feat(team): Show org members with project access (least privilege model)

mjunaidca · claude · mjunaidca · commit ddc51da2e639 · 2025-12-12T05:43:38.000+05:00
Changes: - SSO: Add /api/organizations/[orgId]/members endpoint to expose org members - API: New /api/workers endpoint merges SSO members with project assignments - Web: Redesigned /workers page as "Team" page focused on access management Key features: - Org membership ≠ Project access (principle of least privilege) - Shows all org members with their current project assignments - "Pending Access" warning for members without any project access - "Add to Project" dropdown for quick access grants - Real-time data from SSO (no sync needed) - Removed AI Agents section (managed separately at /agents) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/apps/api/src/taskflow_api/main.py b/apps/api/src/taskflow_api/main.py
@@ -17,7 +17,7 @@
 from .chatkit_store import RequestContext  # noqa: E402
 from .config import settings  # noqa: E402
 from .database import create_db_and_tables  # noqa: E402
-from .routers import agents, audit, health, jobs, members, projects, tasks  # noqa: E402
+from .routers import agents, audit, health, jobs, members, projects, tasks, workers  # noqa: E402
 
 # Configure logging
 logging.basicConfig(
@@ -132,6 +132,7 @@ async def general_exception_handler(request: Request, exc: Exception) -> JSONRes
 app.include_router(tasks.router)  # Has its own prefixes defined
 app.include_router(audit.router, prefix="/api")
 app.include_router(jobs.router)  # Dapr Jobs callbacks at /api/jobs
+app.include_router(workers.router, prefix="/api/workers")  # Worker sync operations
 
 
 @app.post("/chatkit")
diff --git a/apps/api/src/taskflow_api/routers/__init__.py b/apps/api/src/taskflow_api/routers/__init__.py
@@ -1,6 +1,6 @@
 """FastAPI routers."""
 
-from . import agents, audit, health, jobs, members, projects, tasks
+from . import agents, audit, health, jobs, members, projects, tasks, workers
 
 __all__ = [
     "agents",
@@ -10,4 +10,5 @@
     "members",
     "projects",
     "tasks",
+    "workers",
 ]
diff --git a/apps/api/src/taskflow_api/routers/workers.py b/apps/api/src/taskflow_api/routers/workers.py
@@ -0,0 +1,202 @@
+"""Worker endpoints - org members with project assignments (least privilege model).
+
+Philosophy: Org membership ≠ Project access
+- SSO is source of truth for "who's in the org"
+- TaskFlow is source of truth for "who can access what project"
+- This endpoint merges both views for the workers page
+"""
+
+import logging
+from typing import Literal
+
+import httpx
+from fastapi import APIRouter, Depends, HTTPException, Request
+from pydantic import BaseModel
+from sqlmodel import select
+from sqlmodel.ext.asyncio.session import AsyncSession
+
+from ..auth import CurrentUser, get_current_user, get_tenant_id
+from ..config import settings
+from ..database import get_session
+from ..models.project import Project, ProjectMember
+from ..models.worker import Worker
+from ..services.user_setup import ensure_user_setup
+
+logger = logging.getLogger(__name__)
+
+router = APIRouter(tags=["Workers"])
+
+
+class ProjectInfo(BaseModel):
+    """Project summary for worker display."""
+    id: int
+    name: str
+    role: str
+
+
+class OrgMemberWithProjects(BaseModel):
+    """Organization member with their project assignments."""
+    user_id: str
+    email: str
+    name: str
+    image: str | None
+    org_role: str  # owner/admin/member in org
+    projects: list[ProjectInfo]
+    has_project_access: bool
+
+
+class WorkerListResponse(BaseModel):
+    """Combined view of org members and agents."""
+    org_members: list[OrgMemberWithProjects]
+    agents: list[dict]
+    total_members: int
+    total_agents: int
+    unassigned_count: int
+
+
+@router.get("", response_model=WorkerListResponse)
+async def list_workers(
+    request: Request,
+    session: AsyncSession = Depends(get_session),
+    user: CurrentUser = Depends(get_current_user),
+) -> WorkerListResponse:
+    """List all org members with their project assignments.
+
+    Fetches org members from SSO and merges with project assignments.
+    Shows who has access to which projects (least privilege view).
+
+    Returns:
+    - org_members: All org members with their project assignments
+    - agents: All registered AI agents
+    - unassigned_count: Members with no project access yet
+    """
+    await ensure_user_setup(session, user)
+    tenant_id = get_tenant_id(user, request)
+
+    logger.info("[WORKERS] Fetching org members for tenant: %s", tenant_id)
+
+    # Get Authorization header to forward to SSO
+    auth_header = request.headers.get("Authorization")
+    if not auth_header:
+        raise HTTPException(status_code=401, detail="Missing Authorization header")
+
+    # Step 1: Fetch org members from SSO
+    sso_url = f"{settings.sso_url}/api/organizations/{tenant_id}/members"
+
+    try:
+        async with httpx.AsyncClient(timeout=30.0) as client:
+            response = await client.get(
+                sso_url,
+                headers={
+                    "Authorization": auth_header,
+                    "Cookie": request.headers.get("Cookie", ""),
+                },
+            )
+
+            if response.status_code == 401:
+                raise HTTPException(status_code=401, detail="SSO authentication failed")
+            if response.status_code == 403:
+                raise HTTPException(
+                    status_code=403, detail="Not a member of this organization"
+                )
+            if response.status_code != 200:
+                logger.error("[WORKERS] SSO returned %d: %s", response.status_code, response.text)
+                raise HTTPException(
+                    status_code=502,
+                    detail=f"Failed to fetch org members from SSO: {response.status_code}",
+                )
+
+            sso_data = response.json()
+
+    except httpx.RequestError as e:
+        logger.error("[WORKERS] SSO request failed: %s", e)
+        raise HTTPException(
+            status_code=502,
+            detail=f"Failed to connect to SSO: {e}",
+        )
+
+    org_members_raw = sso_data.get("members", [])
+    logger.info("[WORKERS] Found %d org members from SSO", len(org_members_raw))
+
+    # Step 2: Get all projects for this tenant
+    stmt = select(Project).where(Project.tenant_id == tenant_id)
+    result = await session.exec(stmt)
+    projects = {p.id: p for p in result.all()}
+
+    # Step 3: Get all project memberships for this tenant's projects
+    # Map: user_id -> list of (project_id, role)
+    user_project_map: dict[str, list[tuple[int, str]]] = {}
+
+    for project_id in projects:
+        stmt = select(ProjectMember, Worker).join(Worker).where(
+            ProjectMember.project_id == project_id
+        )
+        result = await session.exec(stmt)
+        for membership, worker in result.all():
+            if worker.user_id:
+                if worker.user_id not in user_project_map:
+                    user_project_map[worker.user_id] = []
+                user_project_map[worker.user_id].append((project_id, membership.role))
+
+    # Step 4: Build response - merge SSO members with project assignments
+    org_members_with_projects: list[OrgMemberWithProjects] = []
+    unassigned_count = 0
+
+    for member in org_members_raw:
+        user_id = member.get("userId", "")
+        user_projects = user_project_map.get(user_id, [])
+
+        project_infos = [
+            ProjectInfo(
+                id=pid,
+                name=projects[pid].name,
+                role=role,
+            )
+            for pid, role in user_projects
+            if pid in projects
+        ]
+
+        has_access = len(project_infos) > 0
+        if not has_access:
+            unassigned_count += 1
+
+        org_members_with_projects.append(
+            OrgMemberWithProjects(
+                user_id=user_id,
+                email=member.get("email", ""),
+                name=member.get("name") or member.get("email", "").split("@")[0],
+                image=member.get("image"),
+                org_role=member.get("role", "member"),
+                projects=project_infos,
+                has_project_access=has_access,
+            )
+        )
+
+    # Step 5: Get all agents (agents are global, not tied to users)
+    stmt = select(Worker).where(Worker.type == "agent")
+    result = await session.exec(stmt)
+    agents = [
+        {
+            "id": w.id,
+            "handle": w.handle,
+            "name": w.name,
+            "type": w.type,
+            "description": w.description,
+        }
+        for w in result.all()
+    ]
+
+    logger.info(
+        "[WORKERS] Response: %d org members (%d unassigned), %d agents",
+        len(org_members_with_projects),
+        unassigned_count,
+        len(agents),
+    )
+
+    return WorkerListResponse(
+        org_members=org_members_with_projects,
+        agents=agents,
+        total_members=len(org_members_with_projects),
+        total_agents=len(agents),
+        unassigned_count=unassigned_count,
+    )
diff --git a/apps/sso/src/app/api/organizations/[orgId]/members/route.ts b/apps/sso/src/app/api/organizations/[orgId]/members/route.ts
@@ -0,0 +1,77 @@
+/**
+ * API endpoint to list organization members.
+ *
+ * Used by TaskFlow API to sync org members as workers.
+ * Requires the user to be a member of the organization.
+ */
+
+import { auth } from "@/lib/auth";
+import { headers } from "next/headers";
+import { NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { member, user } from "@/lib/db/schema-export";
+import { eq, and } from "drizzle-orm";
+
+export async function GET(
+  request: Request,
+  { params }: { params: Promise<{ orgId: string }> }
+) {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { orgId } = await params;
+
+  try {
+    // Verify user is member of this organization
+    const userMembership = await db.query.member.findFirst({
+      where: and(
+        eq(member.organizationId, orgId),
+        eq(member.userId, session.user.id)
+      ),
+    });
+
+    if (!userMembership) {
+      return NextResponse.json(
+        { error: "Not a member of this organization" },
+        { status: 403 }
+      );
+    }
+
+    // Fetch all members with user details
+    const members = await db
+      .select({
+        userId: user.id,
+        email: user.email,
+        name: user.name,
+        image: user.image,
+        role: member.role,
+        joinedAt: member.createdAt,
+      })
+      .from(member)
+      .innerJoin(user, eq(member.userId, user.id))
+      .where(eq(member.organizationId, orgId));
+
+    return NextResponse.json({
+      organizationId: orgId,
+      members: members.map((m: typeof members[number]) => ({
+        userId: m.userId,
+        email: m.email,
+        name: m.name,
+        image: m.image,
+        role: m.role,
+        joinedAt: m.joinedAt?.toISOString() || null,
+      })),
+    });
+  } catch (error) {
+    console.error("Failed to fetch organization members:", error);
+    return NextResponse.json(
+      { error: "Internal server error" },
+      { status: 500 }
+    );
+  }
+}
diff --git a/apps/web/src/app/workers/page.tsx b/apps/web/src/app/workers/page.tsx
diff --git a/apps/web/src/lib/api.ts b/apps/web/src/lib/api.ts
