fix(backend): stamp org-scoped organizationId on MCP group template server imports | ENG-213

[betterclever]

Summary

Fixes a multi-tenant isolation bug where importTemplate created mcp_servers rows with organization_id = NULL, causing all orgs to share the same template server instances (Org A enabling/disabling a tool affected Org B).

• Controller (mcp-groups.controller.ts): un-discards @CurrentAuth() on importTemplate, throws UnauthorizedException early if auth or organizationId is missing, passes auth.organizationId to the service
• Service (mcp-groups.service.ts): importTemplate now accepts organizationId: string (non-nullable) and threads it to syncTemplate
• Seeding service (mcp-groups-seeding.service.ts): syncTemplate gains an organizationId: string | null = null param (default null for backward compat); createGroupFromTemplate, updateGroupFromTemplate, and createServer all stamp organizationId on inserted server rows
• syncAllTemplates (admin startup bootstrap) explicitly passes null — platform-seeded servers remain globally visible via the existing OR org_id IS NULL fallback in the repo

Test plan

• mcp-groups-seeding.service.spec.ts — create path stamps organizationId; bootstrap path stamps null; update path stamps organizationId on new server inserts; skip path inserts nothing; unknown slug throws
• mcp-groups.controller.spec.ts — null auth throws UnauthorizedException; null organizationId throws UnauthorizedException; valid auth passes organizationId to service
• Full test suite: 642 pass, 0 fail

Closes ENG-213

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0407032012

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Seed per-org servers even when template hash is unchanged

importTemplate now passes organizationId into syncTemplate, but syncTemplate still short-circuits on the global mcp_groups.templateHash and does not verify that the calling org already has server rows; once one org has imported a slug, another org importing the same version can get skipped and no org-scoped servers are created for it. Because /mcp-servers queries are organization-filtered (org_id = current OR org_id IS NULL), that org can end up with no usable servers despite a successful import response.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Preserve tenant isolation when updating existing template servers

Only the insert branch now writes organizationId; when updateGroupFromTemplate finds an existing server by name, it updates that row without setting/scoping organizationId, so shared (NULL) or other-org rows remain reused and mutable during org imports. This means a template update/import path can still operate on non-tenant-scoped server records, undermining the isolation this change is intended to enforce.

Useful? React with 👍 / 👎.