feat: add multi-organization support

app/Actions/Fortify/CreateNewUser.php

@@ -2,6 +2,7 @@
 
 namespace App\Actions\Fortify;
 
+use App\Models\Organization;
 use App\Models\User;
 use App\Services\DemoBackupService;
 use Illuminate\Support\Facades\Log;
@@ -46,14 +47,24 @@ public function create(array $input): User
 
         $createDemoBackup = ! empty($input['create_demo_backup']);
 
+        // Ensure main org exists (migration creates it, but handle fresh install)
+        $mainOrg = Organization::firstOrCreate(
+            ['is_main' => true],
+            ['name' => 'Main']
+        );
+
+        // First user is always super_admin
         $user = User::create([
             'name' => $input['name'],
             'email' => $input['email'],
             'password' => $input['password'],
-            'role' => User::ROLE_ADMIN, // First user is always admin
+            'super_admin' => true,
             'invitation_accepted_at' => now(),
         ]);
 
+        // Attach to main org as admin
+        $user->organizations()->attach($mainOrg->id, ['role' => User::ROLE_ADMIN]);
+
         if ($createDemoBackup) {
             try {
                 $this->demoBackupService->createDemoBackup();

app/Http/Controllers/Api/V1/DatabaseServerController.php

@@ -16,6 +16,7 @@
 use App\Services\Backup\Databases\DatabaseProvider;
 use App\Services\Backup\SyncBackupConfigurationsAction;
 use App\Services\Backup\TriggerBackupAction;
+use App\Services\CurrentOrganization;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -72,6 +73,8 @@ public function store(SaveDatabaseServerRequest $request): JsonResponse
 
         DatabaseServer::buildExtraConfig($validated);
 
+        $validated['organization_id'] = app(CurrentOrganization::class)->id();
+
         $server = DatabaseServer::create($validated);
         $this->syncBackupConfigurations($server, $backupsPayload, $hasBackupsPayload);
 

app/Http/Controllers/Api/V1/VolumeController.php

@@ -12,6 +12,7 @@
 use App\Http\Resources\VolumeResource;
 use App\Models\Volume;
 use App\Queries\VolumeQuery;
+use App\Services\CurrentOrganization;
 use App\Services\VolumeConnectionTester;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Http\JsonResponse;
@@ -120,6 +121,7 @@ private function createVolume(StoreVolumeRequest $request): JsonResponse
         $volumeType = VolumeType::from($validated['type']);
 
         $validated['config'] = $volumeType->encryptSensitiveFields($validated['config']);
+        $validated['organization_id'] = app(CurrentOrganization::class)->id();
 
         $volume = Volume::create($validated);
 

app/Http/Middleware/DemoModeMiddleware.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Middleware;
 
+use App\Models\Organization;
 use App\Models\User;
 use Closure;
 use Illuminate\Http\Request;
@@ -48,17 +49,21 @@ public function handle(Request $request, Closure $next): Response
 
     /**
      * Create the demo user if it doesn't exist.
+     * Attaches to main org with demo role.
      */
     protected function ensureDemoUserExists(): void
     {
-        User::firstOrCreate(
+        $user = User::firstOrCreate(
             ['email' => config('app.demo_user_email')],
             [
                 'name' => 'Demo User',
                 'password' => bcrypt(config('app.demo_user_password')),
-                'role' => User::ROLE_DEMO,
                 'invitation_accepted_at' => now(),
             ]
         );
+
+        $user->organizations()->syncWithoutDetaching([
+            Organization::main()->id => ['role' => User::ROLE_DEMO],
+        ]);
     }
 }

app/Http/Middleware/SetCurrentOrganization.php

@@ -0,0 +1,66 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Models\Agent;
+use App\Models\User;
+use App\Services\CurrentOrganization;
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Session;
+use Symfony\Component\HttpFoundation\Response;
+
+class SetCurrentOrganization
+{
+    public function __construct(
+        private readonly CurrentOrganization $currentOrganization
+    ) {}
+
+    public function handle(Request $request, Closure $next): Response
+    {
+        /** @var User|Agent|null $authenticatable */
+        $authenticatable = $request->user();
+
+        if ($authenticatable instanceof Agent) {
+            $this->currentOrganization->set($authenticatable->organization);
+        } elseif ($authenticatable instanceof User) {
+            $this->currentOrganization->reset();
+
+            if ($request->is('api/*')) {
+                $this->resolveApiOrganization($request, $authenticatable);
+            } else {
+                /** @var string|null $cookieOrgId */
+                $cookieOrgId = $request->cookie(CurrentOrganization::COOKIE_NAME);
+                $this->currentOrganization->resolveForUser($authenticatable, $cookieOrgId);
+            }
+
+            if (! $this->currentOrganization->isResolved()) {
+                Auth::guard('web')->logout();
+                Session::invalidate();
+                Session::regenerateToken();
+                session()->flash('error', __('Your account is not a member of any organization. Please contact an administrator.'));
+
+                return redirect()->route('login');
+            }
+        }
+
+        return $next($request);
+    }
+
+    /**
+     * Resolve organization for API requests.
+     * Aborts with 403 when the client explicitly requests an org that is invalid or inaccessible.
+     */
+    private function resolveApiOrganization(Request $request, User $user): void
+    {
+        /** @var string|null $orgId */
+        $orgId = $request->query('org_id') ?? $request->header('X-Organization-Id');
+
+        $this->currentOrganization->resolveForUser($user, $orgId);
+
+        if ($orgId && (! $this->currentOrganization->isResolved() || $this->currentOrganization->id() !== $orgId)) {
+            abort(403, 'The requested organization is not accessible.');
+        }
+    }
+}

app/Livewire/Configuration/Authentication.php

@@ -57,6 +57,11 @@ public function getSsoConfig(): array
                 'value' => config('oauth.default_role') ?: '-',
                 'description' => __('Default role for new OAuth users: viewer, member, or admin.'),
             ],
+            [
+                'env' => 'OIDC_DEFAULT_ORGANIZATION_ID',
+                'value' => config('oauth.default_organization_id') ?: '-',
+                'description' => __('Organization ID for auto-created OIDC users (defaults to main org).'),
+            ],
             [
                 'env' => 'OAUTH_AUTO_LINK_BY_EMAIL',
                 'value' => config('oauth.auto_link_by_email') ? 'true' : 'false',

app/Livewire/Configuration/Organization.php

@@ -0,0 +1,163 @@
+<?php
+
+namespace App\Livewire\Configuration;
+
+use App\Models\Organization as OrganizationModel;
+use App\Models\Scopes\OrganizationScope;
+use App\Traits\Toast;
+use Illuminate\Contracts\View\View;
+use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Attributes\Computed;
+use Livewire\Attributes\Title;
+use Livewire\Component;
+
+#[Title('Configuration')]
+class Organization extends Component
+{
+    use AuthorizesRequests;
+    use Toast;
+
+    public bool $showCreateModal = false;
+
+    public string $newOrgName = '';
+
+    public bool $showEditModal = false;
+
+    public ?string $editingOrgId = null;
+
+    public string $editOrgName = '';
+
+    public bool $showDeleteModal = false;
+
+    public ?string $deleteOrgId = null;
+
+    public function mount(): void
+    {
+        $this->authorize('viewAny', OrganizationModel::class);
+    }
+
+    /**
+     * @return Collection<int, OrganizationModel>
+     */
+    #[Computed]
+    public function organizations(): Collection
+    {
+        return OrganizationModel::withCount([
+            'users',
+            'databaseServers' => fn ($q) => $q->withoutGlobalScope(OrganizationScope::class),
+            'volumes' => fn ($q) => $q->withoutGlobalScope(OrganizationScope::class),
+            'agents' => fn ($q) => $q->withoutGlobalScope(OrganizationScope::class),
+        ])
+            ->orderByDesc('is_main')
+            ->orderBy('name')
+            ->get();
+    }
+
+    public function openCreateModal(): void
+    {
+        $this->newOrgName = '';
+        $this->showCreateModal = true;
+    }
+
+    public function createOrganization(): mixed
+    {
+        $this->authorize('create', OrganizationModel::class);
+
+        $this->validate([
+            'newOrgName' => 'required|string|max:255|unique:organizations,name',
+        ]);
+
+        OrganizationModel::create([
+            'name' => $this->newOrgName,
+        ]);
+
+        $this->showCreateModal = false;
+        $this->newOrgName = '';
+
+        $this->success(__('Organization created.'));
+
+        return $this->redirect(route('configuration.organizations'), navigate: true);
+    }
+
+    public function openEditModal(string $orgId): void
+    {
+        $org = OrganizationModel::findOrFail($orgId);
+
+        $this->authorize('update', $org);
+
+        $this->editingOrgId = $orgId;
+        $this->editOrgName = $org->name;
+        $this->showEditModal = true;
+    }
+
+    public function updateOrganization(): mixed
+    {
+        $org = OrganizationModel::findOrFail($this->editingOrgId);
+
+        $this->authorize('update', $org);
+
+        $this->validate([
+            'editOrgName' => 'required|string|max:255|unique:organizations,name,'.$org->id,
+        ]);
+
+        $org->update(['name' => $this->editOrgName]);
+
+        $this->showEditModal = false;
+        $this->editingOrgId = null;
+
+        $this->success(__('Organization updated.'));
+
+        return $this->redirect(route('configuration.organizations'), navigate: true);
+    }
+
+    public function confirmDelete(string $orgId): void
+    {
+        $org = OrganizationModel::withCount([
+            'databaseServers' => fn ($q) => $q->withoutGlobalScope(OrganizationScope::class),
+            'volumes' => fn ($q) => $q->withoutGlobalScope(OrganizationScope::class),
+            'agents' => fn ($q) => $q->withoutGlobalScope(OrganizationScope::class),
+        ])->findOrFail($orgId);
+
+        $this->authorize('delete', $org);
+
+        $this->deleteOrgId = $orgId;
+        $this->showDeleteModal = true;
+    }
+
+    public function deleteOrganization(): mixed
+    {
+        $org = OrganizationModel::withCount([
+            'databaseServers' => fn ($q) => $q->withoutGlobalScope(OrganizationScope::class),
+            'volumes' => fn ($q) => $q->withoutGlobalScope(OrganizationScope::class),
+            'agents' => fn ($q) => $q->withoutGlobalScope(OrganizationScope::class),
+        ])->findOrFail($this->deleteOrgId);
+
+        $this->authorize('delete', $org);
+
+        $org->delete();
+
+        $this->showDeleteModal = false;
+        $this->deleteOrgId = null;
+
+        $this->success(__('Organization deleted.'));
+
+        return $this->redirect(route('configuration.organizations'), navigate: true);
+    }
+
+    public function render(): View
+    {
+        return view('livewire.configuration.organization', [
+            'organizations' => $this->organizations(),
+            'headers' => [
+                ['key' => 'name', 'label' => __('Name')],
+                ['key' => 'id', 'label' => __('ID')],
+                ['key' => 'users_count', 'label' => __('Users')],
+                ['key' => 'database_servers_count', 'label' => __('Servers')],
+                ['key' => 'volumes_count', 'label' => __('Volumes')],
+                ['key' => 'agents_count', 'label' => __('Agents')],
+                ['key' => 'actions', 'label' => '', 'class' => 'w-32'],
+            ],
+        ]);
+    }
+}

app/Livewire/Dashboard/JobStatusGrid.php

@@ -23,7 +23,7 @@ class JobStatusGrid extends Component
     #[Computed]
     public function jobs(): Collection
     {
-        return BackupJob::query()
+        return BackupJob::forCurrentOrg()
             ->select(['id', 'status', 'duration_ms', 'created_at'])
             ->with([
                 'snapshot:id,backup_job_id,database_name,database_server_id' => [

app/Livewire/Dashboard/JobsActivityChart.php

@@ -20,7 +20,7 @@ public function mount(): void
         $days = 14;
         $startDate = Carbon::now()->subDays($days - 1)->startOfDay();
 
-        $jobs = BackupJob::where('created_at', '>=', $startDate)
+        $jobs = BackupJob::forCurrentOrg()->where('created_at', '>=', $startDate)
             ->get()
             ->groupBy(fn ($job) => $job->created_at->format('Y-m-d'));
 

app/Livewire/Dashboard/LatestJobs.php

@@ -72,7 +72,7 @@ public function getSelectedJobProperty(): ?BackupJob
 
     public function fetchJobs(): void
     {
-        $query = BackupJob::query()
+        $query = BackupJob::forCurrentOrg()
             ->with([
                 'snapshot.databaseServer',
                 'restore.targetServer',

app/Livewire/Dashboard/SnapshotsCard.php

@@ -4,6 +4,7 @@
 
 use App\Jobs\VerifySnapshotFileJob;
 use App\Models\Snapshot;
+use App\Services\CurrentOrganization;
 use App\Traits\Toast;
 use Illuminate\Contracts\View\View;
 use Illuminate\Support\Facades\Cache;
@@ -36,7 +37,7 @@ public function refreshDashboard(): void
 
     private function loadData(): void
     {
-        $baseQuery = Snapshot::whereRelation('job', 'status', 'completed');
+        $baseQuery = Snapshot::forCurrentOrg()->whereRelation('job', 'status', 'completed');
 
         $this->totalSnapshots = $baseQuery->count();
         $this->verifiedSnapshots = (clone $baseQuery)->whereNotNull('file_verified_at')->count();
@@ -52,7 +53,9 @@ public function verifyFiles(): void
     {
         abort_unless(auth()->user()->isAdmin(), Response::HTTP_FORBIDDEN);
 
-        $lock = Cache::lock('verify-snapshot-files', 300);
+        $currentOrg = app(CurrentOrganization::class);
+        $lockKey = 'verify-snapshot-files:'.$currentOrg->id();
+        $lock = Cache::lock($lockKey, 300);
 
         if (! $lock->get()) {
             $this->warning(__('File verification is already running.'));