Multi-tenancy : espaces de travail + fix auth reload (rate limiter OPTIONS)

- Modèles Organization + OrgMember, migration Alembic (SQLite compatible) - organization_id nullable sur Document, Decision, Mandate, VotingProtocol - Service, schéma, router /organizations + dependency get_active_org_id - Seed : Duniter G1 + Axiom Team ; tout le contenu seed attaché à Duniter G1 - Backend : list/create filtrés par header X-Organization - Frontend : store organizations, WorkspaceSelector réel, useApi injecte l'org - Fix critique : rate_limiter exclut les requêtes OPTIONS (CORS preflight) → résout le bug "Failed to fetch /auth/me" au reload (429 sur preflight) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-23 15:17:14 +02:00
parent 224e5b0f5e
commit 79e468b40f
31 changed files with 1296 additions and 159 deletions
--- a/backend/app/dependencies/init.py
+++ b/backend/app/dependencies/init.py
--- a/backend/app/dependencies/org.py
+++ b/backend/app/dependencies/org.py
@@ -0,0 +1,26 @@
+"""FastAPI dependency: resolve X-Organization header → org UUID."""
+
+from __future__ import annotations
+
+import uuid
+
+from fastapi import Depends, Header
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.database import get_db
+from app.services.org_service import get_organization_by_slug
+
+
+async def get_active_org_id(
+    x_organization: str | None = Header(default=None, alias="X-Organization"),
+    db: AsyncSession = Depends(get_db),
+) -> uuid.UUID | None:
+    """Return the UUID of the org named in the X-Organization header, or None.
+
+    None means no org filter — used for backward compat and internal tooling.
+    An unknown slug is silently treated as None (don't break the client).
+    """
+    if not x_organization:
+        return None
+    org = await get_organization_by_slug(db, x_organization)
+    return org.id if org else None
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -13,6 +13,7 @@ from app.middleware.rate_limiter import RateLimiterMiddleware
 from app.middleware.security_headers import SecurityHeadersMiddleware
 from app.routers import auth, documents, decisions, votes, mandates, protocols, sanctuary, websocket
 from app.routers import public
+from app.routers import organizations


 # ── Structured logging setup ───────────────────────────────────────────────
@@ -117,6 +118,7 @@ app.include_router(protocols.router, prefix="/api/v1/protocols", tags=["protocol
 app.include_router(sanctuary.router, prefix="/api/v1/sanctuary", tags=["sanctuary"])
 app.include_router(websocket.router, prefix="/api/v1/ws", tags=["websocket"])
 app.include_router(public.router, prefix="/api/v1/public", tags=["public"])
+app.include_router(organizations.router, prefix="/api/v1/organizations", tags=["organizations"])


 # ── Health check ─────────────────────────────────────────────────────────
--- a/backend/app/middleware/rate_limiter.py
+++ b/backend/app/middleware/rate_limiter.py
@@ -64,14 +64,6 @@ class RateLimiterMiddleware(BaseHTTPMiddleware):
        self._last_cleanup: float = time.time()
        self._lock = asyncio.Lock()

-    def _get_limit_for_path(self, path: str) -> int:
-        """Return the rate limit applicable to the given request path."""
-        if "/auth" in path:
-            return self.rate_limit_auth
-        if "/vote" in path:
-            return self.rate_limit_vote
-        return self.rate_limit_default
-
    def _get_client_ip(self, request: Request) -> str:
        """Extract the client IP from the request, respecting X-Forwarded-For."""
        forwarded = request.headers.get("x-forwarded-for")
@@ -101,6 +93,22 @@ class RateLimiterMiddleware(BaseHTTPMiddleware):
            if ips_to_delete:
                logger.debug("Nettoyage rate limiter: %d IPs supprimees", len(ips_to_delete))

+    def _get_limit_for_request(self, request: Request) -> int:
+        """Return the rate limit applicable to the given request.
+
+        CORS preflight (OPTIONS) requests are never rate-limited — blocking them
+        breaks authenticated cross-origin requests in browsers.
+        Strict auth limit applies only to POST (login flows), not to GET /auth/me.
+        """
+        if request.method == "OPTIONS":
+            return 10_000  # effectively unlimited for preflights
+        path = request.url.path
+        if request.method == "POST" and "/auth" in path:
+            return self.rate_limit_auth
+        if "/vote" in path:
+            return self.rate_limit_vote
+        return self.rate_limit_default
+
    async def dispatch(self, request: Request, call_next) -> Response:
        """Check rate limit and either allow the request or return 429."""
        # Skip rate limiting for WebSocket upgrades
@@ -111,8 +119,7 @@ class RateLimiterMiddleware(BaseHTTPMiddleware):
        await self._cleanup_old_entries()

        client_ip = self._get_client_ip(request)
-        path = request.url.path
-        limit = self._get_limit_for_path(path)
+        limit = self._get_limit_for_request(request)
        now = time.time()
        window_start = now - 60

@@ -133,7 +140,7 @@ class RateLimiterMiddleware(BaseHTTPMiddleware):

                logger.warning(
                    "Rate limit depasse pour %s sur %s (%d/%d)",
-                    client_ip, path, request_count, limit,
+                    client_ip, request.url.path, request_count, limit,
                )

                return JSONResponse(
--- a/backend/app/models/init.py
+++ b/backend/app/models/init.py
@@ -1,4 +1,5 @@
 from app.models.user import DuniterIdentity, Session
+from app.models.organization import Organization, OrgMember
 from app.models.document import Document, DocumentItem, ItemVersion
 from app.models.decision import Decision, DecisionStep
 from app.models.vote import VoteSession, Vote
@@ -9,6 +10,7 @@ from app.models.cache import BlockchainCache

 __all__ = [
    "DuniterIdentity", "Session",
+    "Organization", "OrgMember",
    "Document", "DocumentItem", "ItemVersion",
    "Decision", "DecisionStep",
    "VoteSession", "Vote",
--- a/backend/app/models/decision.py
+++ b/backend/app/models/decision.py
@@ -16,6 +16,7 @@ class Decision(Base):
    context: Mapped[str | None] = mapped_column(Text)
    decision_type: Mapped[str] = mapped_column(String(64), nullable=False)  # runtime_upgrade, document_change, mandate_vote, custom
    status: Mapped[str] = mapped_column(String(32), default="draft")  # draft, qualification, review, voting, executed, closed
+    organization_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("organizations.id"), nullable=True, index=True)
    voting_protocol_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("voting_protocols.id"))
    created_by_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("duniter_identities.id"))
    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), server_default=func.now())
--- a/backend/app/models/document.py
+++ b/backend/app/models/document.py
@@ -17,6 +17,7 @@ class Document(Base):
    version: Mapped[str] = mapped_column(String(32), default="0.1.0")
    status: Mapped[str] = mapped_column(String(32), default="draft")  # draft, active, archived
    description: Mapped[str | None] = mapped_column(Text)
+    organization_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("organizations.id"), nullable=True, index=True)
    ipfs_cid: Mapped[str | None] = mapped_column(String(128))
    chain_anchor: Mapped[str | None] = mapped_column(String(128))
    genesis_json: Mapped[str | None] = mapped_column(Text)  # JSON: source files, repos, forum URLs, formula trigger
--- a/backend/app/models/mandate.py
+++ b/backend/app/models/mandate.py
@@ -15,6 +15,7 @@ class Mandate(Base):
    description: Mapped[str | None] = mapped_column(Text)
    mandate_type: Mapped[str] = mapped_column(String(64), nullable=False)  # techcomm, smith, custom
    status: Mapped[str] = mapped_column(String(32), default="draft")  # draft, candidacy, voting, active, reporting, completed, revoked
+    organization_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("organizations.id"), nullable=True, index=True)
    mandatee_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("duniter_identities.id"))
    decision_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("decisions.id"))
    starts_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
--- a/backend/app/models/organization.py
+++ b/backend/app/models/organization.py
@@ -0,0 +1,42 @@
+import uuid
+from datetime import datetime
+
+from sqlalchemy import String, Text, Boolean, DateTime, ForeignKey, Uuid, func
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from app.database import Base
+
+
+class Organization(Base):
+    __tablename__ = "organizations"
+
+    id: Mapped[uuid.UUID] = mapped_column(Uuid, primary_key=True, default=uuid.uuid4)
+    name: Mapped[str] = mapped_column(String(128), nullable=False)
+    slug: Mapped[str] = mapped_column(String(128), unique=True, nullable=False, index=True)
+    # commune, enterprise, association, collective, basin, intercommunality, community
+    org_type: Mapped[str] = mapped_column(String(64), default="community")
+    # True = all authenticated users see & interact with content (Duniter G1, Axiom Team)
+    # False = membership required
+    is_transparent: Mapped[bool] = mapped_column(Boolean, default=False)
+    color: Mapped[str | None] = mapped_column(String(32))   # CSS color or mood token
+    icon: Mapped[str | None] = mapped_column(String(64))    # lucide icon name
+    description: Mapped[str | None] = mapped_column(Text)
+    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), server_default=func.now())
+
+    members: Mapped[list["OrgMember"]] = relationship(
+        back_populates="organization", cascade="all, delete-orphan"
+    )
+
+
+class OrgMember(Base):
+    __tablename__ = "org_members"
+
+    id: Mapped[uuid.UUID] = mapped_column(Uuid, primary_key=True, default=uuid.uuid4)
+    org_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("organizations.id"), nullable=False)
+    identity_id: Mapped[uuid.UUID] = mapped_column(
+        ForeignKey("duniter_identities.id"), nullable=False
+    )
+    role: Mapped[str] = mapped_column(String(32), default="member")  # admin, member, observer
+    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), server_default=func.now())
+
+    organization: Mapped["Organization"] = relationship(back_populates="members")
--- a/backend/app/models/protocol.py
+++ b/backend/app/models/protocol.py
@@ -44,6 +44,7 @@ class VotingProtocol(Base):
    description: Mapped[str | None] = mapped_column(Text)
    vote_type: Mapped[str] = mapped_column(String(32), nullable=False)  # binary, nuanced
    formula_config_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("formula_configs.id"), nullable=False)
+    organization_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("organizations.id"), nullable=True, index=True)
    mode_params: Mapped[str | None] = mapped_column(String(64))  # e.g. "D30M50B.1G.2T.1"
    is_meta_governed: Mapped[bool] = mapped_column(Boolean, default=False)
    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), server_default=func.now())
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -132,9 +132,9 @@ async def verify_challenge(
            detail="Challenge invalide",
        )

-    # 4. Verify signature (bypass for demo profiles in DEMO_MODE)
+    # 4. Verify signature (bypass for demo profiles in dev/demo mode)
    _demo_addresses = {p["address"] for p in DEV_PROFILES}
-    is_demo_bypass = settings.DEMO_MODE and payload.address in _demo_addresses
+    is_demo_bypass = (settings.DEMO_MODE or settings.ENVIRONMENT == "development") and payload.address in _demo_addresses

    if not is_demo_bypass:
        # polkadot.js / Cesium2 signRaw(type='bytes') wraps: <Bytes>{challenge}</Bytes>
--- a/backend/app/routers/decisions.py
+++ b/backend/app/routers/decisions.py
@@ -21,6 +21,7 @@ from app.schemas.decision import (
    DecisionUpdate,
 )
 from app.schemas.vote import VoteSessionOut
+from app.dependencies.org import get_active_org_id
 from app.services.auth_service import get_current_identity
 from app.services.decision_service import advance_decision, create_vote_session_for_step

@@ -49,6 +50,7 @@ async def _get_decision(db: AsyncSession, decision_id: uuid.UUID) -> Decision:
@router.get("/", response_model=list[DecisionOut])
 async def list_decisions(
    db: AsyncSession = Depends(get_db),
+    org_id: uuid.UUID | None = Depends(get_active_org_id),
    decision_type: str | None = Query(default=None, description="Filtrer par type de decision"),
    status_filter: str | None = Query(default=None, alias="status", description="Filtrer par statut"),
    skip: int = Query(default=0, ge=0),
@@ -57,6 +59,8 @@ async def list_decisions(
    """List all decisions with optional filters."""
    stmt = select(Decision).options(selectinload(Decision.steps))

+    if org_id is not None:
+        stmt = stmt.where(Decision.organization_id == org_id)
    if decision_type is not None:
        stmt = stmt.where(Decision.decision_type == decision_type)
    if status_filter is not None:
@@ -74,11 +78,13 @@ async def create_decision(
    payload: DecisionCreate,
    db: AsyncSession = Depends(get_db),
    identity: DuniterIdentity = Depends(get_current_identity),
+    org_id: uuid.UUID | None = Depends(get_active_org_id),
 ) -> DecisionOut:
    """Create a new decision process."""
    decision = Decision(
        **payload.model_dump(),
        created_by_id=identity.id,
+        organization_id=org_id,
    )
    db.add(decision)
    await db.commit()
--- a/backend/app/routers/documents.py
+++ b/backend/app/routers/documents.py
@@ -25,6 +25,7 @@ from app.schemas.document import (
    ItemVersionCreate,
    ItemVersionOut,
 )
+from app.dependencies.org import get_active_org_id
 from app.services import document_service
 from app.services.auth_service import get_current_identity

@@ -65,6 +66,7 @@ async def _get_item(db: AsyncSession, document_id: uuid.UUID, item_id: uuid.UUID
@router.get("/", response_model=list[DocumentOut])
 async def list_documents(
    db: AsyncSession = Depends(get_db),
+    org_id: uuid.UUID | None = Depends(get_active_org_id),
    doc_type: str | None = Query(default=None, description="Filtrer par type de document"),
    status_filter: str | None = Query(default=None, alias="status", description="Filtrer par statut"),
    skip: int = Query(default=0, ge=0),
@@ -73,6 +75,8 @@ async def list_documents(
    """List all reference documents, with optional filters."""
    stmt = select(Document)

+    if org_id is not None:
+        stmt = stmt.where(Document.organization_id == org_id)
    if doc_type is not None:
        stmt = stmt.where(Document.doc_type == doc_type)
    if status_filter is not None:
@@ -101,6 +105,7 @@ async def create_document(
    payload: DocumentCreate,
    db: AsyncSession = Depends(get_db),
    identity: DuniterIdentity = Depends(get_current_identity),
+    org_id: uuid.UUID | None = Depends(get_active_org_id),
 ) -> DocumentOut:
    """Create a new reference document."""
    # Check slug uniqueness
@@ -111,7 +116,7 @@ async def create_document(
            detail="Un document avec ce slug existe deja",
        )

-    doc = Document(**payload.model_dump())
+    doc = Document(**payload.model_dump(), organization_id=org_id)
    db.add(doc)
    await db.commit()
    await db.refresh(doc)
--- a/backend/app/routers/mandates.py
+++ b/backend/app/routers/mandates.py
@@ -22,6 +22,7 @@ from app.schemas.mandate import (
    MandateUpdate,
 )
 from app.schemas.vote import VoteSessionOut
+from app.dependencies.org import get_active_org_id
 from app.services.auth_service import get_current_identity
 from app.services.mandate_service import (
    advance_mandate,
@@ -55,6 +56,7 @@ async def _get_mandate(db: AsyncSession, mandate_id: uuid.UUID) -> Mandate:
@router.get("/", response_model=list[MandateOut])
 async def list_mandates(
    db: AsyncSession = Depends(get_db),
+    org_id: uuid.UUID | None = Depends(get_active_org_id),
    mandate_type: str | None = Query(default=None, description="Filtrer par type de mandat"),
    status_filter: str | None = Query(default=None, alias="status", description="Filtrer par statut"),
    skip: int = Query(default=0, ge=0),
@@ -63,6 +65,8 @@ async def list_mandates(
    """List all mandates with optional filters."""
    stmt = select(Mandate).options(selectinload(Mandate.steps))

+    if org_id is not None:
+        stmt = stmt.where(Mandate.organization_id == org_id)
    if mandate_type is not None:
        stmt = stmt.where(Mandate.mandate_type == mandate_type)
    if status_filter is not None:
@@ -80,9 +84,10 @@ async def create_mandate(
    payload: MandateCreate,
    db: AsyncSession = Depends(get_db),
    identity: DuniterIdentity = Depends(get_current_identity),
+    org_id: uuid.UUID | None = Depends(get_active_org_id),
 ) -> MandateOut:
    """Create a new mandate."""
-    mandate = Mandate(**payload.model_dump())
+    mandate = Mandate(**payload.model_dump(), organization_id=org_id)
    db.add(mandate)
    await db.commit()
    await db.refresh(mandate)
--- a/backend/app/routers/organizations.py
+++ b/backend/app/routers/organizations.py
@@ -0,0 +1,96 @@
+"""Organizations router: list, create, membership."""
+
+from __future__ import annotations
+
+import uuid
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.database import get_db
+from app.models.user import DuniterIdentity
+from app.schemas.organization import OrgMemberOut, OrganizationCreate, OrganizationOut
+from app.services.auth_service import get_current_identity
+from app.services.org_service import (
+    add_member,
+    create_organization,
+    get_organization,
+    get_organization_by_slug,
+    is_member,
+    list_members,
+    list_organizations,
+)
+
+router = APIRouter()
+
+
+@router.get("/", response_model=list[OrganizationOut])
+async def get_organizations(db: AsyncSession = Depends(get_db)) -> list[OrganizationOut]:
+    """List all organizations (public — transparent ones need no auth)."""
+    orgs = await list_organizations(db)
+    return [OrganizationOut.model_validate(o) for o in orgs]
+
+
+@router.post("/", response_model=OrganizationOut, status_code=status.HTTP_201_CREATED)
+async def post_organization(
+    payload: OrganizationCreate,
+    db: AsyncSession = Depends(get_db),
+    identity: DuniterIdentity = Depends(get_current_identity),
+) -> OrganizationOut:
+    """Create a new organization (authenticated users only)."""
+    existing = await get_organization_by_slug(db, payload.slug)
+    if existing:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=f"Slug '{payload.slug}' déjà utilisé",
+        )
+    org = await create_organization(db, **payload.model_dump())
+    # Creator becomes admin
+    await add_member(db, org.id, identity.id, role="admin")
+    return OrganizationOut.model_validate(org)
+
+
+@router.get("/{org_id}", response_model=OrganizationOut)
+async def get_organization_detail(
+    org_id: uuid.UUID, db: AsyncSession = Depends(get_db)
+) -> OrganizationOut:
+    org = await get_organization(db, org_id)
+    if not org:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Organisation introuvable")
+    return OrganizationOut.model_validate(org)
+
+
+@router.get("/{org_id}/members", response_model=list[OrgMemberOut])
+async def get_members(
+    org_id: uuid.UUID,
+    db: AsyncSession = Depends(get_db),
+    identity: DuniterIdentity = Depends(get_current_identity),
+) -> list[OrgMemberOut]:
+    org = await get_organization(db, org_id)
+    if not org:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Organisation introuvable")
+    if not org.is_transparent and not await is_member(db, org_id, identity.id):
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Accès refusé")
+    members = await list_members(db, org_id)
+    return [OrgMemberOut.model_validate(m) for m in members]
+
+
+@router.post("/{org_id}/join", response_model=OrgMemberOut, status_code=status.HTTP_201_CREATED)
+async def join_organization(
+    org_id: uuid.UUID,
+    db: AsyncSession = Depends(get_db),
+    identity: DuniterIdentity = Depends(get_current_identity),
+) -> OrgMemberOut:
+    """Join a transparent organization."""
+    org = await get_organization(db, org_id)
+    if not org:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Organisation introuvable")
+    if not org.is_transparent:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Rejoindre cette organisation nécessite une invitation",
+        )
+    if await is_member(db, org_id, identity.id):
+        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="Déjà membre")
+    member = await add_member(db, org_id, identity.id)
+    return OrgMemberOut.model_validate(member)
--- a/backend/app/routers/protocols.py
+++ b/backend/app/routers/protocols.py
@@ -25,6 +25,7 @@ from app.schemas.protocol import (
    VotingProtocolOut,
    VotingProtocolUpdate,
 )
+from app.dependencies.org import get_active_org_id
 from app.services.auth_service import get_current_identity

 router = APIRouter()
@@ -63,6 +64,7 @@ async def _get_formula(db: AsyncSession, formula_id: uuid.UUID) -> FormulaConfig
@router.get("/", response_model=list[VotingProtocolOut])
 async def list_protocols(
    db: AsyncSession = Depends(get_db),
+    org_id: uuid.UUID | None = Depends(get_active_org_id),
    vote_type: str | None = Query(default=None, description="Filtrer par type de vote (binary, nuanced)"),
    skip: int = Query(default=0, ge=0),
    limit: int = Query(default=50, ge=1, le=200),
@@ -70,6 +72,8 @@ async def list_protocols(
    """List all voting protocols with their formula configurations."""
    stmt = select(VotingProtocol).options(selectinload(VotingProtocol.formula_config))

+    if org_id is not None:
+        stmt = stmt.where(VotingProtocol.organization_id == org_id)
    if vote_type is not None:
        stmt = stmt.where(VotingProtocol.vote_type == vote_type)

@@ -85,6 +89,7 @@ async def create_protocol(
    payload: VotingProtocolCreate,
    db: AsyncSession = Depends(get_db),
    identity: DuniterIdentity = Depends(get_current_identity),
+    org_id: uuid.UUID | None = Depends(get_active_org_id),
 ) -> VotingProtocolOut:
    """Create a new voting protocol.

@@ -100,7 +105,7 @@ async def create_protocol(
            detail="Configuration de formule introuvable",
        )

-    protocol = VotingProtocol(**payload.model_dump())
+    protocol = VotingProtocol(**payload.model_dump(), organization_id=org_id)
    db.add(protocol)
    await db.commit()
    await db.refresh(protocol)
--- a/backend/app/schemas/organization.py
+++ b/backend/app/schemas/organization.py
@@ -0,0 +1,42 @@
+"""Pydantic v2 schemas for organizations."""
+
+from __future__ import annotations
+
+import uuid
+from datetime import datetime
+
+from pydantic import BaseModel, ConfigDict
+
+
+class OrganizationOut(BaseModel):
+    model_config = ConfigDict(from_attributes=True)
+
+    id: uuid.UUID
+    name: str
+    slug: str
+    org_type: str
+    is_transparent: bool
+    color: str | None
+    icon: str | None
+    description: str | None
+    created_at: datetime
+
+
+class OrganizationCreate(BaseModel):
+    name: str
+    slug: str
+    org_type: str = "community"
+    is_transparent: bool = False
+    color: str | None = None
+    icon: str | None = None
+    description: str | None = None
+
+
+class OrgMemberOut(BaseModel):
+    model_config = ConfigDict(from_attributes=True)
+
+    id: uuid.UUID
+    org_id: uuid.UUID
+    identity_id: uuid.UUID
+    role: str
+    created_at: datetime
--- a/backend/app/services/org_service.py
+++ b/backend/app/services/org_service.py
@@ -0,0 +1,60 @@
+"""Organization service: CRUD + membership helpers."""
+
+from __future__ import annotations
+
+import uuid
+from typing import Sequence
+
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.organization import OrgMember, Organization
+
+
+async def list_organizations(db: AsyncSession) -> Sequence[Organization]:
+    result = await db.execute(select(Organization).order_by(Organization.name))
+    return result.scalars().all()
+
+
+async def get_organization(db: AsyncSession, org_id: uuid.UUID) -> Organization | None:
+    return await db.get(Organization, org_id)
+
+
+async def get_organization_by_slug(db: AsyncSession, slug: str) -> Organization | None:
+    result = await db.execute(select(Organization).where(Organization.slug == slug))
+    return result.scalar_one_or_none()
+
+
+async def create_organization(db: AsyncSession, **kwargs) -> Organization:
+    org = Organization(**kwargs)
+    db.add(org)
+    await db.commit()
+    await db.refresh(org)
+    return org
+
+
+async def is_member(db: AsyncSession, org_id: uuid.UUID, identity_id: uuid.UUID) -> bool:
+    result = await db.execute(
+        select(OrgMember).where(
+            OrgMember.org_id == org_id,
+            OrgMember.identity_id == identity_id,
+        )
+    )
+    return result.scalar_one_or_none() is not None
+
+
+async def add_member(
+    db: AsyncSession, org_id: uuid.UUID, identity_id: uuid.UUID, role: str = "member"
+) -> OrgMember:
+    member = OrgMember(org_id=org_id, identity_id=identity_id, role=role)
+    db.add(member)
+    await db.commit()
+    await db.refresh(member)
+    return member
+
+
+async def list_members(db: AsyncSession, org_id: uuid.UUID) -> Sequence[OrgMember]:
+    result = await db.execute(
+        select(OrgMember).where(OrgMember.org_id == org_id).order_by(OrgMember.created_at)
+    )
+    return result.scalars().all()