M1: OrgBoard — organizations, teams, seats, the board & cartable

OrgBoard module (references SharedKernel only; RBAC via ICurrentUser/IPermissionService):
- Organization, Team, Seat (human/open/ai), WorkItem (board task: type, status, assignee,
  parent) entities; internal OrgBoardDbContext (schema "orgboard") + InitialOrgBoard
  migration; design-time factory. (WorkItem avoids the System.Threading.Tasks.Task clash.)
- Endpoints under /api/orgboard, every mutation permission-checked at the scope chain
  [team, org]: POST /organizations, POST/GET /teams, POST /tasks, GET /board (columns
  backlog->in progress->in review->done), PATCH /tasks/{id}/move, /assign, GET /cartable.

Test isolation: integration tests now use IClassFixture so each class gets its own
pgvector container (the bootstrap-once rule made a shared container collide).

Verified: build green; ArchitectureTests 8/8 (OrgBoard references only SharedKernel);
IntegrationTests 12/12 incl. a new board flow — owner sets up org+team, creates/moves/
assigns a task, sees it on the board and in the cartable; an invited Member can view the
board but is 403'd from creating a team.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/Modules/TeamUp.Modules.OrgBoard/Endpoints/OrgBoardEndpoints.cs

@@ -0,0 +1,223 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.EntityFrameworkCore;
+using TeamUp.Modules.OrgBoard.Domain;
+using TeamUp.Modules.OrgBoard.Persistence;
+using TeamUp.SharedKernel.Access;
+using TeamUp.SharedKernel.Modularity;
+
+namespace TeamUp.Modules.OrgBoard.Endpoints;
+
+internal static class OrgBoardEndpoints
+{
+    public static void Map(IEndpointRouteBuilder endpoints)
+    {
+        var group = endpoints.MapGroup("/api/orgboard").WithTags("OrgBoard");
+
+        group.MapGet("/ping", () => TypedResults.Ok(new ModulePing("orgboard")));
+        group.MapPost("/organizations", CreateOrganization).RequireAuthorization();
+        group.MapPost("/teams", CreateTeam).RequireAuthorization();
+        group.MapGet("/teams", ListTeams).RequireAuthorization();
+        group.MapPost("/tasks", CreateTask).RequireAuthorization();
+        group.MapGet("/board", GetBoard).RequireAuthorization();
+        group.MapPatch("/tasks/{id:guid}/move", MoveTask).RequireAuthorization();
+        group.MapPatch("/tasks/{id:guid}/assign", AssignTask).RequireAuthorization();
+        group.MapGet("/cartable", Cartable).RequireAuthorization();
+    }
+
+    private static TaskResponse ToResponse(WorkItem item) => new(
+        item.Id, item.TeamId, item.Title, item.Description,
+        item.Type.ToString(), item.Status.ToString(), item.AssigneeKind.ToString(),
+        item.AssigneeId, item.ParentId);
+
+    private static async Task<IResult> CreateOrganization(
+        CreateOrganizationRequest request, IPermissionService permissions,
+        OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        if (!permissions.Has(Capability.CreateProductsAndTeams, ScopeRef.Org(request.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        if (string.IsNullOrWhiteSpace(request.Name))
+        {
+            return Results.BadRequest("Name is required.");
+        }
+
+        var organization = await db.Organizations.FirstOrDefaultAsync(o => o.Id == request.OrganizationId, ct);
+        if (organization is null)
+        {
+            organization = new Organization(request.OrganizationId, request.Name.Trim(), clock.GetUtcNow());
+            db.Organizations.Add(organization);
+        }
+        else
+        {
+            organization.Rename(request.Name.Trim());
+        }
+
+        await db.SaveChangesAsync(ct);
+        return Results.Ok(new OrganizationResponse(organization.Id, organization.Name));
+    }
+
+    private static async Task<IResult> CreateTeam(
+        CreateTeamRequest request, IPermissionService permissions,
+        OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        if (!permissions.Has(Capability.CreateProductsAndTeams, ScopeRef.Org(request.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        if (string.IsNullOrWhiteSpace(request.Name))
+        {
+            return Results.BadRequest("Name is required.");
+        }
+
+        if (!await db.Organizations.AnyAsync(o => o.Id == request.OrganizationId, ct))
+        {
+            return Results.BadRequest("Organization does not exist; create it first.");
+        }
+
+        var team = new Team(request.OrganizationId, request.Name.Trim(), clock.GetUtcNow());
+        db.Teams.Add(team);
+        await db.SaveChangesAsync(ct);
+        return Results.Ok(new TeamResponse(team.Id, team.OrganizationId, team.Name));
+    }
+
+    private static async Task<IResult> ListTeams(
+        Guid organizationId, IPermissionService permissions, OrgBoardDbContext db, CancellationToken ct)
+    {
+        if (!permissions.Has(Capability.ViewBoard, ScopeRef.Org(organizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        var teams = await db.Teams
+            .Where(t => t.OrganizationId == organizationId)
+            .OrderBy(t => t.CreatedAtUtc)
+            .Select(t => new TeamResponse(t.Id, t.OrganizationId, t.Name))
+            .ToListAsync(ct);
+
+        return Results.Ok(teams);
+    }
+
+    private static async Task<IResult> CreateTask(
+        CreateTaskRequest request, ICurrentUser user, IPermissionService permissions,
+        OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        var team = await db.Teams.FirstOrDefaultAsync(t => t.Id == request.TeamId, ct);
+        if (team is null)
+        {
+            return Results.NotFound("Team not found.");
+        }
+
+        if (!permissions.Has(Capability.WorkTasks, ScopeRef.Team(team.Id), ScopeRef.Org(team.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        if (string.IsNullOrWhiteSpace(request.Title))
+        {
+            return Results.BadRequest("Title is required.");
+        }
+
+        var item = new WorkItem(team.Id, request.Title.Trim(), request.Description, request.Type, user.MemberId, clock.GetUtcNow());
+        db.WorkItems.Add(item);
+        await db.SaveChangesAsync(ct);
+        return Results.Ok(ToResponse(item));
+    }
+
+    private static async Task<IResult> GetBoard(
+        Guid teamId, IPermissionService permissions, OrgBoardDbContext db, CancellationToken ct)
+    {
+        var team = await db.Teams.FirstOrDefaultAsync(t => t.Id == teamId, ct);
+        if (team is null)
+        {
+            return Results.NotFound("Team not found.");
+        }
+
+        if (!permissions.Has(Capability.ViewBoard, ScopeRef.Team(team.Id), ScopeRef.Org(team.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        var items = await db.WorkItems.Where(w => w.TeamId == teamId).OrderBy(w => w.CreatedAtUtc).ToListAsync(ct);
+        var columns = Enum.GetValues<WorkItemStatus>()
+            .Select(status => new BoardColumn(
+                status.ToString(),
+                items.Where(i => i.Status == status).Select(ToResponse).ToList()))
+            .ToList();
+
+        return Results.Ok(new BoardResponse(teamId, columns));
+    }
+
+    private static async Task<IResult> MoveTask(
+        Guid id, MoveTaskRequest request, IPermissionService permissions,
+        OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        var (item, team, error) = await LoadItemWithTeam(db, id, ct);
+        if (error is not null)
+        {
+            return error;
+        }
+
+        if (!permissions.Has(Capability.WorkTasks, ScopeRef.Team(team!.Id), ScopeRef.Org(team.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        item!.MoveTo(request.Status, clock.GetUtcNow());
+        await db.SaveChangesAsync(ct);
+        return Results.Ok(ToResponse(item));
+    }
+
+    private static async Task<IResult> AssignTask(
+        Guid id, AssignTaskRequest request, IPermissionService permissions,
+        OrgBoardDbContext db, TimeProvider clock, CancellationToken ct)
+    {
+        var (item, team, error) = await LoadItemWithTeam(db, id, ct);
+        if (error is not null)
+        {
+            return error;
+        }
+
+        if (!permissions.Has(Capability.WorkTasks, ScopeRef.Team(team!.Id), ScopeRef.Org(team.OrganizationId)))
+        {
+            return Results.Forbid();
+        }
+
+        item!.AssignToMember(request.MemberId, clock.GetUtcNow());
+        await db.SaveChangesAsync(ct);
+        return Results.Ok(ToResponse(item));
+    }
+
+    private static async Task<IResult> Cartable(ICurrentUser user, OrgBoardDbContext db, CancellationToken ct)
+    {
+        var memberId = user.MemberId;
+        var items = await db.WorkItems
+            .Where(w => w.AssigneeKind == AssigneeKind.Member && w.AssigneeId == memberId)
+            .OrderByDescending(w => w.UpdatedAtUtc)
+            .ToListAsync(ct);
+
+        return Results.Ok(items.Select(ToResponse).ToList());
+    }
+
+    private static async Task<(WorkItem? Item, Team? Team, IResult? Error)> LoadItemWithTeam(
+        OrgBoardDbContext db, Guid itemId, CancellationToken ct)
+    {
+        var item = await db.WorkItems.FirstOrDefaultAsync(w => w.Id == itemId, ct);
+        if (item is null)
+        {
+            return (null, null, Results.NotFound("Task not found."));
+        }
+
+        var team = await db.Teams.FirstOrDefaultAsync(t => t.Id == item.TeamId, ct);
+        if (team is null)
+        {
+            return (null, null, Results.NotFound("Team not found."));
+        }
+
+        return (item, team, null);
+    }
+}