feat(rbac): grant org-admin to super-admins team members

Members of the bootstrapped `super-admins` team now receive org-admin
authority by writing the `team:super-admins#admin -> admin ->
organization:<key>` tuple during team bootstrap. This lets super-admins
manage and share any resource (e.g. create/transfer custom MCP tools)
without per-resource grants. Idempotent: existing teams are topped up on
the next bootstrap. Covered by new unit tests.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: sriaradhyula

ui/src/lib/rbac/__tests__/super-admins-org-admin-link.test.ts

@@ -0,0 +1,161 @@
+/**
+ * @jest-environment node
+ *
+ * Verifies that `ensureSuperAdminsTeam` wires the Super Admins team to confer
+ * organization-admin by writing the userset tuple
+ * `team:super-admins#admin -> admin -> organization:<key>`.
+ *
+ * assisted-by Cursor claude-opus-4-7
+ */
+
+const mockGetCollection = jest.fn();
+const mockWriteOpenFgaTuples = jest.fn();
+const mockResolveKeycloakUserSubject = jest.fn();
+const mockWriteTeamMembershipTuples = jest.fn();
+const mockMongoRoleToOpenFgaRelations = jest.fn();
+const mockUpsertTeamMembershipSource = jest.fn();
+const mockLoadActiveTeamMembers = jest.fn();
+
+jest.mock("@/lib/mongodb", () => ({
+  getCollection: (...args: unknown[]) => mockGetCollection(...args),
+  isMongoDBConfigured: true,
+}));
+
+jest.mock("@/lib/rbac/openfga", () => ({
+  writeOpenFgaTuples: (...args: unknown[]) => mockWriteOpenFgaTuples(...args),
+}));
+
+jest.mock("@/lib/rbac/team-membership-sync", () => ({
+  resolveKeycloakUserSubject: (...args: unknown[]) => mockResolveKeycloakUserSubject(...args),
+  writeTeamMembershipTuples: (...args: unknown[]) => mockWriteTeamMembershipTuples(...args),
+  mongoRoleToOpenFgaRelations: (...args: unknown[]) => mockMongoRoleToOpenFgaRelations(...args),
+}));
+
+jest.mock("@/lib/rbac/team-membership-source-store", () => ({
+  upsertTeamMembershipSource: (...args: unknown[]) => mockUpsertTeamMembershipSource(...args),
+}));
+
+jest.mock("@/lib/rbac/team-membership-store", () => ({
+  loadActiveTeamMembers: (...args: unknown[]) => mockLoadActiveTeamMembers(...args),
+}));
+
+const ORG_ADMIN_LINK_TUPLE = {
+  user: "team:super-admins#admin",
+  relation: "admin",
+  object: "organization:caipe",
+};
+
+describe("ensureSuperAdminsTeam org-admin linkage", () => {
+  const originalEnv = { ...process.env };
+
+  beforeEach(() => {
+    jest.resetModules();
+    jest.clearAllMocks();
+    process.env = { ...originalEnv };
+    delete process.env.CAIPE_ORG_KEY;
+
+    mockResolveKeycloakUserSubject.mockResolvedValue("sub-a");
+    mockMongoRoleToOpenFgaRelations.mockReturnValue(["admin"]);
+    mockWriteTeamMembershipTuples.mockResolvedValue(undefined);
+    mockUpsertTeamMembershipSource.mockResolvedValue(undefined);
+    mockLoadActiveTeamMembers.mockResolvedValue([]);
+    mockWriteOpenFgaTuples.mockImplementation(async (input: { writes: unknown[] }) => ({
+      enabled: true,
+      writes: input.writes.length,
+      deletes: 0,
+    }));
+  });
+
+  afterAll(() => {
+    process.env = originalEnv;
+  });
+
+  it("writes the org-admin linkage tuple when creating the team", async () => {
+    mockGetCollection.mockResolvedValue({
+      findOne: jest.fn().mockResolvedValue(null),
+      insertOne: jest.fn().mockResolvedValue({ insertedId: "team-id-1" }),
+      updateOne: jest.fn().mockResolvedValue({}),
+    });
+
+    const { ensureSuperAdminsTeam } = await import("../super-admins-team");
+    const result = await ensureSuperAdminsTeam({
+      members: [{ email: "a@cisco.com", userSubject: "sub-a" }],
+      actor: "test",
+    });
+
+    expect(result.status).toBe("created");
+    expect(mockWriteOpenFgaTuples).toHaveBeenCalledWith({
+      writes: [ORG_ADMIN_LINK_TUPLE],
+      deletes: [],
+    });
+  });
+
+  it("writes the org-admin linkage tuple even when the team already exists", async () => {
+    mockGetCollection.mockResolvedValue({
+      findOne: jest.fn().mockResolvedValue({ _id: "team-id-1", slug: "super-admins", created_at: new Date() }),
+      insertOne: jest.fn(),
+      updateOne: jest.fn().mockResolvedValue({}),
+    });
+    // Member already present, so the run is a noop for membership.
+    mockLoadActiveTeamMembers.mockResolvedValue([{ user_email: "a@cisco.com" }]);
+
+    const { ensureSuperAdminsTeam } = await import("../super-admins-team");
+    const result = await ensureSuperAdminsTeam({
+      members: [{ email: "a@cisco.com", userSubject: "sub-a" }],
+      actor: "test",
+    });
+
+    expect(result.status).toBe("noop");
+    expect(mockWriteOpenFgaTuples).toHaveBeenCalledWith({
+      writes: [ORG_ADMIN_LINK_TUPLE],
+      deletes: [],
+    });
+  });
+
+  it("honors a custom org key via CAIPE_ORG_KEY", async () => {
+    process.env.CAIPE_ORG_KEY = "grid";
+    mockGetCollection.mockResolvedValue({
+      findOne: jest.fn().mockResolvedValue(null),
+      insertOne: jest.fn().mockResolvedValue({ insertedId: "team-id-1" }),
+      updateOne: jest.fn().mockResolvedValue({}),
+    });
+
+    const { ensureSuperAdminsTeam } = await import("../super-admins-team");
+    await ensureSuperAdminsTeam({
+      members: [{ email: "a@cisco.com", userSubject: "sub-a" }],
+      actor: "test",
+    });
+
+    expect(mockWriteOpenFgaTuples).toHaveBeenCalledWith({
+      writes: [{ user: "team:super-admins#admin", relation: "admin", object: "organization:grid" }],
+      deletes: [],
+    });
+  });
+
+  it("captures linkage failures in warnings without throwing", async () => {
+    mockWriteOpenFgaTuples.mockRejectedValue(new Error("pdp unavailable"));
+    mockGetCollection.mockResolvedValue({
+      findOne: jest.fn().mockResolvedValue(null),
+      insertOne: jest.fn().mockResolvedValue({ insertedId: "team-id-1" }),
+      updateOne: jest.fn().mockResolvedValue({}),
+    });
+
+    const { ensureSuperAdminsTeam } = await import("../super-admins-team");
+    const result = await ensureSuperAdminsTeam({
+      members: [{ email: "a@cisco.com", userSubject: "sub-a" }],
+      actor: "test",
+    });
+
+    expect(result.warnings).toEqual(
+      expect.arrayContaining([expect.stringContaining("super-admins org-admin linkage")]),
+    );
+  });
+
+  it("skips entirely when no bootstrap admins are configured", async () => {
+    const { ensureSuperAdminsTeam } = await import("../super-admins-team");
+    const result = await ensureSuperAdminsTeam({ members: [], actor: "test" });
+
+    expect(result.status).toBe("skipped");
+    expect(mockWriteOpenFgaTuples).not.toHaveBeenCalled();
+  });
+});

ui/src/lib/rbac/super-admins-team.ts

@@ -26,6 +26,8 @@ import {
 } from "@/lib/rbac/team-membership-sync";
 import { upsertTeamMembershipSource } from "@/lib/rbac/team-membership-source-store";
 import { loadActiveTeamMembers } from "@/lib/rbac/team-membership-store";
+import { writeOpenFgaTuples } from "@/lib/rbac/openfga";
+import { organizationObjectId } from "@/lib/rbac/organization";
 import type { TeamMembershipSource } from "@/types/identity-group-sync";
 
 export const SUPER_ADMINS_TEAM_SLUG = "super-admins";
@@ -87,6 +89,40 @@ interface TeamDoc {
   members?: TeamMemberDoc[];
 }
 
+/**
+ * Idempotently grant every admin of the Super Admins team organization-admin
+ * rights by writing the userset tuple
+ * `team:super-admins#admin -> admin -> organization:<key>`.
+ *
+ * The OpenFGA model already declares `organization#admin: [..., team#admin]`,
+ * so this single tuple makes membership in `super-admins` confer full
+ * org-admin (which `can_manage organization` resolves through). Because the
+ * team model implies `member` from `admin`, and the bootstrap seeds every
+ * Super Admin as `team#admin`, this covers all members of the team.
+ *
+ * `writeOpenFgaTuples` filters out tuples that already exist, so this is a
+ * cheap no-op on every subsequent startup. Failures are captured into the
+ * caller's `warnings` array rather than thrown, matching the
+ * never-throw contract of the surrounding bootstrap.
+ */
+async function ensureSuperAdminsOrgAdminLink(warnings: string[]): Promise<void> {
+  try {
+    await writeOpenFgaTuples({
+      writes: [
+        {
+          user: `team:${SUPER_ADMINS_TEAM_SLUG}#admin`,
+          relation: "admin",
+          object: organizationObjectId(),
+        },
+      ],
+      deletes: [],
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    warnings.push(`super-admins org-admin linkage: failed to write OpenFGA tuple: ${message}`);
+  }
+}
+
 function emptySkipped(reason: string): SuperAdminsBootstrapResult {
   return {
     status: "skipped",
@@ -123,6 +159,11 @@ export async function ensureSuperAdminsTeam(
   const warnings: string[] = [];
   const teams = await getCollection<TeamDoc>("teams");
 
+  // Make membership in the Super Admins team confer organization-admin. This
+  // is independent of the Mongo team document, so we do it up front and it
+  // applies whether we create the team below or top up an existing one.
+  await ensureSuperAdminsOrgAdminLink(warnings);
+
   // Resolve missing Keycloak subjects on the fly so the helper is callable
   // outside of `reconcileBootstrapAdmins` too (e.g. from a test or admin
   // tool). When `userSubject` is already populated we trust it.