feat: add organization-related models and update schemas for organization management

backend/app/api/board_groups.py

@@ -9,8 +9,7 @@ from sqlalchemy import delete, func, update
 from sqlmodel import col, select
 from sqlmodel.ext.asyncio.session import AsyncSession
 
-from app.api.deps import ActorContext, require_admin_auth, require_admin_or_agent
-from app.core.auth import AuthContext
+from app.api.deps import ActorContext, require_admin_or_agent, require_org_admin, require_org_member
 from app.core.time import utcnow
 from app.db import crud
 from app.db.pagination import paginate
@@ -29,6 +28,14 @@ from app.schemas.pagination import DefaultLimitOffsetPage
 from app.schemas.view_models import BoardGroupSnapshot
 from app.services.agent_provisioning import DEFAULT_HEARTBEAT_CONFIG, sync_gateway_agent_heartbeats
 from app.services.board_group_snapshot import build_group_snapshot
+from app.services.organizations import (
+    board_access_filter,
+    get_member,
+    is_org_admin,
+    list_accessible_board_ids,
+    member_all_boards_read,
+    member_all_boards_write,
+)
 
 router = APIRouter(prefix="/board-groups", tags=["board-groups"])
 
@@ -38,12 +45,56 @@ def _slugify(value: str) -> str:
     return slug or uuid4().hex
 
 
+async def _require_group_access(
+    session: AsyncSession,
+    *,
+    group_id: UUID,
+    member,
+    write: bool,
+) -> BoardGroup:
+    group = await session.get(BoardGroup, group_id)
+    if group is None:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
+    if group.organization_id != member.organization_id:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
+
+    if write and member_all_boards_write(member):
+        return group
+    if not write and member_all_boards_read(member):
+        return group
+
+    board_ids = list(
+        await session.exec(select(Board.id).where(col(Board.board_group_id) == group_id))
+    )
+    if not board_ids:
+        if is_org_admin(member):
+            return group
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
+
+    allowed_ids = await list_accessible_board_ids(session, member=member, write=write)
+    if not set(board_ids).intersection(set(allowed_ids)):
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
+    return group
+
+
 @router.get("", response_model=DefaultLimitOffsetPage[BoardGroupRead])
 async def list_board_groups(
     session: AsyncSession = Depends(get_session),
-    auth: AuthContext = Depends(require_admin_auth),
+    ctx=Depends(require_org_member),
 ) -> DefaultLimitOffsetPage[BoardGroupRead]:
-    statement = select(BoardGroup).order_by(func.lower(col(BoardGroup.name)).asc())
+    if member_all_boards_read(ctx.member):
+        statement = select(BoardGroup).where(
+            col(BoardGroup.organization_id) == ctx.organization.id
+        )
+    else:
+        accessible_boards = select(Board.board_group_id).where(
+            board_access_filter(ctx.member, write=False)
+        )
+        statement = select(BoardGroup).where(
+            col(BoardGroup.organization_id) == ctx.organization.id,
+            col(BoardGroup.id).in_(accessible_boards),
+        )
+    statement = statement.order_by(func.lower(col(BoardGroup.name)).asc())
     return await paginate(session, statement)
 
 
@@ -51,11 +102,12 @@ async def list_board_groups(
 async def create_board_group(
     payload: BoardGroupCreate,
     session: AsyncSession = Depends(get_session),
-    auth: AuthContext = Depends(require_admin_auth),
+    ctx=Depends(require_org_admin),
 ) -> BoardGroup:
     data = payload.model_dump()
     if not (data.get("slug") or "").strip():
         data["slug"] = _slugify(data.get("name") or "")
+    data["organization_id"] = ctx.organization.id
     return await crud.create(session, BoardGroup, **data)
 
 
@@ -63,12 +115,9 @@ async def create_board_group(
 async def get_board_group(
     group_id: UUID,
     session: AsyncSession = Depends(get_session),
-    auth: AuthContext = Depends(require_admin_auth),
+    ctx=Depends(require_org_member),
 ) -> BoardGroup:
-    group = await session.get(BoardGroup, group_id)
-    if group is None:
-        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
-    return group
+    return await _require_group_access(session, group_id=group_id, member=ctx.member, write=False)
 
 
 @router.get("/{group_id}/snapshot", response_model=BoardGroupSnapshot)
@@ -77,20 +126,22 @@ async def get_board_group_snapshot(
     include_done: bool = False,
     per_board_task_limit: int = 5,
     session: AsyncSession = Depends(get_session),
-    auth: AuthContext = Depends(require_admin_auth),
+    ctx=Depends(require_org_member),
 ) -> BoardGroupSnapshot:
-    group = await session.get(BoardGroup, group_id)
-    if group is None:
-        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
+    group = await _require_group_access(session, group_id=group_id, member=ctx.member, write=False)
     if per_board_task_limit < 0:
         raise HTTPException(status_code=status.HTTP_422_UNPROCESSABLE_ENTITY)
-    return await build_group_snapshot(
+    snapshot = await build_group_snapshot(
         session,
         group=group,
         exclude_board_id=None,
         include_done=include_done,
         per_board_task_limit=per_board_task_limit,
     )
+    if not member_all_boards_read(ctx.member) and snapshot.boards:
+        allowed_ids = set(await list_accessible_board_ids(session, member=ctx.member, write=False))
+        snapshot.boards = [item for item in snapshot.boards if item.board.id in allowed_ids]
+    return snapshot
 
 
 @router.post("/{group_id}/heartbeat", response_model=BoardGroupHeartbeatApplyResult)
@@ -104,7 +155,23 @@ async def apply_board_group_heartbeat(
     if group is None:
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
 
-    if actor.actor_type == "agent":
+    if actor.actor_type == "user":
+        if actor.user is None:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
+        member = await get_member(
+            session,
+            user_id=actor.user.id,
+            organization_id=group.organization_id,
+        )
+        if member is None or not is_org_admin(member):
+            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
+        await _require_group_access(
+            session,
+            group_id=group_id,
+            member=member,
+            write=True,
+        )
+    elif actor.actor_type == "agent":
         agent = actor.agent
         if agent is None:
             raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
@@ -188,11 +255,9 @@ async def update_board_group(
     payload: BoardGroupUpdate,
     group_id: UUID,
     session: AsyncSession = Depends(get_session),
-    auth: AuthContext = Depends(require_admin_auth),
+    ctx=Depends(require_org_admin),
 ) -> BoardGroup:
-    group = await session.get(BoardGroup, group_id)
-    if group is None:
-        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
+    group = await _require_group_access(session, group_id=group_id, member=ctx.member, write=True)
     updates = payload.model_dump(exclude_unset=True)
     if "slug" in updates and updates["slug"] is not None and not updates["slug"].strip():
         updates["slug"] = _slugify(updates.get("name") or group.name)
@@ -206,11 +271,9 @@ async def update_board_group(
 async def delete_board_group(
     group_id: UUID,
     session: AsyncSession = Depends(get_session),
-    auth: AuthContext = Depends(require_admin_auth),
+    ctx=Depends(require_org_admin),
 ) -> OkResponse:
-    group = await session.get(BoardGroup, group_id)
-    if group is None:
-        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
+    group = await _require_group_access(session, group_id=group_id, member=ctx.member, write=True)
 
     # Boards reference groups, so clear the FK first to keep deletes simple.
     await session.execute(