 
 // ── Update / Delete ──────────────────────────────────────────
 
-export const updateChannelRequestSchema = updateChannelSchema.refine(
+const updateChannelRequestBaseSchema = updateChannelSchema.omit({
+  position: true,
+  parentId: true,
+})
+
+export const updateChannelRequestSchema = updateChannelRequestBaseSchema.refine(
   (value) => Object.values(value).some((field) => field !== undefined),
   {
     message: "At least one channel field must be provided",
diff --git a/apps/api/src/routes/v1/guilds/handlers.ts b/apps/api/src/routes/v1/guilds/handlers.ts
index 022a9e9..56fa3c8 100644
--- a/apps/api/src/routes/v1/guilds/handlers.ts
+++ b/apps/api/src/routes/v1/guilds/handlers.ts
@@ -272,11 +272,13 @@ export const banGuildMember: AppRouteHandler<BanGuildMemberRoute> = async (
   assertCanManageGuildMember(actor, target, guild)
 
   const expiresAtDate = expiresAt ? new Date(expiresAt) : null
+  const banTimestamp = new Date()
 
   const ban = await db.transaction(async (tx) => {
     const insertedBan = await tx
       .insert(schema.guildBan)
       .values({
+        createdAt: banTimestamp,
         guildId: guild.id,
         userId,
         bannedBy: actor.userId,
@@ -288,6 +290,7 @@ export const banGuildMember: AppRouteHandler<BanGuildMemberRoute> = async (
       .onConflictDoUpdate({
         target: [schema.guildBan.guildId, schema.guildBan.userId],
         set: {
+          createdAt: banTimestamp,
           bannedBy: actor.userId,
           reason: reason ?? null,
           expiresAt: expiresAtDate,
diff --git a/apps/api/src/routes/v1/guilds/schema.ts b/apps/api/src/routes/v1/guilds/schema.ts
index 059f466..5b9ff96 100644
--- a/apps/api/src/routes/v1/guilds/schema.ts
+++ b/apps/api/src/routes/v1/guilds/schema.ts
@@ -62,9 +62,24 @@ export const guildBanSchema = z.object({
   revokedAt: z.string().datetime().nullable(),
 })
 
+const optionalFutureExpiresAtSchema = z
+  .string()
+  .datetime()
+  .nullable()
+  .optional()
+  .refine(
+    (value) => {
+      if (value == null) return true
+      return new Date(value).getTime() > Date.now()
+    },
+    {
+      message: "expiresAt must be in the future",
+    }
+  )
+
 export const banGuildMemberRequestSchema = z.object({
   reason: z.string().trim().min(1).max(255).nullable().optional(),
-  expiresAt: z.string().datetime().nullable().optional(),
+  expiresAt: optionalFutureExpiresAtSchema,
 })
 
 export const banGuildMemberResponseSchema = z.object({
diff --git a/apps/realtime/src/index.ts b/apps/realtime/src/index.ts
index 1c1d4a0..0398b54 100644
--- a/apps/realtime/src/index.ts
+++ b/apps/realtime/src/index.ts
@@ -319,6 +319,7 @@ io.on("connection", (socket) => {
       const createdMessage = await createMessage({
         userId: socket.data.user.id,
         payload: parsed,
+        accessibleChannel,
       })
 
       const fanout = await buildMessageFanout({
diff --git a/apps/realtime/src/services/messages.ts b/apps/realtime/src/services/messages.ts
index 2e3c4c6..395daef 100644
--- a/apps/realtime/src/services/messages.ts
+++ b/apps/realtime/src/services/messages.ts
@@ -23,6 +23,7 @@ function assertChannelCommunicationAllowed(channel: AccessibleChannel) {
 type CreateMessageInput = {
   userId: string
   payload: SendMessagePayload
+  accessibleChannel: AccessibleChannel
 }
 
 type DeleteMessageInput = {
@@ -57,10 +58,11 @@ export type ToggleMessageReactionResult = {
 }
 
 export async function createMessage(input: CreateMessageInput) {
-  const channelRecord = await assertUserCanAccessChannel(
-    input.userId,
-    input.payload.channelId
-  )
+  if (input.accessibleChannel.id !== input.payload.channelId) {
+    throw new Error("Channel mismatch")
+  }
+
+  const channelRecord = input.accessibleChannel
   assertChannelCommunicationAllowed(channelRecord)
 
   let hasReply = !!input.payload.referencedMessageId
diff --git a/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx b/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx
index 3eda566..02c849f 100644
--- a/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx
+++ b/apps/web/src/components/sidebar/channel-panel/edit-channel-dialog.tsx
@@ -41,10 +41,15 @@ export function EditChannelDialog({
 
   const updateMutation = useMutation({
     mutationFn: async () => {
+      if (!guildSlug) {
+        throw new Error("Missing guild slug")
+      }
+
+      const validatedGuildSlug = guildSlug
       const res = await apiClient.v1.guilds[":guildSlug"].channels[
         ":channelId"
       ].$patch({
-        param: { guildSlug: guildSlug as string, channelId: channel.id },
+        param: { guildSlug: validatedGuildSlug, channelId: channel.id },
         json: { name, topic: topic || undefined },
       })
       if (!res.ok) {
@@ -63,12 +68,17 @@ export function EditChannelDialog({
 
         throw new Error(message)
       }
-      return res.json()
+      return {
+        guildSlug: validatedGuildSlug,
+        channel: await res.json(),
+      }
     },
-    onSuccess: () => {
-      queryClient.invalidateQueries({ queryKey: ["channels", guildSlug] })
+    onSuccess: ({ guildSlug: validatedGuildSlug }) => {
+      queryClient.invalidateQueries({
+        queryKey: ["channels", validatedGuildSlug],
+      })
       queryClient.invalidateQueries({
-        queryKey: ["channel", guildSlug, channel.id],
+        queryKey: ["channel", validatedGuildSlug, channel.id],
       })
       onOpenChange(false)
     },
diff --git a/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx b/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
index 44eaef2..bd9b28e 100644
--- a/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
+++ b/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
@@ -307,10 +307,24 @@ export function GuildMembersPanel({ view }: { view: GuildMembersSidebarView }) {
       return res.json()
     },
   })
-  const { data: activeMember } = useQuery({
+  const {
+    data: activeMember,
+    error: activeMemberError,
+    isError: hasActiveMemberError,
+  } = useQuery({
     queryKey: ["active-guild-member", view.guildSlug],
     queryFn: async () => {
       const res = await authClient.organization.getActiveMember()
+      if (res.error) {
+        throw new Error(
+          res.error.message ?? "Failed to verify moderation permissions"
+        )
+      }
+
+      if (!res.data) {
+        throw new Error("Failed to verify moderation permissions")
+      }
+
       return res.data
     },
     enabled: !!view.guildSlug,
@@ -320,9 +334,21 @@ export function GuildMembersPanel({ view }: { view: GuildMembersSidebarView }) {
   const activeMemberRole =
     typeof activeMember?.role === "string" ? activeMember.role : null
   const currentRole =
-    activeMemberRole && isGuildRole(activeMemberRole) ? activeMemberRole : null
+    !hasActiveMemberError && activeMemberRole && isGuildRole(activeMemberRole)
+      ? activeMemberRole
+      : null
   const currentIsOwner = data?.ownerId === currentUserId
 
+  useEffect(() => {
+    if (!hasActiveMemberError) return
+
+    toast.error(
+      activeMemberError instanceof Error
+        ? activeMemberError.message
+        : "Failed to verify moderation permissions"
+    )
+  }, [hasActiveMemberError, activeMemberError, view.guildSlug])
+
   const invalidateMembers = async () => {
     await queryClient.invalidateQueries({ queryKey })
   }
@@ -595,6 +621,13 @@ export function GuildMembersPanel({ view }: { view: GuildMembersSidebarView }) {
           </p>
         </div>
 
+        {hasActiveMemberError && (
+          <div className="border-b border-destructive/20 bg-destructive/5 px-4 py-2 text-xs text-destructive">
+            Unable to verify moderation permissions right now. Moderation
+            actions are temporarily unavailable.
+          </div>
+        )}
+
         {isPending ? (
           <MembersSkeleton />
         ) : isError ? (
@@ -685,7 +718,10 @@ export function GuildMembersPanel({ view }: { view: GuildMembersSidebarView }) {
             <AlertDialogAction
               variant="destructive"
               loading={isModerationSubmitting}
-              onClick={handleConfirmModeration}
+              onClick={(event) => {
+                event.preventDefault()
+                handleConfirmModeration()
+              }}
             >
               {moderationActionLabel}
             </AlertDialogAction>
diff --git a/apps/web/src/routes/_authenticated/$guildSlug.tsx b/apps/web/src/routes/_authenticated/$guildSlug.tsx
index 0ede7e6..1da2d9c 100644
--- a/apps/web/src/routes/_authenticated/$guildSlug.tsx
+++ b/apps/web/src/routes/_authenticated/$guildSlug.tsx
@@ -1,7 +1,7 @@
 import { authClient } from "@repo/auth/client"
 import { useQuery, useQueryClient } from "@tanstack/react-query"
 import { createFileRoute, Outlet } from "@tanstack/react-router"
-import { useEffect, useMemo, useState } from "react"
+import { useEffect, useMemo, useRef, useState } from "react"
 
 export const Route = createFileRoute("/_authenticated/$guildSlug")({
   component: GuildLayout,
@@ -10,6 +10,8 @@ export const Route = createFileRoute("/_authenticated/$guildSlug")({
 function GuildLayout() {
   const { guildSlug } = Route.useParams()
   const [isSwitchingGuild, setIsSwitchingGuild] = useState(false)
+  const latestDesiredGuildRef = useRef<string | null>(null)
+  const switchRequestRef = useRef(0)
 
   const { data: guilds, isPending: guildsLoading } = useQuery({
     queryKey: ["guilds"],
@@ -37,20 +39,36 @@ function GuildLayout() {
     let cancelled = false
 
     if (!guild) {
+      latestDesiredGuildRef.current = null
       setIsSwitchingGuild(false)
       return
     }
 
-    if (activeOrg?.id === guild.id) {
+    const desiredGuildId = guild.id
+    latestDesiredGuildRef.current = desiredGuildId
+
+    if (activeOrg?.id === desiredGuildId) {
       setIsSwitchingGuild(false)
       return
     }
 
+    const requestId = ++switchRequestRef.current
     setIsSwitchingGuild(true)
 
     void (async () => {
       try {
-        await authClient.organization.setActive({ organizationId: guild.id })
+        await authClient.organization.setActive({
+          organizationId: desiredGuildId,
+        })
+
+        if (
+          cancelled ||
+          latestDesiredGuildRef.current !== desiredGuildId ||
+          switchRequestRef.current !== requestId
+        ) {
+          return
+        }
+
         await Promise.all([
           queryClient.invalidateQueries({
             queryKey: ["active-guild", guildSlug],
@@ -60,7 +78,11 @@ function GuildLayout() {
           }),
         ])
       } finally {
-        if (!cancelled) {
+        if (
+          !cancelled &&
+          latestDesiredGuildRef.current === desiredGuildId &&
+          switchRequestRef.current === requestId
+        ) {
           setIsSwitchingGuild(false)
         }
       }
diff --git a/packages/auth/src/lib/permissions.ts b/packages/auth/src/lib/permissions.ts
index 824833e..f1677c8 100644
--- a/packages/auth/src/lib/permissions.ts
+++ b/packages/auth/src/lib/permissions.ts
@@ -15,25 +15,6 @@ const statement = {
 
 const ac = createAccessControl(statement)
 
-const guildPermissionGrants = {
-  owner: {
-    channel: ["create", "update", "delete"],
-    message: ["delete"],
-    guildMember: ["kick", "ban", "timeout", "role:update"],
-  },
-  admin: {
-    channel: ["create", "update", "delete"],
-    message: ["delete"],
-    guildMember: ["kick", "ban", "timeout", "role:update"],
-  },
-  warden: {
-    channel: ["create", "update"],
-    message: ["delete"],
-    guildMember: ["kick", "ban", "timeout"],
-  },
-  member: {},
-} as const
-
 const owner = ac.newRole({
   channel: ["create", "update", "delete"],
   message: ["delete"],
@@ -98,7 +79,7 @@ export type GuildAuthority = {
 }
 
 export function isGuildRole(value: string): value is GuildRole {
-  return value in roles
+  return Object.hasOwn(roles, value)
 }
 
 export function formatGuildRole(role: GuildRole) {
@@ -129,7 +110,7 @@ export function roleHasPermissions(
   role: GuildRole,
   requestedPermissions: PermissionRequest
 ) {
-  const grantedStatements = guildPermissionGrants[role] as Record<
+  const grantedStatements = roles[role].statements as Record<
     string,
     readonly string[] | undefined
   >

From 5f62d984dc2e86c8267c861c27c6ee793024318d Mon Sep 17 00:00:00 2001
From: Jacob Owens <jacobowens75@gmail.com>
Date: Wed, 11 Mar 2026 22:20:14 -0700
Subject: [PATCH 5/6] fix: fixed various permission bugs

---
 apps/api/src/routes/v1/channels/schema.ts     |  1 +
 apps/realtime/src/services/messages.ts        |  5 +++-
 .../right-panel/guild-members-panel.tsx       | 12 +++++++-
 .../src/routes/_authenticated/$guildSlug.tsx  | 30 ++++++++++++++++++-
 packages/auth/src/lib/permissions.ts          |  6 +++-
 5 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/apps/api/src/routes/v1/channels/schema.ts b/apps/api/src/routes/v1/channels/schema.ts
index 5158294..ced8be1 100644
--- a/apps/api/src/routes/v1/channels/schema.ts
+++ b/apps/api/src/routes/v1/channels/schema.ts
@@ -53,6 +53,7 @@ export const createChannelResponseSchema = selectChannelSchema
 const updateChannelRequestBaseSchema = updateChannelSchema.omit({
   position: true,
   parentId: true,
+  type: true,
 })
 
 export const updateChannelRequestSchema = updateChannelRequestBaseSchema.refine(
diff --git a/apps/realtime/src/services/messages.ts b/apps/realtime/src/services/messages.ts
index 395daef..dbd7a44 100644
--- a/apps/realtime/src/services/messages.ts
+++ b/apps/realtime/src/services/messages.ts
@@ -17,7 +17,9 @@ function assertChannelCommunicationAllowed(channel: AccessibleChannel) {
   if (!channel.communicationDisabledUntil) return
   if (channel.communicationDisabledUntil.getTime() <= Date.now()) return
 
-  throw new Error("You are temporarily timed out and cannot send messages")
+  throw new Error(
+    "You are temporarily timed out and cannot perform this action"
+  )
 }
 
 type CreateMessageInput = {
@@ -209,6 +211,7 @@ export async function deleteMessage(
     input.userId,
     input.payload.channelId
   )
+  assertChannelCommunicationAllowed(channelRecord)
 
   const messageRecord = await db
     .select({
diff --git a/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx b/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
index bd9b28e..345e35d 100644
--- a/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
+++ b/apps/web/src/components/sidebar/right-panel/guild-members-panel.tsx
@@ -699,12 +699,22 @@ export function GuildMembersPanel({ view }: { view: GuildMembersSidebarView }) {
       <AlertDialog
         open={isModerationDialogOpen}
         onOpenChange={(open) => {
+          if (!open && isModerationSubmitting) {
+            return
+          }
+
           if (!open) {
             setModerationDialog(null)
           }
         }}
       >
-        <AlertDialogContent>
+        <AlertDialogContent
+          onEscapeKeyDown={(event) => {
+            if (isModerationSubmitting) {
+              event.preventDefault()
+            }
+          }}
+        >
           <AlertDialogHeader>
             <AlertDialogTitle>{moderationDialogTitle}</AlertDialogTitle>
             <AlertDialogDescription>
diff --git a/apps/web/src/routes/_authenticated/$guildSlug.tsx b/apps/web/src/routes/_authenticated/$guildSlug.tsx
index 1da2d9c..daaae91 100644
--- a/apps/web/src/routes/_authenticated/$guildSlug.tsx
+++ b/apps/web/src/routes/_authenticated/$guildSlug.tsx
@@ -2,6 +2,7 @@ import { authClient } from "@repo/auth/client"
 import { useQuery, useQueryClient } from "@tanstack/react-query"
 import { createFileRoute, Outlet } from "@tanstack/react-router"
 import { useEffect, useMemo, useRef, useState } from "react"
+import { toast } from "sonner"
 
 export const Route = createFileRoute("/_authenticated/$guildSlug")({
   component: GuildLayout,
@@ -10,6 +11,7 @@ export const Route = createFileRoute("/_authenticated/$guildSlug")({
 function GuildLayout() {
   const { guildSlug } = Route.useParams()
   const [isSwitchingGuild, setIsSwitchingGuild] = useState(false)
+  const [switchError, setSwitchError] = useState<string | null>(null)
   const latestDesiredGuildRef = useRef<string | null>(null)
   const switchRequestRef = useRef(0)
 
@@ -40,6 +42,7 @@ function GuildLayout() {
 
     if (!guild) {
       latestDesiredGuildRef.current = null
+      setSwitchError(null)
       setIsSwitchingGuild(false)
       return
     }
@@ -48,11 +51,13 @@ function GuildLayout() {
     latestDesiredGuildRef.current = desiredGuildId
 
     if (activeOrg?.id === desiredGuildId) {
+      setSwitchError(null)
       setIsSwitchingGuild(false)
       return
     }
 
     const requestId = ++switchRequestRef.current
+    setSwitchError(null)
     setIsSwitchingGuild(true)
 
     void (async () => {
@@ -77,6 +82,19 @@ function GuildLayout() {
             queryKey: ["active-guild-member", guildSlug],
           }),
         ])
+      } catch (error) {
+        if (
+          cancelled ||
+          latestDesiredGuildRef.current !== desiredGuildId ||
+          switchRequestRef.current !== requestId
+        ) {
+          return
+        }
+
+        console.error("[guild-layout] Failed to switch active guild", error)
+        const message = "Failed to switch guild. Please try again."
+        setSwitchError(message)
+        toast.error(message)
       } finally {
         if (
           !cancelled &&
@@ -109,7 +127,7 @@ function GuildLayout() {
     )
   }
 
-  if (isSwitchingGuild || activeOrg?.id !== guild.id) {
+  if (isSwitchingGuild) {
     return (
       <div className="flex flex-1 items-center justify-center">
         <span className="text-sm text-muted-foreground">Loading...</span>
@@ -117,5 +135,15 @@ function GuildLayout() {
     )
   }
 
+  if (activeOrg?.id !== guild.id) {
+    return (
+      <div className="flex flex-1 items-center justify-center">
+        <span className="text-sm text-muted-foreground">
+          {switchError ?? "Loading..."}
+        </span>
+      </div>
+    )
+  }
+
   return <Outlet />
 }
diff --git a/packages/auth/src/lib/permissions.ts b/packages/auth/src/lib/permissions.ts
index f1677c8..07d1278 100644
--- a/packages/auth/src/lib/permissions.ts
+++ b/packages/auth/src/lib/permissions.ts
@@ -65,7 +65,11 @@ const guildMessageRateLimitsPerMinute = {
   member: 30,
 } as const satisfies Record<keyof typeof roles, number>
 
-const assignableGuildRoles = ["admin", "warden", "member"] as const
+const assignableGuildRoles = [
+  "admin",
+  "warden",
+  "member",
+] as const satisfies ReadonlyArray<Exclude<keyof typeof roles, "owner">>
 
 export type GuildRole = keyof typeof roles
 export type AssignableGuildRole = (typeof assignableGuildRoles)[number]

From 67cbdfa5f980d6e117f42deee6e1ec809a2d6602 Mon Sep 17 00:00:00 2001
From: Jacob Owens <jacobowens75@gmail.com>
Date: Wed, 11 Mar 2026 22:35:09 -0700
Subject: [PATCH 6/6] fix: fixed bugs

---
 apps/api/src/routes/v1/channels/schema.ts     | 12 ++++---
 .../src/routes/_authenticated/$guildSlug.tsx  |  4 +--
 packages/auth/src/lib/permissions.ts          | 31 ++++++++++++++-----
 3 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/apps/api/src/routes/v1/channels/schema.ts b/apps/api/src/routes/v1/channels/schema.ts
index ced8be1..b09a6c5 100644
--- a/apps/api/src/routes/v1/channels/schema.ts
+++ b/apps/api/src/routes/v1/channels/schema.ts
@@ -50,11 +50,13 @@ export const createChannelResponseSchema = selectChannelSchema
 
 // ── Update / Delete ──────────────────────────────────────────
 
-const updateChannelRequestBaseSchema = updateChannelSchema.omit({
-  position: true,
-  parentId: true,
-  type: true,
-})
+const updateChannelRequestBaseSchema = updateChannelSchema
+  .pick({
+    name: true,
+    topic: true,
+    rateLimitPerUser: true,
+  })
+  .strict()
 
 export const updateChannelRequestSchema = updateChannelRequestBaseSchema.refine(
   (value) => Object.values(value).some((field) => field !== undefined),
diff --git a/apps/web/src/routes/_authenticated/$guildSlug.tsx b/apps/web/src/routes/_authenticated/$guildSlug.tsx
index daaae91..47ff1f8 100644
--- a/apps/web/src/routes/_authenticated/$guildSlug.tsx
+++ b/apps/web/src/routes/_authenticated/$guildSlug.tsx
@@ -23,7 +23,7 @@ function GuildLayout() {
     },
   })
   const { data: activeOrg } = useQuery({
-    queryKey: ["active-guild", guildSlug],
+    queryKey: ["active-guild"],
     queryFn: async () => {
       const res = await authClient.organization.getFullOrganization()
       return res.data
@@ -76,7 +76,7 @@ function GuildLayout() {
 
         await Promise.all([
           queryClient.invalidateQueries({
-            queryKey: ["active-guild", guildSlug],
+            queryKey: ["active-guild"],
           }),
           queryClient.invalidateQueries({
             queryKey: ["active-guild-member", guildSlug],
diff --git a/packages/auth/src/lib/permissions.ts b/packages/auth/src/lib/permissions.ts
index 07d1278..b1c2dbc 100644
--- a/packages/auth/src/lib/permissions.ts
+++ b/packages/auth/src/lib/permissions.ts
@@ -82,6 +82,15 @@ export type GuildAuthority = {
   isOwner?: boolean
 }
 
+export function normalizeGuildAuthority(
+  authority: GuildAuthority
+): GuildAuthority & { isOwner: boolean } {
+  return {
+    ...authority,
+    isOwner: authority.role === "owner",
+  }
+}
+
 export function isGuildRole(value: string): value is GuildRole {
   return Object.hasOwn(roles, value)
 }
@@ -95,19 +104,26 @@ export function getGuildRolePosition(role: GuildRole) {
 }
 
 export function getGuildAuthorityPosition(authority: GuildAuthority) {
-  if (authority.isOwner) return guildRolePositions.owner
-  return getGuildRolePosition(authority.role)
+  const normalizedAuthority = normalizeGuildAuthority(authority)
+  if (normalizedAuthority.isOwner) return guildRolePositions.owner
+  return getGuildRolePosition(normalizedAuthority.role)
 }
 
 export function canManageGuildAuthority(
   actor: GuildAuthority,
   target: GuildAuthority
 ) {
-  if (target.isOwner) {
-    return actor.isOwner === true
+  const normalizedActor = normalizeGuildAuthority(actor)
+  const normalizedTarget = normalizeGuildAuthority(target)
+
+  if (normalizedTarget.isOwner) {
+    return normalizedActor.isOwner
   }
 
-  return getGuildAuthorityPosition(actor) < getGuildAuthorityPosition(target)
+  return (
+    getGuildAuthorityPosition(normalizedActor) <
+    getGuildAuthorityPosition(normalizedTarget)
+  )
 }
 
 export function roleHasPermissions(
@@ -139,8 +155,9 @@ export function guildAuthorityHasPermissions(
   authority: GuildAuthority,
   requestedPermissions: PermissionRequest
 ) {
-  if (authority.isOwner) return true
-  return roleHasPermissions(authority.role, requestedPermissions)
+  const normalizedAuthority = normalizeGuildAuthority(authority)
+  if (normalizedAuthority.isOwner) return true
+  return roleHasPermissions(normalizedAuthority.role, requestedPermissions)
 }
 
 export function getGuildMessageRateLimit(role: GuildRole) {