feat(phase-3): workstream 1 — Multi-Tenancy

Introduces full multi-tenant organization model to AgentIdP: Schema: - 6 migrations: organizations + organization_members tables; organization_id FK added to agents, credentials, audit_logs; PostgreSQL RLS policies on all three tables; system org seed + backfill API: - 6 new /api/v1/organizations endpoints (CRUD + members) gated by admin:orgs scope - OPA scopes.json updated with 6 new org endpoint → admin:orgs mappings Implementation: - OrgRepository, OrgService, OrgController, createOrgsRouter - OrgContextMiddleware: sets app.organization_id session variable so RLS enforces per-request org isolation at the database layer - JWT payload extended with organization_id claim; auth.ts backfills org_system for backward-compatible tokens - New error classes: OrgNotFoundError, OrgHasActiveAgentsError, AlreadyMemberError Tests: 373 passing, 80.64% branch coverage, zero any types Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 00:29:32 +00:00
parent cb7d079ef6
commit d252097f71
31 changed files with 3043 additions and 35 deletions
--- a/policies/authz.rego
+++ b/policies/authz.rego
@@ -69,6 +69,18 @@ normalise_path(path) := "/api/v1/audit" if {
    path == "/api/v1/audit"
 }

+normalise_path(path) := "/api/v1/organizations/:id/members" if {
+    regex.match(`^/api/v1/organizations/[^/]+/members$`, path)
+}
+
+normalise_path(path) := "/api/v1/organizations/:id" if {
+    regex.match(`^/api/v1/organizations/[^/]+$`, path)
+}
+
+normalise_path(path) := "/api/v1/organizations" if {
+    path == "/api/v1/organizations"
+}
+
 # ─── Core allow rule ──────────────────────────────────────────────────────────
 # allow = true if every required scope for the endpoint is present in input.scopes.

--- a/policies/data/scopes.json
+++ b/policies/data/scopes.json
@@ -12,6 +12,12 @@
    "POST:/api/v1/token/introspect":                       ["tokens:read"],
    "POST:/api/v1/token/revoke":                           ["tokens:read"],
    "GET:/api/v1/audit":                                   ["audit:read"],
-    "GET:/api/v1/audit/:id":                               ["audit:read"]
+    "GET:/api/v1/audit/:id":                               ["audit:read"],
+    "POST:/api/v1/organizations":                          ["admin:orgs"],
+    "GET:/api/v1/organizations":                           ["admin:orgs"],
+    "GET:/api/v1/organizations/:id":                       ["admin:orgs"],
+    "PATCH:/api/v1/organizations/:id":                     ["admin:orgs"],
+    "DELETE:/api/v1/organizations/:id":                    ["admin:orgs"],
+    "POST:/api/v1/organizations/:id/members":              ["admin:orgs"]
  }
 }