feat(api): Sweep remaining single-org assumptions in OSS

[jp-agenta]

Context

After the org-creation PR (#4673), OSS can have multiple organizations, but several code paths still assume exactly one: bare-API-key auth resolves "the" workspace by picking the oldest row, organization/workspace listings return everything in the database instead of the user's memberships, the admin API refuses to delete the legacy oss-default org, and the web sidebar keeps the org switcher disabled outside EE. Sequencing step 4 of the convergence plan.

Changes

API:

• get_default_workspace_id(user_id) (workspace owned by the user, falling back to their oldest membership) moves from db_manager_ee to OSS db_manager; the is_ee() fork in the auth middleware's bare-key path collapses to one call. The OSS-only get_default_workspace_id_oss() (oldest workspace in the whole DB) and get_oss_organization() are deleted.
• GET /organizations/ (OSS branch) now lists the requesting user's organizations via the membership join, with each org's workspaces attached, instead of all orgs plus the first workspace in the database. GET /organizations/{id} scopes its workspace and invitation lookups to the requested org rather than request.state.project_id. GET /workspaces/ returns the user's workspaces instead of all of them.
• Admin API: the oss-default singleton guards are gone (the legacy org is a normal org now; deleting it follows EE semantics), and admin_create_organization always inserts a new row instead of collapsing onto the singleton slug in OSS.

Web (ListOfOrgs.tsx): organization selection is enabled in OSS, the "New organization" item and the owner submenu (transfer/rename/delete) are no longer EE-gated, and the label shows the selected organization's name instead of the hard-coded "Agenta". The Organization settings tab stays EE-gated (its content is domain verification and SSO, which remain EE features).

Tests / notes

• ruff format and ruff check pass; the edited component passes prettier and introduces no tsc errors.
• The get_default_workspace_id unit tests move to oss/tests/pytest/unit/services/test_db_manager.py (the function moved OSS-ward, so patching db_manager_ee's engine no longer reached it). The admin org create/delete round-trip returns to the OSS acceptance suite now that the singleton delete guard is gone.
• Playwright auth bootstrap unified: OSS no longer does the owner-signup + invite + re-login dance; both editions sign up a fresh user directly. AGENTA_TEST_OSS_OWNER_EMAIL remains as an optional fixed-account login for persistent CI deployments.
• Admin membership delete/swap endpoints stay EE-gated; they were not part of the singleton sweep and can be ungated separately if OSS needs them.
• Stacked on feat(api): Add OSS org-creation path and EE-shaped signup flow #4673.

What to QA

• OSS with two orgs (create one via the sidebar): the org switcher lists both, switching works, and each org's sidebar shows only its own workspaces and members.
• Authenticate with a bare API key (no project/workspace query params): requests resolve to the key owner's workspace, not the deployment's oldest workspace.
• As org owner, rename / transfer / delete an org from the sidebar submenu in OSS.
• Regression: a user invited into someone else's org sees that org in the switcher alongside their own.

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agenta-documentation	Ready	Preview, Comment	Jun 14, 2026 6:39pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9ca80d2f-cd12-4d17-898b-988f0a33440e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(api): Sweep remaining single-org assumptions in OSS' clearly and accurately summarizes the main objective—removing remaining single-organization assumptions from the OSS edition.
Docstring Coverage	✅ Passed	Docstring coverage is 90.91% which is sufficient. The required threshold is 60.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description clearly relates to the changeset, detailing removal of single-org assumptions and refactoring workspace/organization resolution across API and web components.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/oss-singleton-sweep

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

api/oss/src/middlewares/auth.py (1)

626-691: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Enforce explicit-scope membership checks in OSS too.

The project_member_exists / workspace_member_exists gate still only runs under is_ee(). After removing OSS singleton assumptions, any authenticated OSS user can pass another organization's project_id or workspace_id in the query string and this middleware will mint a scoped secret token without proving membership in that resource.

api/oss/src/routers/organization_router.py (1)

76-110: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Populate workspaces_by_org before serializing the EE response.

This branch initializes workspaces_by_org = {} and never fills it, so every EE organization now returns workspaces: []. Any client code that relies on Organization.workspaces to keep org/workspace selection in sync loses that relationship.

api/oss/src/routers/workspace_router.py (1)

164-168: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use the route's workspace_id for OSS removals.

The OSS branch ignores the path parameter and forwards request.state.project_id to db_manager.remove_user_from_workspace(). After this PR, callers can target a different workspace than their ambient auth scope, so /workspaces/{workspace_id}/users/ can remove memberships/invitations from the wrong workspace context.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: fda5621b-f8ce-4759-949b-2ed3c92035e4

📥 Commits

Reviewing files that changed from the base of the PR and between 0c8a441 and ab96500.

📒 Files selected for processing (7)

• api/ee/src/services/db_manager_ee.py
• api/oss/src/core/accounts/service.py
• api/oss/src/middlewares/auth.py
• api/oss/src/routers/organization_router.py
• api/oss/src/routers/workspace_router.py
• api/oss/src/services/db_manager.py
• web/oss/src/components/Sidebar/components/ListOfOrgs.tsx

💤 Files with no reviewable changes (1)

• api/oss/src/core/accounts/service.py

[github-actions]

Railway Preview Environment

Preview URL	https://gateway-production-6bf6.up.railway.app/w
Image tag	pr-4675-8fae8fc
Status	Failed
Railway logs	Open logs
Logs	View workflow run
Updated at 2026-06-14T18:46:07.991Z