테넌트 소유자, 관리자 분리

backend/internal/handler/tenant_handler.go

@@ -221,7 +221,13 @@ func (h *TenantHandler) CreateTenant(c *fiber.Ctx) error {
 		parentID = &pid
 	}
 
-	tenant, err := h.Service.RegisterTenant(c.Context(), name, slug, tenantType, req.Description, req.Domains, parentID)
+	// Extract creator ID if present
+	creatorID := ""
+	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
+		creatorID = profile.ID
+	}
+
+	tenant, err := h.Service.RegisterTenant(c.Context(), name, slug, tenantType, req.Description, req.Domains, parentID, creatorID)
 	if err != nil {
 		if strings.Contains(err.Error(), "already exists") {
 			return errorJSON(c, fiber.StatusConflict, err.Error())
@@ -423,20 +429,28 @@ func (h *TenantHandler) ListAdmins(c *fiber.Ctx) error {
 		}
 		userID := strings.TrimPrefix(rel.SubjectID, "User:")
 
-		// Fetch user details from Kratos
-		identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
-		if err != nil {
-			admins = append(admins, adminInfo{ID: userID, Name: "Unknown", Email: "Unknown"})
-			continue
-		}
+		// Fetch user details - Try Kratos first, then local DB
+		name := "Unknown"
+		email := "Unknown"
 
-		name := ""
-		if n, ok := identity.Traits["name"].(string); ok {
-			name = n
-		}
-		email := ""
-		if e, ok := identity.Traits["email"].(string); ok {
-			email = e
+		identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
+		if err == nil && identity != nil {
+			if n, ok := identity.Traits["name"].(string); ok {
+				name = n
+			}
+			if e, ok := identity.Traits["email"].(string); ok {
+				email = e
+			}
+		} else if h.UserRepo != nil {
+			// Fallback to local DB (useful for Mock users or users not yet synced/migrated to Kratos)
+			user, err := h.UserRepo.FindByID(c.Context(), userID)
+			if err == nil && user != nil {
+				name = user.Name
+				email = user.Email
+			} else if userID == "00000000-0000-0000-0000-000000000000" {
+				name = "Dev Mock User"
+				email = "mock@hmac.kr"
+			}
 		}
 
 		admins = append(admins, adminInfo{
@@ -464,6 +478,14 @@ func (h *TenantHandler) AddAdmin(c *fiber.Ctx) error {
 			Subject:   "User:" + userID,
 			Action:    domain.KetoOutboxActionCreate,
 		})
+		// Also add as member for UI visibility/ReBAC logic
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "Tenant",
+			Object:    tenantID,
+			Relation:  "members",
+			Subject:   "User:" + userID,
+			Action:    domain.KetoOutboxActionCreate,
+		})
 	}
 
 	return c.SendStatus(fiber.StatusOK)
@@ -489,6 +511,113 @@ func (h *TenantHandler) RemoveAdmin(c *fiber.Ctx) error {
 	return c.SendStatus(fiber.StatusNoContent)
 }
 
+func (h *TenantHandler) ListOwners(c *fiber.Ctx) error {
+	tenantID := c.Params("id")
+	if tenantID == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "tenant id is required")
+	}
+
+	// Fetch owners from Keto
+	relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "owners", "")
+	if err != nil {
+		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
+	}
+
+	type ownerInfo struct {
+		ID    string `json:"id"`
+		Name  string `json:"name"`
+		Email string `json:"email"`
+	}
+	owners := []ownerInfo{}
+
+	for _, rel := range relations {
+		if !strings.HasPrefix(rel.SubjectID, "User:") {
+			continue
+		}
+		userID := strings.TrimPrefix(rel.SubjectID, "User:")
+
+		// Fetch user details - Try Kratos first, then local DB
+		name := "Unknown"
+		email := "Unknown"
+
+		identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
+		if err == nil && identity != nil {
+			if n, ok := identity.Traits["name"].(string); ok {
+				name = n
+			}
+			if e, ok := identity.Traits["email"].(string); ok {
+				email = e
+			}
+		} else if h.UserRepo != nil {
+			// Fallback to local DB
+			user, err := h.UserRepo.FindByID(c.Context(), userID)
+			if err == nil && user != nil {
+				name = user.Name
+				email = user.Email
+			} else if userID == "00000000-0000-0000-0000-000000000000" {
+				name = "Dev Mock User"
+				email = "mock@hmac.kr"
+			}
+		}
+
+		owners = append(owners, ownerInfo{
+			ID:    userID,
+			Name:  name,
+			Email: email,
+		})
+	}
+
+	return c.JSON(owners)
+}
+
+func (h *TenantHandler) AddOwner(c *fiber.Ctx) error {
+	tenantID := c.Params("id")
+	userID := c.Params("userId")
+	if tenantID == "" || userID == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "tenantId and userId are required")
+	}
+
+	if h.KetoOutbox != nil {
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "Tenant",
+			Object:    tenantID,
+			Relation:  "owners",
+			Subject:   "User:" + userID,
+			Action:    domain.KetoOutboxActionCreate,
+		})
+		// Also add as member for UI visibility/ReBAC logic
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "Tenant",
+			Object:    tenantID,
+			Relation:  "members",
+			Subject:   "User:" + userID,
+			Action:    domain.KetoOutboxActionCreate,
+		})
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}
+
+func (h *TenantHandler) RemoveOwner(c *fiber.Ctx) error {
+	tenantID := c.Params("id")
+	userID := c.Params("userId")
+	if tenantID == "" || userID == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "tenantId and userId are required")
+	}
+
+	if h.KetoOutbox != nil {
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "Tenant",
+			Object:    tenantID,
+			Relation:  "owners",
+			Subject:   "User:" + userID,
+			Action:    domain.KetoOutboxActionDelete,
+		})
+	}
+
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
 func mapTenantSummary(t domain.Tenant) tenantSummary {
 	domains := make([]string, 0, len(t.Domains))
 	for _, d := range t.Domains {