feat(sub-org): sub-organization menu selector UI/UX improvements

backend/src/ee/routes/v1/sub-org-router.ts

@@ -2,8 +2,10 @@ import { z } from "zod";
 
 import { OrganizationsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SubOrgOrderBy } from "@app/ee/services/sub-org/sub-org-types";
 import { ApiDocsTags, SUB_ORGANIZATIONS } from "@app/lib/api-docs";
 import { pick } from "@app/lib/fn";
+import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { GenericResourceNameSchema, slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -27,6 +29,7 @@ export const registerSubOrgRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       hide: false,
+      operationId: "createSubOrganization",
       tags: [ApiDocsTags.SubOrganizations],
       description: "Create a sub organization",
       security: [
@@ -49,7 +52,7 @@ export const registerSubOrgRouter = async (server: FastifyZodProvider) => {
       const { organization } = await server.services.subOrganization.createSubOrg({
         name: req.body.name,
         slug: req.body.slug,
-        permissionActor: req.permission
+        permission: req.permission
       });
 
       await server.services.auditLog.createAuditLog({
@@ -76,6 +79,7 @@ export const registerSubOrgRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       hide: false,
+      operationId: "listSubOrganizations",
       tags: [ApiDocsTags.SubOrganizations],
       description: "List of sub organizations",
       security: [
@@ -86,6 +90,12 @@ export const registerSubOrgRouter = async (server: FastifyZodProvider) => {
       querystring: z.object({
         limit: z.coerce.number().min(1).max(1000).default(25).describe(SUB_ORGANIZATIONS.LIST.limit),
         offset: z.coerce.number().min(0).default(0).describe(SUB_ORGANIZATIONS.LIST.offset),
+        search: z.string().trim().optional().describe(SUB_ORGANIZATIONS.LIST.search),
+        orderBy: z.nativeEnum(SubOrgOrderBy).default(SubOrgOrderBy.Name).describe(SUB_ORGANIZATIONS.LIST.orderBy),
+        orderDirection: z
+          .nativeEnum(OrderByDirection)
+          .default(OrderByDirection.ASC)
+          .describe(SUB_ORGANIZATIONS.LIST.orderDirection),
         isAccessible: z
           .enum(["true", "false"])
           .optional()
@@ -94,22 +104,26 @@ export const registerSubOrgRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          organizations: sanitizedSubOrganizationSchema.array()
+          organizations: sanitizedSubOrganizationSchema.array(),
+          totalCount: z.number()
         })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const { organizations } = await server.services.subOrganization.listSubOrgs({
-        permissionActor: req.permission,
+      const { organizations, totalCount } = await server.services.subOrganization.listSubOrgs({
+        permission: req.permission,
         data: {
           limit: req.query.limit,
           offset: req.query.offset,
+          search: req.query.search,
+          orderBy: req.query.orderBy,
+          orderDirection: req.query.orderDirection,
           isAccessible: req.query.isAccessible
         }
       });
 
-      return { organizations };
+      return { organizations, totalCount };
     }
   });
 
@@ -121,6 +135,7 @@ export const registerSubOrgRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       hide: false,
+      operationId: "updateSubOrganization",
       tags: [ApiDocsTags.SubOrganizations],
       description: "Update a sub organization",
       security: [
@@ -151,7 +166,7 @@ export const registerSubOrgRouter = async (server: FastifyZodProvider) => {
         subOrgId: req.params.subOrgId,
         name: req.body.name,
         slug: req.body.slug,
-        permissionActor: req.permission
+        permission: req.permission
       });
 
       await server.services.auditLog.createAuditLog({
@@ -169,4 +184,100 @@ export const registerSubOrgRouter = async (server: FastifyZodProvider) => {
       return { organization };
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/:subOrgId/memberships",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      operationId: "createSubOrganizationMembership",
+      tags: [ApiDocsTags.SubOrganizations],
+      description: "Join a sub organization",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        subOrgId: z.string().trim().describe(SUB_ORGANIZATIONS.JOIN.subOrgId)
+      }),
+      response: {
+        200: z.object({
+          organization: sanitizedSubOrganizationSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { organization } = await server.services.subOrganization.joinSubOrg({
+        subOrgId: req.params.subOrgId,
+        permission: req.permission
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.JOIN_SUB_ORGANIZATION,
+          metadata: {
+            ...pick(organization, ["name", "slug"]),
+            organizationId: organization.id
+          }
+        }
+      });
+
+      return { organization };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:subOrgId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      operationId: "deleteSubOrganization",
+      tags: [ApiDocsTags.SubOrganizations],
+      description: "Delete a sub organization",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        subOrgId: z.string().trim().describe(SUB_ORGANIZATIONS.DELETE.subOrgId)
+      }),
+      response: {
+        200: z.object({
+          organization: sanitizedSubOrganizationSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { organization } = await server.services.subOrganization.deleteSubOrg({
+        subOrgId: req.params.subOrgId,
+        permission: req.permission
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.DELETE_SUB_ORGANIZATION,
+          metadata: {
+            ...pick(organization, ["name", "slug"]),
+            organizationId: organization.id
+          }
+        }
+      });
+
+      return { organization };
+    }
+  });
 };

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -167,6 +167,8 @@ export enum EventType {
 
   CREATE_SUB_ORGANIZATION = "create-sub-organization",
   UPDATE_SUB_ORGANIZATION = "update-sub-organization",
+  DELETE_SUB_ORGANIZATION = "delete-sub-organization",
+  JOIN_SUB_ORGANIZATION = "join-sub-organization",
 
   CREATE_IDENTITY = "create-identity",
   UPDATE_IDENTITY = "update-identity",
@@ -805,6 +807,24 @@ interface UpdateSubOrganizationEvent {
   };
 }
 
+interface DeleteSubOrganizationEvent {
+  type: EventType.DELETE_SUB_ORGANIZATION;
+  metadata: {
+    name: string;
+    slug: string;
+    organizationId: string;
+  };
+}
+
+interface JoinSubOrganizationEvent {
+  type: EventType.JOIN_SUB_ORGANIZATION;
+  metadata: {
+    name: string;
+    slug: string;
+    organizationId: string;
+  };
+}
+
 type TSecretMetadata = { key: string; value: string }[];
 
 interface GetSecretEvent {
@@ -5186,6 +5206,8 @@ interface ListDynamicSecretLeasesEvent {
 export type Event =
   | CreateSubOrganizationEvent
   | UpdateSubOrganizationEvent
+  | DeleteSubOrganizationEvent
+  | JoinSubOrganizationEvent
   | GetSecretsEvent
   | GetSecretEvent
   | CreateSecretEvent

backend/src/ee/services/permission/org-permission.ts

@@ -17,6 +17,8 @@ export enum OrgPermissionActions {
 
 export enum OrgPermissionSubOrgActions {
   Create = "create",
+  Edit = "edit",
+  Delete = "delete",
   DirectAccess = "direct-access",
   LinkGroup = "link-group"
 }
@@ -196,12 +198,9 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
   }),
   z.object({
     subject: z.literal(OrgPermissionSubjects.SubOrganization).describe("The entity this permission pertains to."),
-    // Use CASL_ACTION_SCHEMA_ENUM so OpenAPI anyOf structure matches reference (string enum + array), avoiding oasdiff breaking change
-    action: CASL_ACTION_SCHEMA_ENUM([
-      OrgPermissionSubOrgActions.Create,
-      OrgPermissionSubOrgActions.DirectAccess,
-      OrgPermissionSubOrgActions.LinkGroup
-    ]).describe("Describe what action an entity can take.")
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionSubOrgActions).describe(
+      "Describe what action an entity can take."
+    )
   }),
   z.object({
     subject: z.literal(OrgPermissionSubjects.Member).describe("The entity this permission pertains to."),
@@ -328,6 +327,8 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Create, OrgPermissionSubjects.Project);
 
   can(OrgPermissionSubOrgActions.Create, OrgPermissionSubjects.SubOrganization);
+  can(OrgPermissionSubOrgActions.Edit, OrgPermissionSubjects.SubOrganization);
+  can(OrgPermissionSubOrgActions.Delete, OrgPermissionSubjects.SubOrganization);
   can(OrgPermissionSubOrgActions.DirectAccess, OrgPermissionSubjects.SubOrganization);
   can(OrgPermissionSubOrgActions.LinkGroup, OrgPermissionSubjects.SubOrganization);