Fix: Remove remaining subscription-related mock handlers

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Engel Nyst <engel.nyst@gmail.com>

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,2 @@
+# disable blank issue creation
+blank_issues_enabled: false

.github/workflows/enterprise-preview.yml

@@ -1,29 +0,0 @@
-# Feature branch preview for enterprise code
-name: Enterprise Preview
-
-# Run on PRs labeled
-on:
-  pull_request:
-    types: [labeled]
-
-# Match ghcr-build.yml, but don't interrupt it.
-concurrency:
-  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
-  cancel-in-progress: false
-
-jobs:
-  # This must happen for the PR Docker workflow when the label is present,
-  # and also if it's added after the fact. Thus, it exists in both places.
-  enterprise-preview:
-    name: Enterprise preview
-    if: github.event.label.name == 'deploy'
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    steps:
-      # This should match the version in ghcr-build.yml
-      - name: Trigger remote job
-        run: |
-          curl --fail-with-body -sS -X POST \
-            -H "Authorization: Bearer ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}" \
-            -H "Accept: application/vnd.github+json" \
-            -d "{\"ref\": \"main\", \"inputs\": {\"openhandsPrNumber\": \"${{ github.event.pull_request.number }}\", \"deployEnvironment\": \"feature\", \"enterpriseImageTag\": \"pr-${{ github.event.pull_request.number }}\" }}" \
-            https://api.github.com/repos/OpenHands/deploy/actions/workflows/deploy.yaml/dispatches

.github/workflows/ghcr-build.yml

@@ -240,21 +240,6 @@ jobs:
           # Add build attestations for better security
           sbom: true
 
-  enterprise-preview:
-    name: Enterprise preview
-    if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy')
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    needs: [ghcr_build_enterprise]
-    steps:
-      # This should match the version in enterprise-preview.yml
-      - name: Trigger remote job
-        run: |
-          curl --fail-with-body -sS -X POST \
-            -H "Authorization: Bearer ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}" \
-            -H "Accept: application/vnd.github+json" \
-            -d "{\"ref\": \"main\", \"inputs\": {\"openhandsPrNumber\": \"${{ github.event.pull_request.number }}\", \"deployEnvironment\": \"feature\", \"enterpriseImageTag\": \"pr-${{ github.event.pull_request.number }}\" }}" \
-            https://api.github.com/repos/OpenHands/deploy/actions/workflows/deploy.yaml/dispatches
-
   # "All Runtime Tests Passed" is a required job for PRs to merge
   # We can remove this once the config changes
   runtime_tests_check_success:

.github/workflows/pr-review-by-openhands.yml

@@ -2,16 +2,11 @@
 name: PR Review by OpenHands
 
 on:
-    # Use pull_request_target to allow fork PRs to access secrets when triggered by maintainers
-    # Security: This workflow runs when:
-    #   1. A new PR is opened (non-draft), OR
-    #   2. A draft PR is marked as ready for review, OR
-    #   3. A maintainer adds the 'review-this' label, OR
-    #   4. A maintainer requests openhands-agent or all-hands-bot as a reviewer
-    # Only users with write access can add labels or request reviews, ensuring security.
-    # The PR code is explicitly checked out for review, but secrets are only accessible
-    # because the workflow runs in the base repository context
-    pull_request_target:
+    # TEMPORARY MITIGATION (Clinejection hardening)
+    #
+    # We temporarily avoid `pull_request_target` here. We'll restore it after the PR review
+    # workflow is fully hardened for untrusted execution.
+    pull_request:
         types: [opened, ready_for_review, labeled, review_requested]
 
 permissions:
@@ -21,107 +16,33 @@ permissions:
 
 jobs:
     pr-review:
-        # Run when one of the following conditions is met:
-        #   1. A new non-draft PR is opened by a trusted contributor, OR
-        #   2. A draft PR is converted to ready for review by a trusted contributor, OR
-        #   3. 'review-this' label is added, OR
-        #   4. openhands-agent or all-hands-bot is requested as a reviewer
-        # Note: FIRST_TIME_CONTRIBUTOR PRs require manual trigger via label/reviewer request
+        # Note: fork PRs will not have access to repository secrets under `pull_request`.
+        # Skip forks to avoid noisy failures until we restore a hardened `pull_request_target` flow.
         if: |
-            (github.event.action == 'opened' && github.event.pull_request.draft == false && github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR') ||
-            (github.event.action == 'ready_for_review' && github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR') ||
-            github.event.label.name == 'review-this' ||
-            github.event.requested_reviewer.login == 'openhands-agent' ||
-            github.event.requested_reviewer.login == 'all-hands-bot'
+            github.event.pull_request.head.repo.full_name == github.repository &&
+            (
+                (github.event.action == 'opened' && github.event.pull_request.draft == false) ||
+                github.event.action == 'ready_for_review' ||
+                (github.event.action == 'labeled' && github.event.label.name == 'review-this') ||
+                (
+                    github.event.action == 'review_requested' &&
+                    (
+                        github.event.requested_reviewer.login == 'openhands-agent' ||
+                        github.event.requested_reviewer.login == 'all-hands-bot'
+                    )
+                )
+            )
         concurrency:
             group: pr-review-${{ github.event.pull_request.number }}
             cancel-in-progress: true
-        runs-on: blacksmith-4vcpu-ubuntu-2404
-        env:
-            LLM_MODEL: litellm_proxy/claude-sonnet-4-5-20250929
-            LLM_BASE_URL: https://llm-proxy.app.all-hands.dev
-            # PR context will be automatically provided by the agent script
-            PR_NUMBER: ${{ github.event.pull_request.number }}
-            PR_TITLE: ${{ github.event.pull_request.title }}
-            PR_BODY: ${{ github.event.pull_request.body }}
-            PR_BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
-            PR_HEAD_BRANCH: ${{ github.event.pull_request.head.ref }}
-            REPO_NAME: ${{ github.repository }}
+        runs-on: ubuntu-24.04
         steps:
-            - name: Checkout software-agent-sdk repository
-              uses: actions/checkout@v5
+            - name: Run PR Review
+              uses: OpenHands/extensions/plugins/pr-review@main
               with:
-                  repository: OpenHands/software-agent-sdk
-                  path: software-agent-sdk
-
-            - name: Checkout PR repository
-              uses: actions/checkout@v5
-              with:
-                  # When using pull_request_target, explicitly checkout the PR branch
-                  # This ensures we review the actual PR code (including fork PRs)
-                  repository: ${{ github.event.pull_request.head.repo.full_name }}
-                  ref: ${{ github.event.pull_request.head.ref }}
-                  fetch-depth: 0
-                  # Security: Don't persist credentials to prevent untrusted PR code from using them
-                  persist-credentials: false
-                  path: pr-repo
-
-            - name: Set up Python
-              uses: actions/setup-python@v6
-              with:
-                  python-version: '3.13'
-
-            - name: Install uv
-              uses: astral-sh/setup-uv@v7
-              with:
-                  enable-cache: true
-
-            - name: Install GitHub CLI
-              run: |
-                  # Install GitHub CLI for posting review comments
-                  sudo apt-get update
-                  sudo apt-get install -y gh
-
-            - name: Install OpenHands dependencies
-              run: |
-                  # Install OpenHands SDK and tools from local checkout
-                  uv pip install --system ./software-agent-sdk/openhands-sdk ./software-agent-sdk/openhands-tools
-
-            - name: Check required configuration
-              env:
-                  LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
-              run: |
-                  if [ -z "$LLM_API_KEY" ]; then
-                    echo "Error: LLM_API_KEY secret is not set."
-                    exit 1
-                  fi
-
-                  echo "PR Number: $PR_NUMBER"
-                  echo "PR Title: $PR_TITLE"
-                  echo "Repository: $REPO_NAME"
-                  echo "LLM model: $LLM_MODEL"
-                  if [ -n "$LLM_BASE_URL" ]; then
-                    echo "LLM base URL: $LLM_BASE_URL"
-                  fi
-
-            - name: Run PR review
-              env:
-                  LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
-                  GITHUB_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
-                  LMNR_PROJECT_API_KEY: ${{ secrets.LMNR_SKILLS_API_KEY }}
-              run: |
-                  # Change to the PR repository directory so agent can analyze the code
-                  cd pr-repo
-
-                  # Run the PR review script from the software-agent-sdk checkout
-                  uv run python ../software-agent-sdk/examples/03_github_workflows/02_pr_review/agent_script.py
-
-            - name: Upload logs as artifact
-              uses: actions/upload-artifact@v5
-              if: always()
-              with:
-                  name: openhands-pr-review-logs
-                  path: |
-                      *.log
-                      output/
-                  retention-days: 7
+                  llm-model: litellm_proxy/claude-sonnet-4-5-20250929
+                  llm-base-url: https://llm-proxy.app.all-hands.dev
+                  review-style: roasted
+                  llm-api-key: ${{ secrets.LLM_API_KEY }}
+                  github-token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+                  lmnr-api-key: ${{ secrets.LMNR_SKILLS_API_KEY }}

.github/workflows/pr-review-evaluation.yml

@@ -0,0 +1,85 @@
+---
+name: PR Review Evaluation
+
+# This workflow evaluates how well PR review comments were addressed.
+# It runs when a PR is closed to assess review effectiveness.
+#
+# Security note: pull_request_target is safe here because:
+# 1. Only triggers on PR close (not on code changes)
+# 2. Does not checkout PR code - only downloads artifacts from trusted workflow runs
+# 3. Runs evaluation scripts from the extensions repo, not from the PR
+
+on:
+    pull_request_target:
+        types: [closed]
+
+permissions:
+    contents: read
+    pull-requests: read
+
+jobs:
+    evaluate:
+        runs-on: ubuntu-24.04
+        env:
+            PR_NUMBER: ${{ github.event.pull_request.number }}
+            REPO_NAME: ${{ github.repository }}
+            PR_MERGED: ${{ github.event.pull_request.merged }}
+
+        steps:
+            - name: Download review trace artifact
+              id: download-trace
+              uses: dawidd6/action-download-artifact@v6
+              continue-on-error: true
+              with:
+                  workflow: pr-review-by-openhands.yml
+                  name: pr-review-trace-${{ github.event.pull_request.number }}
+                  path: trace-info
+                  search_artifacts: true
+                  if_no_artifact_found: warn
+
+            - name: Check if trace file exists
+              id: check-trace
+              run: |
+                  if [ -f "trace-info/laminar_trace_info.json" ]; then
+                    echo "trace_exists=true" >> $GITHUB_OUTPUT
+                    echo "Found trace file for PR #$PR_NUMBER"
+                  else
+                    echo "trace_exists=false" >> $GITHUB_OUTPUT
+                    echo "No trace file found for PR #$PR_NUMBER - skipping evaluation"
+                  fi
+
+            # Always checkout main branch for security - cannot test script changes in PRs
+            - name: Checkout extensions repository
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              uses: actions/checkout@v5
+              with:
+                  repository: OpenHands/extensions
+                  path: extensions
+
+            - name: Set up Python
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              uses: actions/setup-python@v6
+              with:
+                  python-version: '3.12'
+
+            - name: Install dependencies
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              run: pip install lmnr
+
+            - name: Run evaluation
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              env:
+                  # Script expects LMNR_PROJECT_API_KEY; org secret is named LMNR_SKILLS_API_KEY
+                  LMNR_PROJECT_API_KEY: ${{ secrets.LMNR_SKILLS_API_KEY }}
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              run: |
+                  python extensions/plugins/pr-review/scripts/evaluate_review.py \
+                      --trace-file trace-info/laminar_trace_info.json
+
+            - name: Upload evaluation logs
+              uses: actions/upload-artifact@v5
+              if: always() && steps.check-trace.outputs.trace_exists == 'true'
+              with:
+                  name: pr-review-evaluation-${{ github.event.pull_request.number }}
+                  path: '*.log'
+                  retention-days: 30

README.md

@@ -54,7 +54,7 @@ The experience will be familiar to anyone who has used Devin or Jules.
 ### OpenHands Cloud
 This is a deployment of OpenHands GUI, running on hosted infrastructure.
 
-You can try it with a free $10 credit by [signing in with your GitHub or GitLab account](https://app.all-hands.dev).
+You can try it for free using the Minimax model by [signing in with your GitHub or GitLab account](https://app.all-hands.dev).
 
 OpenHands Cloud comes with source-available features and integrations:
 - Integrations with Slack, Jira, and Linear

enterprise/doc/design-doc/plugin-launch-flow.md

@@ -0,0 +1,131 @@
+# Plugin Launch Flow
+
+This document describes how plugins are launched in OpenHands Saas / Enterprise, from the plugin directory through to agent execution.
+
+## Architecture Overview
+
+```
+Plugin Directory ──▶ Frontend /launch ──▶ App Server ──▶ Agent Server ──▶ SDK
+    (external)           (modal)           (API)        (in sandbox)    (plugin loading)
+```
+
+| Component | Responsibility |
+|-----------|---------------|
+| **Plugin Directory** | Index plugins, present to user, construct launch URLs |
+| **Frontend** | Display confirmation modal, collect parameters, call API |
+| **App Server** | Validate request, pass plugin specs to agent server |
+| **Agent Server** | Run inside sandbox, delegate plugin loading to SDK |
+| **SDK** | Fetch plugins, load contents, merge skills/hooks/MCP into agent |
+
+## User Experience
+
+### Plugin Directory
+
+The plugin directory presents users with a catalog of available plugins. For each plugin, users see:
+- Plugin name and description (from `plugin.json`)
+- Author and version information
+- A "Launch" button
+
+When a user clicks "Launch", the plugin directory:
+1. Reads the plugin's `entry_command` to know which slash command to invoke
+2. Determines what parameters the plugin accepts (if any)
+3. Redirects to OpenHands with this information encoded in the URL
+
+### Parameter Collection
+
+If a plugin requires user input (API keys, configuration values, etc.), the frontend displays a form modal before starting the conversation. Parameters are passed in the launch URL and rendered as form fields based on their type:
+
+- **String values** → Text input
+- **Number values** → Number input
+- **Boolean values** → Checkbox
+
+Only primitive types are supported. Complex types (arrays, objects) are not currently supported for parameter input.
+
+The user fills in required values, then clicks "Start Conversation" to proceed.
+
+## Launch Flow
+
+1. **Plugin Directory** (external) constructs a launch URL to the OpenHands app server when user clicks "Launch":
+   ```
+   /launch?plugins=BASE64_JSON&message=/city-weather:now%20Tokyo
+   ```
+
+   The `plugins` parameter includes any parameter definitions with default values:
+   ```json
+   [{
+     "source": "github:owner/repo",
+     "repo_path": "plugins/my-plugin",
+     "parameters": {"api_key": "", "timeout": 30, "debug": false}
+   }]
+   ```
+
+2. **OpenHands Frontend** (`/launch` route, [PR #12699](https://github.com/OpenHands/OpenHands/pull/12699)) displays modal with parameter form, collects user input
+
+3. **OpenHands App Server** ([PR #12338](https://github.com/OpenHands/OpenHands/pull/12338)) receives the API call:
+   ```
+   POST /api/v1/app-conversations
+   {
+     "plugins": [{"source": "github:owner/repo", "repo_path": "plugins/city-weather"}],
+     "initial_message": {"content": [{"type": "text", "text": "/city-weather:now Tokyo"}]}
+   }
+   ```
+
+   Call stack:
+   - `AppConversationRouter` receives request with `PluginSpec` list
+   - `LiveStatusAppConversationService._finalize_conversation_request()` converts `PluginSpec` → `PluginSource`
+   - Creates `StartConversationRequest(plugins=sdk_plugins, ...)` and sends to agent server
+
+4. **Agent Server** (inside sandbox, [SDK PR #1651](https://github.com/OpenHands/software-agent-sdk/pull/1651)) stores specs, defers loading:
+
+   Call stack:
+   - `ConversationService.start_conversation()` receives `StartConversationRequest`
+   - Creates `StoredConversation` with plugin specs
+   - Creates `LocalConversation(plugins=request.plugins, ...)`
+   - Plugin loading deferred until first `run()` or `send_message()`
+
+5. **SDK** fetches and loads plugins on first use:
+
+   Call stack:
+   - `LocalConversation._ensure_plugins_loaded()` triggered by first message
+   - For each plugin spec:
+     - `Plugin.fetch(source, ref, repo_path)` → clones/caches git repo
+     - `Plugin.load(path)` → parses `plugin.json`, loads commands/skills/hooks
+     - `plugin.add_skills_to(context)` → merges skills into agent
+     - `plugin.add_mcp_config_to(config)` → merges MCP servers
+
+6. **Agent** receives message, `/city-weather:now` triggers the skill
+
+## Key Design Decisions
+
+### Plugin Loading in Sandbox
+
+Plugins load **inside the sandbox** because:
+- Plugin hooks and scripts need isolated execution
+- MCP servers run inside the sandbox
+- Skills may reference sandbox filesystem
+
+### Entry Command Handling
+
+The `entry_command` field in `plugin.json` allows plugin authors to declare a default command:
+
+```json
+{
+  "name": "city-weather",
+  "entry_command": "now"
+}
+```
+
+This flows through the system:
+1. Plugin author declares `entry_command` in plugin.json
+2. Plugin directory reads it when indexing
+3. Plugin directory includes `/city-weather:now` in the launch URL's `message` parameter
+4. Message passes through to agent as `initial_message`
+
+The SDK exposes this field but does not auto-invoke it—callers control the initial message.
+
+## Related
+
+- [OpenHands PR #12338](https://github.com/OpenHands/OpenHands/pull/12338) - App server plugin support
+- [OpenHands PR #12699](https://github.com/OpenHands/OpenHands/pull/12699) - Frontend `/launch` route
+- [SDK PR #1651](https://github.com/OpenHands/software-agent-sdk/pull/1651) - Agent server plugin loading
+- [SDK PR #1647](https://github.com/OpenHands/software-agent-sdk/pull/1647) - Plugin.fetch() for remote plugin fetching

enterprise/migrations/versions/094_create_org_invitation_table.py

@@ -0,0 +1,110 @@
+"""create org_invitation table
+
+Revision ID: 094
+Revises: 093
+Create Date: 2026-02-18 00:00:00.000000
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision: str = '094'
+down_revision: Union[str, None] = '093'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Create org_invitation table
+    op.create_table(
+        'org_invitation',
+        sa.Column('id', sa.Integer, sa.Identity(), primary_key=True),
+        sa.Column('token', sa.String(64), nullable=False),
+        sa.Column('org_id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column('email', sa.String(255), nullable=False),
+        sa.Column('role_id', sa.Integer, nullable=False),
+        sa.Column('inviter_id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column(
+            'status',
+            sa.String(20),
+            nullable=False,
+            server_default=sa.text("'pending'"),
+        ),
+        sa.Column(
+            'created_at',
+            sa.DateTime,
+            nullable=False,
+            server_default=sa.text('CURRENT_TIMESTAMP'),
+        ),
+        sa.Column('expires_at', sa.DateTime, nullable=False),
+        sa.Column('accepted_at', sa.DateTime, nullable=True),
+        sa.Column('accepted_by_user_id', postgresql.UUID(as_uuid=True), nullable=True),
+        # Foreign key constraints
+        sa.ForeignKeyConstraint(
+            ['org_id'],
+            ['org.id'],
+            name='org_invitation_org_fkey',
+            ondelete='CASCADE',
+        ),
+        sa.ForeignKeyConstraint(
+            ['role_id'],
+            ['role.id'],
+            name='org_invitation_role_fkey',
+        ),
+        sa.ForeignKeyConstraint(
+            ['inviter_id'],
+            ['user.id'],
+            name='org_invitation_inviter_fkey',
+        ),
+        sa.ForeignKeyConstraint(
+            ['accepted_by_user_id'],
+            ['user.id'],
+            name='org_invitation_accepter_fkey',
+        ),
+    )
+
+    # Create indexes
+    op.create_index(
+        'ix_org_invitation_token',
+        'org_invitation',
+        ['token'],
+        unique=True,
+    )
+    op.create_index(
+        'ix_org_invitation_org_id',
+        'org_invitation',
+        ['org_id'],
+    )
+    op.create_index(
+        'ix_org_invitation_email',
+        'org_invitation',
+        ['email'],
+    )
+    op.create_index(
+        'ix_org_invitation_status',
+        'org_invitation',
+        ['status'],
+    )
+    # Composite index for checking pending invitations
+    op.create_index(
+        'ix_org_invitation_org_email_status',
+        'org_invitation',
+        ['org_id', 'email', 'status'],
+    )
+
+
+def downgrade() -> None:
+    # Drop indexes
+    op.drop_index('ix_org_invitation_org_email_status', table_name='org_invitation')
+    op.drop_index('ix_org_invitation_status', table_name='org_invitation')
+    op.drop_index('ix_org_invitation_email', table_name='org_invitation')
+    op.drop_index('ix_org_invitation_org_id', table_name='org_invitation')
+    op.drop_index('ix_org_invitation_token', table_name='org_invitation')
+
+    # Drop table
+    op.drop_table('org_invitation')

enterprise/migrations/versions/095_drop_pending_free_credits.py

@@ -0,0 +1,37 @@
+"""Drop pending_free_credits column from org table.
+
+Revision ID: 095
+Revises: 094
+Create Date: 2025-02-18 00:00:00.000000
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = '095'
+down_revision: Union[str, None] = '094'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Drop the pending_free_credits column from org table.
+    # This column was used for tracking free credit eligibility but is no longer needed.
+    op.drop_column('org', 'pending_free_credits')
+
+
+def downgrade() -> None:
+    # Re-add pending_free_credits column with default false.
+    op.add_column(
+        'org',
+        sa.Column(
+            'pending_free_credits',
+            sa.Boolean,
+            nullable=False,
+            server_default=sa.text('false'),
+        ),
+    )

enterprise/migrations/versions/096_create_resend_synced_users_table.py

@@ -0,0 +1,67 @@
+"""Create resend_synced_users table.
+
+Revision ID: 096
+Revises: 095
+Create Date: 2025-02-17 00:00:00.000000
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = '096'
+down_revision: Union[str, None] = '095'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Create resend_synced_users table for tracking users synced to Resend audiences."""
+    op.create_table(
+        'resend_synced_users',
+        sa.Column(
+            'id',
+            sa.UUID(as_uuid=True),
+            nullable=False,
+            primary_key=True,
+        ),
+        sa.Column('email', sa.String(), nullable=False),
+        sa.Column('audience_id', sa.String(), nullable=False),
+        sa.Column(
+            'synced_at',
+            sa.DateTime(timezone=True),
+            nullable=False,
+            server_default=sa.text('CURRENT_TIMESTAMP'),
+        ),
+        sa.Column('keycloak_user_id', sa.String(), nullable=True),
+        sa.PrimaryKeyConstraint('id'),
+        sa.UniqueConstraint(
+            'email', 'audience_id', name='uq_resend_synced_email_audience'
+        ),
+    )
+
+    # Create index on email for fast lookups
+    op.create_index(
+        'ix_resend_synced_users_email',
+        'resend_synced_users',
+        ['email'],
+    )
+
+    # Create index on audience_id for filtering by audience
+    op.create_index(
+        'ix_resend_synced_users_audience_id',
+        'resend_synced_users',
+        ['audience_id'],
+    )
+
+
+def downgrade() -> None:
+    """Drop resend_synced_users table."""
+    op.drop_index(
+        'ix_resend_synced_users_audience_id', table_name='resend_synced_users'
+    )
+    op.drop_index('ix_resend_synced_users_email', table_name='resend_synced_users')
+    op.drop_table('resend_synced_users')

enterprise/migrations/versions/097_add_session_api_key_hash_to_v1_remote_sandbox.py

@@ -0,0 +1,41 @@
+"""Add session_api_key_hash to v1_remote_sandbox table
+
+Revision ID: 097
+Revises: 096
+Create Date: 2025-02-24 00:00:00.000000
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = '097'
+down_revision: Union[str, None] = '096'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Add session_api_key_hash column to v1_remote_sandbox table."""
+    op.add_column(
+        'v1_remote_sandbox',
+        sa.Column('session_api_key_hash', sa.String(), nullable=True),
+    )
+    op.create_index(
+        op.f('ix_v1_remote_sandbox_session_api_key_hash'),
+        'v1_remote_sandbox',
+        ['session_api_key_hash'],
+        unique=False,
+    )
+
+
+def downgrade() -> None:
+    """Remove session_api_key_hash column from v1_remote_sandbox table."""
+    op.drop_index(
+        op.f('ix_v1_remote_sandbox_session_api_key_hash'),
+        table_name='v1_remote_sandbox',
+    )
+    op.drop_column('v1_remote_sandbox', 'session_api_key_hash')

enterprise/migrations/versions/098_create_verified_models_table.py

@@ -0,0 +1,92 @@
+"""Create verified_models table.
+
+Revision ID: 098
+Revises: 097
+Create Date: 2026-02-26 00:00:00.000000
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = '098'
+down_revision: Union[str, None] = '097'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Create verified_models table and seed with current model list."""
+    op.create_table(
+        'verified_models',
+        sa.Column('id', sa.Integer, sa.Identity(), primary_key=True),
+        sa.Column('model_name', sa.String(255), nullable=False),
+        sa.Column('provider', sa.String(100), nullable=False),
+        sa.Column(
+            'is_enabled',
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.text('true'),
+        ),
+        sa.Column(
+            'created_at',
+            sa.DateTime(),
+            nullable=False,
+            server_default=sa.text('CURRENT_TIMESTAMP'),
+        ),
+        sa.Column(
+            'updated_at',
+            sa.DateTime(),
+            nullable=False,
+            server_default=sa.text('CURRENT_TIMESTAMP'),
+        ),
+        sa.UniqueConstraint(
+            'model_name', 'provider', name='uq_verified_model_provider'
+        ),
+    )
+
+    op.create_index(
+        'ix_verified_models_provider',
+        'verified_models',
+        ['provider'],
+    )
+    op.create_index(
+        'ix_verified_models_is_enabled',
+        'verified_models',
+        ['is_enabled'],
+    )
+
+    # Seed with current openhands provider models
+    models = [
+        ('claude-opus-4-5-20251101', 'openhands'),
+        ('claude-sonnet-4-5-20250929', 'openhands'),
+        ('gpt-5.2-codex', 'openhands'),
+        ('gpt-5.2', 'openhands'),
+        ('minimax-m2.5', 'openhands'),
+        ('gemini-3-pro-preview', 'openhands'),
+        ('gemini-3-flash-preview', 'openhands'),
+        ('deepseek-chat', 'openhands'),
+        ('devstral-medium-2512', 'openhands'),
+        ('kimi-k2-0711-preview', 'openhands'),
+        ('qwen3-coder-480b', 'openhands'),
+    ]
+
+    for model_name, provider in models:
+        op.execute(
+            sa.text(
+                """
+                INSERT INTO verified_models (model_name, provider)
+                VALUES (:model_name, :provider)
+                """
+            ).bindparams(model_name=model_name, provider=provider)
+        )
+
+
+def downgrade() -> None:
+    """Drop verified_models table."""
+    op.drop_index('ix_verified_models_is_enabled', table_name='verified_models')
+    op.drop_index('ix_verified_models_provider', table_name='verified_models')
+    op.drop_table('verified_models')

enterprise/poetry.lock

@@ -1540,66 +1540,58 @@ files = [
 
 [[package]]
 name = "cryptography"
-version = "46.0.3"
+version = "46.0.5"
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 optional = false
 python-versions = "!=3.9.0,!=3.9.1,>=3.8"
 groups = ["main"]
 files = [
-    {file = "cryptography-46.0.3-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:109d4ddfadf17e8e7779c39f9b18111a09efb969a301a31e987416a0191ed93a"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:09859af8466b69bc3c27bdf4f5d84a665e0f7ab5088412e9e2ec49758eca5cbc"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:01ca9ff2885f3acc98c29f1860552e37f6d7c7d013d7334ff2a9de43a449315d"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:6eae65d4c3d33da080cff9c4ab1f711b15c1d9760809dad6ea763f3812d254cb"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:e5bf0ed4490068a2e72ac03d786693adeb909981cc596425d09032d372bcc849"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:5ecfccd2329e37e9b7112a888e76d9feca2347f12f37918facbb893d7bb88ee8"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:a2c0cd47381a3229c403062f764160d57d4d175e022c1df84e168c6251a22eec"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:549e234ff32571b1f4076ac269fcce7a808d3bf98b76c8dd560e42dbc66d7d91"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:c0a7bb1a68a5d3471880e264621346c48665b3bf1c3759d682fc0864c540bd9e"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:10b01676fc208c3e6feeb25a8b83d81767e8059e1fe86e1dc62d10a3018fa926"},
-    {file = "cryptography-46.0.3-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:0abf1ffd6e57c67e92af68330d05760b7b7efb243aab8377e583284dbab72c71"},
-    {file = "cryptography-46.0.3-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a04bee9ab6a4da801eb9b51f1b708a1b5b5c9eb48c03f74198464c66f0d344ac"},
-    {file = "cryptography-46.0.3-cp311-abi3-win32.whl", hash = "sha256:f260d0d41e9b4da1ed1e0f1ce571f97fe370b152ab18778e9e8f67d6af432018"},
-    {file = "cryptography-46.0.3-cp311-abi3-win_amd64.whl", hash = "sha256:a9a3008438615669153eb86b26b61e09993921ebdd75385ddd748702c5adfddb"},
-    {file = "cryptography-46.0.3-cp311-abi3-win_arm64.whl", hash = "sha256:5d7f93296ee28f68447397bf5198428c9aeeab45705a55d53a6343455dcb2c3c"},
-    {file = "cryptography-46.0.3-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:00a5e7e87938e5ff9ff5447ab086a5706a957137e6e433841e9d24f38a065217"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:c8daeb2d2174beb4575b77482320303f3d39b8e81153da4f0fb08eb5fe86a6c5"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:39b6755623145ad5eff1dab323f4eae2a32a77a7abef2c5089a04a3d04366715"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:db391fa7c66df6762ee3f00c95a89e6d428f4d60e7abc8328f4fe155b5ac6e54"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:78a97cf6a8839a48c49271cdcbd5cf37ca2c1d6b7fdd86cc864f302b5e9bf459"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:dfb781ff7eaa91a6f7fd41776ec37c5853c795d3b358d4896fdbb5df168af422"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:6f61efb26e76c45c4a227835ddeae96d83624fb0d29eb5df5b96e14ed1a0afb7"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:23b1a8f26e43f47ceb6d6a43115f33a5a37d57df4ea0ca295b780ae8546e8044"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:b419ae593c86b87014b9be7396b385491ad7f320bde96826d0dd174459e54665"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:50fc3343ac490c6b08c0cf0d704e881d0d660be923fd3076db3e932007e726e3"},
-    {file = "cryptography-46.0.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:22d7e97932f511d6b0b04f2bfd818d73dcd5928db509460aaf48384778eb6d20"},
-    {file = "cryptography-46.0.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:d55f3dffadd674514ad19451161118fd010988540cee43d8bc20675e775925de"},
-    {file = "cryptography-46.0.3-cp314-cp314t-win32.whl", hash = "sha256:8a6e050cb6164d3f830453754094c086ff2d0b2f3a897a1d9820f6139a1f0914"},
-    {file = "cryptography-46.0.3-cp314-cp314t-win_amd64.whl", hash = "sha256:760f83faa07f8b64e9c33fc963d790a2edb24efb479e3520c14a45741cd9b2db"},
-    {file = "cryptography-46.0.3-cp314-cp314t-win_arm64.whl", hash = "sha256:516ea134e703e9fe26bcd1277a4b59ad30586ea90c365a87781d7887a646fe21"},
-    {file = "cryptography-46.0.3-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:cb3d760a6117f621261d662bccc8ef5bc32ca673e037c83fbe565324f5c46936"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:4b7387121ac7d15e550f5cb4a43aef2559ed759c35df7336c402bb8275ac9683"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:15ab9b093e8f09daab0f2159bb7e47532596075139dd74365da52ecc9cb46c5d"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:46acf53b40ea38f9c6c229599a4a13f0d46a6c3fa9ef19fc1a124d62e338dfa0"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:10ca84c4668d066a9878890047f03546f3ae0a6b8b39b697457b7757aaf18dbc"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:36e627112085bb3b81b19fed209c05ce2a52ee8b15d161b7c643a7d5a88491f3"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1000713389b75c449a6e979ffc7dcc8ac90b437048766cef052d4d30b8220971"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:b02cf04496f6576afffef5ddd04a0cb7d49cf6be16a9059d793a30b035f6b6ac"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:71e842ec9bc7abf543b47cf86b9a743baa95f4677d22baa4c7d5c69e49e9bc04"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:402b58fc32614f00980b66d6e56a5b4118e6cb362ae8f3fda141ba4689bd4506"},
-    {file = "cryptography-46.0.3-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:ef639cb3372f69ec44915fafcd6698b6cc78fbe0c2ea41be867f6ed612811963"},
-    {file = "cryptography-46.0.3-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:3b51b8ca4f1c6453d8829e1eb7299499ca7f313900dd4d89a24b8b87c0a780d4"},
-    {file = "cryptography-46.0.3-cp38-abi3-win32.whl", hash = "sha256:6276eb85ef938dc035d59b87c8a7dc559a232f954962520137529d77b18ff1df"},
-    {file = "cryptography-46.0.3-cp38-abi3-win_amd64.whl", hash = "sha256:416260257577718c05135c55958b674000baef9a1c7d9e8f306ec60d71db850f"},
-    {file = "cryptography-46.0.3-cp38-abi3-win_arm64.whl", hash = "sha256:d89c3468de4cdc4f08a57e214384d0471911a3830fcdaf7a8cc587e42a866372"},
-    {file = "cryptography-46.0.3-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:a23582810fedb8c0bc47524558fb6c56aac3fc252cb306072fd2815da2a47c32"},
-    {file = "cryptography-46.0.3-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:e7aec276d68421f9574040c26e2a7c3771060bc0cff408bae1dcb19d3ab1e63c"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-macosx_10_9_x86_64.whl", hash = "sha256:7ce938a99998ed3c8aa7e7272dca1a610401ede816d36d0693907d863b10d9ea"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:191bb60a7be5e6f54e30ba16fdfae78ad3a342a0599eb4193ba88e3f3d6e185b"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:c70cc23f12726be8f8bc72e41d5065d77e4515efae3690326764ea1b07845cfb"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:9394673a9f4de09e28b5356e7fff97d778f8abad85c9d5ac4a4b7e25a0de7717"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:94cd0549accc38d1494e1f8de71eca837d0509d0d44bf11d158524b0e12cebf9"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:6b5063083824e5509fdba180721d55909ffacccc8adbec85268b48439423d78c"},
-    {file = "cryptography-46.0.3.tar.gz", hash = "sha256:a8b17438104fed022ce745b362294d9ce35b4c2e45c1d958ad4a4b019285f4a1"},
+    {file = "cryptography-46.0.5-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:351695ada9ea9618b3500b490ad54c739860883df6c1f555e088eaf25b1bbaad"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:c18ff11e86df2e28854939acde2d003f7984f721eba450b56a200ad90eeb0e6b"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:4d7e3d356b8cd4ea5aff04f129d5f66ebdc7b6f8eae802b93739ed520c47c79b"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:50bfb6925eff619c9c023b967d5b77a54e04256c4281b0e21336a130cd7fc263"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:803812e111e75d1aa73690d2facc295eaefd4439be1023fefc4995eaea2af90d"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:3ee190460e2fbe447175cda91b88b84ae8322a104fc27766ad09428754a618ed"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:f145bba11b878005c496e93e257c1e88f154d278d2638e6450d17e0f31e558d2"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:e9251e3be159d1020c4030bd2e5f84d6a43fe54b6c19c12f51cde9542a2817b2"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:47fb8a66058b80e509c47118ef8a75d14c455e81ac369050f20ba0d23e77fee0"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:4c3341037c136030cb46e4b1e17b7418ea4cbd9dd207e4a6f3b2b24e0d4ac731"},
+    {file = "cryptography-46.0.5-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:890bcb4abd5a2d3f852196437129eb3667d62630333aacc13dfd470fad3aaa82"},
+    {file = "cryptography-46.0.5-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:80a8d7bfdf38f87ca30a5391c0c9ce4ed2926918e017c29ddf643d0ed2778ea1"},
+    {file = "cryptography-46.0.5-cp311-abi3-win32.whl", hash = "sha256:60ee7e19e95104d4c03871d7d7dfb3d22ef8a9b9c6778c94e1c8fcc8365afd48"},
+    {file = "cryptography-46.0.5-cp311-abi3-win_amd64.whl", hash = "sha256:38946c54b16c885c72c4f59846be9743d699eee2b69b6988e0a00a01f46a61a4"},
+    {file = "cryptography-46.0.5-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:94a76daa32eb78d61339aff7952ea819b1734b46f73646a07decb40e5b3448e2"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:5be7bf2fb40769e05739dd0046e7b26f9d4670badc7b032d6ce4db64dddc0678"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:fe346b143ff9685e40192a4960938545c699054ba11d4f9029f94751e3f71d87"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:c69fd885df7d089548a42d5ec05be26050ebcd2283d89b3d30676eb32ff87dee"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:8293f3dea7fc929ef7240796ba231413afa7b68ce38fd21da2995549f5961981"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:1abfdb89b41c3be0365328a410baa9df3ff8a9110fb75e7b52e66803ddabc9a9"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:d66e421495fdb797610a08f43b05269e0a5ea7f5e652a89bfd5a7d3c1dee3648"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:4e817a8920bfbcff8940ecfd60f23d01836408242b30f1a708d93198393a80b4"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:68f68d13f2e1cb95163fa3b4db4bf9a159a418f5f6e7242564fc75fcae667fd0"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:a3d1fae9863299076f05cb8a778c467578262fae09f9dc0ee9b12eb4268ce663"},
+    {file = "cryptography-46.0.5-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:c4143987a42a2397f2fc3b4d7e3a7d313fbe684f67ff443999e803dd75a76826"},
+    {file = "cryptography-46.0.5-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:7d731d4b107030987fd61a7f8ab512b25b53cef8f233a97379ede116f30eb67d"},
+    {file = "cryptography-46.0.5-cp314-cp314t-win32.whl", hash = "sha256:c3bcce8521d785d510b2aad26ae2c966092b7daa8f45dd8f44734a104dc0bc1a"},
+    {file = "cryptography-46.0.5-cp314-cp314t-win_amd64.whl", hash = "sha256:4d8ae8659ab18c65ced284993c2265910f6c9e650189d4e3f68445ef82a810e4"},
+    {file = "cryptography-46.0.5-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:4108d4c09fbbf2789d0c926eb4152ae1760d5a2d97612b92d508d96c861e4d31"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7d1f30a86d2757199cb2d56e48cce14deddf1f9c95f1ef1b64ee91ea43fe2e18"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:039917b0dc418bb9f6edce8a906572d69e74bd330b0b3fea4f79dab7f8ddd235"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:ba2a27ff02f48193fc4daeadf8ad2590516fa3d0adeeb34336b96f7fa64c1e3a"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:61aa400dce22cb001a98014f647dc21cda08f7915ceb95df0c9eaf84b4b6af76"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:3ce58ba46e1bc2aac4f7d9290223cead56743fa6ab94a5d53292ffaac6a91614"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:420d0e909050490d04359e7fdb5ed7e667ca5c3c402b809ae2563d7e66a92229"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:582f5fcd2afa31622f317f80426a027f30dc792e9c80ffee87b993200ea115f1"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:bfd56bb4b37ed4f330b82402f6f435845a5f5648edf1ad497da51a8452d5d62d"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:a3d507bb6a513ca96ba84443226af944b0f7f47dcc9a399d110cd6146481d24c"},
+    {file = "cryptography-46.0.5-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9f16fbdf4da055efb21c22d81b89f155f02ba420558db21288b3d0035bafd5f4"},
+    {file = "cryptography-46.0.5-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:ced80795227d70549a411a4ab66e8ce307899fad2220ce5ab2f296e687eacde9"},
+    {file = "cryptography-46.0.5-cp38-abi3-win32.whl", hash = "sha256:02f547fce831f5096c9a567fd41bc12ca8f11df260959ecc7c3202555cc47a72"},
+    {file = "cryptography-46.0.5-cp38-abi3-win_amd64.whl", hash = "sha256:556e106ee01aa13484ce9b0239bca667be5004efb0aabbed28d353df86445595"},
+    {file = "cryptography-46.0.5-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:3b4995dc971c9fb83c25aa44cf45f02ba86f71ee600d81091c2f0cbae116b06c"},
+    {file = "cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:bc84e875994c3b445871ea7181d424588171efec3e185dced958dad9e001950a"},
+    {file = "cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:2ae6971afd6246710480e3f15824ed3029a60fc16991db250034efd0b9fb4356"},
+    {file = "cryptography-46.0.5.tar.gz", hash = "sha256:abace499247268e3757271b2f1e244b36b06f8515cf27c4d49468fc9eb16e93d"},
 ]
 
 [package.dependencies]
@@ -1612,7 +1604,7 @@ nox = ["nox[uv] (>=2024.4.15)"]
 pep8test = ["check-sdist", "click (>=8.0.1)", "mypy (>=1.14)", "ruff (>=0.11.11)"]
 sdist = ["build (>=1.0.0)"]
 ssh = ["bcrypt (>=3.1.5)"]
-test = ["certifi (>=2024)", "cryptography-vectors (==46.0.3)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
+test = ["certifi (>=2024)", "cryptography-vectors (==46.0.5)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
 test-randomorder = ["pytest-randomly"]
 
 [[package]]
@@ -5754,14 +5746,14 @@ test = ["flaky", "ipykernel (>=6.19.3)", "ipython", "ipywidgets", "nbconvert (>=
 
 [[package]]
 name = "nbconvert"
-version = "7.16.6"
-description = "Converting Jupyter Notebooks (.ipynb files) to other formats.  Output formats include asciidoc, html, latex, markdown, pdf, py, rst, script.  nbconvert can be used both as a Python library (`import nbconvert`) or as a command line tool (invoked as `jupyter nbconvert ...`)."
+version = "7.17.0"
+description = "Convert Jupyter Notebooks (.ipynb files) to other formats."
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "nbconvert-7.16.6-py3-none-any.whl", hash = "sha256:1375a7b67e0c2883678c48e506dc320febb57685e5ee67faa51b18a90f3a712b"},
-    {file = "nbconvert-7.16.6.tar.gz", hash = "sha256:576a7e37c6480da7b8465eefa66c17844243816ce1ccc372633c6b71c3c0f582"},
+    {file = "nbconvert-7.17.0-py3-none-any.whl", hash = "sha256:4f99a63b337b9a23504347afdab24a11faa7d86b405e5c8f9881cd313336d518"},
+    {file = "nbconvert-7.17.0.tar.gz", hash = "sha256:1b2696f1b5be12309f6c7d707c24af604b87dfaf6d950794c7b07acab96dda78"},
 ]
 
 [package.dependencies]
@@ -5781,8 +5773,8 @@ pygments = ">=2.4.1"
 traitlets = ">=5.1"
 
 [package.extras]
-all = ["flaky", "ipykernel", "ipython", "ipywidgets (>=7.5)", "myst-parser", "nbsphinx (>=0.2.12)", "playwright", "pydata-sphinx-theme", "pyqtwebengine (>=5.15)", "pytest (>=7)", "sphinx (==5.0.2)", "sphinxcontrib-spelling", "tornado (>=6.1)"]
-docs = ["ipykernel", "ipython", "myst-parser", "nbsphinx (>=0.2.12)", "pydata-sphinx-theme", "sphinx (==5.0.2)", "sphinxcontrib-spelling"]
+all = ["flaky", "intersphinx-registry", "ipykernel", "ipython", "ipywidgets (>=7.5)", "myst-parser", "nbsphinx (>=0.2.12)", "playwright", "pydata-sphinx-theme", "pyqtwebengine (>=5.15)", "pytest (>=7)", "sphinx (>=5.0.2)", "sphinxcontrib-spelling", "tornado (>=6.1)"]
+docs = ["intersphinx-registry", "ipykernel", "ipython", "myst-parser", "nbsphinx (>=0.2.12)", "pydata-sphinx-theme", "sphinx (>=5.0.2)", "sphinxcontrib-spelling"]
 qtpdf = ["pyqtwebengine (>=5.15)"]
 qtpng = ["pyqtwebengine (>=5.15)"]
 serve = ["tornado (>=6.1)"]
@@ -6102,14 +6094,14 @@ llama = ["llama-index (>=0.12.29,<0.13.0)", "llama-index-core (>=0.12.29,<0.13.0
 
 [[package]]
 name = "openhands-agent-server"
-version = "1.11.4"
+version = "1.11.5"
 description = "OpenHands Agent Server - REST/WebSocket interface for OpenHands AI Agent"
 optional = false
 python-versions = ">=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_agent_server-1.11.4-py3-none-any.whl", hash = "sha256:739bdb774dbfcd23d6e87ee6ee32bc0999f22300037506b6dd33e9ea67fa5c2a"},
-    {file = "openhands_agent_server-1.11.4.tar.gz", hash = "sha256:41247f7022a046eb50ca3b552bc6d12bfa9776e1bd27d0989da91b9f7ac77ca2"},
+    {file = "openhands_agent_server-1.11.5-py3-none-any.whl", hash = "sha256:8bae7063f232791d58a5c31919f58b557f7cce60e6295773985c7dadc556cb9e"},
+    {file = "openhands_agent_server-1.11.5.tar.gz", hash = "sha256:b61366d727c61ab9b7fcd66faab53f230f8ef0928c1177a388d2c5c4be6ebbd0"},
 ]
 
 [package.dependencies]
@@ -6126,7 +6118,7 @@ wsproto = ">=1.2.0"
 
 [[package]]
 name = "openhands-ai"
-version = "1.3.0"
+version = "1.4.0"
 description = "OpenHands: Code Less, Make More"
 optional = false
 python-versions = "^3.12,<3.14"
@@ -6168,9 +6160,9 @@ memory-profiler = ">=0.61"
 numpy = "*"
 openai = "2.8"
 openhands-aci = "0.3.2"
-openhands-agent-server = "1.11.4"
-openhands-sdk = "1.11.4"
-openhands-tools = "1.11.4"
+openhands-agent-server = "1.11.5"
+openhands-sdk = "1.11.5"
+openhands-tools = "1.11.5"
 opentelemetry-api = ">=1.33.1"
 opentelemetry-exporter-otlp-proto-grpc = ">=1.33.1"
 pathspec = ">=0.12.1"
@@ -6194,7 +6186,7 @@ python-jose = {version = ">=3.3", extras = ["cryptography"]}
 python-json-logger = ">=3.2.1"
 python-multipart = "*"
 python-pptx = "*"
-python-socketio = "5.13"
+python-socketio = "5.14"
 pythonnet = "*"
 pyyaml = ">=6.0.2"
 qtconsole = ">=5.6.1"
@@ -6225,14 +6217,14 @@ url = ".."
 
 [[package]]
 name = "openhands-sdk"
-version = "1.11.4"
+version = "1.11.5"
 description = "OpenHands SDK - Core functionality for building AI agents"
 optional = false
 python-versions = ">=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_sdk-1.11.4-py3-none-any.whl", hash = "sha256:9f4607c5d94b56fbcd533207026ee892779dd50e29bce79277ff82454a4f76d5"},
-    {file = "openhands_sdk-1.11.4.tar.gz", hash = "sha256:4088744f6b8856eeab22d3bc17e47d1736ea7ced945c2fa126bd7d48c14bb313"},
+    {file = "openhands_sdk-1.11.5-py3-none-any.whl", hash = "sha256:f949cd540cbecc339d90fb0cca2a5f29e1b62566b82b5aee82ef40f259d14e60"},
+    {file = "openhands_sdk-1.11.5.tar.gz", hash = "sha256:dd6225876b7b8dbb6c608559f2718c3d0bf44d0bb741e990b185c6cdc5150c5a"},
 ]
 
 [package.dependencies]
@@ -6253,14 +6245,14 @@ boto3 = ["boto3 (>=1.35.0)"]
 
 [[package]]
 name = "openhands-tools"
-version = "1.11.4"
+version = "1.11.5"
 description = "OpenHands Tools - Runtime tools for AI agents"
 optional = false
 python-versions = ">=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_tools-1.11.4-py3-none-any.whl", hash = "sha256:efd721b73e87a0dac69171a76931363fa59fcde98107ca86081ee7bf0253673a"},
-    {file = "openhands_tools-1.11.4.tar.gz", hash = "sha256:80671b1ea8c85a5247a75ea2340ae31d76363e9c723b104699a9a77e66d2043c"},
+    {file = "openhands_tools-1.11.5-py3-none-any.whl", hash = "sha256:1e981e1e7f3544184fe946cee8eb6bd287010cdef77d83ebac945c9f42df3baf"},
+    {file = "openhands_tools-1.11.5.tar.gz", hash = "sha256:d7b1163f6505a51b07147e7d8972062c129ecc46571a71f28d5470355e06650e"},
 ]
 
 [package.dependencies]
@@ -7323,23 +7315,23 @@ testing = ["google-api-core (>=1.31.5)"]
 
 [[package]]
 name = "protobuf"
-version = "5.29.5"
+version = "5.29.6"
 description = ""
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "protobuf-5.29.5-cp310-abi3-win32.whl", hash = "sha256:3f1c6468a2cfd102ff4703976138844f78ebd1fb45f49011afc5139e9e283079"},
-    {file = "protobuf-5.29.5-cp310-abi3-win_amd64.whl", hash = "sha256:3f76e3a3675b4a4d867b52e4a5f5b78a2ef9565549d4037e06cf7b0942b1d3fc"},
-    {file = "protobuf-5.29.5-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:e38c5add5a311f2a6eb0340716ef9b039c1dfa428b28f25a7838ac329204a671"},
-    {file = "protobuf-5.29.5-cp38-abi3-manylinux2014_aarch64.whl", hash = "sha256:fa18533a299d7ab6c55a238bf8629311439995f2e7eca5caaff08663606e9015"},
-    {file = "protobuf-5.29.5-cp38-abi3-manylinux2014_x86_64.whl", hash = "sha256:63848923da3325e1bf7e9003d680ce6e14b07e55d0473253a690c3a8b8fd6e61"},
-    {file = "protobuf-5.29.5-cp38-cp38-win32.whl", hash = "sha256:ef91363ad4faba7b25d844ef1ada59ff1604184c0bcd8b39b8a6bef15e1af238"},
-    {file = "protobuf-5.29.5-cp38-cp38-win_amd64.whl", hash = "sha256:7318608d56b6402d2ea7704ff1e1e4597bee46d760e7e4dd42a3d45e24b87f2e"},
-    {file = "protobuf-5.29.5-cp39-cp39-win32.whl", hash = "sha256:6f642dc9a61782fa72b90878af134c5afe1917c89a568cd3476d758d3c3a0736"},
-    {file = "protobuf-5.29.5-cp39-cp39-win_amd64.whl", hash = "sha256:470f3af547ef17847a28e1f47200a1cbf0ba3ff57b7de50d22776607cd2ea353"},
-    {file = "protobuf-5.29.5-py3-none-any.whl", hash = "sha256:6cf42630262c59b2d8de33954443d94b746c952b01434fc58a417fdbd2e84bd5"},
-    {file = "protobuf-5.29.5.tar.gz", hash = "sha256:bc1463bafd4b0929216c35f437a8e28731a2b7fe3d98bb77a600efced5a15c84"},
+    {file = "protobuf-5.29.6-cp310-abi3-win32.whl", hash = "sha256:62e8a3114992c7c647bce37dcc93647575fc52d50e48de30c6fcb28a6a291eb1"},
+    {file = "protobuf-5.29.6-cp310-abi3-win_amd64.whl", hash = "sha256:7e6ad413275be172f67fdee0f43484b6de5a904cc1c3ea9804cb6fe2ff366eda"},
+    {file = "protobuf-5.29.6-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:b5a169e664b4057183a34bdc424540e86eea47560f3c123a0d64de4e137f9269"},
+    {file = "protobuf-5.29.6-cp38-abi3-manylinux2014_aarch64.whl", hash = "sha256:a8866b2cff111f0f863c1b3b9e7572dc7eaea23a7fae27f6fc613304046483e6"},
+    {file = "protobuf-5.29.6-cp38-abi3-manylinux2014_x86_64.whl", hash = "sha256:e3387f44798ac1106af0233c04fb8abf543772ff241169946f698b3a9a3d3ab9"},
+    {file = "protobuf-5.29.6-cp38-cp38-win32.whl", hash = "sha256:36ade6ff88212e91aef4e687a971a11d7d24d6948a66751abc1b3238648f5d05"},
+    {file = "protobuf-5.29.6-cp38-cp38-win_amd64.whl", hash = "sha256:831e2da16b6cc9d8f1654c041dd594eda43391affd3c03a91bea7f7f6da106d6"},
+    {file = "protobuf-5.29.6-cp39-cp39-win32.whl", hash = "sha256:cb4c86de9cd8a7f3a256b9744220d87b847371c6b2f10bde87768918ef33ba49"},
+    {file = "protobuf-5.29.6-cp39-cp39-win_amd64.whl", hash = "sha256:76e07e6567f8baf827137e8d5b8204b6c7b6488bbbff1bf0a72b383f77999c18"},
+    {file = "protobuf-5.29.6-py3-none-any.whl", hash = "sha256:6b9edb641441b2da9fa8f428760fc136a49cf97a52076010cf22a2ff73438a86"},
+    {file = "protobuf-5.29.6.tar.gz", hash = "sha256:da9ee6a5424b6b30fd5e45c5ea663aef540ca95f9ad99d1e887e819cdf9b8723"},
 ]
 
 [[package]]
@@ -7562,14 +7554,14 @@ typing-extensions = ">=4.15.0"
 
 [[package]]
 name = "pyasn1"
-version = "0.6.1"
+version = "0.6.2"
 description = "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)"
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "pyasn1-0.6.1-py3-none-any.whl", hash = "sha256:0d632f46f2ba09143da3a8afe9e33fb6f92fa2320ab7e886e2d0f7672af84629"},
-    {file = "pyasn1-0.6.1.tar.gz", hash = "sha256:6f580d2bdd84365380830acf45550f2511469f673cb4a5ae3857a3170128b034"},
+    {file = "pyasn1-0.6.2-py3-none-any.whl", hash = "sha256:1eb26d860996a18e9b6ed05e7aae0e9fc21619fcee6af91cca9bad4fbea224bf"},
+    {file = "pyasn1-0.6.2.tar.gz", hash = "sha256:9b59a2b25ba7e4f8197db7686c09fb33e658b98339fadb826e9512629017833b"},
 ]
 
 [[package]]
@@ -11578,20 +11570,20 @@ diagrams = ["jinja2", "railroad-diagrams"]
 
 [[package]]
 name = "pypdf"
-version = "6.6.0"
+version = "6.7.3"
 description = "A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "pypdf-6.6.0-py3-none-any.whl", hash = "sha256:bca9091ef6de36c7b1a81e09327c554b7ce51e88dad68f5890c2b4a4417f1fd7"},
-    {file = "pypdf-6.6.0.tar.gz", hash = "sha256:4c887ef2ea38d86faded61141995a3c7d068c9d6ae8477be7ae5de8a8e16592f"},
+    {file = "pypdf-6.7.3-py3-none-any.whl", hash = "sha256:cd25ac508f20b554a9fafd825186e3ba29591a69b78c156783c5d8a2d63a1c0a"},
+    {file = "pypdf-6.7.3.tar.gz", hash = "sha256:eca55c78d0ec7baa06f9288e2be5c4e8242d5cbb62c7a4b94f2716f8e50076d2"},
 ]
 
 [package.extras]
 crypto = ["cryptography"]
 cryptodome = ["PyCryptodome"]
-dev = ["black", "flit", "pip-tools", "pre-commit", "pytest-cov", "pytest-socket", "pytest-timeout", "pytest-xdist", "wheel"]
+dev = ["flit", "pip-tools", "pre-commit", "pytest-cov", "pytest-socket", "pytest-timeout", "pytest-xdist", "wheel"]
 docs = ["myst_parser", "sphinx", "sphinx_rtd_theme"]
 full = ["Pillow (>=8.0.0)", "cryptography"]
 image = ["Pillow (>=8.0.0)"]
@@ -11886,14 +11878,14 @@ requests-toolbelt = ">=0.6.0"
 
 [[package]]
 name = "python-multipart"
-version = "0.0.21"
+version = "0.0.22"
 description = "A streaming multipart parser for Python"
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "python_multipart-0.0.21-py3-none-any.whl", hash = "sha256:cf7a6713e01c87aa35387f4774e812c4361150938d20d232800f75ffcf266090"},
-    {file = "python_multipart-0.0.21.tar.gz", hash = "sha256:7137ebd4d3bbf70ea1622998f902b97a29434a9e8dc40eb203bbcf7c2a2cba92"},
+    {file = "python_multipart-0.0.22-py3-none-any.whl", hash = "sha256:2b2cd894c83d21bf49d702499531c7bafd057d730c201782048f7945d82de155"},
+    {file = "python_multipart-0.0.22.tar.gz", hash = "sha256:7340bef99a7e0032613f56dc36027b959fd3b30a787ed62d310e951f7c3a3a58"},
 ]
 
 [[package]]
@@ -11916,14 +11908,14 @@ XlsxWriter = ">=0.5.7"
 
 [[package]]
 name = "python-socketio"
-version = "5.13.0"
+version = "5.14.0"
 description = "Socket.IO server and client for Python"
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "python_socketio-5.13.0-py3-none-any.whl", hash = "sha256:51f68d6499f2df8524668c24bcec13ba1414117cfb3a90115c559b601ab10caf"},
-    {file = "python_socketio-5.13.0.tar.gz", hash = "sha256:ac4e19a0302ae812e23b712ec8b6427ca0521f7c582d6abb096e36e24a263029"},
+    {file = "python_socketio-5.14.0-py3-none-any.whl", hash = "sha256:7de5ad8a55efc33e17897f6cf91d20168d3d259f98c38d38e2940af83136d6f8"},
+    {file = "python_socketio-5.14.0.tar.gz", hash = "sha256:d057737f658b3948392ff452a5c865c5ccc969859c37cf095a73393ce755f98e"},
 ]
 
 [package.dependencies]
@@ -11969,7 +11961,7 @@ description = "Python for Window Extensions"
 optional = false
 python-versions = "*"
 groups = ["main"]
-markers = "sys_platform == \"win32\" or platform_system == \"Windows\""
+markers = "platform_system == \"Windows\" or sys_platform == \"win32\""
 files = [
     {file = "pywin32-311-cp310-cp310-win32.whl", hash = "sha256:d03ff496d2a0cd4a5893504789d4a15399133fe82517455e78bad62efbb7f0a3"},
     {file = "pywin32-311-cp310-cp310-win_amd64.whl", hash = "sha256:797c2772017851984b97180b0bebe4b620bb86328e8a884bb626156295a63b3b"},

enterprise/saas_server.py

@@ -38,9 +38,19 @@ from server.routes.integration.linear import linear_integration_router  # noqa:
 from server.routes.integration.slack import slack_router  # noqa: E402
 from server.routes.mcp_patch import patch_mcp_server  # noqa: E402
 from server.routes.oauth_device import oauth_device_router  # noqa: E402
+from server.routes.org_invitations import (  # noqa: E402
+    accept_router as invitation_accept_router,
+)
+from server.routes.org_invitations import (  # noqa: E402
+    invitation_router,
+)
 from server.routes.orgs import org_router  # noqa: E402
 from server.routes.readiness import readiness_router  # noqa: E402
 from server.routes.user import saas_user_router  # noqa: E402
+from server.routes.user_app_settings import user_app_settings_router  # noqa: E402
+from server.routes.verified_models import (  # noqa: E402
+    api_router as verified_models_router,
+)
 from server.sharing.shared_conversation_router import (  # noqa: E402
     router as shared_conversation_router,
 )
@@ -70,6 +80,7 @@ base_app.include_router(api_router)  # Add additional route for github auth
 base_app.include_router(oauth_router)  # Add additional route for oauth callback
 base_app.include_router(oauth_device_router)  # Add OAuth 2.0 Device Flow routes
 base_app.include_router(saas_user_router)  # Add additional route SAAS user calls
+base_app.include_router(user_app_settings_router)  # Add routes for user app settings
 base_app.include_router(
     billing_router
 )  # Add routes for credit management and Stripe payment integration
@@ -99,6 +110,11 @@ if GITLAB_APP_CLIENT_ID:
 
 base_app.include_router(api_keys_router)  # Add routes for API key management
 base_app.include_router(org_router)  # Add routes for organization management
+base_app.include_router(
+    verified_models_router
+)  # Add routes for verified models management
+base_app.include_router(invitation_router)  # Add routes for org invitation management
+base_app.include_router(invitation_accept_router)  # Add route for accepting invitations
 add_github_proxy_routes(base_app)
 add_debugging_routes(
     base_app

enterprise/server/auth/auth_error.py

@@ -38,3 +38,9 @@ class ExpiredError(AuthError):
     """Error when a token has expired (Usually the refresh token)"""
 
     pass
+
+
+class TokenRefreshError(AuthError):
+    """Error when token refresh fails due to timeout or lock contention"""
+
+    pass

enterprise/server/auth/auth_utils.py

@@ -1,7 +1,5 @@
 import os
 
-from server.auth.sheets_client import GoogleSheetsClient
-
 from openhands.core.logger import openhands_logger as logger
 
 
@@ -9,12 +7,9 @@ class UserVerifier:
     def __init__(self) -> None:
         logger.debug('Initializing UserVerifier')
         self.file_users: list[str] | None = None
-        self.sheets_client: GoogleSheetsClient | None = None
-        self.spreadsheet_id: str | None = None
 
         # Initialize from environment variables
         self._init_file_users()
-        self._init_sheets_client()
 
     def _init_file_users(self) -> None:
         """Load users from text file if configured."""
@@ -36,23 +31,11 @@ class UserVerifier:
         except Exception:
             logger.exception(f'Error reading user list file {waitlist}')
 
-    def _init_sheets_client(self) -> None:
-        """Initialize Google Sheets client if configured."""
-        sheet_id = os.getenv('GITHUB_USERS_SHEET_ID')
-
-        if not sheet_id:
-            logger.debug('GITHUB_USERS_SHEET_ID not configured')
-            return
-
-        logger.debug('Initializing Google Sheets integration')
-        self.sheets_client = GoogleSheetsClient()
-        self.spreadsheet_id = sheet_id
-
     def is_active(self) -> bool:
         if os.getenv('DISABLE_WAITLIST', '').lower() == 'true':
             logger.info('Waitlist disabled via DISABLE_WAITLIST env var')
             return False
-        return bool(self.file_users or (self.sheets_client and self.spreadsheet_id))
+        return bool(self.file_users)
 
     def is_user_allowed(self, username: str) -> bool:
         """Check if user is allowed based on file and/or sheet configuration."""
@@ -63,15 +46,6 @@ class UserVerifier:
                 return True
             logger.debug(f'User {username} not found in text file allowlist')
 
-        if self.sheets_client and self.spreadsheet_id:
-            sheet_users = [
-                u.lower() for u in self.sheets_client.get_usernames(self.spreadsheet_id)
-            ]
-            if username.lower() in sheet_users:
-                logger.debug(f'User {username} found in Google Sheets allowlist')
-                return True
-            logger.debug(f'User {username} not found in Google Sheets allowlist')
-
         logger.debug(f'User {username} not found in any allowlist')
         return False
 

enterprise/server/auth/authorization.py

@@ -0,0 +1,306 @@
+"""
+Permission-based authorization dependencies for API endpoints.
+
+This module provides FastAPI dependencies for checking user permissions
+within organizations. It uses a permission-based authorization model where
+roles (owner, admin, member) are mapped to specific permissions.
+
+Permissions are defined in the Permission enum and mapped to roles via
+ROLE_PERMISSIONS. This allows fine-grained access control while maintaining
+the familiar role-based hierarchy.
+
+Usage:
+    from server.auth.authorization import (
+        Permission,
+        require_permission,
+    )
+
+    @router.get('/{org_id}/settings')
+    async def get_settings(
+        org_id: UUID,
+        user_id: str = Depends(require_permission(Permission.VIEW_LLM_SETTINGS)),
+    ):
+        # Only users with VIEW_LLM_SETTINGS permission can access
+        ...
+
+    @router.patch('/{org_id}/settings')
+    async def update_settings(
+        org_id: UUID,
+        user_id: str = Depends(require_permission(Permission.EDIT_LLM_SETTINGS)),
+    ):
+        # Only users with EDIT_LLM_SETTINGS permission can access
+        ...
+"""
+
+from enum import Enum
+from uuid import UUID
+
+from fastapi import Depends, HTTPException, status
+from storage.org_member_store import OrgMemberStore
+from storage.role import Role
+from storage.role_store import RoleStore
+
+from openhands.core.logger import openhands_logger as logger
+from openhands.server.user_auth import get_user_id
+
+
+class Permission(str, Enum):
+    """Permissions that can be assigned to roles."""
+
+    # Secrets
+    MANAGE_SECRETS = 'manage_secrets'
+
+    # MCP
+    MANAGE_MCP = 'manage_mcp'
+
+    # Integrations
+    MANAGE_INTEGRATIONS = 'manage_integrations'
+
+    # Application Settings
+    MANAGE_APPLICATION_SETTINGS = 'manage_application_settings'
+
+    # API Keys
+    MANAGE_API_KEYS = 'manage_api_keys'
+
+    # LLM Settings
+    VIEW_LLM_SETTINGS = 'view_llm_settings'
+    EDIT_LLM_SETTINGS = 'edit_llm_settings'
+
+    # Billing
+    VIEW_BILLING = 'view_billing'
+    ADD_CREDITS = 'add_credits'
+
+    # Organization Members
+    INVITE_USER_TO_ORGANIZATION = 'invite_user_to_organization'
+    CHANGE_USER_ROLE_MEMBER = 'change_user_role:member'
+    CHANGE_USER_ROLE_ADMIN = 'change_user_role:admin'
+    CHANGE_USER_ROLE_OWNER = 'change_user_role:owner'
+
+    # Organization Management
+    VIEW_ORG_SETTINGS = 'view_org_settings'
+    CHANGE_ORGANIZATION_NAME = 'change_organization_name'
+    DELETE_ORGANIZATION = 'delete_organization'
+
+    # Temporary permissions until we finish the API updates.
+    EDIT_ORG_SETTINGS = 'edit_org_settings'
+
+
+class RoleName(str, Enum):
+    """Role names used in the system."""
+
+    OWNER = 'owner'
+    ADMIN = 'admin'
+    MEMBER = 'member'
+
+
+# Permission mappings for each role
+ROLE_PERMISSIONS: dict[RoleName, frozenset[Permission]] = {
+    RoleName.OWNER: frozenset(
+        [
+            # Settings (Full access)
+            Permission.MANAGE_SECRETS,
+            Permission.MANAGE_MCP,
+            Permission.MANAGE_INTEGRATIONS,
+            Permission.MANAGE_APPLICATION_SETTINGS,
+            Permission.MANAGE_API_KEYS,
+            Permission.VIEW_LLM_SETTINGS,
+            Permission.EDIT_LLM_SETTINGS,
+            Permission.VIEW_BILLING,
+            Permission.ADD_CREDITS,
+            # Organization Members
+            Permission.INVITE_USER_TO_ORGANIZATION,
+            Permission.CHANGE_USER_ROLE_MEMBER,
+            Permission.CHANGE_USER_ROLE_ADMIN,
+            Permission.CHANGE_USER_ROLE_OWNER,
+            # Organization Management
+            Permission.VIEW_ORG_SETTINGS,
+            Permission.EDIT_ORG_SETTINGS,
+            # Organization Management (Owner only)
+            Permission.CHANGE_ORGANIZATION_NAME,
+            Permission.DELETE_ORGANIZATION,
+        ]
+    ),
+    RoleName.ADMIN: frozenset(
+        [
+            # Settings (Full access)
+            Permission.MANAGE_SECRETS,
+            Permission.MANAGE_MCP,
+            Permission.MANAGE_INTEGRATIONS,
+            Permission.MANAGE_APPLICATION_SETTINGS,
+            Permission.MANAGE_API_KEYS,
+            Permission.VIEW_LLM_SETTINGS,
+            Permission.EDIT_LLM_SETTINGS,
+            Permission.VIEW_BILLING,
+            Permission.ADD_CREDITS,
+            # Organization Members
+            Permission.INVITE_USER_TO_ORGANIZATION,
+            Permission.CHANGE_USER_ROLE_MEMBER,
+            Permission.CHANGE_USER_ROLE_ADMIN,
+            # Organization Management
+            Permission.VIEW_ORG_SETTINGS,
+            Permission.EDIT_ORG_SETTINGS,
+        ]
+    ),
+    RoleName.MEMBER: frozenset(
+        [
+            # Settings (Full access)
+            Permission.MANAGE_SECRETS,
+            Permission.MANAGE_MCP,
+            Permission.MANAGE_INTEGRATIONS,
+            Permission.MANAGE_APPLICATION_SETTINGS,
+            Permission.MANAGE_API_KEYS,
+            # Settings (View only)
+            Permission.VIEW_ORG_SETTINGS,
+            Permission.VIEW_LLM_SETTINGS,
+        ]
+    ),
+}
+
+
+def get_user_org_role(user_id: str, org_id: UUID | None) -> Role | None:
+    """
+    Get the user's role in an organization (synchronous version).
+
+    Args:
+        user_id: User ID (string that will be converted to UUID)
+        org_id: Organization ID, or None to use the user's current organization
+
+    Returns:
+        Role object if user is a member, None otherwise
+    """
+    from uuid import UUID as parse_uuid
+
+    if org_id is None:
+        org_member = OrgMemberStore.get_org_member_for_current_org(parse_uuid(user_id))
+    else:
+        org_member = OrgMemberStore.get_org_member(org_id, parse_uuid(user_id))
+    if not org_member:
+        return None
+
+    return RoleStore.get_role_by_id(org_member.role_id)
+
+
+async def get_user_org_role_async(user_id: str, org_id: UUID | None) -> Role | None:
+    """
+    Get the user's role in an organization (async version).
+
+    Args:
+        user_id: User ID (string that will be converted to UUID)
+        org_id: Organization ID, or None to use the user's current organization
+
+    Returns:
+        Role object if user is a member, None otherwise
+    """
+    from uuid import UUID as parse_uuid
+
+    if org_id is None:
+        org_member = await OrgMemberStore.get_org_member_for_current_org_async(
+            parse_uuid(user_id)
+        )
+    else:
+        org_member = await OrgMemberStore.get_org_member_async(
+            org_id, parse_uuid(user_id)
+        )
+    if not org_member:
+        return None
+
+    return await RoleStore.get_role_by_id_async(org_member.role_id)
+
+
+def get_role_permissions(role_name: str) -> frozenset[Permission]:
+    """
+    Get the permissions for a role.
+
+    Args:
+        role_name: Name of the role
+
+    Returns:
+        Set of permissions for the role
+    """
+    try:
+        role_enum = RoleName(role_name)
+        return ROLE_PERMISSIONS.get(role_enum, frozenset())
+    except ValueError:
+        return frozenset()
+
+
+def has_permission(user_role: Role, permission: Permission) -> bool:
+    """
+    Check if a role has a specific permission.
+
+    Args:
+        user_role: User's Role object
+        permission: Permission to check
+
+    Returns:
+        True if the role has the permission
+    """
+    permissions = get_role_permissions(user_role.name)
+    return permission in permissions
+
+
+def require_permission(permission: Permission):
+    """
+    Factory function that creates a dependency to require a specific permission.
+
+    This creates a FastAPI dependency that:
+    1. Extracts org_id from the path parameter
+    2. Gets the authenticated user_id
+    3. Checks if the user has the required permission in the organization
+    4. Returns the user_id if authorized, raises HTTPException otherwise
+
+    Usage:
+        @router.get('/{org_id}/settings')
+        async def get_settings(
+            org_id: UUID,
+            user_id: str = Depends(require_permission(Permission.VIEW_LLM_SETTINGS)),
+        ):
+            ...
+
+    Args:
+        permission: The permission required to access the endpoint
+
+    Returns:
+        Dependency function that validates permission and returns user_id
+    """
+
+    async def permission_checker(
+        org_id: UUID | None = None,
+        user_id: str | None = Depends(get_user_id),
+    ) -> str:
+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='User not authenticated',
+            )
+
+        user_role = await get_user_org_role_async(user_id, org_id)
+
+        if not user_role:
+            logger.warning(
+                'User not a member of organization',
+                extra={'user_id': user_id, 'org_id': str(org_id)},
+            )
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail='User is not a member of this organization',
+            )
+
+        if not has_permission(user_role, permission):
+            logger.warning(
+                'Insufficient permissions',
+                extra={
+                    'user_id': user_id,
+                    'org_id': str(org_id),
+                    'user_role': user_role.name,
+                    'required_permission': permission.value,
+                },
+            )
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f'Requires {permission.value} permission',
+            )
+
+        return user_id
+
+    return permission_checker

enterprise/server/auth/github_utils.py

@@ -1,87 +1,11 @@
-import os
-
 from integrations.github.github_service import SaaSGitHubService
 from pydantic import SecretStr
-from server.auth.sheets_client import GoogleSheetsClient
 
+from enterprise.server.auth.auth_utils import user_verifier
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.github.github_types import GitHubUser
 
 
-class UserVerifier:
-    def __init__(self) -> None:
-        logger.debug('Initializing UserVerifier')
-        self.file_users: list[str] | None = None
-        self.sheets_client: GoogleSheetsClient | None = None
-        self.spreadsheet_id: str | None = None
-
-        # Initialize from environment variables
-        self._init_file_users()
-        self._init_sheets_client()
-
-    def _init_file_users(self) -> None:
-        """Load users from text file if configured"""
-        waitlist = os.getenv('GITHUB_USER_LIST_FILE')
-        if not waitlist:
-            logger.debug('GITHUB_USER_LIST_FILE not configured')
-            return
-
-        if not os.path.exists(waitlist):
-            logger.error(f'User list file not found: {waitlist}')
-            raise FileNotFoundError(f'User list file not found: {waitlist}')
-
-        try:
-            with open(waitlist, 'r') as f:
-                self.file_users = [line.strip().lower() for line in f if line.strip()]
-            logger.info(
-                f'Successfully loaded {len(self.file_users)} users from {waitlist}'
-            )
-        except Exception:
-            logger.error(f'Error reading user list file {waitlist}', exc_info=True)
-
-    def _init_sheets_client(self) -> None:
-        """Initialize Google Sheets client if configured"""
-        sheet_id = os.getenv('GITHUB_USERS_SHEET_ID')
-
-        if not sheet_id:
-            logger.debug('GITHUB_USERS_SHEET_ID not configured')
-            return
-
-        logger.debug('Initializing Google Sheets integration')
-        self.sheets_client = GoogleSheetsClient()
-        self.spreadsheet_id = sheet_id
-
-    def is_active(self) -> bool:
-        if os.getenv('DISABLE_WAITLIST', '').lower() == 'true':
-            logger.info('Waitlist disabled via DISABLE_WAITLIST env var')
-            return False
-        return bool(self.file_users or (self.sheets_client and self.spreadsheet_id))
-
-    def is_user_allowed(self, username: str) -> bool:
-        """Check if user is allowed based on file and/or sheet configuration"""
-        logger.debug(f'Checking if GitHub user {username} is allowed')
-        if self.file_users:
-            if username.lower() in self.file_users:
-                logger.debug(f'User {username} found in text file allowlist')
-                return True
-            logger.debug(f'User {username} not found in text file allowlist')
-
-        if self.sheets_client and self.spreadsheet_id:
-            sheet_users = [
-                u.lower() for u in self.sheets_client.get_usernames(self.spreadsheet_id)
-            ]
-            if username.lower() in sheet_users:
-                logger.debug(f'User {username} found in Google Sheets allowlist')
-                return True
-            logger.debug(f'User {username} not found in Google Sheets allowlist')
-
-        logger.debug(f'User {username} not found in any allowlist')
-        return False
-
-
-user_verifier = UserVerifier()
-
-
 def is_user_allowed(user_login: str):
     if user_verifier.is_active() and not user_verifier.is_user_allowed(user_login):
         logger.warning(f'GitHub user {user_login} not in allow list')

enterprise/server/auth/token_manager.py

@@ -49,6 +49,10 @@ from openhands.integrations.service_types import ProviderType
 from openhands.server.types import SessionExpiredError
 from openhands.utils.http_session import httpx_verify_option
 
+# HTTP timeout for external IDP calls (in seconds)
+# This prevents indefinite blocking if an IDP is slow or unresponsive
+IDP_HTTP_TIMEOUT = 15.0
+
 
 def _before_sleep_callback(retry_state: RetryCallState) -> None:
     logger.info(f'Retry attempt {retry_state.attempt_number} for Keycloak operation')
@@ -202,7 +206,9 @@ class TokenManager:
         access_token: str,
         idp: ProviderType,
     ) -> dict[str, str | int]:
-        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
+        async with httpx.AsyncClient(
+            verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT
+        ) as client:
             base_url = KEYCLOAK_SERVER_URL_EXT if self.external else KEYCLOAK_SERVER_URL
             url = f'{base_url}/realms/{KEYCLOAK_REALM_NAME}/broker/{idp.value}/token'
             headers = {
@@ -361,7 +367,9 @@ class TokenManager:
             'refresh_token': refresh_token,
             'grant_type': 'refresh_token',
         }
-        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
+        async with httpx.AsyncClient(
+            verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT
+        ) as client:
             response = await client.post(url, data=payload)
             response.raise_for_status()
             logger.info('Successfully refreshed GitHub token')
@@ -387,7 +395,9 @@ class TokenManager:
             'refresh_token': refresh_token,
             'grant_type': 'refresh_token',
         }
-        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
+        async with httpx.AsyncClient(
+            verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT
+        ) as client:
             response = await client.post(url, data=payload)
             response.raise_for_status()
             logger.info('Successfully refreshed GitLab token')
@@ -415,7 +425,9 @@ class TokenManager:
             'refresh_token': refresh_token,
         }
 
-        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
+        async with httpx.AsyncClient(
+            verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT
+        ) as client:
             response = await client.post(url, data=data, headers=headers)
             response.raise_for_status()
             logger.info('Successfully refreshed Bitbucket token')

enterprise/server/constants.py

@@ -61,8 +61,6 @@ SUBSCRIPTION_PRICE_DATA = {
     },
 }
 
-FREE_CREDIT_THRESHOLD = float(os.environ.get('FREE_CREDIT_THRESHOLD', '10'))
-FREE_CREDIT_AMOUNT = float(os.environ.get('FREE_CREDIT_AMOUNT', '10'))
 STRIPE_API_KEY = os.environ.get('STRIPE_API_KEY', None)
 REQUIRE_PAYMENT = os.environ.get('REQUIRE_PAYMENT', '0') in ('1', 'true')
 

enterprise/server/logger.py

@@ -51,6 +51,14 @@ def custom_json_serializer(obj, **kwargs):
                 obj['stack_info'] = format_stack(stack_info)
 
     result = json.dumps(obj, **kwargs)
+
+    # Swap out newlines to make things easier to read. This will produce
+    # invalid json but means we can have similar logs in local development
+    # to production, making things easier to correlate. Obviously,
+    # LOG_JSON_FOR_CONSOLE should not be used in production environments.
+    if LOG_JSON_FOR_CONSOLE:
+        result = result.replace('\\n', '\n')
+
     return result
 
 

enterprise/server/middleware.py

@@ -103,11 +103,13 @@ class SetAuthCookieMiddleware:
         keycloak_auth_cookie = request.cookies.get('keycloak_auth')
         auth_header = request.headers.get('Authorization')
         mcp_auth_header = request.headers.get('X-Session-API-Key')
+        api_auth_header = request.headers.get('X-Access-Token')
         accepted_tos: bool | None = False
         if (
             keycloak_auth_cookie is None
             and (auth_header is None or not auth_header.startswith('Bearer '))
             and mcp_auth_header is None
+            and api_auth_header is None
         ):
             raise NoCredentialsError
 
@@ -160,10 +162,10 @@ class SetAuthCookieMiddleware:
             '/api/billing/customer-setup-success',
             '/api/billing/stripe-webhook',
             '/api/email/resend',
+            '/api/organizations/members/invite/accept',
             '/oauth/device/authorize',
             '/oauth/device/token',
             '/api/v1/web-client/config',
-            '/api/v1/webhooks/secrets',
         )
         if path in ignore_paths:
             return False
@@ -174,6 +176,10 @@ class SetAuthCookieMiddleware:
         ):
             return False
 
+        # Webhooks access is controlled using separate API keys
+        if path.startswith('/api/v1/webhooks/'):
+            return False
+
         is_mcp = path.startswith('/mcp')
         is_api_route = path.startswith('/api')
         return is_api_route or is_mcp

enterprise/server/routes/api_keys.py

@@ -2,6 +2,7 @@ from datetime import UTC, datetime
 
 from fastapi import APIRouter, Depends, HTTPException, status
 from pydantic import BaseModel, field_validator
+from storage.api_key import ApiKey
 from storage.api_key_store import ApiKeyStore
 from storage.lite_llm_manager import LiteLlmManager
 from storage.org_member import OrgMember
@@ -135,9 +136,9 @@ class ApiKeyCreate(BaseModel):
 class ApiKeyResponse(BaseModel):
     id: int
     name: str | None = None
-    created_at: str
-    last_used_at: str | None = None
-    expires_at: str | None = None
+    created_at: datetime
+    last_used_at: datetime | None = None
+    expires_at: datetime | None = None
 
 
 class ApiKeyCreateResponse(ApiKeyResponse):
@@ -152,12 +153,29 @@ class ByorPermittedResponse(BaseModel):
     permitted: bool
 
 
-@api_router.get('/llm/byor/permitted', response_model=ByorPermittedResponse)
-async def check_byor_permitted(user_id: str = Depends(get_user_id)):
+class MessageResponse(BaseModel):
+    message: str
+
+
+def api_key_to_response(key: ApiKey) -> ApiKeyResponse:
+    """Convert an ApiKey model to an ApiKeyResponse."""
+    return ApiKeyResponse(
+        id=key.id,
+        name=key.name,
+        created_at=key.created_at,
+        last_used_at=key.last_used_at,
+        expires_at=key.expires_at,
+    )
+
+
+@api_router.get('/llm/byor/permitted', tags=['Keys'])
+async def check_byor_permitted(
+    user_id: str = Depends(get_user_id),
+) -> ByorPermittedResponse:
     """Check if BYOR key export is permitted for the user's current org."""
     try:
         permitted = await OrgService.check_byor_export_enabled(user_id)
-        return {'permitted': permitted}
+        return ByorPermittedResponse(permitted=permitted)
     except Exception as e:
         logger.exception(
             'Error checking BYOR export permission', extra={'error': str(e)}
@@ -168,8 +186,10 @@ async def check_byor_permitted(user_id: str = Depends(get_user_id)):
         )
 
 
-@api_router.post('', response_model=ApiKeyCreateResponse)
-async def create_api_key(key_data: ApiKeyCreate, user_id: str = Depends(get_user_id)):
+@api_router.post('', tags=['Keys'])
+async def create_api_key(
+    key_data: ApiKeyCreate, user_id: str = Depends(get_user_id)
+) -> ApiKeyCreateResponse:
     """Create a new API key for the authenticated user."""
     try:
         api_key = await api_key_store.create_api_key(
@@ -178,48 +198,29 @@ async def create_api_key(key_data: ApiKeyCreate, user_id: str = Depends(get_user
         # Get the created key details
         keys = await api_key_store.list_api_keys(user_id)
         for key in keys:
-            if key['name'] == key_data.name:
-                return {
-                    **key,
-                    'key': api_key,
-                    'created_at': (
-                        key['created_at'].isoformat() if key['created_at'] else None
-                    ),
-                    'last_used_at': (
-                        key['last_used_at'].isoformat() if key['last_used_at'] else None
-                    ),
-                    'expires_at': (
-                        key['expires_at'].isoformat() if key['expires_at'] else None
-                    ),
-                }
+            if key.name == key_data.name:
+                return ApiKeyCreateResponse(
+                    id=key.id,
+                    name=key.name,
+                    key=api_key,
+                    created_at=key.created_at,
+                    last_used_at=key.last_used_at,
+                    expires_at=key.expires_at,
+                )
     except Exception:
         logger.exception('Error creating API key')
-        raise HTTPException(
-            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail='Failed to create API key',
-        )
+    raise HTTPException(
+        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        detail='Failed to create API key',
+    )
 
 
-@api_router.get('', response_model=list[ApiKeyResponse])
-async def list_api_keys(user_id: str = Depends(get_user_id)):
+@api_router.get('', tags=['Keys'])
+async def list_api_keys(user_id: str = Depends(get_user_id)) -> list[ApiKeyResponse]:
     """List all API keys for the authenticated user."""
     try:
         keys = await api_key_store.list_api_keys(user_id)
-        return [
-            {
-                **key,
-                'created_at': (
-                    key['created_at'].isoformat() if key['created_at'] else None
-                ),
-                'last_used_at': (
-                    key['last_used_at'].isoformat() if key['last_used_at'] else None
-                ),
-                'expires_at': (
-                    key['expires_at'].isoformat() if key['expires_at'] else None
-                ),
-            }
-            for key in keys
-        ]
+        return [api_key_to_response(key) for key in keys]
     except Exception:
         logger.exception('Error listing API keys')
         raise HTTPException(
@@ -228,8 +229,10 @@ async def list_api_keys(user_id: str = Depends(get_user_id)):
         )
 
 
-@api_router.delete('/{key_id}')
-async def delete_api_key(key_id: int, user_id: str = Depends(get_user_id)):
+@api_router.delete('/{key_id}', tags=['Keys'])
+async def delete_api_key(
+    key_id: int, user_id: str = Depends(get_user_id)
+) -> MessageResponse:
     """Delete an API key."""
     try:
         # First, verify the key belongs to the user
@@ -237,7 +240,7 @@ async def delete_api_key(key_id: int, user_id: str = Depends(get_user_id)):
         key_to_delete = None
 
         for key in keys:
-            if key['id'] == key_id:
+            if key.id == key_id:
                 key_to_delete = key
                 break
 
@@ -255,7 +258,7 @@ async def delete_api_key(key_id: int, user_id: str = Depends(get_user_id)):
                 status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
                 detail='Failed to delete API key',
             )
-        return {'message': 'API key deleted successfully'}
+        return MessageResponse(message='API key deleted successfully')
     except HTTPException:
         raise
     except Exception:
@@ -266,8 +269,10 @@ async def delete_api_key(key_id: int, user_id: str = Depends(get_user_id)):
         )
 
 
-@api_router.get('/llm/byor', response_model=LlmApiKeyResponse)
-async def get_llm_api_key_for_byor(user_id: str = Depends(get_user_id)):
+@api_router.get('/llm/byor', tags=['Keys'])
+async def get_llm_api_key_for_byor(
+    user_id: str = Depends(get_user_id),
+) -> LlmApiKeyResponse:
     """Get the LLM API key for BYOR (Bring Your Own Runtime) for the authenticated user.
 
     This endpoint validates that the key exists in LiteLLM before returning it.
@@ -290,7 +295,7 @@ async def get_llm_api_key_for_byor(user_id: str = Depends(get_user_id)):
             # Validate that the key is actually registered in LiteLLM
             is_valid = await LiteLlmManager.verify_key(byor_key, user_id)
             if is_valid:
-                return {'key': byor_key}
+                return LlmApiKeyResponse(key=byor_key)
             else:
                 # Key exists in DB but is invalid in LiteLLM - regenerate it
                 logger.warning(
@@ -315,7 +320,7 @@ async def get_llm_api_key_for_byor(user_id: str = Depends(get_user_id)):
                 'Successfully generated and stored new BYOR key',
                 extra={'user_id': user_id},
             )
-            return {'key': key}
+            return LlmApiKeyResponse(key=key)
         else:
             logger.error(
                 'Failed to generate new BYOR LLM API key',
@@ -337,8 +342,10 @@ async def get_llm_api_key_for_byor(user_id: str = Depends(get_user_id)):
         )
 
 
-@api_router.post('/llm/byor/refresh', response_model=LlmApiKeyResponse)
-async def refresh_llm_api_key_for_byor(user_id: str = Depends(get_user_id)):
+@api_router.post('/llm/byor/refresh', tags=['Keys'])
+async def refresh_llm_api_key_for_byor(
+    user_id: str = Depends(get_user_id),
+) -> LlmApiKeyResponse:
     """Refresh the LLM API key for BYOR (Bring Your Own Runtime) for the authenticated user.
 
     Returns 402 Payment Required if BYOR export is not enabled for the user's org.
@@ -391,7 +398,7 @@ async def refresh_llm_api_key_for_byor(user_id: str = Depends(get_user_id)):
             'BYOR LLM API key refresh completed successfully',
             extra={'user_id': user_id},
         )
-        return {'key': key}
+        return LlmApiKeyResponse(key=key)
     except HTTPException as he:
         logger.error(
             'HTTP exception during BYOR LLM API key refresh',

enterprise/server/routes/auth.py

@@ -5,6 +5,7 @@ import warnings
 from datetime import datetime, timezone
 from typing import Annotated, Literal, Optional
 from urllib.parse import quote
+from uuid import UUID as parse_uuid
 
 import posthog
 from fastapi import APIRouter, Header, HTTPException, Request, Response, status
@@ -26,6 +27,13 @@ from server.auth.token_manager import TokenManager
 from server.config import sign_token
 from server.constants import IS_FEATURE_ENV
 from server.routes.event_webhook import _get_session_api_key, _get_user_id
+from server.services.org_invitation_service import (
+    EmailMismatchError,
+    InvitationExpiredError,
+    InvitationInvalidError,
+    OrgInvitationService,
+    UserAlreadyMemberError,
+)
 from storage.database import session_maker
 from storage.user import User
 from storage.user_store import UserStore
@@ -104,22 +112,40 @@ def get_cookie_samesite(request: Request) -> Literal['lax', 'strict']:
     )
 
 
+def _extract_oauth_state(state: str | None) -> tuple[str, str | None, str | None]:
+    """Extract redirect URL, reCAPTCHA token, and invitation token from OAuth state.
+
+    Returns:
+        Tuple of (redirect_url, recaptcha_token, invitation_token).
+        Tokens may be None.
+    """
+    if not state:
+        return '', None, None
+
+    try:
+        # Try to decode as JSON (new format with reCAPTCHA and/or invitation)
+        state_data = json.loads(base64.urlsafe_b64decode(state.encode()).decode())
+        return (
+            state_data.get('redirect_url', ''),
+            state_data.get('recaptcha_token'),
+            state_data.get('invitation_token'),
+        )
+    except Exception:
+        # Old format - state is just the redirect URL
+        return state, None, None
+
+
+# Keep alias for backward compatibility
 def _extract_recaptcha_state(state: str | None) -> tuple[str, str | None]:
     """Extract redirect URL and reCAPTCHA token from OAuth state.
 
+    Deprecated: Use _extract_oauth_state instead.
+
     Returns:
         Tuple of (redirect_url, recaptcha_token). Token may be None.
     """
-    if not state:
-        return '', None
-
-    try:
-        # Try to decode as JSON (new format with reCAPTCHA)
-        state_data = json.loads(base64.urlsafe_b64decode(state.encode()).decode())
-        return state_data.get('redirect_url', ''), state_data.get('recaptcha_token')
-    except Exception:
-        # Old format - state is just the redirect URL
-        return state, None
+    redirect_url, recaptcha_token, _ = _extract_oauth_state(state)
+    return redirect_url, recaptcha_token
 
 
 @oauth_router.get('/keycloak/callback')
@@ -130,8 +156,8 @@ async def keycloak_callback(
     error: Optional[str] = None,
     error_description: Optional[str] = None,
 ):
-    # Extract redirect URL and reCAPTCHA token from state
-    redirect_url, recaptcha_token = _extract_recaptcha_state(state)
+    # Extract redirect URL, reCAPTCHA token, and invitation token from state
+    redirect_url, recaptcha_token, invitation_token = _extract_oauth_state(state)
     if not redirect_url:
         redirect_url = str(request.base_url)
 
@@ -182,6 +208,7 @@ async def keycloak_callback(
     else:
         # Existing user — gradually backfill contact_name if it still has a username-style value
         await UserStore.backfill_contact_name(user_id, user_info)
+        await UserStore.backfill_user_email(user_id, user_info)
 
     if not user:
         logger.error(f'Failed to authenticate user {user_info["preferred_username"]}')
@@ -302,8 +329,13 @@ async def keycloak_callback(
         from server.routes.email import verify_email
 
         await verify_email(request=request, user_id=user_id, is_auth_flow=True)
-        redirect_url = f'{request.base_url}login?email_verification_required=true&user_id={user_id}'
-        response = RedirectResponse(redirect_url, status_code=302)
+        verification_redirect_url = f'{request.base_url}login?email_verification_required=true&user_id={user_id}'
+        # Preserve invitation token so it can be included in OAuth state after verification
+        if invitation_token:
+            verification_redirect_url = (
+                f'{verification_redirect_url}&invitation_token={invitation_token}'
+            )
+        response = RedirectResponse(verification_redirect_url, status_code=302)
         return response
 
     # default to github IDP for now.
@@ -381,14 +413,90 @@ async def keycloak_callback(
         )
 
     has_accepted_tos = user.accepted_tos is not None
+
+    # Process invitation token if present (after email verification but before TOS)
+    if invitation_token:
+        try:
+            logger.info(
+                'Processing invitation token during auth callback',
+                extra={
+                    'user_id': user_id,
+                    'invitation_token_prefix': invitation_token[:10] + '...',
+                },
+            )
+
+            await OrgInvitationService.accept_invitation(
+                invitation_token, parse_uuid(user_id)
+            )
+            logger.info(
+                'Invitation accepted during auth callback',
+                extra={'user_id': user_id},
+            )
+
+        except InvitationExpiredError:
+            logger.warning(
+                'Invitation expired during auth callback',
+                extra={'user_id': user_id},
+            )
+            # Add query param to redirect URL
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&invitation_expired=true'
+            else:
+                redirect_url = f'{redirect_url}?invitation_expired=true'
+
+        except InvitationInvalidError as e:
+            logger.warning(
+                'Invalid invitation during auth callback',
+                extra={'user_id': user_id, 'error': str(e)},
+            )
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&invitation_invalid=true'
+            else:
+                redirect_url = f'{redirect_url}?invitation_invalid=true'
+
+        except UserAlreadyMemberError:
+            logger.info(
+                'User already member during invitation acceptance',
+                extra={'user_id': user_id},
+            )
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&already_member=true'
+            else:
+                redirect_url = f'{redirect_url}?already_member=true'
+
+        except EmailMismatchError as e:
+            logger.warning(
+                'Email mismatch during auth callback invitation acceptance',
+                extra={'user_id': user_id, 'error': str(e)},
+            )
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&email_mismatch=true'
+            else:
+                redirect_url = f'{redirect_url}?email_mismatch=true'
+
+        except Exception as e:
+            logger.exception(
+                'Unexpected error processing invitation during auth callback',
+                extra={'user_id': user_id, 'error': str(e)},
+            )
+            # Don't fail the login if invitation processing fails
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&invitation_error=true'
+            else:
+                redirect_url = f'{redirect_url}?invitation_error=true'
+
     # If the user hasn't accepted the TOS, redirect to the TOS page
     if not has_accepted_tos:
         encoded_redirect_url = quote(redirect_url, safe='')
         tos_redirect_url = (
             f'{request.base_url}accept-tos?redirect_url={encoded_redirect_url}'
         )
+        if invitation_token:
+            tos_redirect_url = f'{tos_redirect_url}&invitation_success=true'
         response = RedirectResponse(tos_redirect_url, status_code=302)
     else:
+        if invitation_token:
+            redirect_url = f'{redirect_url}&invitation_success=true'
         response = RedirectResponse(redirect_url, status_code=302)
 
     set_response_cookie(
@@ -442,7 +550,10 @@ async def keycloak_offline_callback(code: str, state: str, request: Request):
         user_id=user_info['sub'], offline_token=keycloak_refresh_token
     )
 
-    return RedirectResponse(state if state else request.base_url, status_code=302)
+    redirect_url, _, _ = _extract_oauth_state(state)
+    return RedirectResponse(
+        redirect_url if redirect_url else request.base_url, status_code=302
+    )
 
 
 @oauth_router.get('/github/callback')

enterprise/server/routes/billing.py

@@ -9,11 +9,7 @@ from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import RedirectResponse
 from integrations import stripe_service
 from pydantic import BaseModel
-from server.constants import (
-    FREE_CREDIT_AMOUNT,
-    FREE_CREDIT_THRESHOLD,
-    STRIPE_API_KEY,
-)
+from server.constants import STRIPE_API_KEY
 from server.logger import logger
 from starlette.datastructures import URL
 from storage.billing_session import BillingSession
@@ -27,7 +23,7 @@ from openhands.app_server.config import get_global_config
 from openhands.server.user_auth import get_user_id
 
 stripe.api_key = STRIPE_API_KEY
-billing_router = APIRouter(prefix='/api/billing')
+billing_router = APIRouter(prefix='/api/billing', tags=['Billing'])
 
 
 async def validate_billing_enabled() -> None:
@@ -97,9 +93,9 @@ async def get_credits(user_id: str = Depends(get_user_id)) -> GetCreditsResponse
     user_team_info = await LiteLlmManager.get_user_team_info(
         user_id, str(user.current_org_id)
     )
-    # Update to use calculate_credits
-    spend = user_team_info.get('spend', 0)
-    max_budget = (user_team_info.get('litellm_budget_table') or {}).get('max_budget', 0)
+    max_budget, spend = LiteLlmManager.get_budget_from_team_info(
+        user_team_info, user_id, str(user.current_org_id)
+    )
     credits = max(max_budget - spend, 0)
     return GetCreditsResponse(credits=Decimal('{:.2f}'.format(credits)))
 
@@ -151,7 +147,7 @@ async def create_customer_setup_session(
         customer=customer_info['customer_id'],
         mode='setup',
         payment_method_types=['card'],
-        success_url=f'{base_url}?free_credits=success',
+        success_url=f'{base_url}?setup=success',
         cancel_url=f'{base_url}',
     )
     return CreateBillingSessionResponse(redirect_url=checkout_session.url)
@@ -253,31 +249,13 @@ async def success_callback(session_id: str, request: Request):
         )
         amount_subtotal = stripe_session.amount_subtotal or 0
         add_credits = amount_subtotal / 100
-        max_budget = (user_team_info.get('litellm_budget_table') or {}).get(
-            'max_budget', 0
+        max_budget, _ = LiteLlmManager.get_budget_from_team_info(
+            user_team_info, billing_session.user_id, str(user.current_org_id)
         )
 
         org = session.query(Org).filter(Org.id == user.current_org_id).first()
         new_max_budget = max_budget + add_credits
 
-        # Grant free credits if:
-        # 1. The org has pending free credits (new org, eligible)
-        # 2. The budget after this purchase meets the threshold
-        should_grant_free_credits = (
-            org and org.pending_free_credits and new_max_budget >= FREE_CREDIT_THRESHOLD
-        )
-        if should_grant_free_credits:
-            new_max_budget += FREE_CREDIT_AMOUNT
-            org.pending_free_credits = False
-            logger.info(
-                'free_credits_granted',
-                extra={
-                    'user_id': billing_session.user_id,
-                    'org_id': str(user.current_org_id),
-                    'free_credit_amount': FREE_CREDIT_AMOUNT,
-                },
-            )
-
         await LiteLlmManager.update_team_and_users_budget(
             str(user.current_org_id), new_max_budget
         )
@@ -299,7 +277,6 @@ async def success_callback(session_id: str, request: Request):
                 'org_id': str(user.current_org_id),
                 'checkout_session_id': billing_session.id,
                 'stripe_customer_id': stripe_session.customer,
-                'free_credits_granted': should_grant_free_credits,
             },
         )
         session.commit()

enterprise/server/routes/email.py

@@ -8,6 +8,7 @@ from server.auth.keycloak_manager import get_keycloak_admin
 from server.auth.saas_user_auth import SaasUserAuth
 from server.routes.auth import set_response_cookie
 from server.utils.rate_limit_utils import check_rate_limit_by_user_id
+from storage.user_store import UserStore
 
 from openhands.core.logger import openhands_logger as logger
 from openhands.server.user_auth import get_user_id
@@ -62,6 +63,10 @@ async def update_email(
             },
         )
 
+        await UserStore.update_user_email(
+            user_id=user_id, email=email, email_verified=False
+        )
+
         user_auth: SaasUserAuth = await get_user_auth(request)
         await user_auth.refresh()  # refresh so access token has updated email
         user_auth.email = email
@@ -144,6 +149,7 @@ async def verified_email(request: Request):
     user_auth: SaasUserAuth = await get_user_auth(request)
     await user_auth.refresh()  # refresh so access token has updated email
     user_auth.email_verified = True
+    await UserStore.update_user_email(user_id=user_auth.user_id, email_verified=True)
     scheme = 'http' if request.url.hostname == 'localhost' else 'https'
     redirect_uri = f'{scheme}://{request.url.netloc}/settings/user'
     response = RedirectResponse(redirect_uri, status_code=302)

enterprise/server/routes/feedback.py

@@ -8,11 +8,18 @@ from storage.feedback import ConversationFeedback
 from storage.stored_conversation_metadata_saas import StoredConversationMetadataSaas
 
 from openhands.events.event_store import EventStore
+from openhands.server.dependencies import get_dependencies
 from openhands.server.shared import file_store
 from openhands.server.user_auth import get_user_id
 from openhands.utils.async_utils import call_sync_from_async
 
-router = APIRouter(prefix='/feedback', tags=['feedback'])
+# We use the get_dependencies method here to signal to the OpenAPI docs that this endpoint
+# is protected. The actual protection is provided by SetAuthCookieMiddleware
+# TODO: It may be an error by you can actually post feedback to a conversation you don't
+# own right now - maybe this is useful in the context of public shared conversations?
+router = APIRouter(
+    prefix='/feedback', tags=['feedback'], dependencies=get_dependencies()
+)
 
 
 async def get_event_ids(conversation_id: str, user_id: str) -> List[int]:

enterprise/server/routes/integration/jira.py

@@ -4,7 +4,7 @@ import json
 import os
 import re
 import uuid
-from urllib.parse import urlparse
+from urllib.parse import urlencode, urlparse
 
 import requests
 from fastapi import APIRouter, BackgroundTasks, Header, HTTPException, Request, status
@@ -371,9 +371,7 @@ async def create_jira_workspace(request: Request, workspace_data: JiraWorkspaceC
             'prompt': 'consent',
         }
 
-        auth_url = (
-            f"{JIRA_AUTH_URL}?{'&'.join([f'{k}={v}' for k, v in auth_params.items()])}"
-        )
+        auth_url = f'{JIRA_AUTH_URL}?{urlencode(auth_params)}'
 
         return JSONResponse(
             content={
@@ -432,9 +430,7 @@ async def create_workspace_link(request: Request, link_data: JiraLinkCreate):
             'response_type': 'code',
             'prompt': 'consent',
         }
-        auth_url = (
-            f"{JIRA_AUTH_URL}?{'&'.join([f'{k}={v}' for k, v in auth_params.items()])}"
-        )
+        auth_url = f'{JIRA_AUTH_URL}?{urlencode(auth_params)}'
 
         return JSONResponse(
             content={

enterprise/server/routes/integration/jira_dc.py

@@ -2,7 +2,7 @@ import json
 import os
 import re
 import uuid
-from urllib.parse import urlparse
+from urllib.parse import urlencode, urlparse
 
 import requests
 from fastapi import (
@@ -316,7 +316,7 @@ async def create_jira_dc_workspace(
                 'response_type': 'code',
             }
 
-            auth_url = f"{JIRA_DC_AUTH_URL}?{'&'.join([f'{k}={v}' for k, v in auth_params.items()])}"
+            auth_url = f'{JIRA_DC_AUTH_URL}?{urlencode(auth_params)}'
 
             return JSONResponse(
                 content={
@@ -436,7 +436,7 @@ async def create_workspace_link(request: Request, link_data: JiraDcLinkCreate):
                 'state': state,
                 'response_type': 'code',
             }
-            auth_url = f"{JIRA_DC_AUTH_URL}?{'&'.join([f'{k}={v}' for k, v in auth_params.items()])}"
+            auth_url = f'{JIRA_DC_AUTH_URL}?{urlencode(auth_params)}'
 
             return JSONResponse(
                 content={

enterprise/server/routes/org_invitation_models.py

@@ -0,0 +1,122 @@
+"""
+Pydantic models and custom exceptions for organization invitations.
+"""
+
+from pydantic import BaseModel, EmailStr
+from storage.org_invitation import OrgInvitation
+from storage.role_store import RoleStore
+
+
+class InvitationError(Exception):
+    """Base exception for invitation errors."""
+
+    pass
+
+
+class InvitationAlreadyExistsError(InvitationError):
+    """Raised when a pending invitation already exists for the email."""
+
+    def __init__(
+        self, message: str = 'A pending invitation already exists for this email'
+    ):
+        super().__init__(message)
+
+
+class UserAlreadyMemberError(InvitationError):
+    """Raised when the user is already a member of the organization."""
+
+    def __init__(self, message: str = 'User is already a member of this organization'):
+        super().__init__(message)
+
+
+class InvitationExpiredError(InvitationError):
+    """Raised when the invitation has expired."""
+
+    def __init__(self, message: str = 'Invitation has expired'):
+        super().__init__(message)
+
+
+class InvitationInvalidError(InvitationError):
+    """Raised when the invitation is invalid or revoked."""
+
+    def __init__(self, message: str = 'Invitation is no longer valid'):
+        super().__init__(message)
+
+
+class InsufficientPermissionError(InvitationError):
+    """Raised when the user lacks permission to perform the action."""
+
+    def __init__(self, message: str = 'Insufficient permission'):
+        super().__init__(message)
+
+
+class EmailMismatchError(InvitationError):
+    """Raised when the accepting user's email doesn't match the invitation email."""
+
+    def __init__(self, message: str = 'Your email does not match the invitation'):
+        super().__init__(message)
+
+
+class InvitationCreate(BaseModel):
+    """Request model for creating invitation(s)."""
+
+    emails: list[EmailStr]
+    role: str = 'member'  # Default to member role
+
+
+class InvitationResponse(BaseModel):
+    """Response model for invitation details."""
+
+    id: int
+    email: str
+    role: str
+    status: str
+    created_at: str
+    expires_at: str
+    inviter_email: str | None = None
+
+    @classmethod
+    def from_invitation(
+        cls,
+        invitation: OrgInvitation,
+        inviter_email: str | None = None,
+    ) -> 'InvitationResponse':
+        """Create an InvitationResponse from an OrgInvitation entity.
+
+        Args:
+            invitation: The invitation entity to convert
+            inviter_email: Optional email of the inviter
+
+        Returns:
+            InvitationResponse: The response model instance
+        """
+        role_name = ''
+        if invitation.role:
+            role_name = invitation.role.name
+        elif invitation.role_id:
+            role = RoleStore.get_role_by_id(invitation.role_id)
+            role_name = role.name if role else ''
+
+        return cls(
+            id=invitation.id,
+            email=invitation.email,
+            role=role_name,
+            status=invitation.status,
+            created_at=invitation.created_at.isoformat(),
+            expires_at=invitation.expires_at.isoformat(),
+            inviter_email=inviter_email,
+        )
+
+
+class InvitationFailure(BaseModel):
+    """Response model for a failed invitation."""
+
+    email: str
+    error: str
+
+
+class BatchInvitationResponse(BaseModel):
+    """Response model for batch invitation creation."""
+
+    successful: list[InvitationResponse]
+    failed: list[InvitationFailure]

enterprise/server/routes/org_invitations.py

@@ -0,0 +1,226 @@
+"""API routes for organization invitations."""
+
+from uuid import UUID
+
+from fastapi import APIRouter, Depends, HTTPException, Request, status
+from fastapi.responses import RedirectResponse
+from server.routes.org_invitation_models import (
+    BatchInvitationResponse,
+    EmailMismatchError,
+    InsufficientPermissionError,
+    InvitationCreate,
+    InvitationExpiredError,
+    InvitationFailure,
+    InvitationInvalidError,
+    InvitationResponse,
+    UserAlreadyMemberError,
+)
+from server.services.org_invitation_service import OrgInvitationService
+from server.utils.rate_limit_utils import check_rate_limit_by_user_id
+
+from openhands.core.logger import openhands_logger as logger
+from openhands.server.user_auth import get_user_id
+from openhands.server.user_auth.user_auth import get_user_auth
+
+# Router for invitation operations on an organization (requires org_id)
+invitation_router = APIRouter(prefix='/api/organizations/{org_id}/members')
+
+# Router for accepting invitations (no org_id required)
+accept_router = APIRouter(prefix='/api/organizations/members/invite')
+
+
+@invitation_router.post(
+    '/invite',
+    response_model=BatchInvitationResponse,
+    status_code=status.HTTP_201_CREATED,
+)
+async def create_invitation(
+    org_id: UUID,
+    invitation_data: InvitationCreate,
+    request: Request,
+    user_id: str = Depends(get_user_id),
+):
+    """Create organization invitations for multiple email addresses.
+
+    Sends emails to invitees with secure links to join the organization.
+    Supports batch invitations - some may succeed while others fail.
+
+    Permission rules:
+    - Only owners and admins can create invitations
+    - Admins can only invite with 'member' or 'admin' role (not 'owner')
+    - Owners can invite with any role
+
+    Args:
+        org_id: Organization UUID
+        invitation_data: Invitation details (emails array, role)
+        request: FastAPI request
+        user_id: Authenticated user ID (from dependency)
+
+    Returns:
+        BatchInvitationResponse: Lists of successful and failed invitations
+
+    Raises:
+        HTTPException 400: Invalid role or organization not found
+        HTTPException 403: User lacks permission to invite
+        HTTPException 429: Rate limit exceeded
+    """
+    # Rate limit: 10 invitations per minute per user (6 seconds between requests)
+    await check_rate_limit_by_user_id(
+        request=request,
+        key_prefix='org_invitation_create',
+        user_id=user_id,
+        user_rate_limit_seconds=6,
+    )
+
+    try:
+        successful, failed = await OrgInvitationService.create_invitations_batch(
+            org_id=org_id,
+            emails=[str(email) for email in invitation_data.emails],
+            role_name=invitation_data.role,
+            inviter_id=UUID(user_id),
+        )
+
+        logger.info(
+            'Batch organization invitations created',
+            extra={
+                'org_id': str(org_id),
+                'total_emails': len(invitation_data.emails),
+                'successful': len(successful),
+                'failed': len(failed),
+                'inviter_id': user_id,
+            },
+        )
+
+        return BatchInvitationResponse(
+            successful=[InvitationResponse.from_invitation(inv) for inv in successful],
+            failed=[
+                InvitationFailure(email=email, error=error) for email, error in failed
+            ],
+        )
+
+    except InsufficientPermissionError as e:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=str(e),
+        )
+    except ValueError as e:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=str(e),
+        )
+    except Exception as e:
+        logger.exception(
+            'Unexpected error creating batch invitations',
+            extra={'org_id': str(org_id), 'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='An unexpected error occurred',
+        )
+
+
+@accept_router.get('/accept')
+async def accept_invitation(
+    token: str,
+    request: Request,
+):
+    """Accept an organization invitation via token.
+
+    This endpoint is accessed via the link in the invitation email.
+
+    Flow:
+    1. If user is authenticated: Accept invitation directly and redirect to home
+    2. If user is not authenticated: Redirect to login page with invitation token
+       - Frontend stores token and includes it in OAuth state during login
+       - After authentication, keycloak_callback processes the invitation
+
+    Args:
+        token: The invitation token from the email link
+        request: FastAPI request
+
+    Returns:
+        RedirectResponse: Redirect to home page on success, or login page if not authenticated,
+                         or home page with error query params on failure
+    """
+    base_url = str(request.base_url).rstrip('/')
+
+    # Try to get user_id from auth (may not be authenticated)
+    user_id = None
+    try:
+        user_auth = await get_user_auth(request)
+        if user_auth:
+            user_id = await user_auth.get_user_id()
+    except Exception:
+        pass
+
+    if not user_id:
+        # User not authenticated - redirect to login page with invitation token
+        # Frontend will store the token and include it in OAuth state during login
+        logger.info(
+            'Invitation accept: redirecting unauthenticated user to login',
+            extra={'token_prefix': token[:10] + '...'},
+        )
+        login_url = f'{base_url}/login?invitation_token={token}'
+        return RedirectResponse(login_url, status_code=302)
+
+    # User is authenticated - process the invitation directly
+    try:
+        await OrgInvitationService.accept_invitation(token, UUID(user_id))
+
+        logger.info(
+            'Invitation accepted successfully',
+            extra={
+                'token_prefix': token[:10] + '...',
+                'user_id': user_id,
+            },
+        )
+
+        # Redirect to home page on success
+        return RedirectResponse(f'{base_url}/', status_code=302)
+
+    except InvitationExpiredError:
+        logger.warning(
+            'Invitation accept failed: expired',
+            extra={'token_prefix': token[:10] + '...', 'user_id': user_id},
+        )
+        return RedirectResponse(f'{base_url}/?invitation_expired=true', status_code=302)
+
+    except InvitationInvalidError as e:
+        logger.warning(
+            'Invitation accept failed: invalid',
+            extra={
+                'token_prefix': token[:10] + '...',
+                'user_id': user_id,
+                'error': str(e),
+            },
+        )
+        return RedirectResponse(f'{base_url}/?invitation_invalid=true', status_code=302)
+
+    except UserAlreadyMemberError:
+        logger.info(
+            'Invitation accept: user already member',
+            extra={'token_prefix': token[:10] + '...', 'user_id': user_id},
+        )
+        return RedirectResponse(f'{base_url}/?already_member=true', status_code=302)
+
+    except EmailMismatchError as e:
+        logger.warning(
+            'Invitation accept failed: email mismatch',
+            extra={
+                'token_prefix': token[:10] + '...',
+                'user_id': user_id,
+                'error': str(e),
+            },
+        )
+        return RedirectResponse(f'{base_url}/?email_mismatch=true', status_code=302)
+
+    except Exception as e:
+        logger.exception(
+            'Unexpected error accepting invitation',
+            extra={
+                'token_prefix': token[:10] + '...',
+                'user_id': user_id,
+                'error': str(e),
+            },
+        )
+        return RedirectResponse(f'{base_url}/?invitation_error=true', status_code=302)

enterprise/server/routes/org_models.py

@@ -214,6 +214,7 @@ class OrgPage(BaseModel):
 
     items: list[OrgResponse]
     next_page_id: str | None = None
+    current_org_id: str | None = None
 
 
 class OrgUpdate(BaseModel):
@@ -257,7 +258,7 @@ class OrgMemberResponse(BaseModel):
     user_id: str
     email: str | None
     role_id: int
-    role_name: str
+    role: str
     role_rank: int
     status: str | None
 
@@ -266,7 +267,8 @@ class OrgMemberPage(BaseModel):
     """Paginated response for organization members."""
 
     items: list[OrgMemberResponse]
-    next_page_id: str | None = None
+    current_page: int = 1
+    per_page: int = 10
 
 
 class OrgMemberUpdate(BaseModel):

enterprise/server/routes/orgs.py

@@ -2,6 +2,10 @@ from typing import Annotated
 from uuid import UUID
 
 from fastapi import APIRouter, Depends, HTTPException, Query, status
+from server.auth.authorization import (
+    Permission,
+    require_permission,
+)
 from server.email_validation import get_admin_user_id
 from server.routes.org_models import (
     CannotModifySelfError,
@@ -28,12 +32,13 @@ from server.routes.org_models import (
 )
 from server.services.org_member_service import OrgMemberService
 from storage.org_service import OrgService
+from storage.user_store import UserStore
 
 from openhands.core.logger import openhands_logger as logger
 from openhands.server.user_auth import get_user_id
 
 # Initialize API router
-org_router = APIRouter(prefix='/api/organizations')
+org_router = APIRouter(prefix='/api/organizations', tags=['Orgs'])
 
 
 @org_router.get('', response_model=OrgPage)
@@ -74,6 +79,12 @@ async def list_user_orgs(
     )
 
     try:
+        # Fetch user to get current_org_id
+        user = await UserStore.get_user_by_id_async(user_id)
+        current_org_id = (
+            str(user.current_org_id) if user and user.current_org_id else None
+        )
+
         # Fetch organizations from service layer
         orgs, next_page_id = OrgService.get_user_orgs_paginated(
             user_id=user_id,
@@ -95,7 +106,11 @@ async def list_user_orgs(
             },
         )
 
-        return OrgPage(items=org_responses, next_page_id=next_page_id)
+        return OrgPage(
+            items=org_responses,
+            next_page_id=next_page_id,
+            current_org_id=current_org_id,
+        )
 
     except Exception as e:
         logger.exception(
@@ -189,23 +204,26 @@ async def create_org(
 @org_router.get('/{org_id}', response_model=OrgResponse, status_code=status.HTTP_200_OK)
 async def get_org(
     org_id: UUID,
-    user_id: str = Depends(get_user_id),
+    user_id: str = Depends(require_permission(Permission.VIEW_ORG_SETTINGS)),
 ) -> OrgResponse:
     """Get organization details by ID.
 
-    This endpoint allows authenticated users who are members of an organization
-    to retrieve its details. Only members of the organization can access this endpoint.
+    This endpoint retrieves details for a specific organization. Access requires
+    the VIEW_ORG_SETTINGS permission, which is granted to all organization members
+    (member, admin, and owner roles).
 
     Args:
         org_id: Organization ID (UUID)
-        user_id: Authenticated user ID (injected by dependency)
+        user_id: Authenticated user ID (injected by require_permission dependency)
 
     Returns:
         OrgResponse: The organization details
 
     Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 403 if user lacks VIEW_ORG_SETTINGS permission
+        HTTPException: 404 if organization not found
         HTTPException: 422 if org_id is not a valid UUID (handled by FastAPI)
-        HTTPException: 404 if organization not found or user is not a member
         HTTPException: 500 if retrieval fails
     """
     logger.info(
@@ -305,23 +323,24 @@ async def get_me(
 @org_router.delete('/{org_id}', status_code=status.HTTP_200_OK)
 async def delete_org(
     org_id: UUID,
-    user_id: str = Depends(get_user_id),
+    user_id: str = Depends(require_permission(Permission.DELETE_ORGANIZATION)),
 ) -> dict:
     """Delete an organization.
 
-    This endpoint allows authenticated organization owners to delete their organization.
-    All associated data including organization members, conversations, billing data,
-    and external LiteLLM team resources will be permanently removed.
+    This endpoint permanently deletes an organization and all associated data including
+    organization members, conversations, billing data, and external LiteLLM team resources.
+    Access requires the DELETE_ORGANIZATION permission, which is granted only to owners.
 
     Args:
-        org_id: Organization ID to delete
-        user_id: Authenticated user ID (injected by dependency)
+        org_id: Organization ID to delete (UUID)
+        user_id: Authenticated user ID (injected by require_permission dependency)
 
     Returns:
         dict: Confirmation message with deleted organization details
 
     Raises:
-        HTTPException: 403 if user is not the organization owner
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 403 if user lacks DELETE_ORGANIZATION permission
         HTTPException: 404 if organization not found
         HTTPException: 500 if deletion fails
     """
@@ -414,25 +433,26 @@ async def delete_org(
 async def update_org(
     org_id: UUID,
     update_data: OrgUpdate,
-    user_id: str = Depends(get_user_id),
+    user_id: str = Depends(require_permission(Permission.EDIT_ORG_SETTINGS)),
 ) -> OrgResponse:
     """Update an existing organization.
 
-    This endpoint allows authenticated users to update organization settings.
-    LLM-related settings require admin or owner role in the organization.
+    This endpoint updates organization settings. Access requires the EDIT_ORG_SETTINGS
+    permission, which is granted to admin and owner roles.
 
     Args:
-        org_id: Organization ID to update (UUID validated by FastAPI)
+        org_id: Organization ID to update (UUID)
         update_data: Organization update data
-        user_id: Authenticated user ID (injected by dependency)
+        user_id: Authenticated user ID (injected by require_permission dependency)
 
     Returns:
         OrgResponse: The updated organization details
 
     Raises:
-        HTTPException: 400 if org_id is invalid UUID format (handled by FastAPI)
-        HTTPException: 403 if user lacks permission for LLM settings
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 403 if user lacks EDIT_ORG_SETTINGS permission
         HTTPException: 404 if organization not found
+        HTTPException: 409 if organization name already exists
         HTTPException: 422 if validation errors occur (handled by FastAPI)
         HTTPException: 500 if update fails
     """
@@ -496,10 +516,10 @@ async def update_org(
 
 @org_router.get('/{org_id}/members')
 async def get_org_members(
-    org_id: str,
+    org_id: UUID,
     page_id: Annotated[
         str | None,
-        Query(title='Optional next_page_id from the previously returned page'),
+        Query(title='Optional page offset for pagination'),
     ] = None,
     limit: Annotated[
         int,
@@ -508,16 +528,48 @@ async def get_org_members(
             gt=0,
             lte=100,
         ),
-    ] = 100,
-    current_user_id: str = Depends(get_user_id),
+    ] = 10,
+    email: Annotated[
+        str | None,
+        Query(
+            title='Filter members by email (case-insensitive partial match)',
+            min_length=1,
+            max_length=255,
+        ),
+    ] = None,
+    user_id: str = Depends(require_permission(Permission.VIEW_ORG_SETTINGS)),
 ) -> OrgMemberPage:
-    """Get all members of an organization with cursor-based pagination."""
+    """Get all members of an organization with pagination and optional email filter.
+
+    This endpoint retrieves a paginated list of organization members. Access requires
+    the VIEW_ORG_SETTINGS permission, which is granted to all organization members
+    (member, admin, and owner roles).
+
+    Args:
+        org_id: Organization ID (UUID)
+        page_id: Optional page offset for pagination
+        limit: Maximum number of members to return (1-100, default 10)
+        email: Optional email filter (case-insensitive partial match)
+        user_id: Authenticated user ID (injected by require_permission dependency)
+
+    Returns:
+        OrgMemberPage: Paginated list of organization members with
+            current_page and per_page metadata. Use the /count endpoint
+            to get the total count separately.
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 403 if user lacks VIEW_ORG_SETTINGS permission
+        HTTPException: 400 if org_id or page_id format is invalid
+        HTTPException: 500 if retrieval fails
+    """
     try:
         success, error_code, data = await OrgMemberService.get_org_members(
-            org_id=UUID(org_id),
-            current_user_id=UUID(current_user_id),
+            org_id=org_id,
+            current_user_id=UUID(user_id),
             page_id=page_id,
             limit=limit,
+            email_filter=email,
         )
 
         if not success:
@@ -560,9 +612,67 @@ async def get_org_members(
         )
 
 
+@org_router.get('/{org_id}/members/count')
+async def get_org_members_count(
+    org_id: UUID,
+    email: Annotated[
+        str | None,
+        Query(
+            title='Filter members by email (case-insensitive partial match)',
+            min_length=1,
+            max_length=255,
+        ),
+    ] = None,
+    user_id: str = Depends(require_permission(Permission.VIEW_ORG_SETTINGS)),
+) -> int:
+    """Get count of organization members with optional email filter.
+
+    This endpoint returns the total count of organization members matching
+    the filter criteria. Access requires the VIEW_ORG_SETTINGS permission,
+    which is granted to all organization members (member, admin, and owner roles).
+
+    Args:
+        org_id: Organization ID (UUID)
+        email: Optional email filter (case-insensitive partial match)
+        user_id: Authenticated user ID (injected by require_permission dependency)
+
+    Returns:
+        int: Total count of organization members matching the filter
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 403 if user lacks VIEW_ORG_SETTINGS permission or is not a member
+        HTTPException: 400 if org_id format is invalid
+        HTTPException: 500 if retrieval fails
+    """
+    try:
+        return await OrgMemberService.get_org_members_count(
+            org_id=org_id,
+            current_user_id=UUID(user_id),
+            email_filter=email,
+        )
+    except OrgMemberNotFoundError:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail='You are not a member of this organization',
+        )
+    except ValueError:
+        logger.exception('Invalid UUID format')
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Invalid organization ID format',
+        )
+    except Exception:
+        logger.exception('Error retrieving organization member count')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to retrieve member count',
+        )
+
+
 @org_router.delete('/{org_id}/members/{user_id}')
 async def remove_org_member(
-    org_id: str,
+    org_id: UUID,
     user_id: str,
     current_user_id: str = Depends(get_user_id),
 ):
@@ -576,7 +686,7 @@ async def remove_org_member(
     """
     try:
         success, error = await OrgMemberService.remove_org_member(
-            org_id=UUID(org_id),
+            org_id=org_id,
             target_user_id=UUID(user_id),
             current_user_id=UUID(current_user_id),
         )
@@ -708,7 +818,7 @@ async def switch_org(
 
 @org_router.patch('/{org_id}/members/{user_id}', response_model=OrgMemberResponse)
 async def update_org_member(
-    org_id: str,
+    org_id: UUID,
     user_id: str,
     update_data: OrgMemberUpdate,
     current_user_id: str = Depends(get_user_id),
@@ -725,7 +835,7 @@ async def update_org_member(
     """
     try:
         return await OrgMemberService.update_org_member(
-            org_id=UUID(org_id),
+            org_id=org_id,
             target_user_id=UUID(user_id),
             current_user_id=UUID(current_user_id),
             update_data=update_data,

enterprise/server/routes/user.py

@@ -4,6 +4,7 @@ from fastapi import APIRouter, Depends, Query, status
 from fastapi.responses import JSONResponse
 from pydantic import SecretStr
 from server.auth.token_manager import TokenManager
+from storage.user_store import UserStore
 from utils.identity import resolve_display_name
 
 from openhands.integrations.provider import (
@@ -115,13 +116,21 @@ async def saas_get_user(
                 content='Failed to retrieve user_info.',
                 status_code=status.HTTP_401_UNAUTHORIZED,
             )
+        # Prefer email from DB; fall back to Keycloak if not yet persisted
+        email = user_info.get('email') if user_info else None
+        sub = user_info.get('sub') if user_info else ''
+        if sub:
+            db_user = await UserStore.get_user_by_id_async(sub)
+            if db_user and db_user.email is not None:
+                email = db_user.email
+
         retval = await _check_idp(
             access_token=access_token,
             default_value=User(
-                id=(user_info.get('sub') if user_info else '') or '',
+                id=sub,
                 login=(user_info.get('preferred_username') if user_info else '') or '',
                 avatar_url='',
-                email=user_info.get('email') if user_info else None,
+                email=email,
                 name=resolve_display_name(user_info) if user_info else None,
                 company=user_info.get('company') if user_info else None,
             ),

enterprise/server/routes/user_app_settings.py

@@ -0,0 +1,115 @@
+"""Routes for user app settings API.
+
+Provides endpoints for managing user-level app preferences:
+- GET /api/users/app - Retrieve current user's app settings
+- POST /api/users/app - Update current user's app settings
+"""
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from server.routes.user_app_settings_models import (
+    UserAppSettingsResponse,
+    UserAppSettingsUpdate,
+    UserNotFoundError,
+)
+from server.services.user_app_settings_service import (
+    UserAppSettingsService,
+    UserAppSettingsServiceInjector,
+)
+
+from openhands.core.logger import openhands_logger as logger
+
+user_app_settings_router = APIRouter(prefix='/api/users')
+
+# Create injector instance and dependency at module level
+_injector = UserAppSettingsServiceInjector()
+user_app_settings_service_dependency = Depends(_injector.depends)
+
+
+@user_app_settings_router.get('/app', response_model=UserAppSettingsResponse)
+async def get_user_app_settings(
+    service: UserAppSettingsService = user_app_settings_service_dependency,
+) -> UserAppSettingsResponse:
+    """Get the current user's app settings.
+
+    Returns language, analytics consent, sound notifications, and git config.
+
+    Args:
+        service: UserAppSettingsService (injected by dependency)
+
+    Returns:
+        UserAppSettingsResponse: The user's app settings
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 404 if user not found
+        HTTPException: 500 if retrieval fails
+    """
+    try:
+        return await service.get_user_app_settings()
+
+    except ValueError as e:
+        # User not authenticated
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(e),
+        )
+    except UserNotFoundError as e:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=str(e),
+        )
+    except Exception as e:
+        logger.exception(
+            'Unexpected error retrieving user app settings',
+            extra={'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to retrieve user app settings',
+        )
+
+
+@user_app_settings_router.post('/app', response_model=UserAppSettingsResponse)
+async def update_user_app_settings(
+    update_data: UserAppSettingsUpdate,
+    service: UserAppSettingsService = user_app_settings_service_dependency,
+) -> UserAppSettingsResponse:
+    """Update the current user's app settings (partial update).
+
+    Only provided fields will be updated. Pass null to clear a field.
+
+    Args:
+        update_data: Fields to update
+        service: UserAppSettingsService (injected by dependency)
+
+    Returns:
+        UserAppSettingsResponse: The updated user's app settings
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 404 if user not found
+        HTTPException: 500 if update fails
+    """
+    try:
+        return await service.update_user_app_settings(update_data)
+
+    except ValueError as e:
+        # User not authenticated
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(e),
+        )
+    except UserNotFoundError as e:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=str(e),
+        )
+    except Exception as e:
+        logger.exception(
+            'Failed to update user app settings',
+            extra={'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to update user app settings',
+        )

enterprise/server/routes/user_app_settings_models.py

@@ -0,0 +1,57 @@
+"""
+Pydantic models for user app settings API.
+"""
+
+from pydantic import BaseModel, EmailStr
+from storage.user import User
+
+
+class UserAppSettingsError(Exception):
+    """Base exception for user app settings errors."""
+
+    pass
+
+
+class UserNotFoundError(UserAppSettingsError):
+    """Raised when user is not found."""
+
+    def __init__(self, user_id: str):
+        self.user_id = user_id
+        super().__init__(f'User with id "{user_id}" not found')
+
+
+class UserAppSettingsUpdateError(UserAppSettingsError):
+    """Raised when user app settings update fails."""
+
+    pass
+
+
+class UserAppSettingsResponse(BaseModel):
+    """Response model for user app settings."""
+
+    language: str | None = None
+    user_consents_to_analytics: bool | None = None
+    enable_sound_notifications: bool | None = None
+    git_user_name: str | None = None
+    git_user_email: EmailStr | None = None
+
+    @classmethod
+    def from_user(cls, user: User) -> 'UserAppSettingsResponse':
+        """Create response from User entity."""
+        return cls(
+            language=user.language,
+            user_consents_to_analytics=user.user_consents_to_analytics,
+            enable_sound_notifications=user.enable_sound_notifications,
+            git_user_name=user.git_user_name,
+            git_user_email=user.git_user_email,
+        )
+
+
+class UserAppSettingsUpdate(BaseModel):
+    """Request model for updating user app settings (partial update)."""
+
+    language: str | None = None
+    user_consents_to_analytics: bool | None = None
+    enable_sound_notifications: bool | None = None
+    git_user_name: str | None = None
+    git_user_email: EmailStr | None = None

enterprise/server/routes/verified_models.py

@@ -0,0 +1,184 @@
+"""API routes for managing verified LLM models (admin only)."""
+
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, HTTPException, Query, status
+from pydantic import BaseModel, field_validator
+from server.email_validation import get_admin_user_id
+from storage.verified_model_store import VerifiedModelStore
+
+from openhands.core.logger import openhands_logger as logger
+
+api_router = APIRouter(prefix='/api/admin/verified-models', tags=['Verified Models'])
+
+
+class VerifiedModelCreate(BaseModel):
+    model_name: str
+    provider: str
+    is_enabled: bool = True
+
+    @field_validator('model_name')
+    @classmethod
+    def validate_model_name(cls, v: str) -> str:
+        v = v.strip()
+        if not v or len(v) > 255:
+            raise ValueError('model_name must be 1-255 characters')
+        return v
+
+    @field_validator('provider')
+    @classmethod
+    def validate_provider(cls, v: str) -> str:
+        v = v.strip()
+        if not v or len(v) > 100:
+            raise ValueError('provider must be 1-100 characters')
+        return v
+
+
+class VerifiedModelUpdate(BaseModel):
+    is_enabled: bool | None = None
+
+
+class VerifiedModelResponse(BaseModel):
+    id: int
+    model_name: str
+    provider: str
+    is_enabled: bool
+
+
+class VerifiedModelPage(BaseModel):
+    """Paginated response model for verified model list."""
+
+    items: list[VerifiedModelResponse]
+    next_page_id: str | None = None
+
+
+def _to_response(model) -> VerifiedModelResponse:
+    return VerifiedModelResponse(
+        id=model.id,
+        model_name=model.model_name,
+        provider=model.provider,
+        is_enabled=model.is_enabled,
+    )
+
+
+@api_router.get('', response_model=VerifiedModelPage)
+async def list_verified_models(
+    provider: str | None = None,
+    page_id: Annotated[
+        str | None,
+        Query(title='Optional next_page_id from the previously returned page'),
+    ] = None,
+    limit: Annotated[
+        int, Query(title='The max number of results in the page', gt=0, le=100)
+    ] = 100,
+    user_id: str = Depends(get_admin_user_id),
+):
+    """List all verified models, optionally filtered by provider."""
+    try:
+        if provider:
+            all_models = VerifiedModelStore.get_models_by_provider(provider)
+        else:
+            all_models = VerifiedModelStore.get_all_models()
+
+        try:
+            offset = int(page_id) if page_id else 0
+        except ValueError:
+            offset = 0
+        page = all_models[offset : offset + limit + 1]
+        has_more = len(page) > limit
+        if has_more:
+            page = page[:limit]
+
+        return VerifiedModelPage(
+            items=[_to_response(m) for m in page],
+            next_page_id=str(offset + limit) if has_more else None,
+        )
+    except Exception:
+        logger.exception('Error listing verified models')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to list verified models',
+        )
+
+
+@api_router.post('', response_model=VerifiedModelResponse, status_code=201)
+async def create_verified_model(
+    data: VerifiedModelCreate,
+    user_id: str = Depends(get_admin_user_id),
+):
+    """Create a new verified model."""
+    try:
+        model = VerifiedModelStore.create_model(
+            model_name=data.model_name,
+            provider=data.provider,
+            is_enabled=data.is_enabled,
+        )
+        return _to_response(model)
+    except ValueError as e:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=str(e),
+        )
+    except Exception:
+        logger.exception('Error creating verified model')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to create verified model',
+        )
+
+
+@api_router.put('/{provider}/{model_name:path}', response_model=VerifiedModelResponse)
+async def update_verified_model(
+    provider: str,
+    model_name: str,
+    data: VerifiedModelUpdate,
+    user_id: str = Depends(get_admin_user_id),
+):
+    """Update a verified model by provider and model name."""
+    try:
+        model = VerifiedModelStore.update_model(
+            model_name=model_name,
+            provider=provider,
+            is_enabled=data.is_enabled,
+        )
+        if not model:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f'Model {provider}/{model_name} not found',
+            )
+        return _to_response(model)
+    except HTTPException:
+        raise
+    except Exception:
+        logger.exception(f'Error updating verified model: {provider}/{model_name}')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to update verified model',
+        )
+
+
+@api_router.delete('/{provider}/{model_name:path}')
+async def delete_verified_model(
+    provider: str,
+    model_name: str,
+    user_id: str = Depends(get_admin_user_id),
+):
+    """Delete a verified model by provider and model name."""
+    try:
+        success = VerifiedModelStore.delete_model(
+            model_name=model_name, provider=provider
+        )
+        if not success:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f'Model {provider}/{model_name} not found',
+            )
+        return {'message': f'Model {provider}/{model_name} deleted'}
+    except HTTPException:
+        raise
+    except Exception:
+        logger.exception(f'Error deleting verified model: {provider}/{model_name}')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to delete verified model',
+        )

enterprise/server/services/email_service.py

@@ -0,0 +1,131 @@
+"""Email service for sending transactional emails via Resend."""
+
+import os
+
+try:
+    import resend
+
+    RESEND_AVAILABLE = True
+except ImportError:
+    RESEND_AVAILABLE = False
+
+from openhands.core.logger import openhands_logger as logger
+
+DEFAULT_FROM_EMAIL = 'OpenHands <no-reply@openhands.dev>'
+DEFAULT_WEB_HOST = 'https://app.all-hands.dev'
+
+
+class EmailService:
+    """Service for sending transactional emails."""
+
+    @staticmethod
+    def _get_resend_client() -> bool:
+        """Initialize and return the Resend client.
+
+        Returns:
+            bool: True if client is ready, False otherwise
+        """
+        if not RESEND_AVAILABLE:
+            logger.warning('Resend library not installed, skipping email')
+            return False
+
+        resend_api_key = os.environ.get('RESEND_API_KEY')
+        if not resend_api_key:
+            logger.warning('RESEND_API_KEY not configured, skipping email')
+            return False
+
+        resend.api_key = resend_api_key
+        return True
+
+    @staticmethod
+    def send_invitation_email(
+        to_email: str,
+        org_name: str,
+        inviter_name: str,
+        role_name: str,
+        invitation_token: str,
+        invitation_id: int,
+    ) -> None:
+        """Send an organization invitation email.
+
+        Args:
+            to_email: Recipient's email address
+            org_name: Name of the organization
+            inviter_name: Display name of the person who sent the invite
+            role_name: Role being offered (e.g., 'member', 'admin')
+            invitation_token: The secure invitation token
+            invitation_id: The invitation ID for logging
+        """
+        if not EmailService._get_resend_client():
+            return
+
+        # Build invitation URL
+        web_host = os.environ.get('WEB_HOST', DEFAULT_WEB_HOST)
+        invitation_url = f'{web_host}/api/organizations/members/invite/accept?token={invitation_token}'
+
+        from_email = os.environ.get('RESEND_FROM_EMAIL', DEFAULT_FROM_EMAIL)
+
+        params = {
+            'from': from_email,
+            'to': [to_email],
+            'subject': f"You're invited to join {org_name} on OpenHands",
+            'html': f"""
+            <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+                <p>Hi,</p>
+
+                <p><strong>{inviter_name}</strong> has invited you to join <strong>{org_name}</strong> on OpenHands as a <strong>{role_name}</strong>.</p>
+
+                <p>Click the button below to accept the invitation:</p>
+
+                <p style="margin: 30px 0;">
+                    <a href="{invitation_url}"
+                       style="background-color: #c9b974; color: #0D0F11; padding: 8px 16px;
+                              text-decoration: none; border-radius: 8px; display: inline-block;
+                              font-size: 14px; font-weight: 600;">
+                        Accept Invitation
+                    </a>
+                </p>
+
+                <p style="color: #666; font-size: 14px;">
+                    Or copy and paste this link into your browser:<br>
+                    <a href="{invitation_url}" style="color: #c9b974; font-weight: 600;">{invitation_url}</a>
+                </p>
+
+                <p style="color: #666; font-size: 14px;">
+                    This invitation will expire in 7 days.
+                </p>
+
+                <p style="color: #666; font-size: 14px;">
+                    If you weren't expecting this invitation, you can safely ignore this email.
+                </p>
+
+                <hr style="border: none; border-top: 1px solid #eee; margin: 30px 0;">
+
+                <p style="color: #999; font-size: 12px;">
+                    Best,<br>
+                    The OpenHands Team
+                </p>
+            </div>
+            """,
+        }
+
+        try:
+            response = resend.Emails.send(params)
+            logger.info(
+                'Invitation email sent',
+                extra={
+                    'invitation_id': invitation_id,
+                    'email': to_email,
+                    'response_id': response.get('id') if response else None,
+                },
+            )
+        except Exception as e:
+            logger.error(
+                'Failed to send invitation email',
+                extra={
+                    'invitation_id': invitation_id,
+                    'email': to_email,
+                    'error': str(e),
+                },
+            )
+            raise

enterprise/server/services/org_invitation_service.py

@@ -0,0 +1,397 @@
+"""Service for managing organization invitations."""
+
+import asyncio
+from uuid import UUID
+
+from server.auth.token_manager import TokenManager
+from server.constants import ROLE_ADMIN, ROLE_OWNER
+from server.routes.org_invitation_models import (
+    EmailMismatchError,
+    InsufficientPermissionError,
+    InvitationExpiredError,
+    InvitationInvalidError,
+    UserAlreadyMemberError,
+)
+from server.services.email_service import EmailService
+from storage.org_invitation import OrgInvitation
+from storage.org_invitation_store import OrgInvitationStore
+from storage.org_member_store import OrgMemberStore
+from storage.org_service import OrgService
+from storage.org_store import OrgStore
+from storage.role_store import RoleStore
+from storage.user_store import UserStore
+
+from openhands.core.logger import openhands_logger as logger
+
+
+class OrgInvitationService:
+    """Service for organization invitation operations."""
+
+    @staticmethod
+    async def create_invitation(
+        org_id: UUID,
+        email: str,
+        role_name: str,
+        inviter_id: UUID,
+    ) -> OrgInvitation:
+        """Create a new organization invitation.
+
+        This method:
+        1. Validates the organization exists
+        2. Validates this is not a personal workspace
+        3. Checks inviter has owner/admin role
+        4. Validates role assignment permissions
+        5. Checks if user is already a member
+        6. Creates the invitation
+        7. Sends the invitation email
+
+        Args:
+            org_id: Organization UUID
+            email: Invitee's email address
+            role_name: Role to assign on acceptance (owner, admin, member)
+            inviter_id: User ID of the person creating the invitation
+
+        Returns:
+            OrgInvitation: The created invitation
+
+        Raises:
+            ValueError: If organization or role not found
+            InsufficientPermissionError: If inviter lacks permission
+            UserAlreadyMemberError: If email is already a member
+            InvitationAlreadyExistsError: If pending invitation exists
+        """
+        email = email.lower().strip()
+
+        logger.info(
+            'Creating organization invitation',
+            extra={
+                'org_id': str(org_id),
+                'email': email,
+                'role_name': role_name,
+                'inviter_id': str(inviter_id),
+            },
+        )
+
+        # Step 1: Validate organization exists
+        org = OrgStore.get_org_by_id(org_id)
+        if not org:
+            raise ValueError(f'Organization {org_id} not found')
+
+        # Step 2: Check this is not a personal workspace
+        # A personal workspace has org_id matching the user's id
+        if str(org_id) == str(inviter_id):
+            raise InsufficientPermissionError(
+                'Cannot invite users to a personal workspace'
+            )
+
+        # Step 3: Check inviter is a member and has permission
+        inviter_member = OrgMemberStore.get_org_member(org_id, inviter_id)
+        if not inviter_member:
+            raise InsufficientPermissionError(
+                'You are not a member of this organization'
+            )
+
+        inviter_role = RoleStore.get_role_by_id(inviter_member.role_id)
+        if not inviter_role or inviter_role.name not in [ROLE_OWNER, ROLE_ADMIN]:
+            raise InsufficientPermissionError('Only owners and admins can invite users')
+
+        # Step 4: Validate role assignment permissions
+        role_name_lower = role_name.lower()
+        if role_name_lower == ROLE_OWNER and inviter_role.name != ROLE_OWNER:
+            raise InsufficientPermissionError('Only owners can invite with owner role')
+
+        # Get the target role
+        target_role = RoleStore.get_role_by_name(role_name_lower)
+        if not target_role:
+            raise ValueError(f'Invalid role: {role_name}')
+
+        # Step 5: Check if user is already a member (by email)
+        existing_user = await UserStore.get_user_by_email_async(email)
+        if existing_user:
+            existing_member = OrgMemberStore.get_org_member(org_id, existing_user.id)
+            if existing_member:
+                raise UserAlreadyMemberError(
+                    'User is already a member of this organization'
+                )
+
+        # Step 6: Create the invitation
+        invitation = await OrgInvitationStore.create_invitation(
+            org_id=org_id,
+            email=email,
+            role_id=target_role.id,
+            inviter_id=inviter_id,
+        )
+
+        # Step 7: Send invitation email
+        try:
+            # Get inviter info for the email
+            inviter_user = UserStore.get_user_by_id(str(inviter_member.user_id))
+            inviter_name = 'A team member'
+            if inviter_user and inviter_user.email:
+                inviter_name = inviter_user.email.split('@')[0]
+
+            EmailService.send_invitation_email(
+                to_email=email,
+                org_name=org.name,
+                inviter_name=inviter_name,
+                role_name=target_role.name,
+                invitation_token=invitation.token,
+                invitation_id=invitation.id,
+            )
+        except Exception as e:
+            logger.error(
+                'Failed to send invitation email',
+                extra={
+                    'invitation_id': invitation.id,
+                    'email': email,
+                    'error': str(e),
+                },
+            )
+            # Don't fail the invitation creation if email fails
+            # The user can still access via direct link
+
+        return invitation
+
+    @staticmethod
+    async def create_invitations_batch(
+        org_id: UUID,
+        emails: list[str],
+        role_name: str,
+        inviter_id: UUID,
+    ) -> tuple[list[OrgInvitation], list[tuple[str, str]]]:
+        """Create multiple organization invitations concurrently.
+
+        Validates permissions once upfront, then creates invitations in parallel.
+
+        Args:
+            org_id: Organization UUID
+            emails: List of invitee email addresses
+            role_name: Role to assign on acceptance (owner, admin, member)
+            inviter_id: User ID of the person creating the invitations
+
+        Returns:
+            Tuple of (successful_invitations, failed_emails_with_errors)
+
+        Raises:
+            ValueError: If organization or role not found
+            InsufficientPermissionError: If inviter lacks permission
+        """
+        logger.info(
+            'Creating batch organization invitations',
+            extra={
+                'org_id': str(org_id),
+                'email_count': len(emails),
+                'role_name': role_name,
+                'inviter_id': str(inviter_id),
+            },
+        )
+
+        # Step 1: Validate permissions upfront (shared for all emails)
+        org = OrgStore.get_org_by_id(org_id)
+        if not org:
+            raise ValueError(f'Organization {org_id} not found')
+
+        if str(org_id) == str(inviter_id):
+            raise InsufficientPermissionError(
+                'Cannot invite users to a personal workspace'
+            )
+
+        inviter_member = OrgMemberStore.get_org_member(org_id, inviter_id)
+        if not inviter_member:
+            raise InsufficientPermissionError(
+                'You are not a member of this organization'
+            )
+
+        inviter_role = RoleStore.get_role_by_id(inviter_member.role_id)
+        if not inviter_role or inviter_role.name not in [ROLE_OWNER, ROLE_ADMIN]:
+            raise InsufficientPermissionError('Only owners and admins can invite users')
+
+        role_name_lower = role_name.lower()
+        if role_name_lower == ROLE_OWNER and inviter_role.name != ROLE_OWNER:
+            raise InsufficientPermissionError('Only owners can invite with owner role')
+
+        target_role = RoleStore.get_role_by_name(role_name_lower)
+        if not target_role:
+            raise ValueError(f'Invalid role: {role_name}')
+
+        # Step 2: Create invitations concurrently
+        async def create_single(
+            email: str,
+        ) -> tuple[str, OrgInvitation | None, str | None]:
+            """Create single invitation, return (email, invitation, error)."""
+            try:
+                invitation = await OrgInvitationService.create_invitation(
+                    org_id=org_id,
+                    email=email,
+                    role_name=role_name,
+                    inviter_id=inviter_id,
+                )
+                return (email, invitation, None)
+            except (UserAlreadyMemberError, ValueError) as e:
+                return (email, None, str(e))
+
+        results = await asyncio.gather(*[create_single(email) for email in emails])
+
+        # Step 3: Separate successes and failures
+        successful: list[OrgInvitation] = []
+        failed: list[tuple[str, str]] = []
+        for email, invitation, error in results:
+            if invitation:
+                successful.append(invitation)
+            elif error:
+                failed.append((email, error))
+
+        logger.info(
+            'Batch invitation creation completed',
+            extra={
+                'org_id': str(org_id),
+                'successful': len(successful),
+                'failed': len(failed),
+            },
+        )
+
+        return successful, failed
+
+    @staticmethod
+    async def accept_invitation(token: str, user_id: UUID) -> OrgInvitation:
+        """Accept an organization invitation.
+
+        This method:
+        1. Validates the token and invitation status
+        2. Checks expiration
+        3. Verifies user is not already a member
+        4. Creates LiteLLM integration
+        5. Adds user to the organization
+        6. Marks invitation as accepted
+
+        Args:
+            token: The invitation token
+            user_id: The user accepting the invitation
+
+        Returns:
+            OrgInvitation: The accepted invitation
+
+        Raises:
+            InvitationInvalidError: If token is invalid or invitation not pending
+            InvitationExpiredError: If invitation has expired
+            UserAlreadyMemberError: If user is already a member
+        """
+        logger.info(
+            'Accepting organization invitation',
+            extra={
+                'token_prefix': token[:10] + '...' if len(token) > 10 else token,
+                'user_id': str(user_id),
+            },
+        )
+
+        # Step 1: Get and validate invitation
+        invitation = await OrgInvitationStore.get_invitation_by_token(token)
+
+        if not invitation:
+            raise InvitationInvalidError('Invalid invitation token')
+
+        if invitation.status != OrgInvitation.STATUS_PENDING:
+            if invitation.status == OrgInvitation.STATUS_ACCEPTED:
+                raise InvitationInvalidError('Invitation has already been accepted')
+            elif invitation.status == OrgInvitation.STATUS_REVOKED:
+                raise InvitationInvalidError('Invitation has been revoked')
+            else:
+                raise InvitationInvalidError('Invitation is no longer valid')
+
+        # Step 2: Check expiration
+        if OrgInvitationStore.is_token_expired(invitation):
+            await OrgInvitationStore.update_invitation_status(
+                invitation.id, OrgInvitation.STATUS_EXPIRED
+            )
+            raise InvitationExpiredError('Invitation has expired')
+
+        # Step 2.5: Verify user email matches invitation email
+        user = await UserStore.get_user_by_id_async(str(user_id))
+        if not user:
+            raise InvitationInvalidError('User not found')
+
+        user_email = user.email
+        # Fallback: fetch email from Keycloak if not in database (for existing users)
+        if not user_email:
+            token_manager = TokenManager()
+            user_info = await token_manager.get_user_info_from_user_id(str(user_id))
+            user_email = user_info.get('email') if user_info else None
+
+        if not user_email:
+            raise EmailMismatchError('Your account does not have an email address')
+
+        user_email = user_email.lower().strip()
+        invitation_email = invitation.email.lower().strip()
+
+        if user_email != invitation_email:
+            logger.warning(
+                'Email mismatch during invitation acceptance',
+                extra={
+                    'user_id': str(user_id),
+                    'user_email': user_email,
+                    'invitation_email': invitation_email,
+                    'invitation_id': invitation.id,
+                },
+            )
+            raise EmailMismatchError()
+
+        # Step 3: Check if user is already a member
+        existing_member = OrgMemberStore.get_org_member(invitation.org_id, user_id)
+        if existing_member:
+            raise UserAlreadyMemberError(
+                'You are already a member of this organization'
+            )
+
+        # Step 4: Create LiteLLM integration for the user in the new org
+        try:
+            settings = await OrgService.create_litellm_integration(
+                invitation.org_id, str(user_id)
+            )
+        except Exception as e:
+            logger.error(
+                'Failed to create LiteLLM integration for invitation acceptance',
+                extra={
+                    'invitation_id': invitation.id,
+                    'user_id': str(user_id),
+                    'org_id': str(invitation.org_id),
+                    'error': str(e),
+                },
+            )
+            raise InvitationInvalidError(
+                'Failed to set up organization access. Please try again.'
+            )
+
+        # Step 5: Add user to organization
+        from storage.org_member_store import OrgMemberStore as OMS
+
+        org_member_kwargs = OMS.get_kwargs_from_settings(settings)
+        # Don't override with org defaults - use invitation-specified role
+        org_member_kwargs.pop('llm_model', None)
+        org_member_kwargs.pop('llm_base_url', None)
+
+        OrgMemberStore.add_user_to_org(
+            org_id=invitation.org_id,
+            user_id=user_id,
+            role_id=invitation.role_id,
+            llm_api_key=settings.llm_api_key,
+            status='active',
+        )
+
+        # Step 6: Mark invitation as accepted
+        updated_invitation = await OrgInvitationStore.update_invitation_status(
+            invitation.id,
+            OrgInvitation.STATUS_ACCEPTED,
+            accepted_by_user_id=user_id,
+        )
+
+        logger.info(
+            'Organization invitation accepted',
+            extra={
+                'invitation_id': invitation.id,
+                'user_id': str(user_id),
+                'org_id': str(invitation.org_id),
+                'role_id': invitation.role_id,
+            },
+        )
+
+        return updated_invitation

enterprise/server/services/org_member_service.py

@@ -2,7 +2,7 @@
 
 from uuid import UUID
 
-from server.constants import ROLE_ADMIN, ROLE_MEMBER, ROLE_OWNER
+from server.constants import ROLE_ADMIN, ROLE_OWNER
 from server.routes.org_models import (
     CannotModifySelfError,
     InsufficientPermissionError,
@@ -16,10 +16,12 @@ from server.routes.org_models import (
     OrgMemberUpdate,
     RoleNotFoundError,
 )
+from storage.lite_llm_manager import LiteLlmManager
 from storage.org_member_store import OrgMemberStore
 from storage.role_store import RoleStore
 from storage.user_store import UserStore
 
+from openhands.core.logger import openhands_logger as logger
 from openhands.utils.async_utils import call_sync_from_async
 
 
@@ -65,10 +67,18 @@ class OrgMemberService:
         org_id: UUID,
         current_user_id: UUID,
         page_id: str | None = None,
-        limit: int = 100,
+        limit: int = 10,
+        email_filter: str | None = None,
     ) -> tuple[bool, str | None, OrgMemberPage | None]:
         """Get organization members with authorization check.
 
+        Args:
+            org_id: Organization UUID.
+            current_user_id: Requesting user's UUID.
+            page_id: Offset encoded as string (e.g., "0", "10", "20").
+            limit: Items per page (default 10).
+            email_filter: Optional case-insensitive partial email match.
+
         Returns:
             Tuple of (success, error_code, data). If success is True, error_code is None.
         """
@@ -88,8 +98,11 @@ class OrgMemberService:
                 return False, 'invalid_page_id', None
 
         # Call store to get paginated members
-        members, has_more = await OrgMemberStore.get_org_members_paginated(
-            org_id=org_id, offset=offset, limit=limit
+        members, _ = await OrgMemberStore.get_org_members_paginated(
+            org_id=org_id,
+            offset=offset,
+            limit=limit,
+            email_filter=email_filter,
         )
 
         # Transform data to response format
@@ -104,18 +117,53 @@ class OrgMemberService:
                     user_id=str(member.user_id),
                     email=user.email if user else None,
                     role_id=member.role_id,
-                    role_name=role.name if role else '',
+                    role=role.name if role else '',
                     role_rank=role.rank if role else 0,
                     status=member.status,
                 )
             )
 
-        # Calculate next_page_id
-        next_page_id = None
-        if has_more:
-            next_page_id = str(offset + limit)
+        # Calculate current page (1-indexed)
+        current_page = (offset // limit) + 1
 
-        return True, None, OrgMemberPage(items=items, next_page_id=next_page_id)
+        return (
+            True,
+            None,
+            OrgMemberPage(
+                items=items,
+                current_page=current_page,
+                per_page=limit,
+            ),
+        )
+
+    @staticmethod
+    async def get_org_members_count(
+        org_id: UUID,
+        current_user_id: UUID,
+        email_filter: str | None = None,
+    ) -> int:
+        """Get count of organization members with authorization check.
+
+        Args:
+            org_id: Organization UUID.
+            current_user_id: Requesting user's UUID.
+            email_filter: Optional case-insensitive partial email match.
+
+        Returns:
+            int: Count of organization members matching the filter.
+
+        Raises:
+            OrgMemberNotFoundError: If requesting user is not a member of the organization.
+        """
+        # Verify current user is a member of the organization
+        requester_membership = OrgMemberStore.get_org_member(org_id, current_user_id)
+        if not requester_membership:
+            raise OrgMemberNotFoundError(str(org_id), str(current_user_id))
+
+        return await OrgMemberStore.get_org_members_count(
+            org_id=org_id,
+            email_filter=email_filter,
+        )
 
     @staticmethod
     async def remove_org_member(
@@ -168,9 +216,42 @@ class OrgMemberService:
             if not success:
                 return False, 'removal_failed'
 
+            # Update user's current_org_id if it points to the org they were removed from
+            user = UserStore.get_user_by_id(str(target_user_id))
+            if user and user.current_org_id == org_id:
+                # Set current_org_id to personal workspace (org.id == user.id)
+                UserStore.update_current_org(str(target_user_id), target_user_id)
+
             return True, None
 
-        return await call_sync_from_async(_remove_member)
+        success, error = await call_sync_from_async(_remove_member)
+
+        # If database removal succeeded, also remove from LiteLLM team
+        if success:
+            try:
+                await LiteLlmManager.remove_user_from_team(
+                    str(target_user_id), str(org_id)
+                )
+                logger.info(
+                    'Successfully removed user from LiteLLM team',
+                    extra={
+                        'user_id': str(target_user_id),
+                        'org_id': str(org_id),
+                    },
+                )
+            except Exception as e:
+                # Log but don't fail the operation - database removal already succeeded
+                # LiteLLM state will be eventually consistent
+                logger.warning(
+                    'Failed to remove user from LiteLLM team',
+                    extra={
+                        'user_id': str(target_user_id),
+                        'org_id': str(org_id),
+                        'error': str(e),
+                    },
+                )
+
+        return success, error
 
     @staticmethod
     async def update_org_member(
@@ -182,10 +263,9 @@ class OrgMemberService:
         """Update a member's role in an organization.
 
         Permission rules:
-        - Admins can change roles of users (rank > ADMIN_RANK) to Admin or User
-        - Admins cannot modify other Admins or Owners
-        - Owners can change roles of non-owners (rank > OWNER_RANK) to any role
-        - Owners cannot modify other Owners
+        - Owners can modify anyone (including other owners), can set any role
+        - Admins can modify other admins and users
+        - Admins can only set admin or user roles (not owner)
 
         Args:
             org_id: Organization ID
@@ -240,7 +320,7 @@ class OrgMemberService:
                     user_id=str(target_membership.user_id),
                     email=user.email if user else None,
                     role_id=target_membership.role_id,
-                    role_name=target_role.name,
+                    role=target_role.name,
                     role_rank=target_role.rank,
                     status=target_membership.status,
                 )
@@ -280,7 +360,7 @@ class OrgMemberService:
                 user_id=str(updated_member.user_id),
                 email=user.email if user else None,
                 role_id=updated_member.role_id,
-                role_name=new_role.name,
+                role=new_role.name,
                 role_rank=new_role.rank,
                 status=updated_member.status,
             )
@@ -294,26 +374,21 @@ class OrgMemberService:
         """Check if requester can change target's role to new_role.
 
         Permission rules:
-        - Owners can modify admins and users, can set any role
-        - Owners cannot modify other owners
-        - Admins can only modify users
+        - Owners can modify anyone (including other owners), can set any role
+        - Admins can modify other admins and users
         - Admins can only set admin or user roles (not owner)
         """
         is_requester_owner = requester_role_name == ROLE_OWNER
         is_requester_admin = requester_role_name == ROLE_ADMIN
         is_target_owner = target_role_name == ROLE_OWNER
-        is_target_admin = target_role_name == ROLE_ADMIN
         is_new_role_owner = new_role_name == ROLE_OWNER
 
         if is_requester_owner:
-            # Owners cannot modify other owners
-            if is_target_owner:
-                return False
-            # Owners can set any role (owner, admin, user)
+            # Owners can modify anyone (including other owners)
             return True
         elif is_requester_admin:
-            # Admins cannot modify owners or other admins
-            if is_target_owner or is_target_admin:
+            # Admins cannot modify owners
+            if is_target_owner:
                 return False
             # Admins can only set admin or user roles (not owner)
             return not is_new_role_owner
@@ -325,8 +400,8 @@ class OrgMemberService:
         if requester_role_name == ROLE_OWNER:
             return True
         elif requester_role_name == ROLE_ADMIN:
-            # Admins can only remove members (not owners or other admins)
-            return target_role_name == ROLE_MEMBER
+            # Admins can remove admins and members (not owners)
+            return target_role_name != ROLE_OWNER
         return False
 
     @staticmethod

enterprise/server/services/user_app_settings_service.py

@@ -0,0 +1,126 @@
+"""Service class for managing user app settings.
+
+Separates business logic from route handlers.
+Uses dependency injection for db_session and user_context.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import AsyncGenerator
+
+from fastapi import Request
+from server.routes.user_app_settings_models import (
+    UserAppSettingsResponse,
+    UserAppSettingsUpdate,
+    UserNotFoundError,
+)
+from storage.user_app_settings_store import UserAppSettingsStore
+
+from openhands.app_server.services.injector import Injector, InjectorState
+from openhands.app_server.user.user_context import UserContext
+from openhands.core.logger import openhands_logger as logger
+
+
+@dataclass
+class UserAppSettingsService:
+    """Service for user app settings with injected dependencies."""
+
+    store: UserAppSettingsStore
+    user_context: UserContext
+
+    async def get_user_app_settings(self) -> UserAppSettingsResponse:
+        """Get user app settings.
+
+        User ID is obtained from the injected user_context.
+
+        Returns:
+            UserAppSettingsResponse: The user's app settings
+
+        Raises:
+            ValueError: If user is not authenticated
+            UserNotFoundError: If user is not found
+        """
+        user_id = await self.user_context.get_user_id()
+        if not user_id:
+            raise ValueError('User is not authenticated')
+
+        logger.info(
+            'Getting user app settings',
+            extra={'user_id': user_id},
+        )
+
+        user = await self.store.get_user_by_id(user_id)
+
+        if not user:
+            raise UserNotFoundError(user_id)
+
+        return UserAppSettingsResponse.from_user(user)
+
+    async def update_user_app_settings(
+        self,
+        update_data: UserAppSettingsUpdate,
+    ) -> UserAppSettingsResponse:
+        """Update user app settings.
+
+        Only updates fields that are explicitly provided in update_data.
+        User ID is obtained from the injected user_context.
+        Session auto-commits at request end via DbSessionInjector.
+
+        Args:
+            update_data: The update data from the request
+
+        Returns:
+            UserAppSettingsResponse: The updated user's app settings
+
+        Raises:
+            ValueError: If user is not authenticated
+            UserNotFoundError: If user is not found
+        """
+        user_id = await self.user_context.get_user_id()
+        if not user_id:
+            raise ValueError('User is not authenticated')
+
+        logger.info(
+            'Updating user app settings',
+            extra={'user_id': user_id},
+        )
+
+        # Check if any fields are provided
+        update_dict = update_data.model_dump(exclude_unset=True)
+
+        if not update_dict:
+            # No fields to update, just return current settings
+            return await self.get_user_app_settings()
+
+        user = await self.store.update_user_app_settings(
+            user_id=user_id,
+            update_data=update_data,
+        )
+
+        if not user:
+            raise UserNotFoundError(user_id)
+
+        logger.info(
+            'User app settings updated successfully',
+            extra={'user_id': user_id, 'updated_fields': list(update_dict.keys())},
+        )
+
+        return UserAppSettingsResponse.from_user(user)
+
+
+class UserAppSettingsServiceInjector(Injector[UserAppSettingsService]):
+    """Injector that composes store and user_context for UserAppSettingsService."""
+
+    async def inject(
+        self, state: InjectorState, request: Request | None = None
+    ) -> AsyncGenerator[UserAppSettingsService, None]:
+        # Local imports to avoid circular dependencies
+        from openhands.app_server.config import get_db_session, get_user_context
+
+        async with (
+            get_user_context(state, request) as user_context,
+            get_db_session(state, request) as db_session,
+        ):
+            store = UserAppSettingsStore(db_session=db_session)
+            yield UserAppSettingsService(store=store, user_context=user_context)

enterprise/server/utils/saas_app_conversation_info_injector.py

@@ -22,11 +22,70 @@ from openhands.app_server.app_conversation.app_conversation_models import (
 from openhands.app_server.app_conversation.sql_app_conversation_info_service import (
     SQLAppConversationInfoService,
 )
+from openhands.app_server.errors import AuthError
 from openhands.app_server.services.injector import InjectorState
+from openhands.app_server.user.specifiy_user_context import ADMIN
 
 
 class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
-    """Extended SQLAppConversationInfoService with user-based filtering and SAAS metadata handling."""
+    """Extended SQLAppConversationInfoService with user and organization-based filtering and SAAS metadata handling."""
+
+    async def _get_current_user(self) -> User | None:
+        """Get the current user using the existing db_session.
+
+        Uses self.db_session to avoid opening a separate database session.
+
+        Returns:
+            User object or None if no user_id is available
+        """
+        user_id_str = await self.user_context.get_user_id()
+        if not user_id_str:
+            return None
+
+        user_id_uuid = UUID(user_id_str)
+        result = await self.db_session.execute(
+            select(User).where(User.id == user_id_uuid)
+        )
+        return result.scalars().first()
+
+    async def _apply_user_and_org_filter(self, query):
+        """Apply user_id and org_id filters to ensure conversation isolation.
+
+        Filters conversations by:
+        - user_id: Only show conversations belonging to the current user
+        - org_id: Only show conversations belonging to the user's current organization
+
+        Args:
+            query: SQLAlchemy query to apply filters to
+
+        Returns:
+            Query with user and organization filters applied
+
+        Raises:
+            AuthError: If no user_id is available (secure default: deny access)
+        """
+        # For internal operations such as getting a conversation by session_api_key
+        # we need a mode that does not have filtering. The dependency `as_admin()`
+        # is used to enable it
+        if self.user_context == ADMIN:
+            return query
+
+        user_id_str = await self.user_context.get_user_id()
+        if not user_id_str:
+            # Secure default: no user means no access, not "show everything"
+            raise AuthError('User authentication required')
+
+        user_id_uuid = UUID(user_id_str)
+        query = query.where(StoredConversationMetadataSaas.user_id == user_id_uuid)
+
+        # Filter by organization ID to ensure conversations are isolated per organization
+        user = await self._get_current_user()
+        if user and user.current_org_id is not None:
+            query = query.where(
+                StoredConversationMetadataSaas.org_id == user.current_org_id
+            )
+
+        return query
 
     async def _secure_select(self):
         query = (
@@ -38,13 +97,7 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
             )
             .where(StoredConversationMetadata.conversation_version == 'V1')
         )
-
-        user_id_str = await self.user_context.get_user_id()
-        if user_id_str:
-            user_id_uuid = UUID(user_id_str)
-            query = query.where(StoredConversationMetadataSaas.user_id == user_id_uuid)
-
-        return query
+        return await self._apply_user_and_org_filter(query)
 
     async def _secure_select_with_saas_metadata(self):
         """Select query that includes SAAS metadata for retrieving user_id."""
@@ -57,13 +110,7 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
             )
             .where(StoredConversationMetadata.conversation_version == 'V1')
         )
-
-        user_id_str = await self.user_context.get_user_id()
-        if user_id_str:
-            user_id_uuid = UUID(user_id_str)
-            query = query.where(StoredConversationMetadataSaas.user_id == user_id_uuid)
-
-        return query
+        return await self._apply_user_and_org_filter(query)
 
     async def search_app_conversation_info(
         self,
@@ -155,21 +202,16 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
         """Count conversations matching the given filters with SAAS metadata."""
         query = (
             select(func.count(StoredConversationMetadata.conversation_id))
-            .select_from(
-                StoredConversationMetadata.join(
-                    StoredConversationMetadataSaas,
-                    StoredConversationMetadata.conversation_id
-                    == StoredConversationMetadataSaas.conversation_id,
-                )
+            .join(
+                StoredConversationMetadataSaas,
+                StoredConversationMetadata.conversation_id
+                == StoredConversationMetadataSaas.conversation_id,
             )
             .where(StoredConversationMetadata.conversation_version == 'V1')
         )
 
-        # Apply user filtering
-        user_id_str = await self.user_context.get_user_id()
-        if user_id_str:
-            user_id_uuid = UUID(user_id_str)
-            query = query.where(StoredConversationMetadataSaas.user_id == user_id_uuid)
+        # Apply user and organization filtering
+        query = await self._apply_user_and_org_filter(query)
 
         query = self._apply_filters_with_saas_metadata(
             query=query,

enterprise/storage/__init__.py

@@ -20,8 +20,10 @@ from storage.linear_workspace import LinearWorkspace
 from storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus
 from storage.openhands_pr import OpenhandsPR
 from storage.org import Org
+from storage.org_invitation import OrgInvitation
 from storage.org_member import OrgMember
 from storage.proactive_convos import ProactiveConversation
+from storage.resend_synced_user import ResendSyncedUser
 from storage.role import Role
 from storage.slack_conversation import SlackConversation
 from storage.slack_team import SlackTeam
@@ -65,8 +67,10 @@ __all__ = [
     'MaintenanceTaskStatus',
     'OpenhandsPR',
     'Org',
+    'OrgInvitation',
     'OrgMember',
     'ProactiveConversation',
+    'ResendSyncedUser',
     'Role',
     'SlackConversation',
     'SlackTeam',

enterprise/storage/api_key_store.py

@@ -126,7 +126,7 @@ class ApiKeyStore:
 
             return True
 
-    async def list_api_keys(self, user_id: str) -> list[dict]:
+    async def list_api_keys(self, user_id: str) -> list[ApiKey]:
         """List all API keys for a user."""
         user = await UserStore.get_user_by_id_async(user_id)
         org_id = user.current_org_id
@@ -134,24 +134,14 @@ class ApiKeyStore:
 
     def _list_api_keys_from_db(self, user_id: str, org_id: str) -> list[ApiKey]:
         with self.session_maker() as session:
-            keys = (
+            keys: list[ApiKey] = (
                 session.query(ApiKey)
                 .filter(ApiKey.user_id == user_id)
                 .filter(ApiKey.org_id == org_id)
                 .all()
             )
 
-            return [
-                {
-                    'id': key.id,
-                    'name': key.name,
-                    'created_at': key.created_at,
-                    'last_used_at': key.last_used_at,
-                    'expires_at': key.expires_at,
-                }
-                for key in keys
-                if 'MCP_API_KEY' != key.name
-            ]
+            return [key for key in keys if key.name != 'MCP_API_KEY']
 
     async def retrieve_mcp_api_key(self, user_id: str) -> str | None:
         user = await UserStore.get_user_by_id_async(user_id)

enterprise/storage/auth_token_store.py

@@ -4,7 +4,9 @@ import time
 from dataclasses import dataclass
 from typing import Awaitable, Callable, Dict
 
-from sqlalchemy import select, update
+from server.auth.auth_error import TokenRefreshError
+from sqlalchemy import select, text, update
+from sqlalchemy.exc import OperationalError
 from sqlalchemy.orm import sessionmaker
 from storage.auth_tokens import AuthTokens
 from storage.database import a_session_maker
@@ -12,6 +14,14 @@ from storage.database import a_session_maker
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.service_types import ProviderType
 
+# Time buffer (in seconds) before actual expiration to consider token expired
+# This ensures tokens are refreshed before they actually expire. The
+# github default is 8 hours, so 15 minutes leeway is ~3% of this.
+ACCESS_TOKEN_EXPIRY_BUFFER = 900  # 15 minutes
+
+# Database lock timeout to prevent indefinite blocking
+LOCK_TIMEOUT_SECONDS = 5
+
 
 @dataclass
 class AuthTokenStore:
@@ -23,6 +33,31 @@ class AuthTokenStore:
     def identity_provider_value(self) -> str:
         return self.idp.value
 
+    def _is_token_expired(
+        self, access_token_expires_at: int, refresh_token_expires_at: int
+    ) -> tuple[bool, bool]:
+        """Check if access and refresh tokens are expired.
+
+        Args:
+            access_token_expires_at: Expiration time for access token (seconds since epoch)
+            refresh_token_expires_at: Expiration time for refresh token (seconds since epoch)
+
+        Returns:
+            Tuple of (access_expired, refresh_expired)
+        """
+        current_time = int(time.time())
+        access_expired = (
+            False
+            if access_token_expires_at == 0
+            else access_token_expires_at < current_time + ACCESS_TOKEN_EXPIRY_BUFFER
+        )
+        refresh_expired = (
+            False
+            if refresh_token_expires_at == 0
+            else refresh_token_expires_at < current_time
+        )
+        return access_expired, refresh_expired
+
     async def store_tokens(
         self,
         access_token: str,
@@ -73,87 +108,149 @@ class AuthTokenStore:
         ]
         | None = None,
     ) -> Dict[str, str | int] | None:
-        """
-        Load authentication tokens from the database and refresh them if necessary.
+        """Load authentication tokens from the database and refresh them if necessary.
 
-        This method retrieves the current authentication tokens for the user and checks if they have expired.
-        It uses the provided `check_expiration_and_refresh` function to determine if the tokens need
-        to be refreshed and to refresh the tokens if needed.
+        This method uses a double-checked locking pattern to minimize lock contention:
+        1. First, check if the token is valid WITHOUT acquiring a lock (fast path)
+        2. If refresh is needed, acquire a lock with a timeout
+        3. Double-check if refresh is still needed (another request may have refreshed)
+        4. Perform the refresh if still needed
 
-        The method ensures that only one refresh operation is performed per refresh token by using a
-        row-level lock on the token record.
-
-        The method is designed to handle race conditions where multiple requests might attempt to refresh
-        the same token simultaneously, ensuring that only one refresh call occurs per refresh token.
+        The row-level lock ensures that only one refresh operation is performed per
+        refresh token, which is important because most IDPs invalidate the old refresh
+        token after it's used once.
 
         Args:
-            check_expiration_and_refresh (Callable, optional): A function that checks if the tokens have expired
-                and attempts to refresh them. It should return a dictionary containing the new access_token, refresh_token,
-                and their respective expiration timestamps. If no refresh is needed, it should return `None`.
+            check_expiration_and_refresh: A function that checks if the tokens have
+                expired and attempts to refresh them. It should return a dictionary
+                containing the new access_token, refresh_token, and their respective
+                expiration timestamps. If no refresh is needed, it should return None.
 
         Returns:
-            Dict[str, str | int] | None:
-                A dictionary containing the access_token, refresh_token, access_token_expires_at,
-                and refresh_token_expires_at. If no token record is found, returns `None`.
+            A dictionary containing the access_token, refresh_token,
+            access_token_expires_at, and refresh_token_expires_at.
+            If no token record is found, returns None.
+
+        Raises:
+            TokenRefreshError: If the lock cannot be acquired within the timeout
+                period. This typically means another request is holding the lock
+                for an extended period. Callers should handle this by returning
+                a 401 response to prompt the user to re-authenticate.
         """
+        # FAST PATH: Check without lock first to avoid unnecessary lock contention
         async with self.a_session_maker() as session:
-            async with session.begin():  # Ensures transaction management
-                # Lock the row while we check if we need to refresh the tokens.
-                # There is a race condition where 2 or more calls can load tokens simultaneously.
-                # If it turns out the loaded tokens are expired, then there will be multiple
-                # refresh token calls with the same refresh token. Most IDPs only allow one refresh
-                # per refresh token. This lock ensure that only one refresh call occurs per refresh token
-                result = await session.execute(
-                    select(AuthTokens)
-                    .filter(
-                        AuthTokens.keycloak_user_id == self.keycloak_user_id,
-                        AuthTokens.identity_provider == self.identity_provider_value,
-                    )
-                    .with_for_update()
+            result = await session.execute(
+                select(AuthTokens).filter(
+                    AuthTokens.keycloak_user_id == self.keycloak_user_id,
+                    AuthTokens.identity_provider == self.identity_provider_value,
                 )
-                token_record = result.scalars().one_or_none()
+            )
+            token_record = result.scalars().one_or_none()
 
-                if not token_record:
-                    return None
+            if not token_record:
+                return None
 
-                token_refresh = (
-                    await check_expiration_and_refresh(
+            # Check if token needs refresh
+            access_expired, _ = self._is_token_expired(
+                token_record.access_token_expires_at,
+                token_record.refresh_token_expires_at,
+            )
+
+            # If token is still valid, return it without acquiring a lock
+            if not access_expired or check_expiration_and_refresh is None:
+                return {
+                    'access_token': token_record.access_token,
+                    'refresh_token': token_record.refresh_token,
+                    'access_token_expires_at': token_record.access_token_expires_at,
+                    'refresh_token_expires_at': token_record.refresh_token_expires_at,
+                }
+
+        # SLOW PATH: Token needs refresh, acquire lock
+        try:
+            async with self.a_session_maker() as session:
+                async with session.begin():
+                    # Set a lock timeout to prevent indefinite blocking
+                    # This ensures we don't hold connections forever if something goes wrong
+                    await session.execute(
+                        text(f"SET LOCAL lock_timeout = '{LOCK_TIMEOUT_SECONDS}s'")
+                    )
+
+                    # Acquire row-level lock to prevent concurrent refresh attempts
+                    result = await session.execute(
+                        select(AuthTokens)
+                        .filter(
+                            AuthTokens.keycloak_user_id == self.keycloak_user_id,
+                            AuthTokens.identity_provider
+                            == self.identity_provider_value,
+                        )
+                        .with_for_update()
+                    )
+                    token_record = result.scalars().one_or_none()
+
+                    if not token_record:
+                        return None
+
+                    # Double-check: another request may have refreshed while we waited for the lock
+                    access_expired, _ = self._is_token_expired(
+                        token_record.access_token_expires_at,
+                        token_record.refresh_token_expires_at,
+                    )
+
+                    if not access_expired:
+                        # Token was refreshed by another request while we waited
+                        logger.debug(
+                            'Token was refreshed by another request while waiting for lock'
+                        )
+                        return {
+                            'access_token': token_record.access_token,
+                            'refresh_token': token_record.refresh_token,
+                            'access_token_expires_at': token_record.access_token_expires_at,
+                            'refresh_token_expires_at': token_record.refresh_token_expires_at,
+                        }
+
+                    # We're the one doing the refresh
+                    token_refresh = await check_expiration_and_refresh(
                         self.idp,
                         token_record.refresh_token,
                         token_record.access_token_expires_at,
                         token_record.refresh_token_expires_at,
                     )
-                    if check_expiration_and_refresh
-                    else None
-                )
 
-                if token_refresh:
-                    await session.execute(
-                        update(AuthTokens)
-                        .where(AuthTokens.id == token_record.id)
-                        .values(
-                            access_token=token_refresh['access_token'],
-                            refresh_token=token_refresh['refresh_token'],
-                            access_token_expires_at=token_refresh[
-                                'access_token_expires_at'
-                            ],
-                            refresh_token_expires_at=token_refresh[
-                                'refresh_token_expires_at'
-                            ],
+                    if token_refresh:
+                        await session.execute(
+                            update(AuthTokens)
+                            .where(AuthTokens.id == token_record.id)
+                            .values(
+                                access_token=token_refresh['access_token'],
+                                refresh_token=token_refresh['refresh_token'],
+                                access_token_expires_at=token_refresh[
+                                    'access_token_expires_at'
+                                ],
+                                refresh_token_expires_at=token_refresh[
+                                    'refresh_token_expires_at'
+                                ],
+                            )
                         )
-                    )
-                    await session.commit()
+                        await session.commit()
 
-                return (
-                    token_refresh
-                    if token_refresh
-                    else {
-                        'access_token': token_record.access_token,
-                        'refresh_token': token_record.refresh_token,
-                        'access_token_expires_at': token_record.access_token_expires_at,
-                        'refresh_token_expires_at': token_record.refresh_token_expires_at,
-                    }
-                )
+                    return (
+                        token_refresh
+                        if token_refresh
+                        else {
+                            'access_token': token_record.access_token,
+                            'refresh_token': token_record.refresh_token,
+                            'access_token_expires_at': token_record.access_token_expires_at,
+                            'refresh_token_expires_at': token_record.refresh_token_expires_at,
+                        }
+                    )
+        except OperationalError as e:
+            # Lock timeout - another request is holding the lock for too long
+            logger.warning(
+                f'Token refresh lock timeout for user {self.keycloak_user_id}: {e}'
+            )
+            raise TokenRefreshError(
+                'Unable to refresh token due to lock timeout. Please try again.'
+            ) from e
 
     async def is_access_token_valid(self) -> bool:
         """Check if the access token is still valid.
@@ -194,8 +291,8 @@ class AuthTokenStore:
         """Get an instance of the AuthTokenStore.
 
         Args:
-            config: The application configuration
             keycloak_user_id: The Keycloak user ID
+            idp: The identity provider type
 
         Returns:
             An instance of AuthTokenStore

enterprise/storage/database.py

@@ -18,17 +18,17 @@ def _get_db_session_injector():
     return _config.db_session
 
 
-def session_maker():
+def session_maker(**kwargs):
     db_session_injector = _get_db_session_injector()
-    session_maker = db_session_injector.get_session_maker()
-    return session_maker()
+    factory = db_session_injector.get_session_maker()
+    return factory(**kwargs)
 
 
 @contextlib.asynccontextmanager
-async def a_session_maker():
+async def a_session_maker(**kwargs):
     db_session_injector = _get_db_session_injector()
-    a_session_maker = await db_session_injector.get_async_session_maker()
-    async with a_session_maker() as session:
+    factory = await db_session_injector.get_async_session_maker()
+    async with factory(**kwargs) as session:
         yield session
 
 

enterprise/storage/lite_llm_manager.py

@@ -43,6 +43,34 @@ def get_byor_key_alias(keycloak_user_id: str, org_id: str) -> str:
 class LiteLlmManager:
     """Manage LiteLLM interactions."""
 
+    @staticmethod
+    def get_budget_from_team_info(
+        user_team_info: dict | None, user_id: str, org_id: str
+    ) -> tuple[float, float]:
+        """Extract max_budget and spend from user team info.
+
+        For personal orgs (user_id == org_id), uses litellm_budget_table.max_budget.
+        For team orgs, uses max_budget_in_team (populated by get_user_team_info).
+
+        Args:
+            user_team_info: The response from get_user_team_info
+            user_id: The user's ID
+            org_id: The organization's ID
+
+        Returns:
+            Tuple of (max_budget, spend)
+        """
+        if not user_team_info:
+            return 0, 0
+        spend = user_team_info.get('spend', 0)
+        if user_id == org_id:
+            max_budget = (user_team_info.get('litellm_budget_table') or {}).get(
+                'max_budget', 0
+            )
+        else:
+            max_budget = user_team_info.get('max_budget_in_team') or 0
+        return max_budget, spend
+
     @staticmethod
     async def create_entries(
         org_id: str,
@@ -71,8 +99,34 @@ class LiteLlmManager:
                     'x-goog-api-key': LITE_LLM_API_KEY,
                 }
             ) as client:
-                # New users start with $0 budget - they must purchase credits
-                await LiteLlmManager._create_team(client, keycloak_user_id, org_id, 0)
+                # Check if team already exists and get its budget
+                # New users joining existing orgs should inherit the team's budget
+                team_budget = 0.0
+                try:
+                    existing_team = await LiteLlmManager._get_team(client, org_id)
+                    if existing_team:
+                        team_info = existing_team.get('team_info', {})
+                        team_budget = team_info.get('max_budget', 0.0) or 0.0
+                        logger.info(
+                            'LiteLlmManager:create_entries:existing_team_budget',
+                            extra={
+                                'org_id': org_id,
+                                'user_id': keycloak_user_id,
+                                'team_budget': team_budget,
+                            },
+                        )
+                except httpx.HTTPStatusError as e:
+                    # Team doesn't exist yet (404) - this is expected for first user
+                    if e.response.status_code != 404:
+                        raise
+                    logger.info(
+                        'LiteLlmManager:create_entries:no_existing_team',
+                        extra={'org_id': org_id, 'user_id': keycloak_user_id},
+                    )
+
+                await LiteLlmManager._create_team(
+                    client, keycloak_user_id, org_id, team_budget
+                )
 
                 if create_user:
                     await LiteLlmManager._create_user(
@@ -80,7 +134,7 @@ class LiteLlmManager:
                     )
 
                 await LiteLlmManager._add_user_to_team(
-                    client, keycloak_user_id, org_id, 0
+                    client, keycloak_user_id, org_id, team_budget
                 )
 
                 key = await LiteLlmManager._generate_key(
@@ -892,21 +946,31 @@ class LiteLlmManager:
         if LITE_LLM_API_KEY is None or LITE_LLM_API_URL is None:
             logger.warning('LiteLLM API configuration not found')
             return None
-        team_info = await LiteLlmManager._get_team(client, team_id)
-        if not team_info:
+        team_response = await LiteLlmManager._get_team(client, team_id)
+        if not team_response:
             return None
 
         # Filter team_memberships based on team_id and keycloak_user_id
         user_membership = next(
             (
                 membership
-                for membership in team_info.get('team_memberships', [])
+                for membership in team_response.get('team_memberships', [])
                 if membership.get('user_id') == keycloak_user_id
                 and membership.get('team_id') == team_id
             ),
             None,
         )
 
+        if not user_membership:
+            return None
+
+        # For team orgs (user_id != team_id), include team-level budget info
+        # The team's max_budget and spend are shared across all members
+        if keycloak_user_id != team_id:
+            team_info = team_response.get('team_info', {})
+            user_membership['max_budget_in_team'] = team_info.get('max_budget')
+            user_membership['spend'] = team_info.get('spend', 0)
+
         return user_membership
 
     @staticmethod

enterprise/storage/org.py

@@ -47,11 +47,13 @@ class Org(Base):  # type: ignore
     conversation_expiration = Column(Integer, nullable=True)
     condenser_max_size = Column(Integer, nullable=True)
     byor_export_enabled = Column(Boolean, nullable=False, default=False)
-    pending_free_credits = Column(Boolean, nullable=False, default=False)
 
     # Relationships
     org_members = relationship('OrgMember', back_populates='org')
     current_users = relationship('User', back_populates='current_org')
+    invitations = relationship(
+        'OrgInvitation', back_populates='org', passive_deletes=True
+    )
     billing_sessions = relationship('BillingSession', back_populates='org')
     stored_conversation_metadata_saas = relationship(
         'StoredConversationMetadataSaas', back_populates='org'

enterprise/storage/org_invitation.py

@@ -0,0 +1,59 @@
+"""
+SQLAlchemy model for Organization Invitation.
+"""
+
+from sqlalchemy import UUID, Column, DateTime, ForeignKey, Integer, String, text
+from sqlalchemy.orm import relationship
+from storage.base import Base
+
+
+class OrgInvitation(Base):  # type: ignore
+    """Organization invitation model.
+
+    Represents an invitation for a user to join an organization.
+    Invitations are created by organization owners/admins and contain
+    a secure token that can be used to accept the invitation.
+    """
+
+    __tablename__ = 'org_invitation'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    token = Column(String(64), nullable=False, unique=True, index=True)
+    org_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey('org.id', ondelete='CASCADE'),
+        nullable=False,
+        index=True,
+    )
+    email = Column(String(255), nullable=False, index=True)
+    role_id = Column(Integer, ForeignKey('role.id'), nullable=False)
+    inviter_id = Column(UUID(as_uuid=True), ForeignKey('user.id'), nullable=False)
+    status = Column(
+        String(20),
+        nullable=False,
+        server_default=text("'pending'"),
+    )
+    created_at = Column(
+        DateTime,
+        nullable=False,
+        server_default=text('CURRENT_TIMESTAMP'),
+    )
+    expires_at = Column(DateTime, nullable=False)
+    accepted_at = Column(DateTime, nullable=True)
+    accepted_by_user_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey('user.id'),
+        nullable=True,
+    )
+
+    # Relationships
+    org = relationship('Org', back_populates='invitations')
+    role = relationship('Role')
+    inviter = relationship('User', foreign_keys=[inviter_id])
+    accepted_by_user = relationship('User', foreign_keys=[accepted_by_user_id])
+
+    # Status constants
+    STATUS_PENDING = 'pending'
+    STATUS_ACCEPTED = 'accepted'
+    STATUS_REVOKED = 'revoked'
+    STATUS_EXPIRED = 'expired'

enterprise/storage/org_invitation_store.py

@@ -0,0 +1,227 @@
+"""
+Store class for managing organization invitations.
+"""
+
+import secrets
+import string
+from datetime import datetime, timedelta
+from typing import Optional
+from uuid import UUID
+
+from sqlalchemy import and_, select
+from sqlalchemy.orm import joinedload
+from storage.database import a_session_maker
+from storage.org_invitation import OrgInvitation
+
+from openhands.core.logger import openhands_logger as logger
+
+# Invitation token configuration
+INVITATION_TOKEN_PREFIX = 'inv-'
+INVITATION_TOKEN_LENGTH = 48  # Total length will be 52 with prefix
+DEFAULT_EXPIRATION_DAYS = 7
+
+
+class OrgInvitationStore:
+    """Store for managing organization invitations."""
+
+    @staticmethod
+    def generate_token(length: int = INVITATION_TOKEN_LENGTH) -> str:
+        """Generate a secure invitation token.
+
+        Uses cryptographically secure random generation for tokens.
+        Pattern from api_key_store.py.
+
+        Args:
+            length: Length of the random part of the token
+
+        Returns:
+            str: Token with prefix (e.g., 'inv-aBcDeF123...')
+        """
+        alphabet = string.ascii_letters + string.digits
+        random_part = ''.join(secrets.choice(alphabet) for _ in range(length))
+        return f'{INVITATION_TOKEN_PREFIX}{random_part}'
+
+    @staticmethod
+    async def create_invitation(
+        org_id: UUID,
+        email: str,
+        role_id: int,
+        inviter_id: UUID,
+        expiration_days: int = DEFAULT_EXPIRATION_DAYS,
+    ) -> OrgInvitation:
+        """Create a new organization invitation.
+
+        Args:
+            org_id: Organization UUID
+            email: Invitee's email address
+            role_id: Role ID to assign on acceptance
+            inviter_id: User ID of the person creating the invitation
+            expiration_days: Days until the invitation expires
+
+        Returns:
+            OrgInvitation: The created invitation record
+        """
+        async with a_session_maker() as session:
+            token = OrgInvitationStore.generate_token()
+            # Use timezone-naive datetime for database compatibility
+            expires_at = datetime.utcnow() + timedelta(days=expiration_days)
+
+            invitation = OrgInvitation(
+                token=token,
+                org_id=org_id,
+                email=email.lower().strip(),
+                role_id=role_id,
+                inviter_id=inviter_id,
+                status=OrgInvitation.STATUS_PENDING,
+                expires_at=expires_at,
+            )
+            session.add(invitation)
+            await session.commit()
+
+            # Re-fetch with eagerly loaded relationships to avoid DetachedInstanceError
+            result = await session.execute(
+                select(OrgInvitation)
+                .options(joinedload(OrgInvitation.role))
+                .filter(OrgInvitation.id == invitation.id)
+            )
+            invitation = result.scalars().first()
+
+            logger.info(
+                'Created organization invitation',
+                extra={
+                    'invitation_id': invitation.id,
+                    'org_id': str(org_id),
+                    'email': email,
+                    'inviter_id': str(inviter_id),
+                    'expires_at': expires_at.isoformat(),
+                },
+            )
+
+            return invitation
+
+    @staticmethod
+    async def get_invitation_by_token(token: str) -> Optional[OrgInvitation]:
+        """Get an invitation by its token.
+
+        Args:
+            token: The invitation token
+
+        Returns:
+            OrgInvitation or None if not found
+        """
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(OrgInvitation)
+                .options(joinedload(OrgInvitation.org), joinedload(OrgInvitation.role))
+                .filter(OrgInvitation.token == token)
+            )
+            return result.scalars().first()
+
+    @staticmethod
+    async def get_pending_invitation(
+        org_id: UUID, email: str
+    ) -> Optional[OrgInvitation]:
+        """Get a pending invitation for an email in an organization.
+
+        Args:
+            org_id: Organization UUID
+            email: Email address to check
+
+        Returns:
+            OrgInvitation or None if no pending invitation exists
+        """
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(OrgInvitation).filter(
+                    and_(
+                        OrgInvitation.org_id == org_id,
+                        OrgInvitation.email == email.lower().strip(),
+                        OrgInvitation.status == OrgInvitation.STATUS_PENDING,
+                    )
+                )
+            )
+            return result.scalars().first()
+
+    @staticmethod
+    async def update_invitation_status(
+        invitation_id: int,
+        status: str,
+        accepted_by_user_id: Optional[UUID] = None,
+    ) -> Optional[OrgInvitation]:
+        """Update an invitation's status.
+
+        Args:
+            invitation_id: The invitation ID
+            status: New status (pending, accepted, revoked, expired)
+            accepted_by_user_id: User ID who accepted (only for 'accepted' status)
+
+        Returns:
+            Updated OrgInvitation or None if not found
+        """
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(OrgInvitation).filter(OrgInvitation.id == invitation_id)
+            )
+            invitation = result.scalars().first()
+
+            if not invitation:
+                return None
+
+            old_status = invitation.status
+            invitation.status = status
+
+            if status == OrgInvitation.STATUS_ACCEPTED and accepted_by_user_id:
+                # Use timezone-naive datetime for database compatibility
+                invitation.accepted_at = datetime.utcnow()
+                invitation.accepted_by_user_id = accepted_by_user_id
+
+            await session.commit()
+            await session.refresh(invitation)
+
+            logger.info(
+                'Updated invitation status',
+                extra={
+                    'invitation_id': invitation_id,
+                    'old_status': old_status,
+                    'new_status': status,
+                    'accepted_by_user_id': (
+                        str(accepted_by_user_id) if accepted_by_user_id else None
+                    ),
+                },
+            )
+
+            return invitation
+
+    @staticmethod
+    def is_token_expired(invitation: OrgInvitation) -> bool:
+        """Check if an invitation token has expired.
+
+        Args:
+            invitation: The invitation to check
+
+        Returns:
+            bool: True if expired, False otherwise
+        """
+        # Use timezone-naive datetime for comparison (database stores without timezone)
+        now = datetime.utcnow()
+        return invitation.expires_at < now
+
+    @staticmethod
+    async def mark_expired_if_needed(invitation: OrgInvitation) -> bool:
+        """Check if invitation is expired and update status if needed.
+
+        Args:
+            invitation: The invitation to check
+
+        Returns:
+            bool: True if invitation was marked as expired, False otherwise
+        """
+        if (
+            invitation.status == OrgInvitation.STATUS_PENDING
+            and OrgInvitationStore.is_token_expired(invitation)
+        ):
+            await OrgInvitationStore.update_invitation_status(
+                invitation.id, OrgInvitation.STATUS_EXPIRED
+            )
+            return True
+        return False

enterprise/storage/org_member_store.py

@@ -5,10 +5,11 @@ Store class for managing organization-member relationships.
 from typing import Optional
 from uuid import UUID
 
-from sqlalchemy import select
+from sqlalchemy import func, select
 from sqlalchemy.orm import joinedload
 from storage.database import a_session_maker, session_maker
 from storage.org_member import OrgMember
+from storage.user import User
 from storage.user_settings import UserSettings
 
 from openhands.storage.data_models.settings import Settings
@@ -60,6 +61,51 @@ class OrgMemberStore:
             )
             return result.scalars().first()
 
+    @staticmethod
+    def get_org_member_for_current_org(user_id: UUID) -> Optional[OrgMember]:
+        """Get the org member for a user's current organization.
+
+        Args:
+            user_id: The user's UUID.
+
+        Returns:
+            The OrgMember for the user's current organization, or None if not found.
+        """
+        with session_maker() as session:
+            result = (
+                session.query(OrgMember)
+                .join(User, User.id == OrgMember.user_id)
+                .filter(
+                    User.id == user_id,
+                    OrgMember.org_id == User.current_org_id,
+                )
+                .first()
+            )
+            return result
+
+    @staticmethod
+    async def get_org_member_for_current_org_async(
+        user_id: UUID,
+    ) -> Optional[OrgMember]:
+        """Get the org member for a user's current organization (async version).
+
+        Args:
+            user_id: The user's UUID.
+
+        Returns:
+            The OrgMember for the user's current organization, or None if not found.
+        """
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(OrgMember)
+                .join(User, User.id == OrgMember.user_id)
+                .filter(
+                    User.id == user_id,
+                    OrgMember.org_id == User.current_org_id,
+                )
+            )
+            return result.scalars().first()
+
     @staticmethod
     def get_user_orgs(user_id: UUID) -> list[OrgMember]:
         """Get all organizations for a user."""
@@ -137,14 +183,48 @@ class OrgMemberStore:
         }
         return kwargs
 
+    @staticmethod
+    async def get_org_members_count(
+        org_id: UUID,
+        email_filter: str | None = None,
+    ) -> int:
+        """Get total count of organization members, optionally filtered by email.
+
+        Args:
+            org_id: Organization UUID.
+            email_filter: Optional case-insensitive partial email match.
+
+        Returns:
+            Total count of matching members.
+        """
+        async with a_session_maker() as session:
+            query = select(func.count(OrgMember.user_id)).filter(
+                OrgMember.org_id == org_id
+            )
+
+            if email_filter:
+                query = query.join(User, User.id == OrgMember.user_id).filter(
+                    User.email.ilike(f'%{email_filter}%')
+                )
+
+            result = await session.execute(query)
+            return result.scalar() or 0
+
     @staticmethod
     async def get_org_members_paginated(
         org_id: UUID,
         offset: int = 0,
         limit: int = 100,
+        email_filter: str | None = None,
     ) -> tuple[list[OrgMember], bool]:
         """Get paginated list of organization members with user and role info.
 
+        Args:
+            org_id: Organization UUID.
+            offset: Number of records to skip.
+            limit: Maximum number of records to return.
+            email_filter: Optional case-insensitive partial email match.
+
         Returns:
             Tuple of (members_list, has_more) where has_more indicates if there are more results.
         """
@@ -154,13 +234,18 @@ class OrgMemberStore:
             query = (
                 select(OrgMember)
                 .options(joinedload(OrgMember.user), joinedload(OrgMember.role))
+                .join(User, User.id == OrgMember.user_id)
                 .filter(OrgMember.org_id == org_id)
-                .order_by(OrgMember.user_id)
-                .offset(offset)
-                .limit(limit + 1)
             )
+
+            # Apply email filter if provided
+            if email_filter:
+                query = query.filter(User.email.ilike(f'%{email_filter}%'))
+
+            query = query.order_by(OrgMember.user_id).offset(offset).limit(limit + 1)
+
             result = await session.execute(query)
-            members = list(result.scalars().all())
+            members = list(result.unique().scalars().all())
 
             # Check if there are more results
             has_more = len(members) > limit

enterprise/storage/org_service.py

@@ -112,7 +112,6 @@ class OrgService:
             contact_email=contact_email,
             org_version=ORG_SETTINGS_VERSION,
             default_llm_model=get_default_litellm_model(),
-            pending_free_credits=True,
         )
 
     @staticmethod
@@ -657,10 +656,9 @@ class OrgService:
                 )
                 return None
 
-            max_budget = (user_team_info.get('litellm_budget_table') or {}).get(
-                'max_budget', 0
+            max_budget, spend = LiteLlmManager.get_budget_from_team_info(
+                user_team_info, user_id, str(org_id)
             )
-            spend = user_team_info.get('spend', 0)
             credits = max(max_budget - spend, 0)
 
             logger.debug(

enterprise/storage/resend_synced_user.py

@@ -0,0 +1,35 @@
+"""SQLAlchemy model for tracking users synced to Resend audiences."""
+
+from datetime import UTC, datetime
+from uuid import uuid4
+
+from sqlalchemy import Column, DateTime, String, UniqueConstraint
+from sqlalchemy.dialects.postgresql import UUID
+from storage.base import Base
+
+
+class ResendSyncedUser(Base):  # type: ignore
+    """Tracks users that have been synced to a Resend audience.
+
+    This table ensures that once a user is synced to a Resend audience,
+    they won't be re-added even if they are later deleted from the
+    Resend UI. This respects manual deletions/unsubscribes.
+    """
+
+    __tablename__ = 'resend_synced_users'
+
+    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid4)
+    email = Column(String, nullable=False, index=True)
+    audience_id = Column(String, nullable=False, index=True)
+    synced_at = Column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(UTC),
+        nullable=False,
+    )
+    keycloak_user_id = Column(String, nullable=True)
+
+    __table_args__ = (
+        UniqueConstraint(
+            'email', 'audience_id', name='uq_resend_synced_email_audience'
+        ),
+    )

enterprise/storage/resend_synced_user_store.py

@@ -0,0 +1,125 @@
+"""Store class for managing Resend synced users."""
+
+from dataclasses import dataclass
+from datetime import UTC, datetime
+from typing import Optional, Set
+
+from sqlalchemy import delete, select
+from sqlalchemy.dialects.postgresql import insert
+from sqlalchemy.orm import sessionmaker
+from storage.resend_synced_user import ResendSyncedUser
+
+
+@dataclass
+class ResendSyncedUserStore:
+    """Store for tracking users synced to Resend audiences."""
+
+    session_maker: sessionmaker
+
+    def is_user_synced(self, email: str, audience_id: str) -> bool:
+        """Check if a user has been synced to a specific audience.
+
+        Args:
+            email: The email address to check.
+            audience_id: The Resend audience ID.
+
+        Returns:
+            True if the user has been synced, False otherwise.
+        """
+        with self.session_maker() as session:
+            stmt = select(ResendSyncedUser).where(
+                ResendSyncedUser.email == email.lower(),
+                ResendSyncedUser.audience_id == audience_id,
+            )
+            result = session.execute(stmt).first()
+            return result is not None
+
+    def get_synced_emails_for_audience(self, audience_id: str) -> Set[str]:
+        """Get all synced email addresses for a specific audience.
+
+        Args:
+            audience_id: The Resend audience ID.
+
+        Returns:
+            A set of lowercase email addresses that have been synced.
+        """
+        with self.session_maker() as session:
+            stmt = select(ResendSyncedUser.email).where(
+                ResendSyncedUser.audience_id == audience_id,
+            )
+            result = session.execute(stmt).scalars().all()
+            return set(result)
+
+    def mark_user_synced(
+        self,
+        email: str,
+        audience_id: str,
+        keycloak_user_id: Optional[str] = None,
+    ) -> ResendSyncedUser:
+        """Mark a user as synced to a specific audience.
+
+        Uses upsert to handle race conditions - if the user is already
+        marked as synced, this is a no-op.
+
+        Args:
+            email: The email address of the user.
+            audience_id: The Resend audience ID.
+            keycloak_user_id: Optional Keycloak user ID.
+
+        Returns:
+            The ResendSyncedUser record.
+
+        Raises:
+            RuntimeError: If the record could not be created or retrieved.
+        """
+        with self.session_maker() as session:
+            stmt = (
+                insert(ResendSyncedUser)
+                .values(
+                    email=email.lower(),
+                    audience_id=audience_id,
+                    keycloak_user_id=keycloak_user_id,
+                    synced_at=datetime.now(UTC),
+                )
+                .on_conflict_do_nothing(constraint='uq_resend_synced_email_audience')
+                .returning(ResendSyncedUser)
+            )
+            result = session.execute(stmt)
+            session.commit()
+
+            row = result.first()
+            if row:
+                return row[0]
+
+            # on_conflict_do_nothing triggered, fetch the existing record
+            existing = session.execute(
+                select(ResendSyncedUser).where(
+                    ResendSyncedUser.email == email.lower(),
+                    ResendSyncedUser.audience_id == audience_id,
+                )
+            ).first()
+            if existing:
+                return existing[0]
+
+            raise RuntimeError(
+                f'Failed to create or retrieve synced user record for {email}'
+            )
+
+    def remove_synced_user(self, email: str, audience_id: str) -> bool:
+        """Remove a user's synced status for a specific audience.
+
+        Args:
+            email: The email address of the user.
+            audience_id: The Resend audience ID.
+
+        Returns:
+            True if a record was deleted, False if no record existed.
+        """
+        with self.session_maker() as session:
+            stmt = delete(ResendSyncedUser).where(
+                ResendSyncedUser.email == email.lower(),
+                ResendSyncedUser.audience_id == audience_id,
+            )
+            result = session.execute(stmt)
+            session.commit()
+            return result.rowcount > 0

enterprise/storage/role_store.py

@@ -29,6 +29,20 @@ class RoleStore:
         with session_maker() as session:
             return session.query(Role).filter(Role.id == role_id).first()
 
+    @staticmethod
+    async def get_role_by_id_async(
+        role_id: int,
+        session: Optional[AsyncSession] = None,
+    ) -> Optional[Role]:
+        """Get role by ID (async version)."""
+        if session is not None:
+            result = await session.execute(select(Role).where(Role.id == role_id))
+            return result.scalars().first()
+
+        async with a_session_maker() as session:
+            result = await session.execute(select(Role).where(Role.id == role_id))
+            return result.scalars().first()
+
     @staticmethod
     def get_role_by_name(name: str) -> Optional[Role]:
         """Get role by name."""

enterprise/storage/user_app_settings_store.py

@@ -0,0 +1,64 @@
+"""Store class for managing user app settings."""
+
+from __future__ import annotations
+
+import uuid
+from dataclasses import dataclass
+
+from server.routes.user_app_settings_models import UserAppSettingsUpdate
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+from storage.user import User
+
+
+@dataclass
+class UserAppSettingsStore:
+    """Store for user app settings with injected db_session."""
+
+    db_session: AsyncSession
+
+    async def get_user_by_id(self, user_id: str) -> User | None:
+        """Get user by ID.
+
+        Args:
+            user_id: The user's ID (Keycloak user ID)
+
+        Returns:
+            User: The user object, or None if not found
+        """
+        result = await self.db_session.execute(
+            select(User).filter(User.id == uuid.UUID(user_id))
+        )
+        return result.scalars().first()
+
+    async def update_user_app_settings(
+        self, user_id: str, update_data: UserAppSettingsUpdate
+    ) -> User | None:
+        """Update user app settings.
+
+        Only updates fields that are explicitly provided in update_data.
+        Uses flush() - commit happens at request end via DbSessionInjector.
+
+        Args:
+            user_id: The user's ID (Keycloak user ID)
+            update_data: Pydantic model with fields to update
+
+        Returns:
+            User: The updated user object, or None if user not found
+        """
+        result = await self.db_session.execute(
+            select(User).filter(User.id == uuid.UUID(user_id)).with_for_update()
+        )
+        user = result.scalars().first()
+
+        if not user:
+            return None
+
+        # Update only explicitly provided fields
+        for field, value in update_data.model_dump(exclude_unset=True).items():
+            setattr(user, field, value)
+
+        # flush instead of commit - DbSessionInjector auto-commits at request end
+        await self.db_session.flush()
+        await self.db_session.refresh(user)
+        return user

enterprise/storage/user_store.py

@@ -59,7 +59,6 @@ class UserStore:
                 or user_info.get('preferred_username', ''),
                 contact_email=user_info['email'],
                 v1_enabled=True,
-                pending_free_credits=True,
             )
             session.add(org)
 
@@ -84,6 +83,8 @@ class UserStore:
                 role_id=role_id,
                 **user_kwargs,
             )
+            user.email = user_info.get('email')
+            user.email_verified = user_info.get('email_verified')
             session.add(user)
 
             role = RoleStore.get_role_by_name('owner')
@@ -196,7 +197,6 @@ class UserStore:
                 or user_info.get('username', ''),
                 contact_email=user_info['email'],
                 byor_export_enabled=has_completed_billing,
-                pending_free_credits=not has_completed_billing,
             )
             session.add(org)
 
@@ -770,6 +770,30 @@ class UserStore:
             finally:
                 await UserStore._release_user_creation_lock(user_id)
 
+    @staticmethod
+    async def get_user_by_email_async(email: str) -> Optional[User]:
+        """Get user by email address (async version).
+
+        This method looks up a user by their email address. Note that email
+        addresses may not be unique across all users in rare cases.
+
+        Args:
+            email: The email address to search for
+
+        Returns:
+            User: The user with the matching email, or None if not found
+        """
+        if not email:
+            return None
+
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(User)
+                .options(joinedload(User.org_members))
+                .filter(User.email == email.lower().strip())
+            )
+            return result.scalars().first()
+
     @staticmethod
     def list_users() -> list[User]:
         """List all users."""
@@ -845,6 +869,88 @@ class UserStore:
                 org.contact_name = real_name
                 await session.commit()
 
+    @staticmethod
+    async def update_user_email(
+        user_id: str,
+        email: str | None = None,
+        email_verified: bool | None = None,
+    ) -> None:
+        """Unconditionally update User.email and/or email_verified.
+
+        Unlike backfill_user_email(), this overwrites existing values.
+        No-op when both arguments are None.
+        Missing user is logged as a warning and ignored.
+        """
+        if email is None and email_verified is None:
+            return
+
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(User).filter(User.id == uuid.UUID(user_id))
+            )
+            user = result.scalars().first()
+            if not user:
+                logger.warning(
+                    'update_user_email:user_not_found',
+                    extra={'user_id': user_id},
+                )
+                return
+
+            if email is not None:
+                user.email = email
+            if email_verified is not None:
+                user.email_verified = email_verified
+
+            logger.info(
+                'update_user_email:updated',
+                extra={
+                    'user_id': user_id,
+                    'email_set': email is not None,
+                    'email_verified_set': email_verified is not None,
+                },
+            )
+            await session.commit()
+
+    @staticmethod
+    async def backfill_user_email(user_id: str, user_info: dict) -> None:
+        """Set User.email and email_verified from IDP if they are still NULL.
+
+        Called during login to gradually fix existing users whose email
+        was never persisted on the User record. Preserves non-NULL values
+        (e.g. if a user manually changed their email).
+        """
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(User).filter(User.id == uuid.UUID(user_id))
+            )
+            user = result.scalars().first()
+            if not user:
+                logger.debug(
+                    'backfill_user_email:user_not_found',
+                    extra={'user_id': user_id},
+                )
+                return
+
+            updated = False
+            if user.email is None:
+                user.email = user_info.get('email')
+                updated = True
+
+            if user.email_verified is None:
+                user.email_verified = user_info.get('email_verified', False)
+                updated = True
+
+            if updated:
+                logger.info(
+                    'backfill_user_email:updated',
+                    extra={
+                        'user_id': user_id,
+                        'email_set': user.email is not None,
+                        'email_verified_set': user.email_verified is not None,
+                    },
+                )
+                await session.commit()
+
     # Prevent circular imports
     from typing import TYPE_CHECKING
 

enterprise/storage/verified_model.py

@@ -0,0 +1,39 @@
+"""SQLAlchemy model for verified LLM models."""
+
+from sqlalchemy import (
+    Boolean,
+    Column,
+    DateTime,
+    Identity,
+    Integer,
+    String,
+    UniqueConstraint,
+    func,
+    text,
+)
+from storage.base import Base
+
+
+class VerifiedModel(Base):  # type: ignore
+    """A verified LLM model available in the model selector.
+
+    The composite unique constraint on (model_name, provider) allows the same
+    model name to exist under different providers (e.g. 'claude-sonnet' under
+    both 'openhands' and 'anthropic').
+    """
+
+    __tablename__ = 'verified_models'
+    __table_args__ = (
+        UniqueConstraint('model_name', 'provider', name='uq_verified_model_provider'),
+    )
+
+    id = Column(Integer, Identity(), primary_key=True)
+    model_name = Column(String(255), nullable=False)
+    provider = Column(String(100), nullable=False, index=True)
+    is_enabled = Column(
+        Boolean, nullable=False, default=True, server_default=text('true')
+    )
+    created_at = Column(DateTime, nullable=False, server_default=func.now())
+    updated_at = Column(
+        DateTime, nullable=False, server_default=func.now(), onupdate=func.now()
+    )

enterprise/storage/verified_model_store.py

@@ -0,0 +1,187 @@
+"""Store for managing verified LLM models in the database."""
+
+from sqlalchemy import and_
+from storage.database import session_maker
+from storage.verified_model import VerifiedModel
+
+from openhands.core.logger import openhands_logger as logger
+
+
+class VerifiedModelStore:
+    """Store for CRUD operations on verified models.
+
+    Follows the project convention of static methods with session_maker()
+    (see UserStore, OrgMemberStore for reference).
+    """
+
+    @staticmethod
+    def get_enabled_models() -> list[VerifiedModel]:
+        """Get all enabled models.
+
+        Returns:
+            list[VerifiedModel]: All models where is_enabled is True
+        """
+        with session_maker() as session:
+            return (
+                session.query(VerifiedModel)
+                .filter(VerifiedModel.is_enabled.is_(True))
+                .order_by(VerifiedModel.provider, VerifiedModel.model_name)
+                .all()
+            )
+
+    @staticmethod
+    def get_models_by_provider(provider: str) -> list[VerifiedModel]:
+        """Get all enabled models for a specific provider.
+
+        Args:
+            provider: The provider name (e.g., 'openhands', 'anthropic')
+        """
+        with session_maker() as session:
+            return (
+                session.query(VerifiedModel)
+                .filter(
+                    and_(
+                        VerifiedModel.provider == provider,
+                        VerifiedModel.is_enabled.is_(True),
+                    )
+                )
+                .order_by(VerifiedModel.model_name)
+                .all()
+            )
+
+    @staticmethod
+    def get_all_models() -> list[VerifiedModel]:
+        """Get all models (including disabled)."""
+        with session_maker() as session:
+            return (
+                session.query(VerifiedModel)
+                .order_by(VerifiedModel.provider, VerifiedModel.model_name)
+                .all()
+            )
+
+    @staticmethod
+    def get_model(model_name: str, provider: str) -> VerifiedModel | None:
+        """Get a model by its composite key (model_name, provider).
+
+        Args:
+            model_name: The model identifier
+            provider: The provider name
+        """
+        with session_maker() as session:
+            return (
+                session.query(VerifiedModel)
+                .filter(
+                    and_(
+                        VerifiedModel.model_name == model_name,
+                        VerifiedModel.provider == provider,
+                    )
+                )
+                .first()
+            )
+
+    @staticmethod
+    def create_model(
+        model_name: str, provider: str, is_enabled: bool = True
+    ) -> VerifiedModel:
+        """Create a new verified model.
+
+        Args:
+            model_name: The model identifier
+            provider: The provider name
+            is_enabled: Whether the model is enabled (default True)
+
+        Raises:
+            ValueError: If a model with the same (model_name, provider) already exists
+        """
+        with session_maker() as session:
+            existing = (
+                session.query(VerifiedModel)
+                .filter(
+                    and_(
+                        VerifiedModel.model_name == model_name,
+                        VerifiedModel.provider == provider,
+                    )
+                )
+                .first()
+            )
+            if existing:
+                raise ValueError(f'Model {provider}/{model_name} already exists')
+
+            model = VerifiedModel(
+                model_name=model_name,
+                provider=provider,
+                is_enabled=is_enabled,
+            )
+            session.add(model)
+            session.commit()
+            session.refresh(model)
+            logger.info(f'Created verified model: {provider}/{model_name}')
+            return model
+
+    @staticmethod
+    def update_model(
+        model_name: str,
+        provider: str,
+        is_enabled: bool | None = None,
+    ) -> VerifiedModel | None:
+        """Update an existing verified model.
+
+        Args:
+            model_name: The model name to update
+            provider: The provider name
+            is_enabled: New enabled state (optional)
+
+        Returns:
+            The updated model if found, None otherwise
+        """
+        with session_maker() as session:
+            model = (
+                session.query(VerifiedModel)
+                .filter(
+                    and_(
+                        VerifiedModel.model_name == model_name,
+                        VerifiedModel.provider == provider,
+                    )
+                )
+                .first()
+            )
+            if not model:
+                return None
+
+            if is_enabled is not None:
+                model.is_enabled = is_enabled
+
+            session.commit()
+            session.refresh(model)
+            logger.info(f'Updated verified model: {provider}/{model_name}')
+            return model
+
+    @staticmethod
+    def delete_model(model_name: str, provider: str) -> bool:
+        """Delete a verified model.
+
+        Args:
+            model_name: The model name to delete
+            provider: The provider name
+
+        Returns:
+            True if deleted, False if not found
+        """
+        with session_maker() as session:
+            model = (
+                session.query(VerifiedModel)
+                .filter(
+                    and_(
+                        VerifiedModel.model_name == model_name,
+                        VerifiedModel.provider == provider,
+                    )
+                )
+                .first()
+            )
+            if not model:
+                return False
+
+            session.delete(model)
+            session.commit()
+            logger.info(f'Deleted verified model: {provider}/{model_name}')
+            return True

enterprise/sync/resend_keycloak.py

@@ -35,6 +35,7 @@ import resend
 from keycloak.exceptions import KeycloakError
 from resend.exceptions import ResendError
 from server.auth.token_manager import get_keycloak_admin
+from storage.resend_synced_user_store import ResendSyncedUserStore
 from tenacity import (
     retry,
     retry_if_exception_type,
@@ -69,9 +70,6 @@ RATE_LIMIT = float(os.environ.get('RATE_LIMIT', '2'))  # Requests per second
 # Set up Resend API
 resend.api_key = RESEND_API_KEY
 
-print('resend module', resend)
-print('has contacts', hasattr(resend, 'Contacts'))
-
 
 class ResendSyncError(Exception):
     """Base exception for Resend sync errors."""
@@ -98,7 +96,7 @@ class ResendAPIError(ResendSyncError):
 EMAIL_REGEX = re.compile(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$')
 
 
-def is_valid_email(email: str) -> bool:
+def is_valid_email(email: Optional[str]) -> bool:
     """Validate an email address format.
 
     This uses a regex pattern that matches most valid email addresses
@@ -106,10 +104,10 @@ def is_valid_email(email: str) -> bool:
     does not accept (e.g., exclamation marks).
 
     Args:
-        email: The email address to validate.
+        email: The email address to validate, or None.
 
     Returns:
-        True if the email is valid, False otherwise.
+        True if the email is valid, False otherwise (including for None).
     """
     if not email:
         return False
@@ -199,8 +197,6 @@ def get_resend_contacts(audience_id: str) -> Dict[str, Dict[str, Any]]:
     Raises:
         ResendAPIError: If the API call fails.
     """
-    print('getting resend contacts')
-    print('has resend contacts', hasattr(resend, 'Contacts'))
     try:
         contacts = resend.Contacts.list(audience_id).get('data', [])
         # Create a dictionary mapping email addresses to contact data for
@@ -255,6 +251,15 @@ def add_contact_to_resend(
         raise
 
 
+@retry(
+    stop=stop_after_attempt(MAX_RETRIES),
+    wait=wait_exponential(
+        multiplier=INITIAL_BACKOFF_SECONDS,
+        max=MAX_BACKOFF_SECONDS,
+        exp_base=BACKOFF_FACTOR,
+    ),
+    retry=retry_if_exception_type(ResendError),
+)
 def send_welcome_email(
     email: str,
     first_name: Optional[str] = None,
@@ -271,7 +276,7 @@ def send_welcome_email(
         The API response.
 
     Raises:
-        ResendError: If the API call fails.
+        ResendError: If the API call fails after retries.
     """
     try:
         # Prepare the recipient name
@@ -317,8 +322,84 @@ def send_welcome_email(
         raise
 
 
+def _get_resend_synced_user_store() -> ResendSyncedUserStore:
+    """Get the ResendSyncedUserStore instance.
+
+    This is separated into a function to allow for easier testing/mocking.
+    """
+    from openhands.app_server.config import get_global_config
+
+    config = get_global_config()
+    db_session_injector = config.db_session
+    return ResendSyncedUserStore(session_maker=db_session_injector.get_session_maker())
+
+
+def _backfill_existing_resend_contacts(
+    synced_user_store: ResendSyncedUserStore,
+    audience_id: str,
+) -> int:
+    """Backfill the synced_users table with contacts already in Resend.
+
+    This ensures that users who were added to Resend before the tracking
+    table existed are properly recorded, preventing duplicate welcome emails.
+
+    Args:
+        synced_user_store: The store for tracking synced users.
+        audience_id: The Resend audience ID.
+
+    Returns:
+        The number of contacts backfilled.
+    """
+    logger.info('Starting backfill of existing Resend contacts...')
+
+    try:
+        resend_contacts = get_resend_contacts(audience_id)
+        logger.info(f'Found {len(resend_contacts)} contacts in Resend audience')
+
+        already_synced_emails = synced_user_store.get_synced_emails_for_audience(
+            audience_id
+        )
+        logger.info(
+            f'Found {len(already_synced_emails)} already synced emails in database'
+        )
+
+        backfilled_count = 0
+        for email in resend_contacts:
+            if email.lower() not in already_synced_emails:
+                synced_user_store.mark_user_synced(
+                    email=email,
+                    audience_id=audience_id,
+                    keycloak_user_id=None,  # We don't have this info during backfill
+                )
+                backfilled_count += 1
+                logger.debug(f'Backfilled existing Resend contact: {email}')
+
+        logger.info(
+            f'Backfill completed: {backfilled_count} contacts added to tracking'
+        )
+        return backfilled_count
+
+    except Exception:
+        logger.exception('Error during backfill of existing Resend contacts')
+        # Don't fail the entire sync if backfill fails - just log and continue
+        return 0
+
+
 def sync_users_to_resend():
-    """Sync users from Keycloak to Resend."""
+    """Sync users from Keycloak to Resend.
+
+    This function syncs users from Keycloak to a Resend audience. It tracks
+    which users have been synced in the database to ensure that:
+    1. Users are only added once (even across multiple sync runs)
+    2. Users who are manually deleted from Resend are not re-added
+
+    The tracking is done via the resend_synced_users table, which records
+    each email/audience_id combination that has been synced.
+
+    On first run (or when new contacts exist in Resend), it will backfill
+    the tracking table with existing Resend contacts to avoid sending
+    duplicate welcome emails.
+    """
     # Check required environment variables
     required_vars = {
         'RESEND_API_KEY': RESEND_API_KEY,
@@ -344,28 +425,36 @@ def sync_users_to_resend():
     )
 
     try:
+        # Get the store for tracking synced users
+        synced_user_store = _get_resend_synced_user_store()
+
+        # Backfill existing Resend contacts into our tracking table
+        # This ensures users already in Resend don't get duplicate welcome emails
+        backfilled_count = _backfill_existing_resend_contacts(
+            synced_user_store, RESEND_AUDIENCE_ID
+        )
+
         # Get the total number of users
         total_users = get_total_keycloak_users()
         logger.info(
             f'Found {total_users} users in Keycloak realm {KEYCLOAK_REALM_NAME}'
         )
 
-        # Get contacts from Resend
-        resend_contacts = get_resend_contacts(RESEND_AUDIENCE_ID)
-        logger.info(
-            f'Found {len(resend_contacts)} contacts in Resend audience '
-            f'{RESEND_AUDIENCE_ID}'
-        )
-
         # Stats
         stats = {
             'total_users': total_users,
-            'existing_contacts': len(resend_contacts),
+            'backfilled_contacts': backfilled_count,
+            'already_synced': 0,
             'added_contacts': 0,
             'skipped_invalid_emails': 0,
             'errors': 0,
         }
 
+        synced_emails = synced_user_store.get_synced_emails_for_audience(
+            RESEND_AUDIENCE_ID
+        )
+        logger.info(f'Found {len(synced_emails)} already synced emails in database')
+
         # Process users in batches
         offset = 0
         while offset < total_users:
@@ -378,8 +467,12 @@ def sync_users_to_resend():
                     continue
 
                 email = email.lower()
-                if email in resend_contacts:
-                    logger.debug(f'User {email} already exists in Resend, skipping')
+
+                if email in synced_emails:
+                    logger.debug(
+                        f'User {email} was already synced to this audience, skipping'
+                    )
+                    stats['already_synced'] += 1
                     continue
 
                 # Validate email format before attempting to add to Resend
@@ -388,35 +481,51 @@ def sync_users_to_resend():
                     stats['skipped_invalid_emails'] += 1
                     continue
 
-                try:
-                    first_name = user.get('first_name')
-                    last_name = user.get('last_name')
+                first_name = user.get('first_name')
+                last_name = user.get('last_name')
+                keycloak_user_id = user.get('id')
 
-                    # Add the contact to the Resend audience
+                # Mark as synced first (optimistic) to ensure consistency.
+                # If Resend API fails, we remove the record.
+                try:
+                    synced_user_store.mark_user_synced(
+                        email=email,
+                        audience_id=RESEND_AUDIENCE_ID,
+                        keycloak_user_id=keycloak_user_id,
+                    )
+                except Exception:
+                    logger.exception(f'Failed to mark user {email} as synced')
+                    stats['errors'] += 1
+                    continue
+
+                try:
                     add_contact_to_resend(
                         RESEND_AUDIENCE_ID, email, first_name, last_name
                     )
                     logger.info(f'Added user {email} to Resend')
-                    stats['added_contacts'] += 1
-
-                    # Sleep to respect rate limit after first API call
-                    time.sleep(1 / RATE_LIMIT)
-
-                    # Send a welcome email to the newly added contact
-                    try:
-                        send_welcome_email(email, first_name, last_name)
-                        logger.info(f'Sent welcome email to {email}')
-                    except Exception:
-                        logger.exception(
-                            f'Failed to send welcome email to {email}, but contact was added to audience'
-                        )
-                        # Continue with the sync process even if sending the welcome email fails
-
-                    # Sleep to respect rate limit after second API call
-                    time.sleep(1 / RATE_LIMIT)
                 except Exception:
                     logger.exception(f'Error adding user {email} to Resend')
+                    synced_user_store.remove_synced_user(email, RESEND_AUDIENCE_ID)
                     stats['errors'] += 1
+                    continue
+
+                synced_emails.add(email)
+                stats['added_contacts'] += 1
+
+                # Sleep to respect rate limit after first API call
+                time.sleep(1 / RATE_LIMIT)
+
+                # Send a welcome email to the newly added contact
+                try:
+                    send_welcome_email(email, first_name, last_name)
+                    logger.info(f'Sent welcome email to {email}')
+                except Exception:
+                    logger.exception(
+                        f'Failed to send welcome email to {email}, but contact was added to audience'
+                    )
+
+                # Sleep to respect rate limit after second API call
+                time.sleep(1 / RATE_LIMIT)
 
             offset += BATCH_SIZE
 

enterprise/tests/unit/conftest.py

@@ -15,6 +15,7 @@ from storage.device_code import DeviceCode  # noqa: F401
 from storage.feedback import Feedback
 from storage.github_app_installation import GithubAppInstallation
 from storage.org import Org
+from storage.org_invitation import OrgInvitation  # noqa: F401
 from storage.org_member import OrgMember
 from storage.role import Role
 from storage.stored_conversation_metadata import StoredConversationMetadata
@@ -24,6 +25,7 @@ from storage.stored_conversation_metadata_saas import (
 from storage.stored_offline_token import StoredOfflineToken
 from storage.stripe_customer import StripeCustomer
 from storage.user import User
+from storage.verified_model import VerifiedModel  # noqa: F401
 
 
 @pytest.fixture

enterprise/tests/unit/server/routes/test_api_keys.py

@@ -6,6 +6,8 @@ import httpx
 import pytest
 from fastapi import HTTPException
 from server.routes.api_keys import (
+    ByorPermittedResponse,
+    LlmApiKeyResponse,
     check_byor_permitted,
     delete_byor_key_from_litellm,
     get_llm_api_key_for_byor,
@@ -203,7 +205,7 @@ class TestGetLlmApiKeyForByor:
         result = await get_llm_api_key_for_byor(user_id=user_id)
 
         # Assert
-        assert result == {'key': new_key}
+        assert result == LlmApiKeyResponse(key=new_key)
         mock_check_enabled.assert_called_once_with(user_id)
         mock_get_key.assert_called_once_with(user_id)
         mock_generate_key.assert_called_once_with(user_id)
@@ -228,7 +230,7 @@ class TestGetLlmApiKeyForByor:
         result = await get_llm_api_key_for_byor(user_id=user_id)
 
         # Assert
-        assert result == {'key': existing_key}
+        assert result == LlmApiKeyResponse(key=existing_key)
         mock_check_enabled.assert_called_once_with(user_id)
         mock_get_key.assert_called_once_with(user_id)
         mock_verify_key.assert_called_once_with(existing_key, user_id)
@@ -265,7 +267,7 @@ class TestGetLlmApiKeyForByor:
         result = await get_llm_api_key_for_byor(user_id=user_id)
 
         # Assert
-        assert result == {'key': new_key}
+        assert result == LlmApiKeyResponse(key=new_key)
         mock_check_enabled.assert_called_once_with(user_id)
         mock_get_key.assert_called_once_with(user_id)
         mock_verify_key.assert_called_once_with(invalid_key, user_id)
@@ -305,7 +307,7 @@ class TestGetLlmApiKeyForByor:
         result = await get_llm_api_key_for_byor(user_id=user_id)
 
         # Assert
-        assert result == {'key': new_key}
+        assert result == LlmApiKeyResponse(key=new_key)
         mock_check_enabled.assert_called_once_with(user_id)
         mock_delete_key.assert_called_once_with(user_id, invalid_key)
         mock_generate_key.assert_called_once_with(user_id)
@@ -478,7 +480,7 @@ class TestCheckByorPermitted:
         result = await check_byor_permitted(user_id=user_id)
 
         # Assert
-        assert result == {'permitted': True}
+        assert result == ByorPermittedResponse(permitted=True)
         mock_check_enabled.assert_called_once_with(user_id)
 
     @pytest.mark.asyncio
@@ -493,7 +495,7 @@ class TestCheckByorPermitted:
         result = await check_byor_permitted(user_id=user_id)
 
         # Assert
-        assert result == {'permitted': False}
+        assert result == ByorPermittedResponse(permitted=False)
         mock_check_enabled.assert_called_once_with(user_id)
 
     @pytest.mark.asyncio

enterprise/tests/unit/server/routes/test_email_routes.py

@@ -6,8 +6,10 @@ from fastapi.responses import JSONResponse, RedirectResponse
 from pydantic import SecretStr
 from server.auth.saas_user_auth import SaasUserAuth
 from server.routes.email import (
+    EmailUpdate,
     ResendEmailVerificationRequest,
     resend_email_verification,
+    update_email,
     verified_email,
     verify_email,
 )
@@ -116,12 +118,15 @@ async def test_verified_email_default_redirect(mock_request, mock_user_auth):
     """Test verified_email redirects to /settings/user by default."""
     # Arrange
     mock_request.query_params.get.return_value = None
+    mock_user_auth.user_id = 'test-user-id'
 
     # Act
     with (
         patch('server.routes.email.get_user_auth', return_value=mock_user_auth),
         patch('server.routes.email.set_response_cookie') as mock_set_cookie,
+        patch('server.routes.email.UserStore') as mock_user_store,
     ):
+        mock_user_store.update_user_email = AsyncMock()
         result = await verified_email(mock_request)
 
     # Assert
@@ -140,12 +145,15 @@ async def test_verified_email_https_scheme(mock_request, mock_user_auth):
     mock_request.url.hostname = 'example.com'
     mock_request.url.netloc = 'example.com'
     mock_request.query_params.get.return_value = None
+    mock_user_auth.user_id = 'test-user-id'
 
     # Act
     with (
         patch('server.routes.email.get_user_auth', return_value=mock_user_auth),
         patch('server.routes.email.set_response_cookie') as mock_set_cookie,
+        patch('server.routes.email.UserStore') as mock_user_store,
     ):
+        mock_user_store.update_user_email = AsyncMock()
         result = await verified_email(mock_request)
 
     # Assert
@@ -327,6 +335,62 @@ async def test_resend_email_verification_with_is_auth_flow_false(mock_request):
         assert '/api/email/verified' in call_args.kwargs['redirect_uri']
 
 
+@pytest.mark.asyncio
+async def test_update_email_calls_update_user_email(mock_request, mock_user_auth):
+    """POST /api/email should call UserStore.update_user_email with new email and email_verified=False."""
+    user_id = 'test-user-id'
+    new_email = 'new@example.com'
+    email_data = EmailUpdate(email=new_email)
+
+    mock_keycloak_admin = MagicMock()
+    mock_keycloak_admin.get_user.return_value = {
+        'enabled': True,
+        'username': 'testuser',
+    }
+    mock_keycloak_admin.a_update_user = AsyncMock()
+    mock_user_store = MagicMock()
+    mock_user_store.update_user_email = AsyncMock()
+
+    with (
+        patch(
+            'server.routes.email.get_keycloak_admin', return_value=mock_keycloak_admin
+        ),
+        patch('server.routes.email.get_user_auth', return_value=mock_user_auth),
+        patch('server.routes.email.set_response_cookie'),
+        patch('server.routes.email.verify_email', new_callable=AsyncMock),
+        patch('server.routes.email.UserStore', mock_user_store),
+    ):
+        result = await update_email(
+            email_data=email_data, request=mock_request, user_id=user_id
+        )
+
+    assert result.status_code == status.HTTP_200_OK
+    mock_user_store.update_user_email.assert_awaited_once_with(
+        user_id=user_id, email=new_email, email_verified=False
+    )
+
+
+@pytest.mark.asyncio
+async def test_verified_email_calls_update_user_email(mock_request, mock_user_auth):
+    """GET /api/email/verified should call UserStore.update_user_email with email_verified=True."""
+    mock_user_auth.user_id = 'test-user-id'
+
+    mock_user_store = MagicMock()
+    mock_user_store.update_user_email = AsyncMock()
+
+    with (
+        patch('server.routes.email.get_user_auth', return_value=mock_user_auth),
+        patch('server.routes.email.set_response_cookie'),
+        patch('server.routes.email.UserStore', mock_user_store),
+    ):
+        result = await verified_email(mock_request)
+
+    assert result.status_code == 302
+    mock_user_store.update_user_email.assert_awaited_once_with(
+        user_id='test-user-id', email_verified=True
+    )
+
+
 @pytest.mark.asyncio
 async def test_resend_email_verification_body_none_uses_auth(mock_request):
     """Test resend_email_verification uses auth when body is None."""

enterprise/tests/unit/server/routes/test_jira_dc_integration_routes.py

@@ -1220,3 +1220,60 @@ async def test_validate_workspace_update_permissions_no_current_link(mock_manage
 
     result = await _validate_workspace_update_permissions('user1', 'test-workspace')
     assert result == mock_workspace
+
+
+# Tests for OAuth URL encoding
+class TestJiraDcOAuthUrlEncoding:
+    """Tests to verify OAuth authorization URLs are properly URL-encoded."""
+
+    @pytest.mark.asyncio
+    @patch('server.routes.integration.jira_dc.get_user_auth')
+    @patch('server.routes.integration.jira_dc.redis_client')
+    @patch('server.routes.integration.jira_dc.JIRA_DC_ENABLE_OAUTH', True)
+    async def test_create_jira_dc_workspace_url_encoding(
+        self, mock_redis, mock_get_auth, mock_request, mock_user_auth
+    ):
+        """Test that create_jira_dc_workspace properly URL-encodes the authorization URL."""
+        mock_get_auth.return_value = mock_user_auth
+        mock_redis.setex.return_value = True
+        workspace_data = JiraDcWorkspaceCreate(
+            workspace_name='test-workspace',
+            webhook_secret='secret',
+            svc_acc_email='svc@test.com',
+            svc_acc_api_key='key',
+            is_active=True,
+        )
+
+        response = await create_jira_dc_workspace(mock_request, workspace_data)
+        content = json.loads(response.body)
+
+        auth_url = content['authorizationUrl']
+        # Verify no raw spaces in the URL (spaces should be encoded as + or %20)
+        assert ' ' not in auth_url
+        # Verify scope parameter contains encoded scopes (+ is valid URL encoding for space)
+        assert 'scope=read%3Ame+read%3Ajira-user+read%3Ajira-work' in auth_url
+        # Verify redirect_uri is properly encoded
+        assert 'redirect_uri=https%3A%2F%2F' in auth_url
+
+    @pytest.mark.asyncio
+    @patch('server.routes.integration.jira_dc.get_user_auth')
+    @patch('server.routes.integration.jira_dc.redis_client')
+    @patch('server.routes.integration.jira_dc.JIRA_DC_ENABLE_OAUTH', True)
+    async def test_create_workspace_link_url_encoding(
+        self, mock_redis, mock_get_auth, mock_request, mock_user_auth
+    ):
+        """Test that create_workspace_link properly URL-encodes the authorization URL."""
+        mock_get_auth.return_value = mock_user_auth
+        mock_redis.setex.return_value = True
+        link_data = JiraDcLinkCreate(workspace_name='test-workspace')
+
+        response = await create_workspace_link(mock_request, link_data)
+        content = json.loads(response.body)
+
+        auth_url = content['authorizationUrl']
+        # Verify no raw spaces in the URL (spaces should be encoded as + or %20)
+        assert ' ' not in auth_url
+        # Verify scope parameter contains encoded scopes (+ is valid URL encoding for space)
+        assert 'scope=read%3Ame+read%3Ajira-user+read%3Ajira-work' in auth_url
+        # Verify redirect_uri is properly encoded
+        assert 'redirect_uri=https%3A%2F%2F' in auth_url

enterprise/tests/unit/server/routes/test_jira_integration_routes.py

@@ -1323,3 +1323,58 @@ async def test_validate_workspace_update_permissions_no_current_link(mock_manage
 
     result = await _validate_workspace_update_permissions('user1', 'test-workspace')
     assert result == mock_workspace
+
+
+# Tests for OAuth URL encoding
+class TestJiraOAuthUrlEncoding:
+    """Tests to verify OAuth authorization URLs are properly URL-encoded."""
+
+    @pytest.mark.asyncio
+    @patch('server.routes.integration.jira.get_user_auth')
+    @patch('server.routes.integration.jira.redis_client')
+    async def test_create_jira_workspace_url_encoding(
+        self, mock_redis, mock_get_auth, mock_request, mock_user_auth
+    ):
+        """Test that create_jira_workspace properly URL-encodes the authorization URL."""
+        mock_get_auth.return_value = mock_user_auth
+        mock_redis.setex.return_value = True
+        workspace_data = JiraWorkspaceCreate(
+            workspace_name='test-workspace',
+            webhook_secret='secret',
+            svc_acc_email='svc@test.com',
+            svc_acc_api_key='key',
+            is_active=True,
+        )
+
+        response = await create_jira_workspace(mock_request, workspace_data)
+        content = json.loads(response.body)
+
+        auth_url = content['authorizationUrl']
+        # Verify no raw spaces in the URL (spaces should be encoded as + or %20)
+        assert ' ' not in auth_url
+        # Verify scope parameter contains encoded scopes (+ is valid URL encoding for space)
+        assert 'scope=read%3Ame+read%3Ajira-user+read%3Ajira-work' in auth_url
+        # Verify redirect_uri is properly encoded
+        assert 'redirect_uri=https%3A%2F%2F' in auth_url
+
+    @pytest.mark.asyncio
+    @patch('server.routes.integration.jira.get_user_auth')
+    @patch('server.routes.integration.jira.redis_client')
+    async def test_create_workspace_link_url_encoding(
+        self, mock_redis, mock_get_auth, mock_request, mock_user_auth
+    ):
+        """Test that create_workspace_link properly URL-encodes the authorization URL."""
+        mock_get_auth.return_value = mock_user_auth
+        mock_redis.setex.return_value = True
+        link_data = JiraLinkCreate(workspace_name='test-workspace')
+
+        response = await create_workspace_link(mock_request, link_data)
+        content = json.loads(response.body)
+
+        auth_url = content['authorizationUrl']
+        # Verify no raw spaces in the URL (spaces should be encoded as + or %20)
+        assert ' ' not in auth_url
+        # Verify scope parameter contains encoded scopes (+ is valid URL encoding for space)
+        assert 'scope=read%3Ame+read%3Ajira-user+read%3Ajira-work' in auth_url
+        # Verify redirect_uri is properly encoded
+        assert 'redirect_uri=https%3A%2F%2F' in auth_url

enterprise/tests/unit/server/routes/test_user_app_settings.py

@@ -0,0 +1,207 @@
+"""
+Unit tests for user app settings API routes.
+
+Tests the GET and POST /api/users/app endpoints.
+"""
+
+import uuid
+from unittest.mock import AsyncMock, patch
+
+import pytest
+from fastapi import FastAPI, status
+from fastapi.testclient import TestClient
+from server.routes.user_app_settings import user_app_settings_router
+from server.routes.user_app_settings_models import (
+    UserAppSettingsResponse,
+    UserNotFoundError,
+)
+
+from openhands.server.user_auth import get_user_id
+
+TEST_USER_ID = str(uuid.uuid4())
+
+
+@pytest.fixture
+def mock_app():
+    """Create a test FastAPI app with user app settings routes and mocked auth."""
+    app = FastAPI()
+    app.include_router(user_app_settings_router)
+
+    def mock_get_user_id():
+        return TEST_USER_ID
+
+    app.dependency_overrides[get_user_id] = mock_get_user_id
+
+    return app
+
+
+@pytest.fixture
+def mock_app_unauthenticated():
+    """Create a test FastAPI app with no authenticated user."""
+    app = FastAPI()
+    app.include_router(user_app_settings_router)
+
+    def mock_get_user_id():
+        return None
+
+    app.dependency_overrides[get_user_id] = mock_get_user_id
+
+    return app
+
+
+@pytest.fixture
+def mock_settings_response():
+    """Create a mock user app settings response."""
+    return UserAppSettingsResponse(
+        language='en',
+        user_consents_to_analytics=True,
+        enable_sound_notifications=False,
+        git_user_name='testuser',
+        git_user_email='test@example.com',
+    )
+
+
+@pytest.mark.asyncio
+async def test_get_user_app_settings_success(mock_app, mock_settings_response):
+    """
+    GIVEN: An authenticated user with app settings
+    WHEN: GET /api/users/app is called
+    THEN: User's app settings are returned with 200 status
+    """
+    # Arrange
+    with patch(
+        'server.routes.user_app_settings.UserAppSettingsService.get_user_app_settings',
+        AsyncMock(return_value=mock_settings_response),
+    ):
+        client = TestClient(mock_app)
+
+        # Act
+        response = client.get('/api/users/app')
+
+        # Assert
+        assert response.status_code == status.HTTP_200_OK
+        data = response.json()
+        assert data['language'] == 'en'
+        assert data['user_consents_to_analytics'] is True
+        assert data['enable_sound_notifications'] is False
+        assert data['git_user_name'] == 'testuser'
+        assert data['git_user_email'] == 'test@example.com'
+
+
+@pytest.mark.asyncio
+async def test_get_user_app_settings_not_authenticated(mock_app_unauthenticated):
+    """
+    GIVEN: An unauthenticated request
+    WHEN: GET /api/users/app is called
+    THEN: 401 Unauthorized is returned
+    """
+    # Arrange
+    client = TestClient(mock_app_unauthenticated)
+
+    # Act
+    response = client.get('/api/users/app')
+
+    # Assert
+    assert response.status_code == status.HTTP_401_UNAUTHORIZED
+    assert 'not authenticated' in response.json()['detail'].lower()
+
+
+@pytest.mark.asyncio
+async def test_get_user_app_settings_user_not_found(mock_app):
+    """
+    GIVEN: An authenticated user that doesn't exist in the database
+    WHEN: GET /api/users/app is called
+    THEN: 404 Not Found is returned
+    """
+    # Arrange
+    with patch(
+        'server.routes.user_app_settings.UserAppSettingsService.get_user_app_settings',
+        AsyncMock(side_effect=UserNotFoundError(TEST_USER_ID)),
+    ):
+        client = TestClient(mock_app)
+
+        # Act
+        response = client.get('/api/users/app')
+
+        # Assert
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+        assert 'not found' in response.json()['detail'].lower()
+
+
+@pytest.mark.asyncio
+async def test_update_user_app_settings_success(mock_app):
+    """
+    GIVEN: An authenticated user
+    WHEN: POST /api/users/app is called with update data
+    THEN: Updated settings are returned with 200 status
+    """
+    # Arrange
+    updated_response = UserAppSettingsResponse(
+        language='es',
+        user_consents_to_analytics=False,
+        enable_sound_notifications=True,
+        git_user_name='newuser',
+        git_user_email='new@example.com',
+    )
+    request_data = {
+        'language': 'es',
+        'user_consents_to_analytics': False,
+    }
+
+    with patch(
+        'server.routes.user_app_settings.UserAppSettingsService.update_user_app_settings',
+        AsyncMock(return_value=updated_response),
+    ):
+        client = TestClient(mock_app)
+
+        # Act
+        response = client.post('/api/users/app', json=request_data)
+
+        # Assert
+        assert response.status_code == status.HTTP_200_OK
+        data = response.json()
+        assert data['language'] == 'es'
+        assert data['user_consents_to_analytics'] is False
+
+
+@pytest.mark.asyncio
+async def test_update_user_app_settings_not_authenticated(mock_app_unauthenticated):
+    """
+    GIVEN: An unauthenticated request
+    WHEN: POST /api/users/app is called
+    THEN: 401 Unauthorized is returned
+    """
+    # Arrange
+    request_data = {'language': 'en'}
+    client = TestClient(mock_app_unauthenticated)
+
+    # Act
+    response = client.post('/api/users/app', json=request_data)
+
+    # Assert
+    assert response.status_code == status.HTTP_401_UNAUTHORIZED
+    assert 'not authenticated' in response.json()['detail'].lower()
+
+
+@pytest.mark.asyncio
+async def test_update_user_app_settings_user_not_found(mock_app):
+    """
+    GIVEN: An authenticated user that doesn't exist in the database
+    WHEN: POST /api/users/app is called
+    THEN: 404 Not Found is returned
+    """
+    # Arrange
+    request_data = {'language': 'en'}
+
+    with patch(
+        'server.routes.user_app_settings.UserAppSettingsService.update_user_app_settings',
+        AsyncMock(side_effect=UserNotFoundError(TEST_USER_ID)),
+    ):
+        client = TestClient(mock_app)
+
+        # Act
+        response = client.post('/api/users/app', json=request_data)
+
+        # Assert
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+        assert 'not found' in response.json()['detail'].lower()

enterprise/tests/unit/server/services/test_org_member_service.py

@@ -7,7 +7,6 @@ import pytest
 from pydantic import SecretStr
 from server.routes.org_models import (
     CannotModifySelfError,
-    InsufficientPermissionError,
     InvalidRoleError,
     LastOwnerError,
     MeResponse,
@@ -175,11 +174,12 @@ class TestOrgMemberServiceGetOrgMembers:
             assert data is not None
             assert isinstance(data, OrgMemberPage)
             assert len(data.items) == 1
-            assert data.next_page_id is None
+            assert data.current_page == 1
+            assert data.per_page == 100
             assert data.items[0].user_id == str(current_user_id)
             assert data.items[0].email == 'test@example.com'
             assert data.items[0].role_id == 1
-            assert data.items[0].role_name == 'owner'
+            assert data.items[0].role == 'owner'
             assert data.items[0].role_rank == 10
             assert data.items[0].status == 'active'
 
@@ -282,9 +282,9 @@ class TestOrgMemberServiceGetOrgMembers:
             # Assert
             assert success is True
             assert data is not None
-            assert data.next_page_id is None
+            assert data.current_page == 1
             mock_get_paginated.assert_called_once_with(
-                org_id=org_id, offset=0, limit=100
+                org_id=org_id, offset=0, limit=100, email_filter=None
             )
 
     @pytest.mark.asyncio
@@ -316,9 +316,9 @@ class TestOrgMemberServiceGetOrgMembers:
             # Assert
             assert success is True
             assert data is not None
-            assert data.next_page_id == '150'  # offset (100) + limit (50)
+            assert data.current_page == 3  # offset (100) / limit (50) + 1
             mock_get_paginated.assert_called_once_with(
-                org_id=org_id, offset=100, limit=50
+                org_id=org_id, offset=100, limit=50, email_filter=None
             )
 
     @pytest.mark.asyncio
@@ -350,7 +350,7 @@ class TestOrgMemberServiceGetOrgMembers:
             # Assert
             assert success is True
             assert data is not None
-            assert data.next_page_id is None
+            assert data.current_page == 3
 
     @pytest.mark.asyncio
     async def test_empty_organization_no_members(
@@ -382,7 +382,6 @@ class TestOrgMemberServiceGetOrgMembers:
             assert success is True
             assert data is not None
             assert len(data.items) == 0
-            assert data.next_page_id is None
 
     @pytest.mark.asyncio
     async def test_missing_user_relationship_handles_gracefully(
@@ -462,7 +461,7 @@ class TestOrgMemberServiceGetOrgMembers:
             assert success is True
             assert data is not None
             assert len(data.items) == 1
-            assert data.items[0].role_name == ''
+            assert data.items[0].role == ''
             assert data.items[0].role_rank == 0
 
     @pytest.mark.asyncio
@@ -512,6 +511,156 @@ class TestOrgMemberServiceGetOrgMembers:
             assert data is not None
             assert len(data.items) == 2
 
+    @pytest.mark.asyncio
+    async def test_email_filter_passed_to_store(
+        self, org_id, current_user_id, mock_org_member, requester_membership_owner
+    ):
+        """Test that email filter is passed to store methods."""
+        # Arrange
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_members_paginated',
+                new_callable=AsyncMock,
+            ) as mock_get_paginated,
+        ):
+            mock_get_member.return_value = requester_membership_owner
+            mock_get_paginated.return_value = ([mock_org_member], False)
+
+            # Act
+            await OrgMemberService.get_org_members(
+                org_id=org_id,
+                current_user_id=current_user_id,
+                page_id=None,
+                limit=10,
+                email_filter='alice',
+            )
+
+            # Assert
+            mock_get_paginated.assert_called_once_with(
+                org_id=org_id, offset=0, limit=10, email_filter='alice'
+            )
+
+    @pytest.mark.asyncio
+    async def test_pagination_metadata_correct_for_page_2(
+        self, org_id, current_user_id, mock_org_member, requester_membership_owner
+    ):
+        """Test pagination metadata is correct for page 2."""
+        # Arrange
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_members_paginated',
+                new_callable=AsyncMock,
+            ) as mock_get_paginated,
+        ):
+            mock_get_member.return_value = requester_membership_owner
+            mock_get_paginated.return_value = ([mock_org_member], True)
+
+            # Act - Request page 2 (offset 10) with limit 10
+            success, error_code, data = await OrgMemberService.get_org_members(
+                org_id=org_id,
+                current_user_id=current_user_id,
+                page_id='10',
+                limit=10,
+            )
+
+            # Assert
+            assert success is True
+            assert data is not None
+            assert data.current_page == 2
+            assert data.per_page == 10
+
+
+class TestOrgMemberServiceGetOrgMembersCount:
+    """Test cases for OrgMemberService.get_org_members_count."""
+
+    @pytest.fixture
+    def requester_membership(self, org_id, current_user_id):
+        """Create a mock requester membership."""
+        membership = MagicMock(spec=OrgMember)
+        membership.org_id = org_id
+        membership.user_id = current_user_id
+        membership.role_id = 1
+        return membership
+
+    @pytest.mark.asyncio
+    async def test_count_succeeds_returns_count(
+        self, org_id, current_user_id, requester_membership
+    ):
+        """Test that successful count returns the member count."""
+        # Arrange
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_members_count',
+                new_callable=AsyncMock,
+            ) as mock_get_count,
+        ):
+            mock_get_member.return_value = requester_membership
+            mock_get_count.return_value = 42
+
+            # Act
+            count = await OrgMemberService.get_org_members_count(
+                org_id=org_id,
+                current_user_id=current_user_id,
+            )
+
+            # Assert
+            assert count == 42
+            mock_get_count.assert_called_once_with(org_id=org_id, email_filter=None)
+
+    @pytest.mark.asyncio
+    async def test_count_with_email_filter(
+        self, org_id, current_user_id, requester_membership
+    ):
+        """Test that email filter is passed to store method."""
+        # Arrange
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_members_count',
+                new_callable=AsyncMock,
+            ) as mock_get_count,
+        ):
+            mock_get_member.return_value = requester_membership
+            mock_get_count.return_value = 5
+
+            # Act
+            count = await OrgMemberService.get_org_members_count(
+                org_id=org_id,
+                current_user_id=current_user_id,
+                email_filter='alice',
+            )
+
+            # Assert
+            assert count == 5
+            mock_get_count.assert_called_once_with(org_id=org_id, email_filter='alice')
+
+    @pytest.mark.asyncio
+    async def test_not_a_member_raises_error(self, org_id, current_user_id):
+        """Test that non-member raises OrgMemberNotFoundError."""
+        # Arrange
+        with patch(
+            'server.services.org_member_service.OrgMemberStore.get_org_member'
+        ) as mock_get_member:
+            mock_get_member.return_value = None
+
+            # Act & Assert
+            with pytest.raises(OrgMemberNotFoundError):
+                await OrgMemberService.get_org_members_count(
+                    org_id=org_id,
+                    current_user_id=current_user_id,
+                )
+
 
 @pytest.fixture
 def target_membership_owner(org_id, target_user_id, owner_role):
@@ -549,6 +698,9 @@ class TestOrgMemberServiceRemoveOrgMember:
             patch(
                 'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
             ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
         ):
             mock_get_member.side_effect = [
                 requester_membership_owner,
@@ -556,6 +708,7 @@ class TestOrgMemberServiceRemoveOrgMember:
             ]
             mock_get_role.side_effect = [owner_role, member_role]
             mock_remove.return_value = True
+            mock_get_user.return_value = None
 
             # Act
             success, error = await OrgMemberService.remove_org_member(
@@ -590,6 +743,9 @@ class TestOrgMemberServiceRemoveOrgMember:
             patch(
                 'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
             ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
         ):
             mock_get_member.side_effect = [
                 requester_membership_owner,
@@ -597,6 +753,7 @@ class TestOrgMemberServiceRemoveOrgMember:
             ]
             mock_get_role.side_effect = [owner_role, admin_role]
             mock_remove.return_value = True
+            mock_get_user.return_value = None
 
             # Act
             success, error = await OrgMemberService.remove_org_member(
@@ -630,6 +787,9 @@ class TestOrgMemberServiceRemoveOrgMember:
             patch(
                 'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
             ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
         ):
             mock_get_member.side_effect = [
                 requester_membership_admin,
@@ -637,6 +797,7 @@ class TestOrgMemberServiceRemoveOrgMember:
             ]
             mock_get_role.side_effect = [admin_role, member_role]
             mock_remove.return_value = True
+            mock_get_user.return_value = None
 
             # Act
             success, error = await OrgMemberService.remove_org_member(
@@ -748,7 +909,7 @@ class TestOrgMemberServiceRemoveOrgMember:
             assert error == 'role_not_found'
 
     @pytest.mark.asyncio
-    async def test_admin_cannot_remove_admin_returns_error(
+    async def test_admin_can_remove_admin_succeeds(
         self,
         org_id,
         current_user_id,
@@ -757,7 +918,7 @@ class TestOrgMemberServiceRemoveOrgMember:
         target_membership_admin,
         admin_role,
     ):
-        """Test that an admin cannot remove another admin."""
+        """Test that an admin can remove another admin."""
         # Arrange
         with (
             patch(
@@ -766,12 +927,24 @@ class TestOrgMemberServiceRemoveOrgMember:
             patch(
                 'server.services.org_member_service.RoleStore.get_role_by_id'
             ) as mock_get_role,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
+            ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
+            patch(
+                'server.services.org_member_service.LiteLlmManager.remove_user_from_team'
+            ) as mock_remove_litellm,
         ):
             mock_get_member.side_effect = [
                 requester_membership_admin,
                 target_membership_admin,
             ]
             mock_get_role.side_effect = [admin_role, admin_role]
+            mock_remove.return_value = True
+            mock_get_user.return_value = None
+            mock_remove_litellm.return_value = None
 
             # Act
             success, error = await OrgMemberService.remove_org_member(
@@ -779,8 +952,8 @@ class TestOrgMemberServiceRemoveOrgMember:
             )
 
             # Assert
-            assert success is False
-            assert error == 'insufficient_permission'
+            assert success is True
+            assert error is None
 
     @pytest.mark.asyncio
     async def test_admin_cannot_remove_owner_returns_error(
@@ -927,6 +1100,9 @@ class TestOrgMemberServiceRemoveOrgMember:
             patch(
                 'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
             ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
         ):
             mock_get_member.side_effect = [
                 requester_membership_owner,
@@ -940,6 +1116,7 @@ class TestOrgMemberServiceRemoveOrgMember:
                 another_owner,
             ]
             mock_remove.return_value = True
+            mock_get_user.return_value = None
 
             # Act
             success, error = await OrgMemberService.remove_org_member(
@@ -990,6 +1167,302 @@ class TestOrgMemberServiceRemoveOrgMember:
             assert success is False
             assert error == 'removal_failed'
 
+    @pytest.mark.asyncio
+    async def test_remove_member_updates_current_org_id_when_matching(
+        self,
+        org_id,
+        current_user_id,
+        target_user_id,
+        requester_membership_owner,
+        target_membership_user,
+        owner_role,
+        member_role,
+    ):
+        """Test that current_org_id is updated to personal workspace when it matches removed org."""
+        # Arrange
+        mock_user = MagicMock(spec=User)
+        mock_user.current_org_id = (
+            org_id  # User's current org matches the org being removed
+        )
+
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.RoleStore.get_role_by_id'
+            ) as mock_get_role,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
+            ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
+            patch(
+                'server.services.org_member_service.UserStore.update_current_org'
+            ) as mock_update_org,
+        ):
+            mock_get_member.side_effect = [
+                requester_membership_owner,
+                target_membership_user,
+            ]
+            mock_get_role.side_effect = [owner_role, member_role]
+            mock_remove.return_value = True
+            mock_get_user.return_value = mock_user
+
+            # Act
+            success, error = await OrgMemberService.remove_org_member(
+                org_id, target_user_id, current_user_id
+            )
+
+            # Assert
+            assert success is True
+            assert error is None
+            mock_update_org.assert_called_once_with(str(target_user_id), target_user_id)
+
+    @pytest.mark.asyncio
+    async def test_remove_member_does_not_update_current_org_id_when_not_matching(
+        self,
+        org_id,
+        current_user_id,
+        target_user_id,
+        requester_membership_owner,
+        target_membership_user,
+        owner_role,
+        member_role,
+    ):
+        """Test that current_org_id is NOT updated when it differs from removed org."""
+        # Arrange
+        different_org_id = uuid.uuid4()
+        mock_user = MagicMock(spec=User)
+        mock_user.current_org_id = different_org_id  # User's current org is different
+
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.RoleStore.get_role_by_id'
+            ) as mock_get_role,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
+            ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
+            patch(
+                'server.services.org_member_service.UserStore.update_current_org'
+            ) as mock_update_org,
+        ):
+            mock_get_member.side_effect = [
+                requester_membership_owner,
+                target_membership_user,
+            ]
+            mock_get_role.side_effect = [owner_role, member_role]
+            mock_remove.return_value = True
+            mock_get_user.return_value = mock_user
+
+            # Act
+            success, error = await OrgMemberService.remove_org_member(
+                org_id, target_user_id, current_user_id
+            )
+
+            # Assert
+            assert success is True
+            assert error is None
+            mock_update_org.assert_not_called()
+
+    @pytest.mark.asyncio
+    async def test_remove_member_succeeds_when_user_not_found_after_removal(
+        self,
+        org_id,
+        current_user_id,
+        target_user_id,
+        requester_membership_owner,
+        target_membership_user,
+        owner_role,
+        member_role,
+    ):
+        """Test that removal succeeds even if user lookup returns None after removal."""
+        # Arrange
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.RoleStore.get_role_by_id'
+            ) as mock_get_role,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
+            ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
+            patch(
+                'server.services.org_member_service.UserStore.update_current_org'
+            ) as mock_update_org,
+        ):
+            mock_get_member.side_effect = [
+                requester_membership_owner,
+                target_membership_user,
+            ]
+            mock_get_role.side_effect = [owner_role, member_role]
+            mock_remove.return_value = True
+            mock_get_user.return_value = None  # User not found
+
+            # Act
+            success, error = await OrgMemberService.remove_org_member(
+                org_id, target_user_id, current_user_id
+            )
+
+            # Assert
+            assert success is True
+            assert error is None
+            mock_update_org.assert_not_called()
+
+    @pytest.mark.asyncio
+    async def test_successful_removal_calls_litellm_remove_user_from_team(
+        self,
+        org_id,
+        current_user_id,
+        target_user_id,
+        requester_membership_owner,
+        target_membership_user,
+        owner_role,
+        member_role,
+    ):
+        """Test that LiteLLM remove_user_from_team is called after successful database removal."""
+        # Arrange
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.RoleStore.get_role_by_id'
+            ) as mock_get_role,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
+            ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
+            patch(
+                'server.services.org_member_service.LiteLlmManager.remove_user_from_team',
+                new_callable=AsyncMock,
+            ) as mock_litellm_remove,
+        ):
+            mock_get_member.side_effect = [
+                requester_membership_owner,
+                target_membership_user,
+            ]
+            mock_get_role.side_effect = [owner_role, member_role]
+            mock_remove.return_value = True
+            mock_get_user.return_value = None
+
+            # Act
+            success, error = await OrgMemberService.remove_org_member(
+                org_id, target_user_id, current_user_id
+            )
+
+            # Assert
+            assert success is True
+            mock_litellm_remove.assert_called_once_with(
+                str(target_user_id), str(org_id)
+            )
+
+    @pytest.mark.asyncio
+    async def test_litellm_failure_does_not_fail_removal(
+        self,
+        org_id,
+        current_user_id,
+        target_user_id,
+        requester_membership_owner,
+        target_membership_user,
+        owner_role,
+        member_role,
+    ):
+        """Test that LiteLLM failure doesn't fail the overall removal operation."""
+        # Arrange
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.RoleStore.get_role_by_id'
+            ) as mock_get_role,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
+            ) as mock_remove,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
+            patch(
+                'server.services.org_member_service.LiteLlmManager.remove_user_from_team',
+                new_callable=AsyncMock,
+            ) as mock_litellm_remove,
+        ):
+            mock_get_member.side_effect = [
+                requester_membership_owner,
+                target_membership_user,
+            ]
+            mock_get_role.side_effect = [owner_role, member_role]
+            mock_remove.return_value = True
+            mock_get_user.return_value = None
+            mock_litellm_remove.side_effect = Exception('LiteLLM API error')
+
+            # Act
+            success, error = await OrgMemberService.remove_org_member(
+                org_id, target_user_id, current_user_id
+            )
+
+            # Assert
+            assert success is True
+            assert error is None
+
+    @pytest.mark.asyncio
+    async def test_database_failure_skips_litellm_call(
+        self,
+        org_id,
+        current_user_id,
+        target_user_id,
+        requester_membership_owner,
+        target_membership_user,
+        owner_role,
+        member_role,
+    ):
+        """Test that LiteLLM is not called when database removal fails."""
+        # Arrange
+        with (
+            patch(
+                'server.services.org_member_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_member_service.RoleStore.get_role_by_id'
+            ) as mock_get_role,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.remove_user_from_org'
+            ) as mock_remove,
+            patch(
+                'server.services.org_member_service.LiteLlmManager.remove_user_from_team',
+                new_callable=AsyncMock,
+            ) as mock_litellm_remove,
+        ):
+            mock_get_member.side_effect = [
+                requester_membership_owner,
+                target_membership_user,
+            ]
+            mock_get_role.side_effect = [owner_role, member_role]
+            mock_remove.return_value = False
+
+            # Act
+            success, error = await OrgMemberService.remove_org_member(
+                org_id, target_user_id, current_user_id
+            )
+
+            # Assert
+            assert success is False
+            mock_litellm_remove.assert_not_called()
+
 
 class TestOrgMemberServiceCanRemoveMember:
     """Test cases for OrgMemberService._can_remove_member."""
@@ -1018,13 +1491,13 @@ class TestOrgMemberServiceCanRemoveMember:
         # Assert
         assert result is True
 
-    def test_admin_cannot_remove_admin(self):
-        """Test that admin cannot remove another admin."""
+    def test_admin_can_remove_admin(self):
+        """Test that admin can remove another admin."""
         # Act
         result = OrgMemberService._can_remove_member('admin', 'admin')
 
         # Assert
-        assert result is False
+        assert result is True
 
     def test_admin_cannot_remove_owner(self):
         """Test that admin cannot remove owner."""
@@ -1099,7 +1572,7 @@ class TestOrgMemberServiceUpdateOrgMember:
 
             # Assert
             assert isinstance(data, OrgMemberResponse)
-            assert data.role_name == 'admin'
+            assert data.role == 'admin'
             assert data.role_rank == 20
             mock_update.assert_called_once_with(org_id, target_user_id, admin_role.id)
 
@@ -1158,7 +1631,7 @@ class TestOrgMemberServiceUpdateOrgMember:
             mock_update.assert_called_once_with(org_id, target_user_id, admin_role.id)
 
     @pytest.mark.asyncio
-    async def test_admin_cannot_update_admin_raises_insufficient_permission(
+    async def test_admin_can_update_admin_to_member_succeeds(
         self,
         org_id,
         current_user_id,
@@ -1168,8 +1641,14 @@ class TestOrgMemberServiceUpdateOrgMember:
         admin_role,
         member_role,
     ):
-        """GIVEN admin and target admin WHEN admin tries to change target role THEN raises InsufficientPermissionError."""
+        """GIVEN admin and target admin WHEN admin changes target role to member THEN update succeeds."""
         # Arrange
+        updated_member = MagicMock(spec=OrgMember)
+        updated_member.user_id = target_user_id
+        updated_member.role_id = member_role.id
+        updated_member.status = 'active'
+        mock_user = MagicMock()
+        mock_user.email = 'target@example.com'
         with (
             patch(
                 'server.services.org_member_service.OrgMemberStore.get_org_member'
@@ -1180,6 +1659,12 @@ class TestOrgMemberServiceUpdateOrgMember:
             patch(
                 'server.services.org_member_service.RoleStore.get_role_by_name'
             ) as mock_get_role_by_name,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.update_user_role_in_org'
+            ) as mock_update,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
         ):
             mock_get_member.side_effect = [
                 requester_membership_admin,
@@ -1187,18 +1672,24 @@ class TestOrgMemberServiceUpdateOrgMember:
             ]
             mock_get_role.side_effect = [admin_role, admin_role]
             mock_get_role_by_name.return_value = member_role
+            mock_update.return_value = updated_member
+            mock_get_user.return_value = mock_user
 
-            # Act & Assert
-            with pytest.raises(InsufficientPermissionError):
-                await OrgMemberService.update_org_member(
-                    org_id,
-                    target_user_id,
-                    current_user_id,
-                    OrgMemberUpdate(role='member'),
-                )
+            # Act
+            data = await OrgMemberService.update_org_member(
+                org_id,
+                target_user_id,
+                current_user_id,
+                OrgMemberUpdate(role='member'),
+            )
+
+            # Assert
+            assert isinstance(data, OrgMemberResponse)
+            assert data.role == 'member'
+            mock_update.assert_called_once_with(org_id, target_user_id, member_role.id)
 
     @pytest.mark.asyncio
-    async def test_owner_cannot_update_owner_raises_insufficient_permission(
+    async def test_owner_can_update_owner_to_admin_succeeds(
         self,
         org_id,
         current_user_id,
@@ -1208,8 +1699,14 @@ class TestOrgMemberServiceUpdateOrgMember:
         owner_role,
         admin_role,
     ):
-        """GIVEN owner and target owner WHEN owner tries to change target role THEN raises InsufficientPermissionError."""
+        """GIVEN owner and target owner WHEN owner changes target role to admin THEN update succeeds."""
         # Arrange
+        updated_member = MagicMock(spec=OrgMember)
+        updated_member.user_id = target_user_id
+        updated_member.role_id = admin_role.id
+        updated_member.status = 'active'
+        mock_user = MagicMock()
+        mock_user.email = 'target@example.com'
         with (
             patch(
                 'server.services.org_member_service.OrgMemberStore.get_org_member'
@@ -1220,6 +1717,13 @@ class TestOrgMemberServiceUpdateOrgMember:
             patch(
                 'server.services.org_member_service.RoleStore.get_role_by_name'
             ) as mock_get_role_by_name,
+            patch(
+                'server.services.org_member_service.OrgMemberStore.update_user_role_in_org'
+            ) as mock_update,
+            patch(
+                'server.services.org_member_service.UserStore.get_user_by_id'
+            ) as mock_get_user,
+            patch.object(OrgMemberService, '_is_last_owner', return_value=False),
         ):
             mock_get_member.side_effect = [
                 requester_membership_owner,
@@ -1227,15 +1731,21 @@ class TestOrgMemberServiceUpdateOrgMember:
             ]
             mock_get_role.side_effect = [owner_role, owner_role]
             mock_get_role_by_name.return_value = admin_role
+            mock_update.return_value = updated_member
+            mock_get_user.return_value = mock_user
 
-            # Act & Assert
-            with pytest.raises(InsufficientPermissionError):
-                await OrgMemberService.update_org_member(
-                    org_id,
-                    target_user_id,
-                    current_user_id,
-                    OrgMemberUpdate(role='admin'),
-                )
+            # Act
+            data = await OrgMemberService.update_org_member(
+                org_id,
+                target_user_id,
+                current_user_id,
+                OrgMemberUpdate(role='admin'),
+            )
+
+            # Assert
+            assert isinstance(data, OrgMemberResponse)
+            assert data.role == 'admin'
+            mock_update.assert_called_once_with(org_id, target_user_id, admin_role.id)
 
     @pytest.mark.asyncio
     async def test_requester_not_a_member_raises_error(
@@ -1431,7 +1941,7 @@ class TestOrgMemberServiceUpdateOrgMember:
 
             # Assert
             assert data is not None
-            assert data.role_name == 'member'
+            assert data.role == 'member'
             assert data.role_rank == 1000
 
 
@@ -1450,10 +1960,10 @@ class TestOrgMemberServiceCanUpdateMemberRole:
             OrgMemberService._can_update_member_role('owner', 'member', 'owner') is True
         )
 
-    def test_owner_cannot_modify_owner(self):
-        """Owner cannot change another owner's role."""
+    def test_owner_can_modify_owner(self):
+        """Owner can change another owner's role."""
         assert (
-            OrgMemberService._can_update_member_role('owner', 'owner', 'admin') is False
+            OrgMemberService._can_update_member_role('owner', 'owner', 'admin') is True
         )
 
     def test_admin_can_set_admin_or_member_for_member(self):
@@ -1466,12 +1976,14 @@ class TestOrgMemberServiceCanUpdateMemberRole:
             is True
         )
 
-    def test_admin_cannot_modify_admin_or_owner(self):
-        """Admin cannot modify admin or owner targets."""
+    def test_admin_can_modify_admin(self):
+        """Admin can modify another admin's role to member."""
         assert (
-            OrgMemberService._can_update_member_role('admin', 'admin', 'member')
-            is False
+            OrgMemberService._can_update_member_role('admin', 'admin', 'member') is True
         )
+
+    def test_admin_cannot_modify_owner(self):
+        """Admin cannot modify owner targets."""
         assert (
             OrgMemberService._can_update_member_role('admin', 'owner', 'admin') is False
         )

enterprise/tests/unit/server/services/test_user_app_settings_service.py

@@ -0,0 +1,176 @@
+"""
+Unit tests for UserAppSettingsService.
+
+Tests the service layer for user app settings operations.
+"""
+
+import uuid
+from unittest.mock import AsyncMock, MagicMock
+
+import pytest
+from server.routes.user_app_settings_models import (
+    UserAppSettingsResponse,
+    UserAppSettingsUpdate,
+    UserNotFoundError,
+)
+from server.services.user_app_settings_service import UserAppSettingsService
+from storage.user import User
+
+
+@pytest.fixture
+def user_id():
+    """Create a test user ID."""
+    return str(uuid.uuid4())
+
+
+@pytest.fixture
+def mock_user(user_id):
+    """Create a mock user with app settings."""
+    user = MagicMock(spec=User)
+    user.id = uuid.UUID(user_id)
+    user.language = 'en'
+    user.user_consents_to_analytics = True
+    user.enable_sound_notifications = False
+    user.git_user_name = 'testuser'
+    user.git_user_email = 'test@example.com'
+    return user
+
+
+@pytest.fixture
+def mock_store():
+    """Create a mock UserAppSettingsStore."""
+    return MagicMock()
+
+
+@pytest.fixture
+def mock_user_context(user_id):
+    """Create a mock UserContext that returns the user_id."""
+    context = MagicMock()
+    context.get_user_id = AsyncMock(return_value=user_id)
+    return context
+
+
+@pytest.mark.asyncio
+async def test_get_user_app_settings_success(
+    user_id, mock_user, mock_store, mock_user_context
+):
+    """
+    GIVEN: A user exists in the database
+    WHEN: get_user_app_settings is called
+    THEN: UserAppSettingsResponse is returned with correct data
+    """
+    # Arrange
+    mock_store.get_user_by_id = AsyncMock(return_value=mock_user)
+    service = UserAppSettingsService(store=mock_store, user_context=mock_user_context)
+
+    # Act
+    result = await service.get_user_app_settings()
+
+    # Assert
+    assert isinstance(result, UserAppSettingsResponse)
+    assert result.language == 'en'
+    assert result.user_consents_to_analytics is True
+    assert result.enable_sound_notifications is False
+    assert result.git_user_name == 'testuser'
+    assert result.git_user_email == 'test@example.com'
+    mock_store.get_user_by_id.assert_called_once_with(user_id)
+
+
+@pytest.mark.asyncio
+async def test_get_user_app_settings_user_not_found(
+    user_id, mock_store, mock_user_context
+):
+    """
+    GIVEN: A user does not exist in the database
+    WHEN: get_user_app_settings is called
+    THEN: UserNotFoundError is raised
+    """
+    # Arrange
+    mock_store.get_user_by_id = AsyncMock(return_value=None)
+    service = UserAppSettingsService(store=mock_store, user_context=mock_user_context)
+
+    # Act & Assert
+    with pytest.raises(UserNotFoundError) as exc_info:
+        await service.get_user_app_settings()
+
+    assert user_id in str(exc_info.value)
+
+
+@pytest.mark.asyncio
+async def test_update_user_app_settings_success(
+    user_id, mock_user, mock_store, mock_user_context
+):
+    """
+    GIVEN: A user exists in the database
+    WHEN: update_user_app_settings is called with new values
+    THEN: UserAppSettingsResponse is returned with updated data
+    """
+    # Arrange
+    mock_user.language = 'es'
+    mock_user.user_consents_to_analytics = False
+
+    update_data = UserAppSettingsUpdate(
+        language='es',
+        user_consents_to_analytics=False,
+    )
+
+    mock_store.update_user_app_settings = AsyncMock(return_value=mock_user)
+    service = UserAppSettingsService(store=mock_store, user_context=mock_user_context)
+
+    # Act
+    result = await service.update_user_app_settings(update_data)
+
+    # Assert
+    assert isinstance(result, UserAppSettingsResponse)
+    assert result.language == 'es'
+    assert result.user_consents_to_analytics is False
+    mock_store.update_user_app_settings.assert_called_once_with(
+        user_id=user_id, update_data=update_data
+    )
+
+
+@pytest.mark.asyncio
+async def test_update_user_app_settings_no_changes(
+    user_id, mock_user, mock_store, mock_user_context
+):
+    """
+    GIVEN: A user exists in the database
+    WHEN: update_user_app_settings is called with no fields
+    THEN: Current settings are returned without calling update
+    """
+    # Arrange
+    update_data = UserAppSettingsUpdate()  # No fields set
+
+    mock_store.get_user_by_id = AsyncMock(return_value=mock_user)
+    mock_store.update_user_app_settings = AsyncMock()
+    service = UserAppSettingsService(store=mock_store, user_context=mock_user_context)
+
+    # Act
+    result = await service.update_user_app_settings(update_data)
+
+    # Assert
+    assert isinstance(result, UserAppSettingsResponse)
+    mock_store.get_user_by_id.assert_called_once_with(user_id)
+    mock_store.update_user_app_settings.assert_not_called()
+
+
+@pytest.mark.asyncio
+async def test_update_user_app_settings_user_not_found(
+    user_id, mock_store, mock_user_context
+):
+    """
+    GIVEN: A user does not exist in the database
+    WHEN: update_user_app_settings is called
+    THEN: UserNotFoundError is raised
+    """
+    # Arrange
+    update_data = UserAppSettingsUpdate(language='en')
+
+    mock_store.update_user_app_settings = AsyncMock(return_value=None)
+    service = UserAppSettingsService(store=mock_store, user_context=mock_user_context)
+
+    # Act & Assert
+    with pytest.raises(UserNotFoundError) as exc_info:
+        await service.update_user_app_settings(update_data)
+
+    assert user_id in str(exc_info.value)

enterprise/tests/unit/storage/test_auth_token_store.py

@@ -0,0 +1,661 @@
+"""Unit tests for AuthTokenStore."""
+
+import time
+from contextlib import asynccontextmanager
+from typing import Dict
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import pytest
+from server.auth.auth_error import TokenRefreshError
+from sqlalchemy.exc import OperationalError
+from storage.auth_token_store import (
+    ACCESS_TOKEN_EXPIRY_BUFFER,
+    LOCK_TIMEOUT_SECONDS,
+    AuthTokenStore,
+)
+
+from openhands.integrations.service_types import ProviderType
+
+
+def create_mock_session():
+    """Create a mock async session with properly configured context managers."""
+    session = AsyncMock()
+
+    # Create async context manager for begin()
+    @asynccontextmanager
+    async def begin_context():
+        yield
+
+    session.begin = begin_context
+    return session
+
+
+def create_mock_session_maker(mock_session):
+    """Create a mock async session maker."""
+
+    @asynccontextmanager
+    async def session_context():
+        yield mock_session
+
+    # Return a callable that returns the context manager
+    return lambda: session_context()
+
+
+@pytest.fixture
+def mock_session():
+    """Create mock async session."""
+    return create_mock_session()
+
+
+@pytest.fixture
+def mock_session_maker(mock_session):
+    """Create mock async session maker."""
+    return create_mock_session_maker(mock_session)
+
+
+@pytest.fixture
+def auth_token_store(mock_session_maker):
+    """Create AuthTokenStore instance with mocked session maker."""
+    return AuthTokenStore(
+        keycloak_user_id='test-user-123',
+        idp=ProviderType.GITHUB,
+        a_session_maker=mock_session_maker,
+    )
+
+
+class TestIsTokenExpired:
+    """Tests for _is_token_expired method."""
+
+    def test_both_tokens_valid(self, auth_token_store):
+        """Test when both tokens are valid (not expired)."""
+        current_time = int(time.time())
+        access_expires = current_time + ACCESS_TOKEN_EXPIRY_BUFFER + 1000
+        refresh_expires = current_time + 1000
+
+        access_expired, refresh_expired = auth_token_store._is_token_expired(
+            access_expires, refresh_expires
+        )
+
+        assert access_expired is False
+        assert refresh_expired is False
+
+    def test_access_token_expired(self, auth_token_store):
+        """Test when access token is expired but within buffer."""
+        current_time = int(time.time())
+        # Access token expires within buffer period
+        access_expires = current_time + ACCESS_TOKEN_EXPIRY_BUFFER - 100
+        refresh_expires = current_time + 10000
+
+        access_expired, refresh_expired = auth_token_store._is_token_expired(
+            access_expires, refresh_expires
+        )
+
+        assert access_expired is True
+        assert refresh_expired is False
+
+    def test_refresh_token_expired(self, auth_token_store):
+        """Test when refresh token is expired."""
+        current_time = int(time.time())
+        access_expires = current_time + ACCESS_TOKEN_EXPIRY_BUFFER + 1000
+        refresh_expires = current_time - 100  # Already expired
+
+        access_expired, refresh_expired = auth_token_store._is_token_expired(
+            access_expires, refresh_expires
+        )
+
+        assert access_expired is False
+        assert refresh_expired is True
+
+    def test_both_tokens_expired(self, auth_token_store):
+        """Test when both tokens are expired."""
+        current_time = int(time.time())
+        access_expires = current_time - 100
+        refresh_expires = current_time - 100
+
+        access_expired, refresh_expired = auth_token_store._is_token_expired(
+            access_expires, refresh_expires
+        )
+
+        assert access_expired is True
+        assert refresh_expired is True
+
+    def test_zero_expiration_treated_as_never_expires(self, auth_token_store):
+        """Test that 0 expiration time is treated as never expires."""
+        access_expired, refresh_expired = auth_token_store._is_token_expired(0, 0)
+
+        assert access_expired is False
+        assert refresh_expired is False
+
+
+class TestLoadTokensFastPath:
+    """Tests for load_tokens fast path (no lock needed)."""
+
+    @pytest.mark.asyncio
+    async def test_fast_path_token_not_found(
+        self, auth_token_store, mock_session_maker, mock_session
+    ):
+        """Test fast path returns None when no token record exists."""
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = None
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        result = await auth_token_store.load_tokens()
+
+        assert result is None
+
+    @pytest.mark.asyncio
+    async def test_fast_path_valid_token_no_refresh_needed(
+        self, auth_token_store, mock_session_maker, mock_session
+    ):
+        """Test fast path returns tokens when they are still valid."""
+        current_time = int(time.time())
+        mock_token = MagicMock()
+        mock_token.access_token = 'valid-access-token'
+        mock_token.refresh_token = 'valid-refresh-token'
+        mock_token.access_token_expires_at = (
+            current_time + ACCESS_TOKEN_EXPIRY_BUFFER + 1000
+        )
+        mock_token.refresh_token_expires_at = current_time + 10000
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = mock_token
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        result = await auth_token_store.load_tokens()
+
+        assert result is not None
+        assert result['access_token'] == 'valid-access-token'
+        assert result['refresh_token'] == 'valid-refresh-token'
+
+    @pytest.mark.asyncio
+    async def test_fast_path_no_refresh_callback_provided(
+        self, auth_token_store, mock_session_maker, mock_session
+    ):
+        """Test fast path returns existing tokens when no refresh callback is provided."""
+        current_time = int(time.time())
+        mock_token = MagicMock()
+        mock_token.access_token = 'expired-access-token'
+        mock_token.refresh_token = 'valid-refresh-token'
+        # Expired access token
+        mock_token.access_token_expires_at = current_time - 100
+        mock_token.refresh_token_expires_at = current_time + 10000
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = mock_token
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        result = await auth_token_store.load_tokens(check_expiration_and_refresh=None)
+
+        assert result is not None
+        assert result['access_token'] == 'expired-access-token'
+
+
+class TestLoadTokensSlowPath:
+    """Tests for load_tokens slow path (lock required for refresh)."""
+
+    @pytest.mark.asyncio
+    async def test_slow_path_successful_refresh(self):
+        """Test slow path successfully refreshes expired tokens."""
+        current_time = int(time.time())
+        mock_session = create_mock_session()
+
+        # First call (fast path) - returns expired token
+        # Second call (slow path) - returns same token for update
+        expired_token = MagicMock()
+        expired_token.id = 1
+        expired_token.access_token = 'expired-access-token'
+        expired_token.refresh_token = 'valid-refresh-token'
+        expired_token.access_token_expires_at = current_time - 100  # Expired
+        expired_token.refresh_token_expires_at = current_time + 10000
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = expired_token
+        mock_session.execute = AsyncMock(return_value=mock_result)
+        mock_session.commit = AsyncMock()
+
+        mock_session_maker = create_mock_session_maker(mock_session)
+
+        auth_store = AuthTokenStore(
+            keycloak_user_id='test-user-123',
+            idp=ProviderType.GITHUB,
+            a_session_maker=mock_session_maker,
+        )
+
+        async def mock_refresh(
+            idp: ProviderType, refresh_token: str, access_exp: int, refresh_exp: int
+        ) -> Dict[str, str | int]:
+            return {
+                'access_token': 'new-access-token',
+                'refresh_token': 'new-refresh-token',
+                'access_token_expires_at': current_time + 3600,
+                'refresh_token_expires_at': current_time + 86400,
+            }
+
+        result = await auth_store.load_tokens(check_expiration_and_refresh=mock_refresh)
+
+        assert result is not None
+        assert result['access_token'] == 'new-access-token'
+        assert result['refresh_token'] == 'new-refresh-token'
+
+    @pytest.mark.asyncio
+    async def test_slow_path_double_check_avoids_refresh(self):
+        """Test double-check locking: token was refreshed by another request."""
+        current_time = int(time.time())
+        mock_session = create_mock_session()
+
+        # Simulate scenario:
+        # 1. Fast path sees expired token
+        # 2. While waiting for lock, another request refreshes
+        # 3. Slow path sees fresh token, skips refresh
+
+        call_count = [0]
+
+        def create_token():
+            call_count[0] += 1
+            token = MagicMock()
+            token.id = 1
+            token.access_token = 'fresh-access-token'
+            token.refresh_token = 'fresh-refresh-token'
+            if call_count[0] == 1:
+                # First call (fast path) - expired
+                token.access_token_expires_at = current_time - 100
+            else:
+                # Second call (slow path) - already refreshed
+                token.access_token_expires_at = (
+                    current_time + ACCESS_TOKEN_EXPIRY_BUFFER + 1000
+                )
+            token.refresh_token_expires_at = current_time + 86400
+            return token
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.side_effect = (
+            lambda: create_token()
+        )
+        mock_session.execute = AsyncMock(return_value=mock_result)
+        mock_session.commit = AsyncMock()
+
+        mock_session_maker = create_mock_session_maker(mock_session)
+
+        auth_store = AuthTokenStore(
+            keycloak_user_id='test-user-123',
+            idp=ProviderType.GITHUB,
+            a_session_maker=mock_session_maker,
+        )
+
+        refresh_called = [False]
+
+        async def mock_refresh(
+            idp: ProviderType, refresh_token: str, access_exp: int, refresh_exp: int
+        ) -> Dict[str, str | int]:
+            refresh_called[0] = True
+            return {
+                'access_token': 'should-not-be-used',
+                'refresh_token': 'should-not-be-used',
+                'access_token_expires_at': current_time + 3600,
+                'refresh_token_expires_at': current_time + 86400,
+            }
+
+        result = await auth_store.load_tokens(check_expiration_and_refresh=mock_refresh)
+
+        # The refresh callback should not be called because double-check
+        # found the token was already refreshed
+        assert result is not None
+        assert result['access_token'] == 'fresh-access-token'
+
+    @pytest.mark.asyncio
+    async def test_slow_path_token_not_found_after_lock(self):
+        """Test slow path returns None if token record disappears after lock."""
+        current_time = int(time.time())
+        mock_session = create_mock_session()
+
+        # First call (fast path) - token exists but expired
+        # Second call (slow path with lock) - token no longer exists
+        call_count = [0]
+
+        def get_token():
+            call_count[0] += 1
+            if call_count[0] == 1:
+                token = MagicMock()
+                token.access_token_expires_at = current_time - 100  # Expired
+                token.refresh_token_expires_at = current_time + 10000
+                return token
+            return None
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.side_effect = get_token
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        mock_session_maker = create_mock_session_maker(mock_session)
+
+        auth_store = AuthTokenStore(
+            keycloak_user_id='test-user-123',
+            idp=ProviderType.GITHUB,
+            a_session_maker=mock_session_maker,
+        )
+
+        async def mock_refresh(*args) -> Dict[str, str | int]:
+            return {
+                'access_token': 'new-token',
+                'refresh_token': 'new-refresh',
+                'access_token_expires_at': current_time + 3600,
+                'refresh_token_expires_at': current_time + 86400,
+            }
+
+        result = await auth_store.load_tokens(check_expiration_and_refresh=mock_refresh)
+
+        assert result is None
+
+
+class TestLoadTokensLockTimeout:
+    """Tests for lock timeout handling."""
+
+    @pytest.mark.asyncio
+    async def test_lock_timeout_raises_token_refresh_error(self):
+        """Test that lock timeout raises TokenRefreshError."""
+        current_time = int(time.time())
+        mock_session = create_mock_session()
+
+        # First call (fast path) - returns expired token
+        expired_token = MagicMock()
+        expired_token.access_token_expires_at = current_time - 100
+        expired_token.refresh_token_expires_at = current_time + 10000
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = expired_token
+
+        # First execute for fast path succeeds
+        # Second execute (for slow path) raises OperationalError
+        call_count = [0]
+
+        async def execute_side_effect(*args, **kwargs):
+            call_count[0] += 1
+            if call_count[0] <= 1:
+                return mock_result
+            # Simulate lock timeout
+            raise OperationalError(
+                'canceling statement due to lock timeout', None, None
+            )
+
+        mock_session.execute = execute_side_effect
+
+        mock_session_maker = create_mock_session_maker(mock_session)
+
+        auth_store = AuthTokenStore(
+            keycloak_user_id='test-user-123',
+            idp=ProviderType.GITHUB,
+            a_session_maker=mock_session_maker,
+        )
+
+        async def mock_refresh(*args) -> Dict[str, str | int]:
+            return {
+                'access_token': 'new-token',
+                'refresh_token': 'new-refresh',
+                'access_token_expires_at': current_time + 3600,
+                'refresh_token_expires_at': current_time + 86400,
+            }
+
+        with pytest.raises(TokenRefreshError) as exc_info:
+            await auth_store.load_tokens(check_expiration_and_refresh=mock_refresh)
+
+        assert 'lock timeout' in str(exc_info.value).lower()
+
+    @pytest.mark.asyncio
+    async def test_lock_timeout_preserves_original_exception(self):
+        """Test that TokenRefreshError preserves the original OperationalError."""
+        current_time = int(time.time())
+        mock_session = create_mock_session()
+
+        expired_token = MagicMock()
+        expired_token.access_token_expires_at = current_time - 100
+        expired_token.refresh_token_expires_at = current_time + 10000
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = expired_token
+
+        original_error = OperationalError(
+            'canceling statement due to lock timeout', None, None
+        )
+
+        call_count = [0]
+
+        async def execute_side_effect(*args, **kwargs):
+            call_count[0] += 1
+            if call_count[0] <= 1:
+                return mock_result
+            raise original_error
+
+        mock_session.execute = execute_side_effect
+
+        mock_session_maker = create_mock_session_maker(mock_session)
+
+        auth_store = AuthTokenStore(
+            keycloak_user_id='test-user-123',
+            idp=ProviderType.GITHUB,
+            a_session_maker=mock_session_maker,
+        )
+
+        async def mock_refresh(*args) -> Dict[str, str | int]:
+            return {
+                'access_token': 'new-token',
+                'refresh_token': 'new-refresh',
+                'access_token_expires_at': current_time + 3600,
+                'refresh_token_expires_at': current_time + 86400,
+            }
+
+        with pytest.raises(TokenRefreshError) as exc_info:
+            await auth_store.load_tokens(check_expiration_and_refresh=mock_refresh)
+
+        # Verify the original exception is chained
+        assert exc_info.value.__cause__ is original_error
+
+
+class TestLoadTokensRefreshCallbackBehavior:
+    """Tests for refresh callback return values."""
+
+    @pytest.mark.asyncio
+    async def test_refresh_callback_returns_none(self):
+        """Test behavior when refresh callback returns None (no refresh performed)."""
+        current_time = int(time.time())
+        mock_session = create_mock_session()
+
+        expired_token = MagicMock()
+        expired_token.id = 1
+        expired_token.access_token = 'old-access-token'
+        expired_token.refresh_token = 'old-refresh-token'
+        expired_token.access_token_expires_at = current_time - 100  # Expired
+        expired_token.refresh_token_expires_at = current_time + 10000
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = expired_token
+        mock_session.execute = AsyncMock(return_value=mock_result)
+        mock_session.commit = AsyncMock()
+
+        mock_session_maker = create_mock_session_maker(mock_session)
+
+        auth_store = AuthTokenStore(
+            keycloak_user_id='test-user-123',
+            idp=ProviderType.GITHUB,
+            a_session_maker=mock_session_maker,
+        )
+
+        async def mock_refresh_returns_none(
+            idp: ProviderType, refresh_token: str, access_exp: int, refresh_exp: int
+        ) -> Dict[str, str | int] | None:
+            return None
+
+        result = await auth_store.load_tokens(
+            check_expiration_and_refresh=mock_refresh_returns_none
+        )
+
+        # Should return the old tokens when refresh returns None
+        assert result is not None
+        assert result['access_token'] == 'old-access-token'
+        assert result['refresh_token'] == 'old-refresh-token'
+
+
+class TestStoreTokens:
+    """Tests for store_tokens method."""
+
+    @pytest.mark.asyncio
+    async def test_store_tokens_creates_new_record(self):
+        """Test storing tokens when no existing record."""
+        mock_session = create_mock_session()
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.first.return_value = None
+        mock_session.execute = AsyncMock(return_value=mock_result)
+        mock_session.add = MagicMock()
+        mock_session.commit = AsyncMock()
+
+        mock_session_maker = create_mock_session_maker(mock_session)
+
+        auth_store = AuthTokenStore(
+            keycloak_user_id='test-user-123',
+            idp=ProviderType.GITHUB,
+            a_session_maker=mock_session_maker,
+        )
+
+        await auth_store.store_tokens(
+            access_token='new-access-token',
+            refresh_token='new-refresh-token',
+            access_token_expires_at=1234567890,
+            refresh_token_expires_at=1234657890,
+        )
+
+        mock_session.add.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_store_tokens_updates_existing_record(self):
+        """Test storing tokens updates existing record."""
+        mock_session = create_mock_session()
+        existing_token = MagicMock()
+        existing_token.access_token = 'old-access'
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.first.return_value = existing_token
+        mock_session.execute = AsyncMock(return_value=mock_result)
+        mock_session.commit = AsyncMock()
+
+        mock_session_maker = create_mock_session_maker(mock_session)
+
+        auth_store = AuthTokenStore(
+            keycloak_user_id='test-user-123',
+            idp=ProviderType.GITHUB,
+            a_session_maker=mock_session_maker,
+        )
+
+        await auth_store.store_tokens(
+            access_token='new-access-token',
+            refresh_token='new-refresh-token',
+            access_token_expires_at=1234567890,
+            refresh_token_expires_at=1234657890,
+        )
+
+        assert existing_token.access_token == 'new-access-token'
+        assert existing_token.refresh_token == 'new-refresh-token'
+
+
+class TestIsAccessTokenValid:
+    """Tests for is_access_token_valid method."""
+
+    @pytest.mark.asyncio
+    async def test_is_access_token_valid_returns_false_when_no_tokens(
+        self, auth_token_store, mock_session_maker, mock_session
+    ):
+        """Test returns False when no tokens found."""
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = None
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        result = await auth_token_store.is_access_token_valid()
+
+        assert result is False
+
+    @pytest.mark.asyncio
+    async def test_is_access_token_valid_returns_true_for_valid_token(
+        self, auth_token_store, mock_session_maker, mock_session
+    ):
+        """Test returns True when token is valid."""
+        current_time = int(time.time())
+        mock_token = MagicMock()
+        mock_token.access_token = 'valid-access'
+        mock_token.refresh_token = 'valid-refresh'
+        mock_token.access_token_expires_at = current_time + 1000
+        mock_token.refresh_token_expires_at = current_time + 10000
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = mock_token
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        result = await auth_token_store.is_access_token_valid()
+
+        assert result is True
+
+    @pytest.mark.asyncio
+    async def test_is_access_token_valid_returns_false_for_expired_token(
+        self, auth_token_store, mock_session_maker, mock_session
+    ):
+        """Test returns False when token is expired."""
+        current_time = int(time.time())
+        mock_token = MagicMock()
+        mock_token.access_token = 'expired-access'
+        mock_token.refresh_token = 'valid-refresh'
+        mock_token.access_token_expires_at = current_time - 100  # Expired
+        mock_token.refresh_token_expires_at = current_time + 10000
+
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.one_or_none.return_value = mock_token
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        result = await auth_token_store.is_access_token_valid()
+
+        assert result is False
+
+
+class TestGetInstance:
+    """Tests for get_instance class method."""
+
+    @pytest.mark.asyncio
+    async def test_get_instance_creates_auth_token_store(self):
+        """Test get_instance creates an AuthTokenStore with correct params."""
+        with patch('storage.auth_token_store.a_session_maker') as mock_a_session_maker:
+            store = await AuthTokenStore.get_instance(
+                keycloak_user_id='user-123', idp=ProviderType.GITHUB
+            )
+
+            assert store.keycloak_user_id == 'user-123'
+            assert store.idp == ProviderType.GITHUB
+            assert store.a_session_maker is mock_a_session_maker
+
+
+class TestIdentityProviderValue:
+    """Tests for identity_provider_value property."""
+
+    def test_identity_provider_value_returns_idp_value(self, auth_token_store):
+        """Test that identity_provider_value returns the enum value."""
+        assert auth_token_store.identity_provider_value == ProviderType.GITHUB.value
+
+    def test_identity_provider_value_for_different_providers(self):
+        """Test identity_provider_value for different providers."""
+        for provider in [
+            ProviderType.GITHUB,
+            ProviderType.GITLAB,
+            ProviderType.BITBUCKET,
+        ]:
+            store = AuthTokenStore(
+                keycloak_user_id='test-user',
+                idp=provider,
+                a_session_maker=MagicMock(),
+            )
+            assert store.identity_provider_value == provider.value
+
+
+class TestConstants:
+    """Tests for module constants."""
+
+    def test_access_token_expiry_buffer_value(self):
+        """Test ACCESS_TOKEN_EXPIRY_BUFFER is set to 15 minutes."""
+        assert ACCESS_TOKEN_EXPIRY_BUFFER == 900
+
+    def test_lock_timeout_seconds_value(self):
+        """Test LOCK_TIMEOUT_SECONDS is set to 5 seconds."""
+        assert LOCK_TIMEOUT_SECONDS == 5

enterprise/tests/unit/storage/test_database.py

@@ -0,0 +1,99 @@
+"""Tests for the enterprise storage.database module.
+
+These tests verify that the session_maker function properly forwards
+keyword arguments to the underlying session maker for backward compatibility.
+"""
+
+from unittest.mock import MagicMock, patch
+
+
+class TestSessionMaker:
+    """Test cases for the session_maker function."""
+
+    @patch('enterprise.storage.database._get_db_session_injector')
+    def test_session_maker_without_args(self, mock_get_injector):
+        """Test that session_maker works without any arguments."""
+        from enterprise.storage.database import session_maker
+
+        # Set up mock
+        mock_injector = MagicMock()
+        mock_inner_session_maker = MagicMock()
+        mock_session = MagicMock()
+        mock_inner_session_maker.return_value = mock_session
+        mock_injector.get_session_maker.return_value = mock_inner_session_maker
+        mock_get_injector.return_value = mock_injector
+
+        # Call session_maker without arguments
+        result = session_maker()
+
+        # Verify the inner session maker was called without arguments
+        mock_inner_session_maker.assert_called_once_with()
+        assert result == mock_session
+
+    @patch('enterprise.storage.database._get_db_session_injector')
+    def test_session_maker_with_expire_on_commit_false(self, mock_get_injector):
+        """Test that session_maker accepts expire_on_commit keyword argument.
+
+        This is a critical backward compatibility test - the session_maker
+        must accept keyword arguments like expire_on_commit=False which is
+        used in slack.py and potentially other integration modules.
+        """
+        from enterprise.storage.database import session_maker
+
+        # Set up mock
+        mock_injector = MagicMock()
+        mock_inner_session_maker = MagicMock()
+        mock_session = MagicMock()
+        mock_inner_session_maker.return_value = mock_session
+        mock_injector.get_session_maker.return_value = mock_inner_session_maker
+        mock_get_injector.return_value = mock_injector
+
+        # Call session_maker with expire_on_commit=False
+        # This is the exact call pattern used in slack.py line 242
+        result = session_maker(expire_on_commit=False)
+
+        # Verify the inner session maker was called with the keyword argument
+        mock_inner_session_maker.assert_called_once_with(expire_on_commit=False)
+        assert result == mock_session
+
+    @patch('enterprise.storage.database._get_db_session_injector')
+    def test_session_maker_with_multiple_kwargs(self, mock_get_injector):
+        """Test that session_maker passes through multiple keyword arguments."""
+        from enterprise.storage.database import session_maker
+
+        # Set up mock
+        mock_injector = MagicMock()
+        mock_inner_session_maker = MagicMock()
+        mock_session = MagicMock()
+        mock_inner_session_maker.return_value = mock_session
+        mock_injector.get_session_maker.return_value = mock_inner_session_maker
+        mock_get_injector.return_value = mock_injector
+
+        # Call with multiple kwargs
+        result = session_maker(
+            expire_on_commit=False, autoflush=False, autocommit=False
+        )
+
+        # Verify all kwargs were passed through
+        mock_inner_session_maker.assert_called_once_with(
+            expire_on_commit=False, autoflush=False, autocommit=False
+        )
+        assert result == mock_session
+
+    @patch('enterprise.storage.database._get_db_session_injector')
+    def test_session_maker_returns_correct_session(self, mock_get_injector):
+        """Test that session_maker returns the session from the inner session maker."""
+        from enterprise.storage.database import session_maker
+
+        # Set up mock
+        mock_injector = MagicMock()
+        mock_inner_session_maker = MagicMock()
+        mock_session = MagicMock()
+        mock_inner_session_maker.return_value = mock_session
+        mock_injector.get_session_maker.return_value = mock_inner_session_maker
+        mock_get_injector.return_value = mock_injector
+
+        result = session_maker()
+
+        # Verify the returned session is from the inner session maker
+        assert result is mock_session

enterprise/tests/unit/storage/test_resend_synced_user_store.py

@@ -0,0 +1,158 @@
+"""Unit tests for ResendSyncedUserStore."""
+
+from unittest.mock import MagicMock
+
+import pytest
+
+# Import directly from the module files to avoid loading all of storage/__init__.py
+# which has many dependencies
+from storage.resend_synced_user import ResendSyncedUser
+from storage.resend_synced_user_store import ResendSyncedUserStore
+
+
+@pytest.fixture
+def mock_session():
+    """Mock database session."""
+    session = MagicMock()
+    return session
+
+
+@pytest.fixture
+def mock_session_maker(mock_session):
+    """Mock session maker."""
+    session_maker = MagicMock()
+    session_maker.return_value.__enter__.return_value = mock_session
+    session_maker.return_value.__exit__.return_value = None
+    return session_maker
+
+
+@pytest.fixture
+def store(mock_session_maker):
+    """Create ResendSyncedUserStore instance."""
+    return ResendSyncedUserStore(session_maker=mock_session_maker)
+
+
+class TestResendSyncedUserStore:
+    """Test cases for ResendSyncedUserStore."""
+
+    def test_is_user_synced_returns_true_when_exists(self, store, mock_session):
+        """Test is_user_synced returns True when user exists in database."""
+        email = 'test@example.com'
+        audience_id = 'test-audience-123'
+
+        mock_row = MagicMock()
+        mock_session.execute.return_value.first.return_value = mock_row
+
+        result = store.is_user_synced(email, audience_id)
+
+        assert result is True
+        mock_session.execute.assert_called_once()
+
+    def test_is_user_synced_returns_false_when_not_exists(self, store, mock_session):
+        """Test is_user_synced returns False when user doesn't exist."""
+        email = 'test@example.com'
+        audience_id = 'test-audience-123'
+
+        mock_session.execute.return_value.first.return_value = None
+
+        result = store.is_user_synced(email, audience_id)
+
+        assert result is False
+
+    def test_is_user_synced_normalizes_email_to_lowercase(self, store, mock_session):
+        """Test that is_user_synced normalizes email to lowercase."""
+        email = 'TEST@EXAMPLE.COM'
+        audience_id = 'test-audience-123'
+
+        mock_session.execute.return_value.first.return_value = None
+
+        store.is_user_synced(email, audience_id)
+
+        # Verify the query was called (we can't easily check the exact SQL)
+        mock_session.execute.assert_called_once()
+
+    def test_mark_user_synced_creates_new_record(self, store, mock_session):
+        """Test that mark_user_synced creates a new record."""
+        email = 'test@example.com'
+        audience_id = 'test-audience-123'
+        keycloak_user_id = 'kc-user-123'
+
+        mock_synced_user = MagicMock(spec=ResendSyncedUser)
+        mock_result = MagicMock()
+        mock_result.first.return_value = (mock_synced_user,)
+        mock_session.execute.return_value = mock_result
+
+        result = store.mark_user_synced(email, audience_id, keycloak_user_id)
+
+        assert result == mock_synced_user
+        mock_session.execute.assert_called_once()
+        mock_session.commit.assert_called_once()
+
+    def test_mark_user_synced_handles_existing_record(self, store, mock_session):
+        """Test that mark_user_synced handles conflict (existing record)."""
+        email = 'test@example.com'
+        audience_id = 'test-audience-123'
+
+        # First execute (insert) returns None (conflict occurred)
+        # Second execute (select existing) returns the record
+        mock_existing_user = MagicMock(spec=ResendSyncedUser)
+        mock_result_insert = MagicMock()
+        mock_result_insert.first.return_value = None
+
+        mock_result_select = MagicMock()
+        mock_result_select.first.return_value = (mock_existing_user,)
+
+        mock_session.execute.side_effect = [mock_result_insert, mock_result_select]
+
+        result = store.mark_user_synced(email, audience_id)
+
+        assert result == mock_existing_user
+        assert mock_session.execute.call_count == 2
+        mock_session.commit.assert_called_once()
+
+    def test_mark_user_synced_normalizes_email_to_lowercase(self, store, mock_session):
+        """Test that mark_user_synced normalizes email to lowercase."""
+        email = 'TEST@EXAMPLE.COM'
+        audience_id = 'test-audience-123'
+
+        mock_synced_user = MagicMock(spec=ResendSyncedUser)
+        mock_result = MagicMock()
+        mock_result.first.return_value = (mock_synced_user,)
+        mock_session.execute.return_value = mock_result
+
+        store.mark_user_synced(email, audience_id)
+
+        # Verify execute was called (the email normalization happens in the SQL)
+        mock_session.execute.assert_called_once()
+        mock_session.commit.assert_called_once()
+
+    def test_mark_user_synced_without_keycloak_user_id(self, store, mock_session):
+        """Test that mark_user_synced works without keycloak_user_id."""
+        email = 'test@example.com'
+        audience_id = 'test-audience-123'
+
+        mock_synced_user = MagicMock(spec=ResendSyncedUser)
+        mock_result = MagicMock()
+        mock_result.first.return_value = (mock_synced_user,)
+        mock_session.execute.return_value = mock_result
+
+        result = store.mark_user_synced(email, audience_id)
+
+        assert result == mock_synced_user
+        mock_session.execute.assert_called_once()
+
+
+class TestResendSyncedUser:
+    """Test cases for ResendSyncedUser model."""
+
+    def test_model_has_required_fields(self):
+        """Test that the model has all required fields."""
+        assert hasattr(ResendSyncedUser, 'id')
+        assert hasattr(ResendSyncedUser, 'email')
+        assert hasattr(ResendSyncedUser, 'audience_id')
+        assert hasattr(ResendSyncedUser, 'synced_at')
+        assert hasattr(ResendSyncedUser, 'keycloak_user_id')
+
+    def test_model_table_name(self):
+        """Test the model's table name."""
+        assert ResendSyncedUser.__tablename__ == 'resend_synced_users'

enterprise/tests/unit/storage/test_saas_sql_app_conversation_info_service.py

@@ -10,8 +10,12 @@ from unittest.mock import AsyncMock, MagicMock
 from uuid import UUID, uuid4
 
 import pytest
+from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
 from sqlalchemy.pool import StaticPool
+from storage.base import Base
+from storage.org import Org
+from storage.user import User
 
 from enterprise.server.utils.saas_app_conversation_info_injector import (
     SaasSQLAppConversationInfoService,
@@ -20,10 +24,15 @@ from openhands.app_server.app_conversation.app_conversation_models import (
     AppConversationInfo,
 )
 from openhands.app_server.user.specifiy_user_context import SpecifyUserContext
-from openhands.app_server.utils.sql_utils import Base
 from openhands.integrations.service_types import ProviderType
 from openhands.storage.data_models.conversation_metadata import ConversationTrigger
 
+# Test UUIDs
+USER1_ID = UUID('a1111111-1111-1111-1111-111111111111')
+USER2_ID = UUID('b2222222-2222-2222-2222-222222222222')
+ORG1_ID = UUID('c1111111-1111-1111-1111-111111111111')
+ORG2_ID = UUID('d2222222-2222-2222-2222-222222222222')
+
 
 @pytest.fixture
 async def async_engine():
@@ -55,6 +64,41 @@ async def async_session(async_engine) -> AsyncGenerator[AsyncSession, None]:
         yield db_session
 
 
+@pytest.fixture
+async def async_session_with_users(async_engine) -> AsyncGenerator[AsyncSession, None]:
+    """Create an async session with pre-populated Org and User rows for testing."""
+    async_session_maker = async_sessionmaker(
+        async_engine, class_=AsyncSession, expire_on_commit=False
+    )
+
+    async with async_session_maker() as db_session:
+        # Insert Orgs first (required for User foreign key)
+        org1 = Org(
+            id=ORG1_ID,
+            name='test-org-1',
+            enable_default_condenser=True,
+            enable_proactive_conversation_starters=True,
+        )
+        org2 = Org(
+            id=ORG2_ID,
+            name='test-org-2',
+            enable_default_condenser=True,
+            enable_proactive_conversation_starters=True,
+        )
+        db_session.add(org1)
+        db_session.add(org2)
+        await db_session.flush()
+
+        # Insert Users
+        user1 = User(id=USER1_ID, current_org_id=ORG1_ID)
+        user2 = User(id=USER2_ID, current_org_id=ORG2_ID)
+        db_session.add(user1)
+        db_session.add(user2)
+        await db_session.commit()
+
+        yield db_session
+
+
 @pytest.fixture
 def service(async_session) -> SaasSQLAppConversationInfoService:
     """Create a SQLAppConversationInfoService instance for testing."""
@@ -178,15 +222,26 @@ class TestSaasSQLAppConversationInfoService:
         assert user1_id != user2_id
 
     @pytest.mark.asyncio
-    async def test_secure_select_includes_user_filtering(
+    async def test_secure_select_includes_user_and_org_filtering(
         self,
-        saas_service_user1: SaasSQLAppConversationInfoService,
+        async_session_with_users: AsyncSession,
     ):
-        """Test that _secure_select method includes user filtering."""
-        # This test verifies that the _secure_select method exists and can be called
-        # The actual SQL generation is tested implicitly through integration
-        query = await saas_service_user1._secure_select()
-        assert query is not None
+        """Test that _secure_select method includes both user_id and org_id filtering."""
+        service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
+        )
+
+        query = await service._secure_select()
+
+        # Convert query to string to verify filters are present
+        query_str = str(query.compile(compile_kwargs={'literal_binds': True}))
+
+        # Verify user_id filter is present
+        assert str(USER1_ID) in query_str or str(USER1_ID).replace('-', '') in query_str
+
+        # Verify org_id filter is present (user1 is in org1)
+        assert str(ORG1_ID) in query_str or str(ORG1_ID).replace('-', '') in query_str
 
     @pytest.mark.asyncio
     async def test_to_info_with_user_id_functionality(
@@ -241,100 +296,32 @@ class TestSaasSQLAppConversationInfoService:
         assert result.sandbox_id == 'test-sandbox'
 
     @pytest.mark.asyncio
-    async def test_user_isolation(
+    async def test_user_isolation_different_users(
         self,
-        async_session: AsyncSession,
-        multiple_conversation_infos: list[AppConversationInfo],
+        async_session_with_users: AsyncSession,
     ):
-        """Test that user isolation works correctly."""
-        from unittest.mock import MagicMock
-
-        from storage.user import User
-
-        # Mock the database session execute method to return mock users
-        # This mock intercepts User queries and returns a mock user object
-        # with user_id and org_id the same as the user_id_uuid from the query
-        original_execute = async_session.execute
-
-        async def mock_execute(query):
-            query_str = str(query)
-
-            # Check if this is a User query
-            if '"user"' in query_str.lower() and '"user".id' in query_str.lower():
-                # Extract the UUID from the query parameters
-                # The query will have bound parameters, we need to get the UUID value
-                if hasattr(query, 'compile'):
-                    try:
-                        compiled = query.compile(compile_kwargs={'literal_binds': True})
-                        query_with_params = str(compiled)
-
-                        # Extract UUID from the query string
-                        import re
-
-                        # Try both formats: with dashes and without dashes
-                        uuid_pattern_with_dashes = r'[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'
-                        uuid_pattern_without_dashes = r'[a-f0-9]{32}'
-
-                        uuid_match = re.search(
-                            uuid_pattern_with_dashes, query_with_params
-                        )
-                        if not uuid_match:
-                            uuid_match = re.search(
-                                uuid_pattern_without_dashes, query_with_params
-                            )
-
-                        if uuid_match:
-                            user_id_str = uuid_match.group(0)
-                            # If the UUID doesn't have dashes, add them
-                            if len(user_id_str) == 32 and '-' not in user_id_str:
-                                # Convert from 'a1111111111111111111111111111111' to 'a1111111-1111-1111-1111-111111111111'
-                                user_id_str = f'{user_id_str[:8]}-{user_id_str[8:12]}-{user_id_str[12:16]}-{user_id_str[16:20]}-{user_id_str[20:]}'
-                            user_id_uuid = UUID(user_id_str)
-
-                            # Create a mock user with user_id and org_id the same as user_id_uuid
-                            mock_user = MagicMock(spec=User)
-                            mock_user.id = user_id_uuid
-                            mock_user.current_org_id = user_id_uuid
-
-                            # Create a mock result
-                            mock_result = MagicMock()
-                            mock_result.scalar_one_or_none.return_value = mock_user
-                            return mock_result
-                    except Exception:
-                        # If there's any error in parsing, fall back to original execute
-                        pass
-
-            # For all other queries, use the original execute method
-            return await original_execute(query)
-
-        # Apply the mock
-        async_session.execute = mock_execute
-
+        """Test that different users cannot see each other's conversations."""
         # Create services for different users
         user1_service = SaasSQLAppConversationInfoService(
-            db_session=async_session,
-            user_context=SpecifyUserContext(
-                user_id='a1111111-1111-1111-1111-111111111111'
-            ),
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
         )
         user2_service = SaasSQLAppConversationInfoService(
-            db_session=async_session,
-            user_context=SpecifyUserContext(
-                user_id='b2222222-2222-2222-2222-222222222222'
-            ),
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER2_ID)),
         )
 
         # Create conversations for different users
         user1_info = AppConversationInfo(
             id=uuid4(),
-            created_by_user_id='a1111111-1111-1111-1111-111111111111',
+            created_by_user_id=str(USER1_ID),
             sandbox_id='sandbox_user1',
             title='User 1 Conversation',
         )
 
         user2_info = AppConversationInfo(
             id=uuid4(),
-            created_by_user_id='b2222222-2222-2222-2222-222222222222',
+            created_by_user_id=str(USER2_ID),
             sandbox_id='sandbox_user2',
             title='User 2 Conversation',
         )
@@ -346,18 +333,12 @@ class TestSaasSQLAppConversationInfoService:
         # User 1 should only see their conversation
         user1_page = await user1_service.search_app_conversation_info()
         assert len(user1_page.items) == 1
-        assert (
-            user1_page.items[0].created_by_user_id
-            == 'a1111111-1111-1111-1111-111111111111'
-        )
+        assert user1_page.items[0].created_by_user_id == str(USER1_ID)
 
         # User 2 should only see their conversation
         user2_page = await user2_service.search_app_conversation_info()
         assert len(user2_page.items) == 1
-        assert (
-            user2_page.items[0].created_by_user_id
-            == 'b2222222-2222-2222-2222-222222222222'
-        )
+        assert user2_page.items[0].created_by_user_id == str(USER2_ID)
 
         # User 1 should not be able to get user 2's conversation
         user2_from_user1 = await user1_service.get_app_conversation_info(user2_info.id)
@@ -366,3 +347,319 @@ class TestSaasSQLAppConversationInfoService:
         # User 2 should not be able to get user 1's conversation
         user1_from_user2 = await user2_service.get_app_conversation_info(user1_info.id)
         assert user1_from_user2 is None
+
+    @pytest.mark.asyncio
+    async def test_same_user_org_switching_isolation(
+        self,
+        async_session_with_users: AsyncSession,
+    ):
+        """Test that the same user switching orgs cannot see conversations from other orgs.
+
+        This tests the actual bug scenario: a user creates a conversation in org1,
+        then switches to org2, and should NOT see org1's conversations.
+        """
+        # Create service for user1 in org1
+        user1_service_org1 = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
+        )
+
+        # Create a conversation while user is in org1
+        conv_in_org1 = AppConversationInfo(
+            id=uuid4(),
+            created_by_user_id=str(USER1_ID),
+            sandbox_id='sandbox_org1',
+            title='Conversation in Org 1',
+        )
+        await user1_service_org1.save_app_conversation_info(conv_in_org1)
+
+        # Verify user can see the conversation in org1
+        page_in_org1 = await user1_service_org1.search_app_conversation_info()
+        assert len(page_in_org1.items) == 1
+        assert page_in_org1.items[0].title == 'Conversation in Org 1'
+
+        # Simulate user switching to org2 by updating current_org_id using ORM
+        result = await async_session_with_users.execute(
+            select(User).where(User.id == USER1_ID)
+        )
+        user_to_update = result.scalars().first()
+        user_to_update.current_org_id = ORG2_ID
+        await async_session_with_users.commit()
+        # Clear SQLAlchemy's identity map cache to simulate a new request
+        async_session_with_users.expire_all()
+
+        # Create new service instance (simulating a new request after org switch)
+        user1_service_org2 = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
+        )
+
+        # User should NOT see org1's conversations after switching to org2
+        page_in_org2 = await user1_service_org2.search_app_conversation_info()
+        assert (
+            len(page_in_org2.items) == 0
+        ), 'User should not see conversations from org1 after switching to org2'
+
+        # User should not be able to get the specific conversation from org1
+        conv_from_org2 = await user1_service_org2.get_app_conversation_info(
+            conv_in_org1.id
+        )
+        assert (
+            conv_from_org2 is None
+        ), 'User should not be able to access org1 conversation from org2'
+
+        # Now create a conversation in org2
+        conv_in_org2 = AppConversationInfo(
+            id=uuid4(),
+            created_by_user_id=str(USER1_ID),
+            sandbox_id='sandbox_org2',
+            title='Conversation in Org 2',
+        )
+        await user1_service_org2.save_app_conversation_info(conv_in_org2)
+
+        # User should only see org2's conversation
+        page_in_org2_after = await user1_service_org2.search_app_conversation_info()
+        assert len(page_in_org2_after.items) == 1
+        assert page_in_org2_after.items[0].title == 'Conversation in Org 2'
+
+        # Switch back to org1 and verify isolation works both ways
+        result = await async_session_with_users.execute(
+            select(User).where(User.id == USER1_ID)
+        )
+        user_to_update = result.scalars().first()
+        user_to_update.current_org_id = ORG1_ID
+        await async_session_with_users.commit()
+        async_session_with_users.expire_all()
+
+        user1_service_back_to_org1 = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
+        )
+
+        # User should only see org1's conversation now
+        page_back_in_org1 = (
+            await user1_service_back_to_org1.search_app_conversation_info()
+        )
+        assert len(page_back_in_org1.items) == 1
+        assert page_back_in_org1.items[0].title == 'Conversation in Org 1'
+
+    @pytest.mark.asyncio
+    async def test_count_respects_org_isolation(
+        self,
+        async_session_with_users: AsyncSession,
+    ):
+        """Test that count_app_conversation_info respects org isolation."""
+        # Create service for user1 in org1
+        user1_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
+        )
+
+        # Create conversations in org1
+        for i in range(3):
+            conv = AppConversationInfo(
+                id=uuid4(),
+                created_by_user_id=str(USER1_ID),
+                sandbox_id=f'sandbox_org1_{i}',
+                title=f'Org1 Conversation {i}',
+            )
+            await user1_service.save_app_conversation_info(conv)
+
+        # Count should be 3
+        count_org1 = await user1_service.count_app_conversation_info()
+        assert count_org1 == 3
+
+        # Switch to org2 using ORM
+        result = await async_session_with_users.execute(
+            select(User).where(User.id == USER1_ID)
+        )
+        user_to_update = result.scalars().first()
+        user_to_update.current_org_id = ORG2_ID
+        await async_session_with_users.commit()
+        async_session_with_users.expire_all()
+
+        user1_service_org2 = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
+        )
+
+        # Count should be 0 in org2
+        count_org2 = await user1_service_org2.count_app_conversation_info()
+        assert count_org2 == 0
+
+
+class TestSaasSQLAppConversationInfoServiceAdminContext:
+    """Test suite for SaasSQLAppConversationInfoService with ADMIN context."""
+
+    @pytest.mark.asyncio
+    async def test_admin_context_returns_unfiltered_data(
+        self,
+        async_session_with_users: AsyncSession,
+    ):
+        """Test that ADMIN context returns unfiltered data (no user/org filtering)."""
+        # Create conversations for different users
+        user1_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
+        )
+
+        # Create conversations for user1 in org1
+        for i in range(3):
+            conv = AppConversationInfo(
+                id=uuid4(),
+                created_by_user_id=str(USER1_ID),
+                sandbox_id=f'sandbox_user1_{i}',
+                title=f'User1 Conversation {i}',
+            )
+            await user1_service.save_app_conversation_info(conv)
+
+        # Now create an ADMIN service
+        from openhands.app_server.user.specifiy_user_context import ADMIN
+
+        admin_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=ADMIN,
+        )
+
+        # ADMIN should see ALL conversations (unfiltered)
+        admin_page = await admin_service.search_app_conversation_info()
+        assert (
+            len(admin_page.items) == 3
+        ), 'ADMIN context should see all conversations without filtering'
+
+        # ADMIN count should return total count (3)
+        admin_count = await admin_service.count_app_conversation_info()
+        assert (
+            admin_count == 3
+        ), 'ADMIN context should count all conversations without filtering'
+
+    @pytest.mark.asyncio
+    async def test_admin_context_can_access_any_conversation(
+        self,
+        async_session_with_users: AsyncSession,
+    ):
+        """Test that ADMIN context can access any conversation regardless of owner."""
+        from openhands.app_server.user.specifiy_user_context import ADMIN
+
+        # Create a conversation as user1
+        user1_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
+        )
+
+        conv = AppConversationInfo(
+            id=uuid4(),
+            created_by_user_id=str(USER1_ID),
+            sandbox_id='sandbox_user1',
+            title='User1 Private Conversation',
+        )
+        await user1_service.save_app_conversation_info(conv)
+
+        # Create a service as user2 in org2 - should not see user1's conversation
+        user2_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER2_ID)),
+        )
+
+        user2_page = await user2_service.search_app_conversation_info()
+        assert len(user2_page.items) == 0, 'User2 should not see User1 conversation'
+
+        # But ADMIN should see ALL conversations including user1's
+        admin_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=ADMIN,
+        )
+
+        admin_page = await admin_service.search_app_conversation_info()
+        assert len(admin_page.items) == 1
+        assert admin_page.items[0].id == conv.id
+
+        # ADMIN should also be able to get specific conversation by ID
+        admin_get_conv = await admin_service.get_app_conversation_info(conv.id)
+        assert admin_get_conv is not None
+        assert admin_get_conv.id == conv.id
+
+    @pytest.mark.asyncio
+    async def test_secure_select_admin_bypasses_filtering(
+        self,
+        async_session_with_users: AsyncSession,
+    ):
+        """Test that _secure_select returns unfiltered query for ADMIN context."""
+        from openhands.app_server.user.specifiy_user_context import ADMIN
+
+        # Create an ADMIN service
+        admin_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=ADMIN,
+        )
+
+        # Get the secure select query
+        query = await admin_service._secure_select()
+
+        # Convert query to string to verify NO filters are present
+        query_str = str(query.compile(compile_kwargs={'literal_binds': True}))
+
+        # For ADMIN, there should be no user_id or org_id filtering
+        # The query should not contain filters for user_id or org_id
+        assert str(USER1_ID) not in query_str.replace(
+            '-', ''
+        ), 'ADMIN context should not filter by user_id'
+        assert str(USER2_ID) not in query_str.replace(
+            '-', ''
+        ), 'ADMIN context should not filter by user_id'
+
+    @pytest.mark.asyncio
+    async def test_regular_user_context_filters_correctly(
+        self,
+        async_session_with_users: AsyncSession,
+    ):
+        """Test that regular user context properly filters data (control test)."""
+        from openhands.app_server.user.specifiy_user_context import ADMIN
+
+        # Create conversations for different users
+        user1_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
+        )
+
+        # Create 3 conversations for user1
+        for i in range(3):
+            conv = AppConversationInfo(
+                id=uuid4(),
+                created_by_user_id=str(USER1_ID),
+                sandbox_id=f'sandbox_user1_{i}',
+                title=f'User1 Conversation {i}',
+            )
+            await user1_service.save_app_conversation_info(conv)
+
+        # Create 2 conversations for user2
+        user2_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=SpecifyUserContext(user_id=str(USER2_ID)),
+        )
+
+        for i in range(2):
+            conv = AppConversationInfo(
+                id=uuid4(),
+                created_by_user_id=str(USER2_ID),
+                sandbox_id=f'sandbox_user2_{i}',
+                title=f'User2 Conversation {i}',
+            )
+            await user2_service.save_app_conversation_info(conv)
+
+        # User1 should only see their 3 conversations
+        user1_page = await user1_service.search_app_conversation_info()
+        assert len(user1_page.items) == 3
+
+        # User2 should only see their 2 conversations
+        user2_page = await user2_service.search_app_conversation_info()
+        assert len(user2_page.items) == 2
+
+        # But ADMIN should see all 5 conversations
+        admin_service = SaasSQLAppConversationInfoService(
+            db_session=async_session_with_users,
+            user_context=ADMIN,
+        )
+
+        admin_page = await admin_service.search_app_conversation_info()
+        assert len(admin_page.items) == 5

enterprise/tests/unit/storage/test_user_app_settings_store.py

@@ -0,0 +1,204 @@
+"""
+Unit tests for UserAppSettingsStore.
+
+Tests the async database operations for user app settings.
+"""
+
+import uuid
+from unittest.mock import patch
+
+import pytest
+from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
+from sqlalchemy.pool import StaticPool
+
+# Mock the database module before importing
+with patch('storage.database.engine', create=True), patch(
+    'storage.database.a_engine', create=True
+):
+    from server.routes.user_app_settings_models import UserAppSettingsUpdate
+    from storage.base import Base
+    from storage.org import Org
+    from storage.user import User
+    from storage.user_app_settings_store import UserAppSettingsStore
+
+
+@pytest.fixture
+async def async_engine():
+    """Create an async SQLite engine for testing."""
+    engine = create_async_engine(
+        'sqlite+aiosqlite:///:memory:',
+        poolclass=StaticPool,
+        connect_args={'check_same_thread': False},
+        echo=False,
+    )
+    async with engine.begin() as conn:
+        await conn.run_sync(Base.metadata.create_all)
+    yield engine
+    await engine.dispose()
+
+
+@pytest.fixture
+async def async_session_maker(async_engine):
+    """Create an async session maker for testing."""
+    return async_sessionmaker(async_engine, class_=AsyncSession, expire_on_commit=False)
+
+
+@pytest.mark.asyncio
+async def test_get_user_by_id_success(async_session_maker):
+    """
+    GIVEN: A user exists in the database
+    WHEN: get_user_by_id is called with the user's ID
+    THEN: The user is returned with correct data
+    """
+    # Arrange
+    async with async_session_maker() as session:
+        org = Org(name='test-org')
+        session.add(org)
+        await session.flush()
+
+        user = User(
+            id=uuid.uuid4(),
+            current_org_id=org.id,
+            language='en',
+            user_consents_to_analytics=True,
+            enable_sound_notifications=False,
+            git_user_name='testuser',
+            git_user_email='test@example.com',
+        )
+        session.add(user)
+        await session.commit()
+        user_id = str(user.id)
+
+        # Act - create store with the session
+        store = UserAppSettingsStore(db_session=session)
+        result = await store.get_user_by_id(user_id)
+
+    # Assert
+    assert result is not None
+    assert str(result.id) == user_id
+    assert result.language == 'en'
+    assert result.user_consents_to_analytics is True
+    assert result.enable_sound_notifications is False
+    assert result.git_user_name == 'testuser'
+    assert result.git_user_email == 'test@example.com'
+
+
+@pytest.mark.asyncio
+async def test_get_user_by_id_not_found(async_session_maker):
+    """
+    GIVEN: A user does not exist in the database
+    WHEN: get_user_by_id is called with a non-existent ID
+    THEN: None is returned
+    """
+    # Arrange
+    non_existent_id = str(uuid.uuid4())
+
+    # Act
+    async with async_session_maker() as session:
+        store = UserAppSettingsStore(db_session=session)
+        result = await store.get_user_by_id(non_existent_id)
+
+    # Assert
+    assert result is None
+
+
+@pytest.mark.asyncio
+async def test_update_user_app_settings_success(async_session_maker):
+    """
+    GIVEN: A user exists in the database
+    WHEN: update_user_app_settings is called with new values
+    THEN: The user's settings are updated and returned
+    """
+    # Arrange
+    async with async_session_maker() as session:
+        org = Org(name='test-org')
+        session.add(org)
+        await session.flush()
+
+        user = User(
+            id=uuid.uuid4(),
+            current_org_id=org.id,
+            language='en',
+            user_consents_to_analytics=False,
+        )
+        session.add(user)
+        await session.commit()
+        user_id = str(user.id)
+
+        update_data = UserAppSettingsUpdate(
+            language='es',
+            user_consents_to_analytics=True,
+            enable_sound_notifications=True,
+            git_user_name='newuser',
+            git_user_email='new@example.com',
+        )
+
+        # Act - create store with the session
+        store = UserAppSettingsStore(db_session=session)
+        result = await store.update_user_app_settings(user_id, update_data)
+
+    # Assert
+    assert result is not None
+    assert result.language == 'es'
+    assert result.user_consents_to_analytics is True
+    assert result.enable_sound_notifications is True
+    assert result.git_user_name == 'newuser'
+    assert result.git_user_email == 'new@example.com'
+
+
+@pytest.mark.asyncio
+async def test_update_user_app_settings_partial(async_session_maker):
+    """
+    GIVEN: A user exists with existing settings
+    WHEN: update_user_app_settings is called with only some fields
+    THEN: Only the provided fields are updated, others remain unchanged
+    """
+    # Arrange
+    async with async_session_maker() as session:
+        org = Org(name='test-org')
+        session.add(org)
+        await session.flush()
+
+        user = User(
+            id=uuid.uuid4(),
+            current_org_id=org.id,
+            language='en',
+            user_consents_to_analytics=True,
+            git_user_name='original',
+        )
+        session.add(user)
+        await session.commit()
+        user_id = str(user.id)
+
+        # Only update language
+        update_data = UserAppSettingsUpdate(language='fr')
+
+        # Act - create store with the session
+        store = UserAppSettingsStore(db_session=session)
+        result = await store.update_user_app_settings(user_id, update_data)
+
+    # Assert
+    assert result is not None
+    assert result.language == 'fr'
+    assert result.user_consents_to_analytics is True  # Unchanged
+    assert result.git_user_name == 'original'  # Unchanged
+
+
+@pytest.mark.asyncio
+async def test_update_user_app_settings_user_not_found(async_session_maker):
+    """
+    GIVEN: A user does not exist in the database
+    WHEN: update_user_app_settings is called
+    THEN: None is returned
+    """
+    # Arrange
+    non_existent_id = str(uuid.uuid4())
+    update_data = UserAppSettingsUpdate(language='en')
+
+    # Act
+    async with async_session_maker() as session:
+        store = UserAppSettingsStore(db_session=session)
+        result = await store.update_user_app_settings(non_existent_id, update_data)
+
+    # Assert
+    assert result is None

enterprise/tests/unit/storage/test_verified_model_store.py

@@ -0,0 +1,123 @@
+"""Unit tests for VerifiedModelStore."""
+
+from unittest.mock import patch
+
+import pytest
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+from storage.base import Base
+from storage.verified_model_store import VerifiedModelStore
+
+
+@pytest.fixture
+def _mock_session_maker():
+    """Create an in-memory SQLite database and patch session_maker."""
+    engine = create_engine('sqlite:///:memory:')
+    Base.metadata.create_all(engine)
+    session_factory = sessionmaker(bind=engine)
+
+    with patch(
+        'storage.verified_model_store.session_maker',
+        side_effect=lambda **kwargs: session_factory(**kwargs),
+    ):
+        yield
+
+    Base.metadata.drop_all(engine)
+
+
+@pytest.fixture
+def _seed_models(_mock_session_maker):
+    """Seed the database with test models."""
+    VerifiedModelStore.create_model(model_name='claude-sonnet', provider='openhands')
+    VerifiedModelStore.create_model(model_name='claude-sonnet', provider='anthropic')
+    VerifiedModelStore.create_model(
+        model_name='gpt-4o', provider='openhands', is_enabled=False
+    )
+
+
+class TestCreateModel:
+    def test_create_model(self, _mock_session_maker):
+        model = VerifiedModelStore.create_model(
+            model_name='test-model', provider='test-provider'
+        )
+        assert model.model_name == 'test-model'
+        assert model.provider == 'test-provider'
+        assert model.is_enabled is True
+        assert model.id is not None
+
+    def test_create_duplicate_raises(self, _mock_session_maker):
+        VerifiedModelStore.create_model(model_name='test-model', provider='test')
+        with pytest.raises(ValueError, match='test/test-model already exists'):
+            VerifiedModelStore.create_model(model_name='test-model', provider='test')
+
+    def test_same_name_different_provider_allowed(self, _mock_session_maker):
+        VerifiedModelStore.create_model(model_name='claude', provider='openhands')
+        model = VerifiedModelStore.create_model(
+            model_name='claude', provider='anthropic'
+        )
+        assert model.provider == 'anthropic'
+
+
+class TestGetModel:
+    def test_get_model(self, _seed_models):
+        model = VerifiedModelStore.get_model('claude-sonnet', 'openhands')
+        assert model is not None
+        assert model.provider == 'openhands'
+
+    def test_get_model_not_found(self, _seed_models):
+        assert VerifiedModelStore.get_model('nonexistent', 'openhands') is None
+
+    def test_get_model_wrong_provider(self, _seed_models):
+        assert VerifiedModelStore.get_model('claude-sonnet', 'openai') is None
+
+
+class TestGetModels:
+    def test_get_all_models(self, _seed_models):
+        models = VerifiedModelStore.get_all_models()
+        assert len(models) == 3
+
+    def test_get_enabled_models(self, _seed_models):
+        models = VerifiedModelStore.get_enabled_models()
+        assert len(models) == 2
+        names = {m.model_name for m in models}
+        assert 'gpt-4o' not in names
+
+    def test_get_models_by_provider(self, _seed_models):
+        models = VerifiedModelStore.get_models_by_provider('openhands')
+        assert len(models) == 1
+        assert models[0].model_name == 'claude-sonnet'
+
+
+class TestUpdateModel:
+    def test_update_model(self, _seed_models):
+        updated = VerifiedModelStore.update_model(
+            model_name='claude-sonnet', provider='openhands', is_enabled=False
+        )
+        assert updated is not None
+        assert updated.is_enabled is False
+
+    def test_update_not_found(self, _seed_models):
+        assert (
+            VerifiedModelStore.update_model(
+                model_name='nonexistent', provider='openhands', is_enabled=False
+            )
+            is None
+        )
+
+    def test_update_no_change(self, _seed_models):
+        updated = VerifiedModelStore.update_model(
+            model_name='claude-sonnet', provider='openhands'
+        )
+        assert updated is not None
+        assert updated.is_enabled is True
+
+
+class TestDeleteModel:
+    def test_delete_model(self, _seed_models):
+        assert VerifiedModelStore.delete_model('claude-sonnet', 'openhands') is True
+        assert VerifiedModelStore.get_model('claude-sonnet', 'openhands') is None
+        # Other provider's version should still exist
+        assert VerifiedModelStore.get_model('claude-sonnet', 'anthropic') is not None
+
+    def test_delete_not_found(self, _seed_models):
+        assert VerifiedModelStore.delete_model('nonexistent', 'openhands') is False

enterprise/tests/unit/sync/test_resend_keycloak.py

@@ -1,6 +1,25 @@
-"""Tests for resend_keycloak email validation."""
+"""Tests for Resend Keycloak sync functionality."""
 
-from sync.resend_keycloak import is_valid_email
+import os
+from unittest.mock import MagicMock, patch
+
+import pytest
+from resend.exceptions import ResendError
+from tenacity import RetryError
+
+# Set required environment variables before importing the module
+# that reads them at import time
+os.environ['RESEND_API_KEY'] = 'test_api_key'
+os.environ['RESEND_AUDIENCE_ID'] = 'test_audience_id'
+os.environ['KEYCLOAK_SERVER_URL'] = 'http://localhost:8080'
+os.environ['KEYCLOAK_REALM_NAME'] = 'test_realm'
+os.environ['KEYCLOAK_ADMIN_PASSWORD'] = 'test_password'
+
+from enterprise.sync.resend_keycloak import (  # noqa: E402
+    add_contact_to_resend,
+    is_valid_email,
+    send_welcome_email,
+)
 
 
 class TestIsValidEmail:
@@ -115,3 +134,134 @@ class TestIsValidEmail:
         """Test that validation works for uppercase emails."""
         assert is_valid_email('USER@EXAMPLE.COM') is True
         assert is_valid_email('User@Example.Com') is True
+
+
+class TestSendWelcomeEmail:
+    """Tests for send_welcome_email function."""
+
+    @patch('enterprise.sync.resend_keycloak.resend.Emails.send')
+    def test_send_welcome_email_success(self, mock_send: MagicMock) -> None:
+        """Test successful welcome email sending."""
+        mock_send.return_value = {'id': 'email_123'}
+
+        result = send_welcome_email(
+            email='test@example.com',
+            first_name='John',
+            last_name='Doe',
+        )
+
+        assert result == {'id': 'email_123'}
+        mock_send.assert_called_once()
+        call_args = mock_send.call_args[0][0]
+        assert call_args['to'] == ['test@example.com']
+        assert call_args['subject'] == 'Welcome to OpenHands Cloud'
+        assert 'Hi John Doe,' in call_args['html']
+
+    @patch('enterprise.sync.resend_keycloak.resend.Emails.send')
+    def test_send_welcome_email_retries_on_rate_limit(
+        self, mock_send: MagicMock
+    ) -> None:
+        """Test that send_welcome_email retries on rate limit errors."""
+        # First two calls raise rate limit error, third succeeds
+        mock_send.side_effect = [
+            ResendError(
+                code=429,
+                message='Too many requests',
+                error_type='rate_limit_exceeded',
+                suggested_action='',
+            ),
+            ResendError(
+                code=429,
+                message='Too many requests',
+                error_type='rate_limit_exceeded',
+                suggested_action='',
+            ),
+            {'id': 'email_123'},
+        ]
+
+        result = send_welcome_email(
+            email='test@example.com',
+            first_name='John',
+            last_name='Doe',
+        )
+
+        assert result == {'id': 'email_123'}
+        assert mock_send.call_count == 3
+
+    @patch('enterprise.sync.resend_keycloak.resend.Emails.send')
+    def test_send_welcome_email_fails_after_max_retries(
+        self, mock_send: MagicMock
+    ) -> None:
+        """Test that send_welcome_email fails after max retries."""
+        # All calls raise rate limit error
+        mock_send.side_effect = ResendError(
+            code=429,
+            message='Too many requests',
+            error_type='rate_limit_exceeded',
+            suggested_action='',
+        )
+
+        # Tenacity wraps the final exception in RetryError
+        with pytest.raises(RetryError):
+            send_welcome_email(
+                email='test@example.com',
+                first_name='John',
+                last_name='Doe',
+            )
+
+        # Default MAX_RETRIES is 3
+        assert mock_send.call_count == 3
+
+    @patch('enterprise.sync.resend_keycloak.resend.Emails.send')
+    def test_send_welcome_email_no_name(self, mock_send: MagicMock) -> None:
+        """Test welcome email with no name provided."""
+        mock_send.return_value = {'id': 'email_123'}
+
+        result = send_welcome_email(email='test@example.com')
+
+        assert result == {'id': 'email_123'}
+        call_args = mock_send.call_args[0][0]
+        assert 'Hi there,' in call_args['html']
+
+
+class TestAddContactToResend:
+    """Tests for add_contact_to_resend function."""
+
+    @patch('enterprise.sync.resend_keycloak.resend.Contacts.create')
+    def test_add_contact_to_resend_success(self, mock_create: MagicMock) -> None:
+        """Test successful contact addition."""
+        mock_create.return_value = {'id': 'contact_123'}
+
+        result = add_contact_to_resend(
+            audience_id='test_audience',
+            email='test@example.com',
+            first_name='John',
+            last_name='Doe',
+        )
+
+        assert result == {'id': 'contact_123'}
+        mock_create.assert_called_once()
+
+    @patch('enterprise.sync.resend_keycloak.resend.Contacts.create')
+    def test_add_contact_to_resend_retries_on_rate_limit(
+        self, mock_create: MagicMock
+    ) -> None:
+        """Test that add_contact_to_resend retries on rate limit errors."""
+        # First call raises rate limit error, second succeeds
+        mock_create.side_effect = [
+            ResendError(
+                code=429,
+                message='Too many requests',
+                error_type='rate_limit_exceeded',
+                suggested_action='',
+            ),
+            {'id': 'contact_123'},
+        ]
+
+        result = add_contact_to_resend(
+            audience_id='test_audience',
+            email='test@example.com',
+        )
+
+        assert result == {'id': 'contact_123'}
+        assert mock_create.call_count == 2

enterprise/tests/unit/test_api_key_store.py

@@ -265,17 +265,17 @@ async def test_list_api_keys(
     # Verify
     mock_get_user.assert_called_once_with(user_id)
     assert len(result) == 2
-    assert result[0]['id'] == 1
-    assert result[0]['name'] == 'Key 1'
-    assert result[0]['created_at'] == now
-    assert result[0]['last_used_at'] == now
-    assert result[0]['expires_at'] == now + timedelta(days=30)
+    assert result[0].id == 1
+    assert result[0].name == 'Key 1'
+    assert result[0].created_at == now
+    assert result[0].last_used_at == now
+    assert result[0].expires_at == now + timedelta(days=30)
 
-    assert result[1]['id'] == 2
-    assert result[1]['name'] == 'Key 2'
-    assert result[1]['created_at'] == now
-    assert result[1]['last_used_at'] is None
-    assert result[1]['expires_at'] is None
+    assert result[1].id == 2
+    assert result[1].name == 'Key 2'
+    assert result[1].created_at == now
+    assert result[1].last_used_at is None
+    assert result[1].expires_at is None
 
 
 @pytest.mark.asyncio

enterprise/tests/unit/test_auth_invitation_callback.py

@@ -0,0 +1,181 @@
+"""Tests for auth callback invitation acceptance - EmailMismatchError handling."""
+
+import pytest
+
+
+class TestAuthCallbackInvitationEmailMismatch:
+    """Test cases for EmailMismatchError handling during auth callback."""
+
+    @pytest.fixture
+    def mock_redirect_url(self):
+        """Base redirect URL."""
+        return 'https://app.example.com/'
+
+    @pytest.fixture
+    def mock_user_id(self):
+        """Mock user ID."""
+        return '87654321-4321-8765-4321-876543218765'
+
+    def test_email_mismatch_appends_to_url_without_query_params(
+        self, mock_redirect_url, mock_user_id
+    ):
+        """Test that email_mismatch=true is appended correctly when URL has no query params."""
+        from server.routes.org_invitation_models import EmailMismatchError
+
+        # Simulate the logic from auth.py
+        redirect_url = mock_redirect_url
+        try:
+            raise EmailMismatchError('Your email does not match the invitation')
+        except EmailMismatchError:
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&email_mismatch=true'
+            else:
+                redirect_url = f'{redirect_url}?email_mismatch=true'
+
+        assert redirect_url == 'https://app.example.com/?email_mismatch=true'
+
+    def test_email_mismatch_appends_to_url_with_query_params(self, mock_user_id):
+        """Test that email_mismatch=true is appended correctly when URL has existing query params."""
+        from server.routes.org_invitation_models import EmailMismatchError
+
+        redirect_url = 'https://app.example.com/?other_param=value'
+        try:
+            raise EmailMismatchError()
+        except EmailMismatchError:
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&email_mismatch=true'
+            else:
+                redirect_url = f'{redirect_url}?email_mismatch=true'
+
+        assert (
+            redirect_url
+            == 'https://app.example.com/?other_param=value&email_mismatch=true'
+        )
+
+    def test_email_mismatch_error_has_default_message(self):
+        """Test that EmailMismatchError has the default message."""
+        from server.routes.org_invitation_models import EmailMismatchError
+
+        error = EmailMismatchError()
+        assert str(error) == 'Your email does not match the invitation'
+
+    def test_email_mismatch_error_accepts_custom_message(self):
+        """Test that EmailMismatchError accepts a custom message."""
+        from server.routes.org_invitation_models import EmailMismatchError
+
+        custom_message = 'Custom error message'
+        error = EmailMismatchError(custom_message)
+        assert str(error) == custom_message
+
+    def test_email_mismatch_error_is_invitation_error(self):
+        """Test that EmailMismatchError inherits from InvitationError."""
+        from server.routes.org_invitation_models import (
+            EmailMismatchError,
+            InvitationError,
+        )
+
+        error = EmailMismatchError()
+        assert isinstance(error, InvitationError)
+
+
+class TestInvitationTokenInOAuthState:
+    """Test cases for invitation token handling in OAuth state."""
+
+    def test_invitation_token_included_in_oauth_state(self):
+        """Test that invitation token is included in OAuth state data."""
+        import base64
+        import json
+
+        # Simulate building OAuth state with invitation token
+        state_data = {
+            'redirect_url': 'https://app.example.com/',
+            'invitation_token': 'inv-test-token-12345',
+        }
+
+        encoded_state = base64.b64encode(json.dumps(state_data).encode()).decode()
+        decoded_data = json.loads(base64.b64decode(encoded_state))
+
+        assert decoded_data['invitation_token'] == 'inv-test-token-12345'
+        assert decoded_data['redirect_url'] == 'https://app.example.com/'
+
+    def test_invitation_token_extracted_from_oauth_state(self):
+        """Test that invitation token can be extracted from OAuth state."""
+        import base64
+        import json
+
+        state_data = {
+            'redirect_url': 'https://app.example.com/',
+            'invitation_token': 'inv-test-token-12345',
+        }
+
+        encoded_state = base64.b64encode(json.dumps(state_data).encode()).decode()
+
+        # Simulate decoding in callback
+        decoded_state = json.loads(base64.b64decode(encoded_state))
+        invitation_token = decoded_state.get('invitation_token')
+
+        assert invitation_token == 'inv-test-token-12345'
+
+    def test_oauth_state_without_invitation_token(self):
+        """Test that OAuth state works without invitation token."""
+        import base64
+        import json
+
+        state_data = {
+            'redirect_url': 'https://app.example.com/',
+        }
+
+        encoded_state = base64.b64encode(json.dumps(state_data).encode()).decode()
+        decoded_data = json.loads(base64.b64decode(encoded_state))
+
+        assert 'invitation_token' not in decoded_data
+        assert decoded_data['redirect_url'] == 'https://app.example.com/'
+
+
+class TestAuthCallbackInvitationErrors:
+    """Test cases for various invitation error scenarios in auth callback."""
+
+    def test_invitation_expired_appends_flag(self):
+        """Test that invitation_expired=true is appended for expired invitations."""
+        from server.routes.org_invitation_models import InvitationExpiredError
+
+        redirect_url = 'https://app.example.com/'
+        try:
+            raise InvitationExpiredError()
+        except InvitationExpiredError:
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&invitation_expired=true'
+            else:
+                redirect_url = f'{redirect_url}?invitation_expired=true'
+
+        assert redirect_url == 'https://app.example.com/?invitation_expired=true'
+
+    def test_invitation_invalid_appends_flag(self):
+        """Test that invitation_invalid=true is appended for invalid invitations."""
+        from server.routes.org_invitation_models import InvitationInvalidError
+
+        redirect_url = 'https://app.example.com/'
+        try:
+            raise InvitationInvalidError()
+        except InvitationInvalidError:
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&invitation_invalid=true'
+            else:
+                redirect_url = f'{redirect_url}?invitation_invalid=true'
+
+        assert redirect_url == 'https://app.example.com/?invitation_invalid=true'
+
+    def test_already_member_appends_flag(self):
+        """Test that already_member=true is appended when user is already a member."""
+        from server.routes.org_invitation_models import UserAlreadyMemberError
+
+        redirect_url = 'https://app.example.com/'
+        try:
+            raise UserAlreadyMemberError()
+        except UserAlreadyMemberError:
+            if '?' in redirect_url:
+                redirect_url = f'{redirect_url}&already_member=true'
+            else:
+                redirect_url = f'{redirect_url}?already_member=true'
+
+        assert redirect_url == 'https://app.example.com/?already_member=true'

enterprise/tests/unit/test_auth_middleware.py

@@ -284,3 +284,85 @@ async def test_middleware_ignores_email_resend_path_no_tos_check(
         assert result == mock_response
         mock_call_next.assert_called_once_with(mock_request)
         # Should not raise TosNotAcceptedError for this path
+
+
+@pytest.mark.asyncio
+async def test_middleware_skips_webhook_endpoints(
+    middleware, mock_request, mock_response
+):
+    """Test middleware skips webhook endpoints (/api/v1/webhooks/*) and doesn't require auth."""
+    # Test various webhook paths
+    webhook_paths = [
+        '/api/v1/webhooks/events',
+        '/api/v1/webhooks/events/123',
+        '/api/v1/webhooks/stats',
+        '/api/v1/webhooks/parent-conversation',
+    ]
+
+    for path in webhook_paths:
+        mock_request.cookies = {}
+        mock_request.url = MagicMock()
+        mock_request.url.hostname = 'localhost'
+        mock_request.url.path = path
+        mock_call_next = AsyncMock(return_value=mock_response)
+
+        # Act
+        result = await middleware(mock_request, mock_call_next)
+
+        # Assert - middleware should skip auth check and call next
+        assert result == mock_response
+        mock_call_next.assert_called_once_with(mock_request)
+
+
+@pytest.mark.asyncio
+async def test_middleware_skips_webhook_secrets_endpoint(
+    middleware, mock_request, mock_response
+):
+    """Test middleware skips the old /api/v1/webhooks/secrets endpoint."""
+    # This was explicitly in ignore_paths but is now handled by the prefix check
+    mock_request.cookies = {}
+    mock_request.url = MagicMock()
+    mock_request.url.hostname = 'localhost'
+    mock_request.url.path = '/api/v1/webhooks/secrets'
+    mock_call_next = AsyncMock(return_value=mock_response)
+
+    # Act
+    result = await middleware(mock_request, mock_call_next)
+
+    # Assert - middleware should skip auth check and call next
+    assert result == mock_response
+    mock_call_next.assert_called_once_with(mock_request)
+
+
+@pytest.mark.asyncio
+async def test_middleware_does_not_skip_similar_non_webhook_paths(
+    middleware, mock_response
+):
+    """Test middleware does NOT skip paths that start with /api/v1/webhook (without 's')."""
+    # These paths should still be processed by the middleware (not skipped)
+    # They start with /api so _should_attach returns True, and since there's no auth,
+    # middleware should return 401 response (it catches NoCredentialsError internally)
+    non_webhook_paths = [
+        '/api/v1/webhook/events',
+        '/api/v1/webhook/something',
+    ]
+
+    for path in non_webhook_paths:
+        # Create a fresh mock request for each test
+        mock_request = MagicMock(spec=Request)
+        mock_request.cookies = {}
+        mock_request.url = MagicMock()
+        mock_request.url.hostname = 'localhost'
+        mock_request.url.path = path
+        mock_request.headers = MagicMock()
+        mock_request.headers.get = MagicMock(side_effect=lambda k: None)
+
+        # Since these paths start with /api, _should_attach returns True
+        # Since there's no auth, middleware catches NoCredentialsError and returns 401
+        mock_call_next = AsyncMock()
+        result = await middleware(mock_request, mock_call_next)
+
+        # Should return a 401 response, not raise an exception
+        assert result.status_code == status.HTTP_401_UNAUTHORIZED
+        # Should NOT call next for non-webhook paths when auth is missing
+        mock_call_next.assert_not_called()

enterprise/tests/unit/test_auth_routes.py

@@ -154,6 +154,7 @@ async def test_keycloak_callback_user_not_allowed(mock_request):
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.migrate_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_verifier.is_active.return_value = True
         mock_verifier.is_user_allowed.return_value = False
@@ -190,6 +191,7 @@ async def test_keycloak_callback_success_with_valid_offline_token(mock_request):
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.migrate_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_token_manager.get_keycloak_tokens = AsyncMock(
             return_value=('test_access_token', 'test_refresh_token')
@@ -262,6 +264,7 @@ async def test_keycloak_callback_email_not_verified(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         # Act
         result = await keycloak_callback(
@@ -310,6 +313,7 @@ async def test_keycloak_callback_email_not_verified_missing_field(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         # Act
         result = await keycloak_callback(
@@ -352,6 +356,7 @@ async def test_keycloak_callback_success_without_offline_token(mock_request):
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.migrate_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_token_manager.get_keycloak_tokens = AsyncMock(
             return_value=('test_access_token', 'test_refresh_token')
@@ -587,6 +592,7 @@ async def test_keycloak_callback_blocked_email_domain(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_domain_blocker.is_active.return_value = True
         mock_domain_blocker.is_domain_blocked.return_value = True
@@ -651,6 +657,7 @@ async def test_keycloak_callback_allowed_email_domain(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_domain_blocker.is_active.return_value = True
         mock_domain_blocker.is_domain_blocked.return_value = False
@@ -715,6 +722,7 @@ async def test_keycloak_callback_domain_blocking_inactive(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_domain_blocker.is_active.return_value = False
         mock_domain_blocker.is_domain_blocked.return_value = False
@@ -777,6 +785,7 @@ async def test_keycloak_callback_missing_email(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_domain_blocker.is_active.return_value = True
 
@@ -823,6 +832,7 @@ async def test_keycloak_callback_duplicate_email_detected(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         # Act
         result = await keycloak_callback(
@@ -868,6 +878,7 @@ async def test_keycloak_callback_duplicate_email_deletion_fails(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         # Act
         result = await keycloak_callback(
@@ -926,6 +937,7 @@ async def test_keycloak_callback_duplicate_check_exception(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_verifier.is_active.return_value = True
         mock_verifier.is_user_allowed.return_value = True
@@ -984,6 +996,7 @@ async def test_keycloak_callback_no_duplicate_email(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_verifier.is_active.return_value = True
         mock_verifier.is_user_allowed.return_value = True
@@ -1045,6 +1058,7 @@ async def test_keycloak_callback_no_email_in_user_info(mock_request):
         mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
         mock_user_store.create_user = AsyncMock(return_value=mock_user)
         mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
 
         mock_verifier.is_active.return_value = True
         mock_verifier.is_user_allowed.return_value = True
@@ -1202,6 +1216,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_verifier.is_active.return_value = True
             mock_verifier.is_user_allowed.return_value = True
@@ -1267,6 +1282,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_domain_blocker.is_domain_blocked.return_value = False
 
@@ -1350,6 +1366,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_verifier.is_active.return_value = True
             mock_verifier.is_user_allowed.return_value = True
@@ -1438,6 +1455,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_verifier.is_active.return_value = True
             mock_verifier.is_user_allowed.return_value = True
@@ -1523,6 +1541,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_verifier.is_active.return_value = True
             mock_verifier.is_user_allowed.return_value = True
@@ -1607,6 +1626,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_verifier.is_active.return_value = True
             mock_verifier.is_user_allowed.return_value = True
@@ -1688,6 +1708,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_verifier.is_active.return_value = True
             mock_verifier.is_user_allowed.return_value = True
@@ -1755,6 +1776,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_verifier.is_active.return_value = True
             mock_verifier.is_user_allowed.return_value = True
@@ -1828,6 +1850,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_verifier.is_active.return_value = True
             mock_verifier.is_user_allowed.return_value = True
@@ -1899,6 +1922,7 @@ class TestKeycloakCallbackRecaptcha:
             mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
             mock_user_store.create_user = AsyncMock(return_value=mock_user)
             mock_user_store.backfill_contact_name = AsyncMock()
+            mock_user_store.backfill_user_email = AsyncMock()
 
             mock_domain_blocker.is_domain_blocked.return_value = False
 
@@ -1918,3 +1942,57 @@ class TestKeycloakCallbackRecaptcha:
             assert call_kwargs[0][0] == 'recaptcha_blocked_at_callback'
             assert call_kwargs[1]['extra']['score'] == 0.2
             assert call_kwargs[1]['extra']['user_id'] == 'test_user_id'
+
+
+@pytest.mark.asyncio
+async def test_keycloak_callback_calls_backfill_user_email_for_existing_user(
+    mock_request,
+):
+    """When an existing user logs in, backfill_user_email should be called."""
+    user_info = {
+        'sub': 'test_user_id',
+        'preferred_username': 'test_user',
+        'identity_provider': 'github',
+        'email': 'test@example.com',
+        'email_verified': True,
+    }
+
+    with (
+        patch('server.routes.auth.token_manager') as mock_token_manager,
+        patch('server.routes.auth.user_verifier') as mock_verifier,
+        patch('server.routes.auth.set_response_cookie'),
+        patch('server.routes.auth.UserStore') as mock_user_store,
+        patch('server.routes.auth.posthog'),
+    ):
+        mock_user = MagicMock()
+        mock_user.id = 'test_user_id'
+        mock_user.current_org_id = 'test_org_id'
+        mock_user.accepted_tos = '2025-01-01'
+
+        mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user)
+        mock_user_store.create_user = AsyncMock(return_value=mock_user)
+        mock_user_store.backfill_contact_name = AsyncMock()
+        mock_user_store.backfill_user_email = AsyncMock()
+
+        mock_token_manager.get_keycloak_tokens = AsyncMock(
+            return_value=('test_access_token', 'test_refresh_token')
+        )
+        mock_token_manager.get_user_info = AsyncMock(return_value=user_info)
+        mock_token_manager.store_idp_tokens = AsyncMock()
+        mock_token_manager.validate_offline_token = AsyncMock(return_value=True)
+        mock_token_manager.check_duplicate_base_email = AsyncMock(return_value=False)
+
+        mock_verifier.is_active.return_value = True
+        mock_verifier.is_user_allowed.return_value = True
+
+        result = await keycloak_callback(
+            code='test_code', state='test_state', request=mock_request
+        )
+
+        assert isinstance(result, RedirectResponse)
+        assert result.status_code == 302
+
+        # backfill_user_email should have been called with the user_id and user_info
+        mock_user_store.backfill_user_email.assert_called_once_with(
+            'test_user_id', user_info
+        )

enterprise/tests/unit/test_authorization.py

@@ -0,0 +1,756 @@
+"""
+Unit tests for permission-based authorization (authorization.py).
+
+Tests the FastAPI dependencies that validate user permissions within organizations.
+"""
+
+from unittest.mock import AsyncMock, MagicMock, patch
+from uuid import uuid4
+
+import pytest
+from fastapi import HTTPException
+from server.auth.authorization import (
+    ROLE_PERMISSIONS,
+    Permission,
+    RoleName,
+    get_role_permissions,
+    get_user_org_role,
+    has_permission,
+    require_permission,
+)
+
+# =============================================================================
+# Tests for Permission enum
+# =============================================================================
+
+
+class TestPermission:
+    """Tests for Permission enum."""
+
+    def test_permission_values(self):
+        """
+        GIVEN: Permission enum
+        WHEN: Accessing permission values
+        THEN: All expected permissions exist with correct string values
+        """
+        assert Permission.MANAGE_SECRETS.value == 'manage_secrets'
+        assert Permission.MANAGE_MCP.value == 'manage_mcp'
+        assert Permission.MANAGE_INTEGRATIONS.value == 'manage_integrations'
+        assert (
+            Permission.MANAGE_APPLICATION_SETTINGS.value
+            == 'manage_application_settings'
+        )
+        assert Permission.MANAGE_API_KEYS.value == 'manage_api_keys'
+        assert Permission.VIEW_LLM_SETTINGS.value == 'view_llm_settings'
+        assert Permission.EDIT_LLM_SETTINGS.value == 'edit_llm_settings'
+        assert Permission.VIEW_BILLING.value == 'view_billing'
+        assert Permission.ADD_CREDITS.value == 'add_credits'
+        assert (
+            Permission.INVITE_USER_TO_ORGANIZATION.value
+            == 'invite_user_to_organization'
+        )
+        assert Permission.CHANGE_USER_ROLE_MEMBER.value == 'change_user_role:member'
+        assert Permission.CHANGE_USER_ROLE_ADMIN.value == 'change_user_role:admin'
+        assert Permission.CHANGE_USER_ROLE_OWNER.value == 'change_user_role:owner'
+        assert Permission.VIEW_ORG_SETTINGS.value == 'view_org_settings'
+        assert Permission.CHANGE_ORGANIZATION_NAME.value == 'change_organization_name'
+        assert Permission.DELETE_ORGANIZATION.value == 'delete_organization'
+
+    def test_permission_from_string(self):
+        """
+        GIVEN: Valid permission string
+        WHEN: Creating Permission from string
+        THEN: Correct enum value is returned
+        """
+        assert Permission('manage_secrets') == Permission.MANAGE_SECRETS
+        assert Permission('view_llm_settings') == Permission.VIEW_LLM_SETTINGS
+        assert Permission('delete_organization') == Permission.DELETE_ORGANIZATION
+
+    def test_permission_invalid_string(self):
+        """
+        GIVEN: Invalid permission string
+        WHEN: Creating Permission from string
+        THEN: ValueError is raised
+        """
+        with pytest.raises(ValueError):
+            Permission('invalid_permission')
+
+
+# =============================================================================
+# Tests for RoleName enum
+# =============================================================================
+
+
+class TestRoleName:
+    """Tests for RoleName enum."""
+
+    def test_role_name_values(self):
+        """
+        GIVEN: RoleName enum
+        WHEN: Accessing role name values
+        THEN: All expected roles exist with correct string values
+        """
+        assert RoleName.OWNER.value == 'owner'
+        assert RoleName.ADMIN.value == 'admin'
+        assert RoleName.MEMBER.value == 'member'
+
+    def test_role_name_from_string(self):
+        """
+        GIVEN: Valid role name string
+        WHEN: Creating RoleName from string
+        THEN: Correct enum value is returned
+        """
+        assert RoleName('owner') == RoleName.OWNER
+        assert RoleName('admin') == RoleName.ADMIN
+        assert RoleName('member') == RoleName.MEMBER
+
+    def test_role_name_invalid_string(self):
+        """
+        GIVEN: Invalid role name string
+        WHEN: Creating RoleName from string
+        THEN: ValueError is raised
+        """
+        with pytest.raises(ValueError):
+            RoleName('invalid_role')
+
+
+# =============================================================================
+# Tests for ROLE_PERMISSIONS mapping
+# =============================================================================
+
+
+class TestRolePermissions:
+    """Tests for role permission mappings."""
+
+    def test_owner_has_all_permissions(self):
+        """
+        GIVEN: ROLE_PERMISSIONS mapping
+        WHEN: Checking owner permissions
+        THEN: Owner has all permissions including owner-only permissions
+        """
+        owner_perms = ROLE_PERMISSIONS[RoleName.OWNER]
+        assert Permission.MANAGE_SECRETS in owner_perms
+        assert Permission.MANAGE_MCP in owner_perms
+        assert Permission.VIEW_LLM_SETTINGS in owner_perms
+        assert Permission.EDIT_LLM_SETTINGS in owner_perms
+        assert Permission.VIEW_BILLING in owner_perms
+        assert Permission.ADD_CREDITS in owner_perms
+        assert Permission.INVITE_USER_TO_ORGANIZATION in owner_perms
+        assert Permission.CHANGE_USER_ROLE_MEMBER in owner_perms
+        assert Permission.CHANGE_USER_ROLE_ADMIN in owner_perms
+        assert Permission.CHANGE_USER_ROLE_OWNER in owner_perms
+        assert Permission.CHANGE_ORGANIZATION_NAME in owner_perms
+        assert Permission.DELETE_ORGANIZATION in owner_perms
+
+    def test_admin_has_admin_permissions(self):
+        """
+        GIVEN: ROLE_PERMISSIONS mapping
+        WHEN: Checking admin permissions
+        THEN: Admin has admin permissions but not owner-only permissions
+        """
+        admin_perms = ROLE_PERMISSIONS[RoleName.ADMIN]
+        assert Permission.MANAGE_SECRETS in admin_perms
+        assert Permission.MANAGE_MCP in admin_perms
+        assert Permission.VIEW_LLM_SETTINGS in admin_perms
+        assert Permission.EDIT_LLM_SETTINGS in admin_perms
+        assert Permission.VIEW_BILLING in admin_perms
+        assert Permission.ADD_CREDITS in admin_perms
+        assert Permission.INVITE_USER_TO_ORGANIZATION in admin_perms
+        assert Permission.CHANGE_USER_ROLE_MEMBER in admin_perms
+        assert Permission.CHANGE_USER_ROLE_ADMIN in admin_perms
+        # Admin should NOT have owner-only permissions
+        assert Permission.CHANGE_USER_ROLE_OWNER not in admin_perms
+        assert Permission.CHANGE_ORGANIZATION_NAME not in admin_perms
+        assert Permission.DELETE_ORGANIZATION not in admin_perms
+
+    def test_member_has_limited_permissions(self):
+        """
+        GIVEN: ROLE_PERMISSIONS mapping
+        WHEN: Checking member permissions
+        THEN: Member has limited permissions
+        """
+        member_perms = ROLE_PERMISSIONS[RoleName.MEMBER]
+        # Member has basic settings permissions
+        assert Permission.MANAGE_SECRETS in member_perms
+        assert Permission.MANAGE_MCP in member_perms
+        assert Permission.MANAGE_INTEGRATIONS in member_perms
+        assert Permission.MANAGE_APPLICATION_SETTINGS in member_perms
+        assert Permission.MANAGE_API_KEYS in member_perms
+        assert Permission.VIEW_LLM_SETTINGS in member_perms
+        assert Permission.VIEW_ORG_SETTINGS in member_perms
+        # Member should NOT have admin/owner permissions
+        assert Permission.EDIT_LLM_SETTINGS not in member_perms
+        assert Permission.VIEW_BILLING not in member_perms
+        assert Permission.ADD_CREDITS not in member_perms
+        assert Permission.INVITE_USER_TO_ORGANIZATION not in member_perms
+        assert Permission.CHANGE_USER_ROLE_MEMBER not in member_perms
+        assert Permission.CHANGE_USER_ROLE_ADMIN not in member_perms
+        assert Permission.CHANGE_USER_ROLE_OWNER not in member_perms
+        assert Permission.CHANGE_ORGANIZATION_NAME not in member_perms
+        assert Permission.DELETE_ORGANIZATION not in member_perms
+
+
+# =============================================================================
+# Tests for get_role_permissions function
+# =============================================================================
+
+
+class TestGetRolePermissions:
+    """Tests for get_role_permissions function."""
+
+    def test_get_owner_permissions(self):
+        """
+        GIVEN: Role name 'owner'
+        WHEN: get_role_permissions is called
+        THEN: Owner permissions are returned
+        """
+        perms = get_role_permissions('owner')
+        assert Permission.DELETE_ORGANIZATION in perms
+        assert Permission.CHANGE_ORGANIZATION_NAME in perms
+
+    def test_get_admin_permissions(self):
+        """
+        GIVEN: Role name 'admin'
+        WHEN: get_role_permissions is called
+        THEN: Admin permissions are returned
+        """
+        perms = get_role_permissions('admin')
+        assert Permission.EDIT_LLM_SETTINGS in perms
+        assert Permission.DELETE_ORGANIZATION not in perms
+
+    def test_get_member_permissions(self):
+        """
+        GIVEN: Role name 'member'
+        WHEN: get_role_permissions is called
+        THEN: Member permissions are returned
+        """
+        perms = get_role_permissions('member')
+        assert Permission.VIEW_LLM_SETTINGS in perms
+        assert Permission.EDIT_LLM_SETTINGS not in perms
+
+    def test_get_invalid_role_permissions(self):
+        """
+        GIVEN: Invalid role name
+        WHEN: get_role_permissions is called
+        THEN: Empty frozenset is returned
+        """
+        perms = get_role_permissions('invalid_role')
+        assert perms == frozenset()
+
+
+# =============================================================================
+# Tests for has_permission function
+# =============================================================================
+
+
+class TestHasPermission:
+    """Tests for has_permission function."""
+
+    def test_owner_has_delete_organization_permission(self):
+        """
+        GIVEN: User with owner role
+        WHEN: Checking for DELETE_ORGANIZATION permission
+        THEN: Returns True
+        """
+        mock_role = MagicMock()
+        mock_role.name = 'owner'
+        assert has_permission(mock_role, Permission.DELETE_ORGANIZATION) is True
+
+    def test_owner_has_view_llm_settings_permission(self):
+        """
+        GIVEN: User with owner role
+        WHEN: Checking for VIEW_LLM_SETTINGS permission
+        THEN: Returns True
+        """
+        mock_role = MagicMock()
+        mock_role.name = 'owner'
+        assert has_permission(mock_role, Permission.VIEW_LLM_SETTINGS) is True
+
+    def test_admin_has_edit_llm_settings_permission(self):
+        """
+        GIVEN: User with admin role
+        WHEN: Checking for EDIT_LLM_SETTINGS permission
+        THEN: Returns True
+        """
+        mock_role = MagicMock()
+        mock_role.name = 'admin'
+        assert has_permission(mock_role, Permission.EDIT_LLM_SETTINGS) is True
+
+    def test_admin_lacks_delete_organization_permission(self):
+        """
+        GIVEN: User with admin role
+        WHEN: Checking for DELETE_ORGANIZATION permission
+        THEN: Returns False
+        """
+        mock_role = MagicMock()
+        mock_role.name = 'admin'
+        assert has_permission(mock_role, Permission.DELETE_ORGANIZATION) is False
+
+    def test_member_has_view_llm_settings_permission(self):
+        """
+        GIVEN: User with member role
+        WHEN: Checking for VIEW_LLM_SETTINGS permission
+        THEN: Returns True
+        """
+        mock_role = MagicMock()
+        mock_role.name = 'member'
+        assert has_permission(mock_role, Permission.VIEW_LLM_SETTINGS) is True
+
+    def test_member_lacks_edit_llm_settings_permission(self):
+        """
+        GIVEN: User with member role
+        WHEN: Checking for EDIT_LLM_SETTINGS permission
+        THEN: Returns False
+        """
+        mock_role = MagicMock()
+        mock_role.name = 'member'
+        assert has_permission(mock_role, Permission.EDIT_LLM_SETTINGS) is False
+
+    def test_member_lacks_delete_organization_permission(self):
+        """
+        GIVEN: User with member role
+        WHEN: Checking for DELETE_ORGANIZATION permission
+        THEN: Returns False
+        """
+        mock_role = MagicMock()
+        mock_role.name = 'member'
+        assert has_permission(mock_role, Permission.DELETE_ORGANIZATION) is False
+
+    def test_invalid_role_has_no_permissions(self):
+        """
+        GIVEN: User with invalid role
+        WHEN: Checking for any permission
+        THEN: Returns False
+        """
+        mock_role = MagicMock()
+        mock_role.name = 'invalid_role'
+        assert has_permission(mock_role, Permission.VIEW_LLM_SETTINGS) is False
+        assert has_permission(mock_role, Permission.DELETE_ORGANIZATION) is False
+
+
+# =============================================================================
+# Tests for get_user_org_role function
+# =============================================================================
+
+
+class TestGetUserOrgRole:
+    """Tests for get_user_org_role function."""
+
+    def test_returns_role_when_member_exists(self):
+        """
+        GIVEN: User is a member of organization with role
+        WHEN: get_user_org_role is called
+        THEN: Role object is returned
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_org_member = MagicMock()
+        mock_org_member.role_id = 1
+
+        mock_role = MagicMock()
+        mock_role.name = 'admin'
+
+        with (
+            patch(
+                'server.auth.authorization.OrgMemberStore.get_org_member',
+                return_value=mock_org_member,
+            ),
+            patch(
+                'server.auth.authorization.RoleStore.get_role_by_id',
+                return_value=mock_role,
+            ),
+        ):
+            result = get_user_org_role(user_id, org_id)
+            assert result == mock_role
+
+    def test_returns_none_when_not_member(self):
+        """
+        GIVEN: User is not a member of organization
+        WHEN: get_user_org_role is called
+        THEN: None is returned
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        with patch(
+            'server.auth.authorization.OrgMemberStore.get_org_member',
+            return_value=None,
+        ):
+            result = get_user_org_role(user_id, org_id)
+            assert result is None
+
+    def test_returns_role_when_org_id_is_none(self):
+        """
+        GIVEN: User with a current organization
+        WHEN: get_user_org_role is called with org_id=None
+        THEN: Role object is returned using get_org_member_for_current_org
+        """
+        user_id = str(uuid4())
+
+        mock_org_member = MagicMock()
+        mock_org_member.role_id = 1
+
+        mock_role = MagicMock()
+        mock_role.name = 'admin'
+
+        with (
+            patch(
+                'server.auth.authorization.OrgMemberStore.get_org_member_for_current_org',
+                return_value=mock_org_member,
+            ) as mock_get_current,
+            patch(
+                'server.auth.authorization.OrgMemberStore.get_org_member',
+            ) as mock_get_org_member,
+            patch(
+                'server.auth.authorization.RoleStore.get_role_by_id',
+                return_value=mock_role,
+            ),
+        ):
+            result = get_user_org_role(user_id, None)
+            assert result == mock_role
+            mock_get_current.assert_called_once()
+            mock_get_org_member.assert_not_called()
+
+    def test_returns_none_when_org_id_is_none_and_no_current_org(self):
+        """
+        GIVEN: User with no current organization membership
+        WHEN: get_user_org_role is called with org_id=None
+        THEN: None is returned
+        """
+        user_id = str(uuid4())
+
+        with patch(
+            'server.auth.authorization.OrgMemberStore.get_org_member_for_current_org',
+            return_value=None,
+        ):
+            result = get_user_org_role(user_id, None)
+            assert result is None
+
+
+# =============================================================================
+# Tests for require_permission dependency
+# =============================================================================
+
+
+class TestRequirePermission:
+    """Tests for require_permission dependency factory."""
+
+    @pytest.mark.asyncio
+    async def test_returns_user_id_when_authorized(self):
+        """
+        GIVEN: User with required permission
+        WHEN: Permission checker is called
+        THEN: User ID is returned
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'admin'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ):
+            permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
+            result = await permission_checker(org_id=org_id, user_id=user_id)
+            assert result == user_id
+
+    @pytest.mark.asyncio
+    async def test_raises_401_when_not_authenticated(self):
+        """
+        GIVEN: No user ID (not authenticated)
+        WHEN: Permission checker is called
+        THEN: 401 Unauthorized is raised
+        """
+        org_id = uuid4()
+
+        permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
+        with pytest.raises(HTTPException) as exc_info:
+            await permission_checker(org_id=org_id, user_id=None)
+
+        assert exc_info.value.status_code == 401
+        assert 'not authenticated' in exc_info.value.detail.lower()
+
+    @pytest.mark.asyncio
+    async def test_raises_403_when_not_member(self):
+        """
+        GIVEN: User is not a member of organization
+        WHEN: Permission checker is called
+        THEN: 403 Forbidden is raised
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=None),
+        ):
+            permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
+            with pytest.raises(HTTPException) as exc_info:
+                await permission_checker(org_id=org_id, user_id=user_id)
+
+            assert exc_info.value.status_code == 403
+            assert 'not a member' in exc_info.value.detail.lower()
+
+    @pytest.mark.asyncio
+    async def test_raises_403_when_insufficient_permission(self):
+        """
+        GIVEN: User without required permission
+        WHEN: Permission checker is called
+        THEN: 403 Forbidden is raised
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'member'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ):
+            permission_checker = require_permission(Permission.DELETE_ORGANIZATION)
+            with pytest.raises(HTTPException) as exc_info:
+                await permission_checker(org_id=org_id, user_id=user_id)
+
+            assert exc_info.value.status_code == 403
+            assert 'delete_organization' in exc_info.value.detail.lower()
+
+    @pytest.mark.asyncio
+    async def test_owner_can_delete_organization(self):
+        """
+        GIVEN: User with owner role
+        WHEN: DELETE_ORGANIZATION permission is required
+        THEN: User ID is returned
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'owner'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ):
+            permission_checker = require_permission(Permission.DELETE_ORGANIZATION)
+            result = await permission_checker(org_id=org_id, user_id=user_id)
+            assert result == user_id
+
+    @pytest.mark.asyncio
+    async def test_admin_cannot_delete_organization(self):
+        """
+        GIVEN: User with admin role
+        WHEN: DELETE_ORGANIZATION permission is required
+        THEN: 403 Forbidden is raised
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'admin'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ):
+            permission_checker = require_permission(Permission.DELETE_ORGANIZATION)
+            with pytest.raises(HTTPException) as exc_info:
+                await permission_checker(org_id=org_id, user_id=user_id)
+
+            assert exc_info.value.status_code == 403
+
+    @pytest.mark.asyncio
+    async def test_logs_warning_on_insufficient_permission(self):
+        """
+        GIVEN: User without required permission
+        WHEN: Permission checker is called
+        THEN: Warning is logged with details
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'member'
+
+        with (
+            patch(
+                'server.auth.authorization.get_user_org_role_async',
+                AsyncMock(return_value=mock_role),
+            ),
+            patch('server.auth.authorization.logger') as mock_logger,
+        ):
+            permission_checker = require_permission(Permission.DELETE_ORGANIZATION)
+            with pytest.raises(HTTPException):
+                await permission_checker(org_id=org_id, user_id=user_id)
+
+            mock_logger.warning.assert_called()
+            call_args = mock_logger.warning.call_args
+            assert call_args[1]['extra']['user_id'] == user_id
+            assert call_args[1]['extra']['user_role'] == 'member'
+            assert call_args[1]['extra']['required_permission'] == 'delete_organization'
+
+    @pytest.mark.asyncio
+    async def test_returns_user_id_when_org_id_is_none(self):
+        """
+        GIVEN: User with required permission in their current org
+        WHEN: Permission checker is called with org_id=None
+        THEN: User ID is returned
+        """
+        user_id = str(uuid4())
+
+        mock_role = MagicMock()
+        mock_role.name = 'admin'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ) as mock_get_role:
+            permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
+            result = await permission_checker(org_id=None, user_id=user_id)
+            assert result == user_id
+            mock_get_role.assert_called_once_with(user_id, None)
+
+    @pytest.mark.asyncio
+    async def test_raises_403_when_org_id_is_none_and_not_member(self):
+        """
+        GIVEN: User not a member of their current organization
+        WHEN: Permission checker is called with org_id=None
+        THEN: HTTPException with 403 status is raised
+        """
+        user_id = str(uuid4())
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=None),
+        ):
+            permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
+            with pytest.raises(HTTPException) as exc_info:
+                await permission_checker(org_id=None, user_id=user_id)
+
+            assert exc_info.value.status_code == 403
+            assert 'not a member' in exc_info.value.detail
+
+
+# =============================================================================
+# Tests for permission-based access control scenarios
+# =============================================================================
+
+
+class TestPermissionScenarios:
+    """Tests for real-world permission scenarios."""
+
+    @pytest.mark.asyncio
+    async def test_member_can_manage_secrets(self):
+        """
+        GIVEN: User with member role
+        WHEN: MANAGE_SECRETS permission is required
+        THEN: User ID is returned
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'member'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ):
+            permission_checker = require_permission(Permission.MANAGE_SECRETS)
+            result = await permission_checker(org_id=org_id, user_id=user_id)
+            assert result == user_id
+
+    @pytest.mark.asyncio
+    async def test_member_cannot_invite_users(self):
+        """
+        GIVEN: User with member role
+        WHEN: INVITE_USER_TO_ORGANIZATION permission is required
+        THEN: 403 Forbidden is raised
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'member'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ):
+            permission_checker = require_permission(
+                Permission.INVITE_USER_TO_ORGANIZATION
+            )
+            with pytest.raises(HTTPException) as exc_info:
+                await permission_checker(org_id=org_id, user_id=user_id)
+
+            assert exc_info.value.status_code == 403
+
+    @pytest.mark.asyncio
+    async def test_admin_can_invite_users(self):
+        """
+        GIVEN: User with admin role
+        WHEN: INVITE_USER_TO_ORGANIZATION permission is required
+        THEN: User ID is returned
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'admin'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ):
+            permission_checker = require_permission(
+                Permission.INVITE_USER_TO_ORGANIZATION
+            )
+            result = await permission_checker(org_id=org_id, user_id=user_id)
+            assert result == user_id
+
+    @pytest.mark.asyncio
+    async def test_admin_cannot_change_owner_role(self):
+        """
+        GIVEN: User with admin role
+        WHEN: CHANGE_USER_ROLE_OWNER permission is required
+        THEN: 403 Forbidden is raised
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'admin'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ):
+            permission_checker = require_permission(Permission.CHANGE_USER_ROLE_OWNER)
+            with pytest.raises(HTTPException) as exc_info:
+                await permission_checker(org_id=org_id, user_id=user_id)
+
+            assert exc_info.value.status_code == 403
+
+    @pytest.mark.asyncio
+    async def test_owner_can_change_owner_role(self):
+        """
+        GIVEN: User with owner role
+        WHEN: CHANGE_USER_ROLE_OWNER permission is required
+        THEN: User ID is returned
+        """
+        user_id = str(uuid4())
+        org_id = uuid4()
+
+        mock_role = MagicMock()
+        mock_role.name = 'owner'
+
+        with patch(
+            'server.auth.authorization.get_user_org_role_async',
+            AsyncMock(return_value=mock_role),
+        ):
+            permission_checker = require_permission(Permission.CHANGE_USER_ROLE_OWNER)
+            result = await permission_checker(org_id=org_id, user_id=user_id)
+            assert result == user_id

enterprise/tests/unit/test_billing.py

@@ -101,7 +101,7 @@ async def test_get_credits_success():
         json={
             'user_info': {
                 'spend': 25.50,
-                'litellm_budget_table': {'max_budget': 100.00},
+                'max_budget_in_team': 100.00,
             }
         },
         request=MagicMock(),
@@ -121,7 +121,7 @@ async def test_get_credits_success():
             'storage.lite_llm_manager.LiteLlmManager.get_user_team_info',
             return_value={
                 'spend': 25.50,
-                'litellm_budget_table': {'max_budget': 100.00},
+                'max_budget_in_team': 100.00,
             },
         ),
     ):
@@ -291,7 +291,7 @@ async def test_success_callback_stripe_incomplete():
 
 @pytest.mark.asyncio
 async def test_success_callback_success():
-    """Test successful payment completion and credit update (bonus already granted)."""
+    """Test successful payment completion and credit update."""
     mock_request = Request(scope={'type': 'http'})
     mock_request._base_url = URL('http://test.com/')
 
@@ -300,7 +300,6 @@ async def test_success_callback_success():
     mock_billing_session.user_id = 'mock_user'
 
     mock_org = MagicMock()
-    mock_org.pending_free_credits = False  # Not eligible (old org or already granted)
 
     with (
         patch('server.routes.billing.session_maker') as mock_session_maker,
@@ -314,7 +313,7 @@ async def test_success_callback_success():
             'storage.lite_llm_manager.LiteLlmManager.get_user_team_info',
             return_value={
                 'spend': 25.50,
-                'litellm_budget_table': {'max_budget': 100.00},
+                'max_budget_in_team': 100.00,
             },
         ),
         patch(
@@ -347,10 +346,10 @@ async def test_success_callback_success():
             == 'https://test.com/settings/billing?checkout=success'
         )
 
-        # Verify LiteLLM API calls - no bonus since not eligible
+        # Verify LiteLLM API calls
         mock_update_budget.assert_called_once_with(
             'mock_org_id',
-            125.0,  # 100 + 25.00 (no bonus)
+            125.0,  # 100 + 25.00
         )
 
         # Verify BYOR export is enabled for the org (updated in same session)
@@ -363,92 +362,6 @@ async def test_success_callback_success():
         mock_db_session.commit.assert_called_once()
 
 
-@pytest.mark.asyncio
-@pytest.mark.parametrize(
-    'initial_budget,purchase_cents,pending_credits,expected_final_budget,expected_pending_after',
-    [
-        # New user buys $10 -> gets free credits, pending becomes False
-        (0, 1000, True, 20.0, False),
-        # New user buys $5 -> below threshold, no free credits yet, pending stays True
-        (0, 500, True, 5.0, True),
-        # User with $5 buys $5 more -> reaches threshold, gets free credits
-        (5.0, 500, True, 20.0, False),
-        # User with $5 buys $3 -> below threshold, no free credits yet
-        (5.0, 300, True, 8.0, True),
-        # Old user (not pending) buys $25 -> no free credits, stays False
-        (20.0, 2500, False, 45.0, False),
-    ],
-    ids=[
-        'new_user_buys_10_gets_free_credits',
-        'new_user_buys_5_below_threshold',
-        'user_with_5_buys_5_reaches_threshold',
-        'user_with_5_buys_3_below_threshold',
-        'old_user_not_eligible',
-    ],
-)
-async def test_success_callback_free_credits(
-    initial_budget,
-    purchase_cents,
-    pending_credits,
-    expected_final_budget,
-    expected_pending_after,
-):
-    """Test free credits are granted only when pending and threshold is met."""
-    mock_request = Request(scope={'type': 'http'})
-    mock_request._base_url = URL('http://test.com/')
-
-    mock_billing_session = MagicMock()
-    mock_billing_session.status = 'in_progress'
-    mock_billing_session.user_id = 'mock_user'
-
-    mock_org = MagicMock()
-    mock_org.pending_free_credits = pending_credits
-
-    with (
-        patch('server.routes.billing.session_maker') as mock_session_maker,
-        patch('stripe.checkout.Session.retrieve') as mock_stripe_retrieve,
-        patch(
-            'storage.user_store.UserStore.get_user_by_id_async',
-            new_callable=AsyncMock,
-            return_value=MagicMock(current_org_id='mock_org_id'),
-        ),
-        patch(
-            'storage.lite_llm_manager.LiteLlmManager.get_user_team_info',
-            return_value={
-                'spend': 0,
-                'litellm_budget_table': {'max_budget': initial_budget},
-            },
-        ),
-        patch(
-            'storage.lite_llm_manager.LiteLlmManager.update_team_and_users_budget'
-        ) as mock_update_budget,
-        patch('server.routes.billing.FREE_CREDIT_THRESHOLD', 10.0),
-        patch('server.routes.billing.FREE_CREDIT_AMOUNT', 10.0),
-    ):
-        mock_db_session = MagicMock()
-        mock_query_chain_billing = MagicMock()
-        mock_query_chain_billing.filter.return_value.filter.return_value.first.return_value = mock_billing_session
-        mock_query_chain_org = MagicMock()
-        mock_query_chain_org.filter.return_value.first.return_value = mock_org
-        mock_db_session.query.side_effect = [
-            mock_query_chain_billing,
-            mock_query_chain_org,
-        ]
-        mock_session_maker.return_value.__enter__.return_value = mock_db_session
-
-        mock_stripe_retrieve.return_value = MagicMock(
-            status='complete',
-            amount_subtotal=purchase_cents,
-            customer='mock_customer_id',
-        )
-
-        response = await success_callback('test_session_id', mock_request)
-
-        assert response.status_code == 302
-        mock_update_budget.assert_called_once_with('mock_org_id', expected_final_budget)
-        assert mock_org.pending_free_credits is expected_pending_after
-
-
 @pytest.mark.asyncio
 async def test_success_callback_lite_llm_error():
     """Test handling of LiteLLM API errors during success callback."""
@@ -491,11 +404,10 @@ async def test_success_callback_lite_llm_error():
 
 @pytest.mark.asyncio
 async def test_success_callback_lite_llm_update_budget_error_rollback():
-    """Test that pending_free_credits change is not committed when update_team_and_users_budget fails.
+    """Test that database changes are not committed when update_team_and_users_budget fails.
 
-    This test verifies that if LiteLlmManager.update_team_and_users_budget raises an exception
-    after pending_free_credits has been set to False, the database transaction rolls back and
-    pending_free_credits remains True.
+    This test verifies that if LiteLlmManager.update_team_and_users_budget raises an exception,
+    the database transaction rolls back.
     """
     mock_request = Request(scope={'type': 'http'})
     mock_request._base_url = URL('http://test.com/')
@@ -505,7 +417,6 @@ async def test_success_callback_lite_llm_update_budget_error_rollback():
     mock_billing_session.user_id = 'mock_user'
 
     mock_org = MagicMock()
-    mock_org.pending_free_credits = True
 
     with (
         patch('server.routes.billing.session_maker') as mock_session_maker,
@@ -519,15 +430,13 @@ async def test_success_callback_lite_llm_update_budget_error_rollback():
             'storage.lite_llm_manager.LiteLlmManager.get_user_team_info',
             return_value={
                 'spend': 0,
-                'litellm_budget_table': {'max_budget': 0},
+                'max_budget_in_team': 0,
             },
         ),
         patch(
             'storage.lite_llm_manager.LiteLlmManager.update_team_and_users_budget',
             side_effect=Exception('LiteLLM API Error'),
         ),
-        patch('server.routes.billing.FREE_CREDIT_THRESHOLD', 10.0),
-        patch('server.routes.billing.FREE_CREDIT_AMOUNT', 10.0),
     ):
         mock_db_session = MagicMock()
         mock_query_chain_billing = MagicMock()
@@ -540,7 +449,6 @@ async def test_success_callback_lite_llm_update_budget_error_rollback():
         ]
         mock_session_maker.return_value.__enter__.return_value = mock_db_session
 
-        # Purchase $10 to reach threshold
         mock_stripe_retrieve.return_value = MagicMock(
             status='complete',
             amount_subtotal=1000,  # $10
@@ -671,6 +579,6 @@ async def test_create_customer_setup_session_success():
             customer='mock-customer-id',
             mode='setup',
             payment_method_types=['card'],
-            success_url='https://test.com/?free_credits=success',
+            success_url='https://test.com/?setup=success',
             cancel_url='https://test.com/',
         )

enterprise/tests/unit/test_billing_stripe_integration.py

@@ -48,7 +48,7 @@ async def test_create_customer_setup_session_uses_customer_id():
             customer=customer_id,
             mode='setup',
             payment_method_types=['card'],
-            success_url=f'{request.base_url}?free_credits=success',
+            success_url=f'{request.base_url}?setup=success',
             cancel_url=f'{request.base_url}',
         )
 

enterprise/tests/unit/test_email_service.py

@@ -0,0 +1,192 @@
+"""Tests for email service."""
+
+import os
+from unittest.mock import MagicMock, patch
+
+from server.services.email_service import (
+    DEFAULT_WEB_HOST,
+    EmailService,
+)
+
+
+class TestEmailServiceInvitationUrl:
+    """Test cases for invitation URL generation."""
+
+    def test_invitation_url_uses_correct_endpoint(self):
+        """Test that invitation URL points to the correct API endpoint."""
+        mock_response = MagicMock()
+        mock_response.get.return_value = 'test-email-id'
+
+        with (
+            patch.dict(os.environ, {'RESEND_API_KEY': 'test-key'}),
+            patch('server.services.email_service.RESEND_AVAILABLE', True),
+            patch('server.services.email_service.resend') as mock_resend,
+        ):
+            mock_resend.Emails.send.return_value = mock_response
+
+            EmailService.send_invitation_email(
+                to_email='test@example.com',
+                org_name='Test Org',
+                inviter_name='Inviter',
+                role_name='member',
+                invitation_token='inv-test-token-12345',
+                invitation_id=1,
+            )
+
+            # Get the call arguments
+            call_args = mock_resend.Emails.send.call_args
+            email_params = call_args[0][0]
+
+            # Verify the URL in the email HTML contains the correct endpoint
+            assert (
+                '/api/organizations/members/invite/accept?token='
+                in email_params['html']
+            )
+            assert 'inv-test-token-12345' in email_params['html']
+
+    def test_invitation_url_uses_web_host_env_var(self):
+        """Test that invitation URL uses WEB_HOST environment variable."""
+        custom_host = 'https://custom.example.com'
+        mock_response = MagicMock()
+        mock_response.get.return_value = 'test-email-id'
+
+        with (
+            patch.dict(
+                os.environ,
+                {'RESEND_API_KEY': 'test-key', 'WEB_HOST': custom_host},
+            ),
+            patch('server.services.email_service.RESEND_AVAILABLE', True),
+            patch('server.services.email_service.resend') as mock_resend,
+        ):
+            mock_resend.Emails.send.return_value = mock_response
+
+            EmailService.send_invitation_email(
+                to_email='test@example.com',
+                org_name='Test Org',
+                inviter_name='Inviter',
+                role_name='member',
+                invitation_token='inv-test-token-12345',
+                invitation_id=1,
+            )
+
+            call_args = mock_resend.Emails.send.call_args
+            email_params = call_args[0][0]
+
+            expected_url = f'{custom_host}/api/organizations/members/invite/accept?token=inv-test-token-12345'
+            assert expected_url in email_params['html']
+
+    def test_invitation_url_uses_default_host_when_env_not_set(self):
+        """Test that invitation URL falls back to DEFAULT_WEB_HOST when env not set."""
+        mock_response = MagicMock()
+        mock_response.get.return_value = 'test-email-id'
+
+        env_without_web_host = {'RESEND_API_KEY': 'test-key'}
+        # Remove WEB_HOST if it exists
+        env_without_web_host.pop('WEB_HOST', None)
+
+        with (
+            patch.dict(os.environ, env_without_web_host, clear=True),
+            patch('server.services.email_service.RESEND_AVAILABLE', True),
+            patch('server.services.email_service.resend') as mock_resend,
+        ):
+            # Clear WEB_HOST from the environment
+            os.environ.pop('WEB_HOST', None)
+            mock_resend.Emails.send.return_value = mock_response
+
+            EmailService.send_invitation_email(
+                to_email='test@example.com',
+                org_name='Test Org',
+                inviter_name='Inviter',
+                role_name='member',
+                invitation_token='inv-test-token-12345',
+                invitation_id=1,
+            )
+
+            call_args = mock_resend.Emails.send.call_args
+            email_params = call_args[0][0]
+
+            expected_url = f'{DEFAULT_WEB_HOST}/api/organizations/members/invite/accept?token=inv-test-token-12345'
+            assert expected_url in email_params['html']
+
+
+class TestEmailServiceGetResendClient:
+    """Test cases for Resend client initialization."""
+
+    def test_get_resend_client_returns_false_when_resend_not_available(self):
+        """Test that _get_resend_client returns False when resend is not installed."""
+        with patch('server.services.email_service.RESEND_AVAILABLE', False):
+            result = EmailService._get_resend_client()
+            assert result is False
+
+    def test_get_resend_client_returns_false_when_api_key_not_configured(self):
+        """Test that _get_resend_client returns False when API key is missing."""
+        with (
+            patch('server.services.email_service.RESEND_AVAILABLE', True),
+            patch.dict(os.environ, {}, clear=True),
+        ):
+            os.environ.pop('RESEND_API_KEY', None)
+            result = EmailService._get_resend_client()
+            assert result is False
+
+    def test_get_resend_client_returns_true_when_configured(self):
+        """Test that _get_resend_client returns True when properly configured."""
+        with (
+            patch.dict(os.environ, {'RESEND_API_KEY': 'test-key'}),
+            patch('server.services.email_service.RESEND_AVAILABLE', True),
+            patch('server.services.email_service.resend') as mock_resend,
+        ):
+            result = EmailService._get_resend_client()
+            assert result is True
+            assert mock_resend.api_key == 'test-key'
+
+
+class TestEmailServiceSendInvitationEmail:
+    """Test cases for send_invitation_email method."""
+
+    def test_send_invitation_email_skips_when_client_not_ready(self):
+        """Test that email sending is skipped when client is not ready."""
+        with patch.object(
+            EmailService, '_get_resend_client', return_value=False
+        ) as mock_get_client:
+            # Should not raise, just return early
+            EmailService.send_invitation_email(
+                to_email='test@example.com',
+                org_name='Test Org',
+                inviter_name='Inviter',
+                role_name='member',
+                invitation_token='inv-test-token',
+                invitation_id=1,
+            )
+
+            mock_get_client.assert_called_once()
+
+    def test_send_invitation_email_includes_all_required_info(self):
+        """Test that invitation email includes org name, inviter name, and role."""
+        mock_response = MagicMock()
+        mock_response.get.return_value = 'test-email-id'
+
+        with (
+            patch.dict(os.environ, {'RESEND_API_KEY': 'test-key'}),
+            patch('server.services.email_service.RESEND_AVAILABLE', True),
+            patch('server.services.email_service.resend') as mock_resend,
+        ):
+            mock_resend.Emails.send.return_value = mock_response
+
+            EmailService.send_invitation_email(
+                to_email='test@example.com',
+                org_name='Acme Corp',
+                inviter_name='John Doe',
+                role_name='admin',
+                invitation_token='inv-test-token-12345',
+                invitation_id=42,
+            )
+
+            call_args = mock_resend.Emails.send.call_args
+            email_params = call_args[0][0]
+
+            # Verify email content
+            assert email_params['to'] == ['test@example.com']
+            assert 'Acme Corp' in email_params['subject']
+            assert 'John Doe' in email_params['html']
+            assert 'Acme Corp' in email_params['html']
+            assert 'admin' in email_params['html']

enterprise/tests/unit/test_lite_llm_manager.py

@@ -142,44 +142,192 @@ class TestLiteLlmManager:
     @pytest.mark.asyncio
     async def test_create_entries_cloud_deployment(self, mock_settings, mock_response):
         """Test create_entries in cloud deployment mode."""
-        with patch.dict(os.environ, {'LOCAL_DEPLOYMENT': ''}):
-            with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key'):
-                with patch(
-                    'storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'
-                ):
-                    with patch(
-                        'storage.lite_llm_manager.TokenManager'
-                    ) as mock_token_manager:
-                        mock_token_manager.return_value.get_user_info_from_user_id = (
-                            AsyncMock(return_value={'email': 'test@example.com'})
-                        )
+        mock_404_response = MagicMock()
+        mock_404_response.status_code = 404
+        mock_404_response.is_success = False
 
-                        with patch('httpx.AsyncClient') as mock_client_class:
-                            mock_client = AsyncMock()
-                            mock_client_class.return_value.__aenter__.return_value = (
-                                mock_client
-                            )
-                            mock_client.post.return_value = mock_response
+        mock_token_manager = MagicMock()
+        mock_token_manager.return_value.get_user_info_from_user_id = AsyncMock(
+            return_value={'email': 'test@example.com'}
+        )
 
-                            result = await LiteLlmManager.create_entries(
-                                'test-org-id',
-                                'test-user-id',
-                                mock_settings,
-                                create_user=False,
-                            )
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_404_response
+        mock_client.get.return_value.raise_for_status.side_effect = (
+            httpx.HTTPStatusError(
+                message='Not Found', request=MagicMock(), response=mock_404_response
+            )
+        )
+        mock_client.post.return_value = mock_response
 
-                            assert result is not None
-                            assert result.agent == 'CodeActAgent'
-                            assert result.llm_model == get_default_litellm_model()
-                            assert (
-                                result.llm_api_key.get_secret_value() == 'test-api-key'
-                            )
-                            assert result.llm_base_url == 'http://test.com'
+        mock_client_class = MagicMock()
+        mock_client_class.return_value.__aenter__.return_value = mock_client
 
-                            # Verify API calls were made
-                            assert (
-                                mock_client.post.call_count == 3
-                            )  # create_team, create_user, add_user_to_team, generate_key
+        with (
+            patch.dict(os.environ, {'LOCAL_DEPLOYMENT': ''}),
+            patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key'),
+            patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'),
+            patch('storage.lite_llm_manager.TokenManager', mock_token_manager),
+            patch('httpx.AsyncClient', mock_client_class),
+        ):
+            result = await LiteLlmManager.create_entries(
+                'test-org-id', 'test-user-id', mock_settings, create_user=False
+            )
+
+            assert result is not None
+            assert result.agent == 'CodeActAgent'
+            assert result.llm_model == get_default_litellm_model()
+            assert result.llm_api_key.get_secret_value() == 'test-api-key'
+            assert result.llm_base_url == 'http://test.com'
+
+            # Verify API calls were made (get_team + 3 posts)
+            assert mock_client.get.call_count == 1  # get_team
+            assert (
+                mock_client.post.call_count == 3
+            )  # create_team, add_user_to_team, generate_key
+
+    @pytest.mark.asyncio
+    async def test_create_entries_inherits_existing_team_budget(
+        self, mock_settings, mock_response
+    ):
+        """Test that create_entries inherits budget from existing team."""
+        mock_team_response = MagicMock()
+        mock_team_response.is_success = True
+        mock_team_response.status_code = 200
+        mock_team_response.json.return_value = {
+            'team_info': {'max_budget': 30.0, 'spend': 5.0},
+            'team_memberships': [],
+        }
+        mock_team_response.raise_for_status = MagicMock()
+
+        mock_token_manager = MagicMock()
+        mock_token_manager.return_value.get_user_info_from_user_id = AsyncMock(
+            return_value={'email': 'test@example.com'}
+        )
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_team_response
+        mock_client.post.return_value = mock_response
+
+        mock_client_class = MagicMock()
+        mock_client_class.return_value.__aenter__.return_value = mock_client
+
+        with (
+            patch.dict(os.environ, {'LOCAL_DEPLOYMENT': ''}),
+            patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key'),
+            patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'),
+            patch('storage.lite_llm_manager.TokenManager', mock_token_manager),
+            patch('httpx.AsyncClient', mock_client_class),
+        ):
+            result = await LiteLlmManager.create_entries(
+                'test-org-id', 'test-user-id', mock_settings, create_user=False
+            )
+
+            assert result is not None
+
+            # Verify _get_team was called first
+            mock_client.get.assert_called_once()
+            get_call_url = mock_client.get.call_args[0][0]
+            assert 'team/info' in get_call_url
+            assert 'test-org-id' in get_call_url
+
+            # Verify _create_team was called with inherited budget (30.0)
+            create_team_call = mock_client.post.call_args_list[0]
+            assert 'team/new' in create_team_call[0][0]
+            assert create_team_call[1]['json']['max_budget'] == 30.0
+
+            # Verify _add_user_to_team was called with inherited budget (30.0)
+            add_user_call = mock_client.post.call_args_list[1]
+            assert 'team/member_add' in add_user_call[0][0]
+            assert add_user_call[1]['json']['max_budget_in_team'] == 30.0
+
+    @pytest.mark.asyncio
+    async def test_create_entries_new_org_uses_zero_budget(
+        self, mock_settings, mock_response
+    ):
+        """Test that create_entries uses budget=0 for new org (team doesn't exist)."""
+        mock_404_response = MagicMock()
+        mock_404_response.status_code = 404
+        mock_404_response.is_success = False
+
+        mock_token_manager = MagicMock()
+        mock_token_manager.return_value.get_user_info_from_user_id = AsyncMock(
+            return_value={'email': 'test@example.com'}
+        )
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_404_response
+        mock_client.get.return_value.raise_for_status.side_effect = (
+            httpx.HTTPStatusError(
+                message='Not Found', request=MagicMock(), response=mock_404_response
+            )
+        )
+        mock_client.post.return_value = mock_response
+
+        mock_client_class = MagicMock()
+        mock_client_class.return_value.__aenter__.return_value = mock_client
+
+        with (
+            patch.dict(os.environ, {'LOCAL_DEPLOYMENT': ''}),
+            patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key'),
+            patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'),
+            patch('storage.lite_llm_manager.TokenManager', mock_token_manager),
+            patch('httpx.AsyncClient', mock_client_class),
+        ):
+            result = await LiteLlmManager.create_entries(
+                'test-org-id', 'test-user-id', mock_settings, create_user=False
+            )
+
+            assert result is not None
+
+            # Verify _create_team was called with budget=0
+            create_team_call = mock_client.post.call_args_list[0]
+            assert 'team/new' in create_team_call[0][0]
+            assert create_team_call[1]['json']['max_budget'] == 0.0
+
+            # Verify _add_user_to_team was called with budget=0
+            add_user_call = mock_client.post.call_args_list[1]
+            assert 'team/member_add' in add_user_call[0][0]
+            assert add_user_call[1]['json']['max_budget_in_team'] == 0.0
+
+    @pytest.mark.asyncio
+    async def test_create_entries_propagates_non_404_errors(self, mock_settings):
+        """Test that create_entries propagates non-404 errors from _get_team."""
+        mock_500_response = MagicMock()
+        mock_500_response.status_code = 500
+        mock_500_response.is_success = False
+
+        mock_token_manager = MagicMock()
+        mock_token_manager.return_value.get_user_info_from_user_id = AsyncMock(
+            return_value={'email': 'test@example.com'}
+        )
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_500_response
+        mock_client.get.return_value.raise_for_status.side_effect = (
+            httpx.HTTPStatusError(
+                message='Internal Server Error',
+                request=MagicMock(),
+                response=mock_500_response,
+            )
+        )
+
+        mock_client_class = MagicMock()
+        mock_client_class.return_value.__aenter__.return_value = mock_client
+
+        with (
+            patch.dict(os.environ, {'LOCAL_DEPLOYMENT': ''}),
+            patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key'),
+            patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'),
+            patch('storage.lite_llm_manager.TokenManager', mock_token_manager),
+            patch('httpx.AsyncClient', mock_client_class),
+        ):
+            with pytest.raises(httpx.HTTPStatusError) as exc_info:
+                await LiteLlmManager.create_entries(
+                    'test-org-id', 'test-user-id', mock_settings, create_user=False
+                )
+
+            assert exc_info.value.response.status_code == 500
 
     @pytest.mark.asyncio
     async def test_migrate_entries_missing_config(self, mock_user_settings):

enterprise/tests/unit/test_org_invitation_service.py

@@ -0,0 +1,464 @@
+"""Tests for organization invitation service - email validation."""
+
+from unittest.mock import AsyncMock, MagicMock, patch
+from uuid import UUID
+
+import pytest
+from server.routes.org_invitation_models import (
+    EmailMismatchError,
+)
+from server.services.org_invitation_service import OrgInvitationService
+from storage.org_invitation import OrgInvitation
+
+
+class TestAcceptInvitationEmailValidation:
+    """Test cases for email validation during invitation acceptance."""
+
+    @pytest.fixture
+    def mock_invitation(self):
+        """Create a mock invitation with pending status."""
+        invitation = MagicMock(spec=OrgInvitation)
+        invitation.id = 1
+        invitation.email = 'alice@example.com'
+        invitation.status = OrgInvitation.STATUS_PENDING
+        invitation.org_id = UUID('12345678-1234-5678-1234-567812345678')
+        invitation.role_id = 1
+        return invitation
+
+    @pytest.fixture
+    def mock_user(self):
+        """Create a mock user with email."""
+        user = MagicMock()
+        user.id = UUID('87654321-4321-8765-4321-876543218765')
+        user.email = 'alice@example.com'
+        return user
+
+    @pytest.mark.asyncio
+    async def test_accept_invitation_email_matches(self, mock_invitation, mock_user):
+        """Test that invitation is accepted when user email matches invitation email."""
+        # Arrange
+        user_id = mock_user.id
+        token = 'inv-test-token-12345'
+
+        with patch.object(
+            OrgInvitationService, 'accept_invitation', new_callable=AsyncMock
+        ) as mock_accept:
+            mock_accept.return_value = mock_invitation
+
+            # Act
+            await OrgInvitationService.accept_invitation(token, user_id)
+
+            # Assert
+            mock_accept.assert_called_once_with(token, user_id)
+
+    @pytest.mark.asyncio
+    async def test_accept_invitation_email_mismatch_raises_error(
+        self, mock_invitation, mock_user
+    ):
+        """Test that EmailMismatchError is raised when emails don't match."""
+        # Arrange
+        user_id = mock_user.id
+        token = 'inv-test-token-12345'
+        mock_user.email = 'bob@example.com'  # Different email
+
+        with (
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.get_invitation_by_token',
+                new_callable=AsyncMock,
+            ) as mock_get_invitation,
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.is_token_expired'
+            ) as mock_is_expired,
+            patch(
+                'server.services.org_invitation_service.UserStore.get_user_by_id_async',
+                new_callable=AsyncMock,
+            ) as mock_get_user,
+        ):
+            mock_get_invitation.return_value = mock_invitation
+            mock_is_expired.return_value = False
+            mock_get_user.return_value = mock_user
+
+            # Act & Assert
+            with pytest.raises(EmailMismatchError):
+                await OrgInvitationService.accept_invitation(token, user_id)
+
+    @pytest.mark.asyncio
+    async def test_accept_invitation_user_no_email_keycloak_fallback_matches(
+        self, mock_invitation
+    ):
+        """Test that Keycloak email is used when user has no email in database."""
+        # Arrange
+        user_id = UUID('87654321-4321-8765-4321-876543218765')
+        token = 'inv-test-token-12345'
+
+        mock_user = MagicMock()
+        mock_user.id = user_id
+        mock_user.email = None  # No email in database
+
+        mock_keycloak_user_info = {'email': 'alice@example.com'}  # Email from Keycloak
+
+        with (
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.get_invitation_by_token',
+                new_callable=AsyncMock,
+            ) as mock_get_invitation,
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.is_token_expired'
+            ) as mock_is_expired,
+            patch(
+                'server.services.org_invitation_service.UserStore.get_user_by_id_async',
+                new_callable=AsyncMock,
+            ) as mock_get_user,
+            patch(
+                'server.services.org_invitation_service.TokenManager'
+            ) as mock_token_manager_class,
+            patch(
+                'server.services.org_invitation_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_invitation_service.OrgService.create_litellm_integration',
+                new_callable=AsyncMock,
+            ) as mock_create_litellm,
+            patch(
+                'server.services.org_invitation_service.OrgMemberStore.add_user_to_org'
+            ),
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.update_invitation_status',
+                new_callable=AsyncMock,
+            ) as mock_update_status,
+        ):
+            mock_get_invitation.return_value = mock_invitation
+            mock_is_expired.return_value = False
+            mock_get_user.return_value = mock_user
+
+            # Mock TokenManager instance
+            mock_token_manager = MagicMock()
+            mock_token_manager.get_user_info_from_user_id = AsyncMock(
+                return_value=mock_keycloak_user_info
+            )
+            mock_token_manager_class.return_value = mock_token_manager
+
+            mock_get_member.return_value = None  # Not already a member
+            mock_create_litellm.return_value = MagicMock(llm_api_key='test-key')
+            mock_update_status.return_value = mock_invitation
+
+            # Act - should not raise error because Keycloak email matches
+            await OrgInvitationService.accept_invitation(token, user_id)
+
+            # Assert
+            mock_token_manager.get_user_info_from_user_id.assert_called_once_with(
+                str(user_id)
+            )
+
+    @pytest.mark.asyncio
+    async def test_accept_invitation_no_email_anywhere_raises_error(
+        self, mock_invitation
+    ):
+        """Test that EmailMismatchError is raised when user has no email in database or Keycloak."""
+        # Arrange
+        user_id = UUID('87654321-4321-8765-4321-876543218765')
+        token = 'inv-test-token-12345'
+
+        mock_user = MagicMock()
+        mock_user.id = user_id
+        mock_user.email = None  # No email in database
+
+        with (
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.get_invitation_by_token',
+                new_callable=AsyncMock,
+            ) as mock_get_invitation,
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.is_token_expired'
+            ) as mock_is_expired,
+            patch(
+                'server.services.org_invitation_service.UserStore.get_user_by_id_async',
+                new_callable=AsyncMock,
+            ) as mock_get_user,
+            patch(
+                'server.services.org_invitation_service.TokenManager'
+            ) as mock_token_manager_class,
+        ):
+            mock_get_invitation.return_value = mock_invitation
+            mock_is_expired.return_value = False
+            mock_get_user.return_value = mock_user
+
+            # Mock TokenManager to return no email
+            mock_token_manager = MagicMock()
+            mock_token_manager.get_user_info_from_user_id = AsyncMock(return_value={})
+            mock_token_manager_class.return_value = mock_token_manager
+
+            # Act & Assert
+            with pytest.raises(EmailMismatchError) as exc_info:
+                await OrgInvitationService.accept_invitation(token, user_id)
+
+            assert 'does not have an email address' in str(exc_info.value)
+
+    @pytest.mark.asyncio
+    async def test_accept_invitation_email_comparison_is_case_insensitive(
+        self, mock_invitation
+    ):
+        """Test that email comparison is case insensitive."""
+        # Arrange
+        user_id = UUID('87654321-4321-8765-4321-876543218765')
+        token = 'inv-test-token-12345'
+
+        mock_user = MagicMock()
+        mock_user.id = user_id
+        mock_user.email = 'ALICE@EXAMPLE.COM'  # Uppercase email
+
+        mock_invitation.email = 'alice@example.com'  # Lowercase in invitation
+
+        with (
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.get_invitation_by_token',
+                new_callable=AsyncMock,
+            ) as mock_get_invitation,
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.is_token_expired'
+            ) as mock_is_expired,
+            patch(
+                'server.services.org_invitation_service.UserStore.get_user_by_id_async',
+                new_callable=AsyncMock,
+            ) as mock_get_user,
+            patch(
+                'server.services.org_invitation_service.OrgMemberStore.get_org_member'
+            ) as mock_get_member,
+            patch(
+                'server.services.org_invitation_service.OrgService.create_litellm_integration',
+                new_callable=AsyncMock,
+            ) as mock_create_litellm,
+            patch(
+                'server.services.org_invitation_service.OrgMemberStore.add_user_to_org'
+            ),
+            patch(
+                'server.services.org_invitation_service.OrgInvitationStore.update_invitation_status',
+                new_callable=AsyncMock,
+            ) as mock_update_status,
+        ):
+            mock_get_invitation.return_value = mock_invitation
+            mock_is_expired.return_value = False
+            mock_get_user.return_value = mock_user
+            mock_get_member.return_value = None
+            mock_create_litellm.return_value = MagicMock(llm_api_key='test-key')
+            mock_update_status.return_value = mock_invitation
+
+            # Act - should not raise error because emails match case-insensitively
+            await OrgInvitationService.accept_invitation(token, user_id)
+
+            # Assert - invitation was accepted (update_invitation_status was called)
+            mock_update_status.assert_called_once()
+
+
+class TestCreateInvitationsBatch:
+    """Test cases for batch invitation creation."""
+
+    @pytest.fixture
+    def org_id(self):
+        """Organization UUID for testing."""
+        return UUID('12345678-1234-5678-1234-567812345678')
+
+    @pytest.fixture
+    def inviter_id(self):
+        """Inviter UUID for testing."""
+        return UUID('87654321-4321-8765-4321-876543218765')
+
+    @pytest.fixture
+    def mock_org(self):
+        """Create a mock organization."""
+        org = MagicMock()
+        org.id = UUID('12345678-1234-5678-1234-567812345678')
+        org.name = 'Test Org'
+        return org
+
+    @pytest.fixture
+    def mock_inviter_member(self):
+        """Create a mock inviter member with owner role."""
+        member = MagicMock()
+        member.user_id = UUID('87654321-4321-8765-4321-876543218765')
+        member.role_id = 1
+        return member
+
+    @pytest.fixture
+    def mock_owner_role(self):
+        """Create a mock owner role."""
+        role = MagicMock()
+        role.id = 1
+        role.name = 'owner'
+        return role
+
+    @pytest.fixture
+    def mock_member_role(self):
+        """Create a mock member role."""
+        role = MagicMock()
+        role.id = 3
+        role.name = 'member'
+        return role
+
+    @pytest.mark.asyncio
+    async def test_batch_creates_all_invitations_successfully(
+        self,
+        org_id,
+        inviter_id,
+        mock_org,
+        mock_inviter_member,
+        mock_owner_role,
+        mock_member_role,
+    ):
+        """Test that batch creation succeeds for all valid emails."""
+        # Arrange
+        emails = ['alice@example.com', 'bob@example.com']
+        mock_invitation_1 = MagicMock(spec=OrgInvitation)
+        mock_invitation_1.id = 1
+        mock_invitation_2 = MagicMock(spec=OrgInvitation)
+        mock_invitation_2.id = 2
+
+        with (
+            patch(
+                'server.services.org_invitation_service.OrgStore.get_org_by_id',
+                return_value=mock_org,
+            ),
+            patch(
+                'server.services.org_invitation_service.OrgMemberStore.get_org_member',
+                return_value=mock_inviter_member,
+            ),
+            patch(
+                'server.services.org_invitation_service.RoleStore.get_role_by_id',
+                return_value=mock_owner_role,
+            ),
+            patch(
+                'server.services.org_invitation_service.RoleStore.get_role_by_name',
+                return_value=mock_member_role,
+            ),
+            patch.object(
+                OrgInvitationService,
+                'create_invitation',
+                new_callable=AsyncMock,
+                side_effect=[mock_invitation_1, mock_invitation_2],
+            ),
+        ):
+            # Act
+            successful, failed = await OrgInvitationService.create_invitations_batch(
+                org_id=org_id,
+                emails=emails,
+                role_name='member',
+                inviter_id=inviter_id,
+            )
+
+            # Assert
+            assert len(successful) == 2
+            assert len(failed) == 0
+
+    @pytest.mark.asyncio
+    async def test_batch_handles_partial_success(
+        self,
+        org_id,
+        inviter_id,
+        mock_org,
+        mock_inviter_member,
+        mock_owner_role,
+        mock_member_role,
+    ):
+        """Test that batch returns partial results when some emails fail."""
+        # Arrange
+        from server.routes.org_invitation_models import UserAlreadyMemberError
+
+        emails = ['alice@example.com', 'existing@example.com']
+        mock_invitation = MagicMock(spec=OrgInvitation)
+        mock_invitation.id = 1
+
+        with (
+            patch(
+                'server.services.org_invitation_service.OrgStore.get_org_by_id',
+                return_value=mock_org,
+            ),
+            patch(
+                'server.services.org_invitation_service.OrgMemberStore.get_org_member',
+                return_value=mock_inviter_member,
+            ),
+            patch(
+                'server.services.org_invitation_service.RoleStore.get_role_by_id',
+                return_value=mock_owner_role,
+            ),
+            patch(
+                'server.services.org_invitation_service.RoleStore.get_role_by_name',
+                return_value=mock_member_role,
+            ),
+            patch.object(
+                OrgInvitationService,
+                'create_invitation',
+                new_callable=AsyncMock,
+                side_effect=[mock_invitation, UserAlreadyMemberError()],
+            ),
+        ):
+            # Act
+            successful, failed = await OrgInvitationService.create_invitations_batch(
+                org_id=org_id,
+                emails=emails,
+                role_name='member',
+                inviter_id=inviter_id,
+            )
+
+            # Assert
+            assert len(successful) == 1
+            assert len(failed) == 1
+            assert failed[0][0] == 'existing@example.com'
+
+    @pytest.mark.asyncio
+    async def test_batch_fails_entirely_on_permission_error(self, org_id, inviter_id):
+        """Test that permission error fails the entire batch upfront."""
+        # Arrange
+
+        emails = ['alice@example.com', 'bob@example.com']
+
+        with patch(
+            'server.services.org_invitation_service.OrgStore.get_org_by_id',
+            return_value=None,  # Organization not found
+        ):
+            # Act & Assert
+            with pytest.raises(ValueError) as exc_info:
+                await OrgInvitationService.create_invitations_batch(
+                    org_id=org_id,
+                    emails=emails,
+                    role_name='member',
+                    inviter_id=inviter_id,
+                )
+
+            assert 'not found' in str(exc_info.value)
+
+    @pytest.mark.asyncio
+    async def test_batch_fails_on_invalid_role(
+        self, org_id, inviter_id, mock_org, mock_inviter_member, mock_owner_role
+    ):
+        """Test that invalid role fails the entire batch."""
+        # Arrange
+        emails = ['alice@example.com']
+
+        with (
+            patch(
+                'server.services.org_invitation_service.OrgStore.get_org_by_id',
+                return_value=mock_org,
+            ),
+            patch(
+                'server.services.org_invitation_service.OrgMemberStore.get_org_member',
+                return_value=mock_inviter_member,
+            ),
+            patch(
+                'server.services.org_invitation_service.RoleStore.get_role_by_id',
+                return_value=mock_owner_role,
+            ),
+            patch(
+                'server.services.org_invitation_service.RoleStore.get_role_by_name',
+                return_value=None,  # Invalid role
+            ),
+        ):
+            # Act & Assert
+            with pytest.raises(ValueError) as exc_info:
+                await OrgInvitationService.create_invitations_batch(
+                    org_id=org_id,
+                    emails=emails,
+                    role_name='invalid_role',
+                    inviter_id=inviter_id,
+                )
+
+            assert 'Invalid role' in str(exc_info.value)

enterprise/tests/unit/test_org_invitation_store.py

@@ -0,0 +1,308 @@
+"""Tests for organization invitation store."""
+
+from datetime import datetime, timedelta
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import pytest
+from storage.org_invitation import OrgInvitation
+from storage.org_invitation_store import (
+    INVITATION_TOKEN_LENGTH,
+    INVITATION_TOKEN_PREFIX,
+    OrgInvitationStore,
+)
+
+
+class TestGenerateToken:
+    """Test cases for token generation."""
+
+    def test_generate_token_has_correct_prefix(self):
+        """Test that generated tokens have the correct prefix."""
+        token = OrgInvitationStore.generate_token()
+        assert token.startswith(INVITATION_TOKEN_PREFIX)
+
+    def test_generate_token_has_correct_length(self):
+        """Test that generated tokens have the correct total length."""
+        token = OrgInvitationStore.generate_token()
+        expected_length = len(INVITATION_TOKEN_PREFIX) + INVITATION_TOKEN_LENGTH
+        assert len(token) == expected_length
+
+    def test_generate_token_uses_alphanumeric_characters(self):
+        """Test that generated tokens use only alphanumeric characters."""
+        token = OrgInvitationStore.generate_token()
+        # Remove prefix and check the rest is alphanumeric
+        random_part = token[len(INVITATION_TOKEN_PREFIX) :]
+        assert random_part.isalnum()
+
+    def test_generate_token_is_unique(self):
+        """Test that generated tokens are unique (probabilistically)."""
+        tokens = [OrgInvitationStore.generate_token() for _ in range(100)]
+        assert len(set(tokens)) == 100
+
+
+class TestIsTokenExpired:
+    """Test cases for token expiration checking."""
+
+    def test_token_not_expired_when_future(self):
+        """Test that tokens with future expiration are not expired."""
+        invitation = MagicMock(spec=OrgInvitation)
+        invitation.expires_at = datetime.utcnow() + timedelta(days=1)
+
+        result = OrgInvitationStore.is_token_expired(invitation)
+        assert result is False
+
+    def test_token_expired_when_past(self):
+        """Test that tokens with past expiration are expired."""
+        invitation = MagicMock(spec=OrgInvitation)
+        invitation.expires_at = datetime.utcnow() - timedelta(seconds=1)
+
+        result = OrgInvitationStore.is_token_expired(invitation)
+        assert result is True
+
+    def test_token_expired_at_exact_boundary(self):
+        """Test that tokens at exact expiration time are expired."""
+        # A token that expires "now" should be expired
+        now = datetime.utcnow()
+        invitation = MagicMock(spec=OrgInvitation)
+        invitation.expires_at = now - timedelta(microseconds=1)
+
+        result = OrgInvitationStore.is_token_expired(invitation)
+        assert result is True
+
+
+class TestCreateInvitation:
+    """Test cases for invitation creation."""
+
+    @pytest.mark.asyncio
+    async def test_create_invitation_normalizes_email(self):
+        """Test that email is normalized (lowercase, stripped) on creation."""
+        mock_session = AsyncMock()
+        mock_session.add = MagicMock()
+        mock_session.commit = AsyncMock()
+        mock_session.execute = AsyncMock()
+
+        # Mock the result of the re-fetch query
+        mock_result = MagicMock()
+        mock_invitation = MagicMock()
+        mock_invitation.id = 1
+        mock_invitation.email = 'test@example.com'
+        mock_result.scalars.return_value.first.return_value = mock_invitation
+        mock_session.execute.return_value = mock_result
+
+        with patch(
+            'storage.org_invitation_store.a_session_maker'
+        ) as mock_session_maker:
+            mock_session_manager = AsyncMock()
+            mock_session_manager.__aenter__.return_value = mock_session
+            mock_session_manager.__aexit__.return_value = None
+            mock_session_maker.return_value = mock_session_manager
+
+            from uuid import UUID
+
+            await OrgInvitationStore.create_invitation(
+                org_id=UUID('12345678-1234-5678-1234-567812345678'),
+                email='  TEST@EXAMPLE.COM  ',
+                role_id=1,
+                inviter_id=UUID('87654321-4321-8765-4321-876543218765'),
+            )
+
+            # Verify that the OrgInvitation was created with normalized email
+            add_call = mock_session.add.call_args
+            created_invitation = add_call[0][0]
+            assert created_invitation.email == 'test@example.com'
+
+
+class TestGetInvitationByToken:
+    """Test cases for getting invitation by token."""
+
+    @pytest.mark.asyncio
+    async def test_get_invitation_by_token_returns_invitation(self):
+        """Test that get_invitation_by_token returns the invitation when found."""
+        mock_invitation = MagicMock(spec=OrgInvitation)
+        mock_invitation.token = 'inv-test-token-12345'
+
+        mock_session = AsyncMock()
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.first.return_value = mock_invitation
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        with patch(
+            'storage.org_invitation_store.a_session_maker'
+        ) as mock_session_maker:
+            mock_session_manager = AsyncMock()
+            mock_session_manager.__aenter__.return_value = mock_session
+            mock_session_manager.__aexit__.return_value = None
+            mock_session_maker.return_value = mock_session_manager
+
+            result = await OrgInvitationStore.get_invitation_by_token(
+                'inv-test-token-12345'
+            )
+            assert result == mock_invitation
+
+    @pytest.mark.asyncio
+    async def test_get_invitation_by_token_returns_none_when_not_found(self):
+        """Test that get_invitation_by_token returns None when not found."""
+        mock_session = AsyncMock()
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.first.return_value = None
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        with patch(
+            'storage.org_invitation_store.a_session_maker'
+        ) as mock_session_maker:
+            mock_session_manager = AsyncMock()
+            mock_session_manager.__aenter__.return_value = mock_session
+            mock_session_manager.__aexit__.return_value = None
+            mock_session_maker.return_value = mock_session_manager
+
+            result = await OrgInvitationStore.get_invitation_by_token(
+                'inv-nonexistent-token'
+            )
+            assert result is None
+
+
+class TestGetPendingInvitation:
+    """Test cases for getting pending invitation."""
+
+    @pytest.mark.asyncio
+    async def test_get_pending_invitation_normalizes_email(self):
+        """Test that email is normalized when querying for pending invitations."""
+        mock_session = AsyncMock()
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.first.return_value = None
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        with patch(
+            'storage.org_invitation_store.a_session_maker'
+        ) as mock_session_maker:
+            mock_session_manager = AsyncMock()
+            mock_session_manager.__aenter__.return_value = mock_session
+            mock_session_manager.__aexit__.return_value = None
+            mock_session_maker.return_value = mock_session_manager
+
+            from uuid import UUID
+
+            await OrgInvitationStore.get_pending_invitation(
+                org_id=UUID('12345678-1234-5678-1234-567812345678'),
+                email='  TEST@EXAMPLE.COM  ',
+            )
+
+            # Verify the query was called (email normalization happens in the filter)
+            assert mock_session.execute.called
+
+
+class TestUpdateInvitationStatus:
+    """Test cases for updating invitation status."""
+
+    @pytest.mark.asyncio
+    async def test_update_status_sets_accepted_at_for_accepted(self):
+        """Test that accepted_at is set when status is accepted."""
+        from uuid import UUID
+
+        mock_invitation = MagicMock(spec=OrgInvitation)
+        mock_invitation.id = 1
+        mock_invitation.status = OrgInvitation.STATUS_PENDING
+
+        mock_session = AsyncMock()
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.first.return_value = mock_invitation
+        mock_session.execute = AsyncMock(return_value=mock_result)
+        mock_session.commit = AsyncMock()
+        mock_session.refresh = AsyncMock()
+
+        with patch(
+            'storage.org_invitation_store.a_session_maker'
+        ) as mock_session_maker:
+            mock_session_manager = AsyncMock()
+            mock_session_manager.__aenter__.return_value = mock_session
+            mock_session_manager.__aexit__.return_value = None
+            mock_session_maker.return_value = mock_session_manager
+
+            user_id = UUID('87654321-4321-8765-4321-876543218765')
+            await OrgInvitationStore.update_invitation_status(
+                invitation_id=1,
+                status=OrgInvitation.STATUS_ACCEPTED,
+                accepted_by_user_id=user_id,
+            )
+
+            assert mock_invitation.accepted_at is not None
+            assert mock_invitation.accepted_by_user_id == user_id
+
+    @pytest.mark.asyncio
+    async def test_update_status_returns_none_when_not_found(self):
+        """Test that update returns None when invitation not found."""
+        mock_session = AsyncMock()
+        mock_result = MagicMock()
+        mock_result.scalars.return_value.first.return_value = None
+        mock_session.execute = AsyncMock(return_value=mock_result)
+
+        with patch(
+            'storage.org_invitation_store.a_session_maker'
+        ) as mock_session_maker:
+            mock_session_manager = AsyncMock()
+            mock_session_manager.__aenter__.return_value = mock_session
+            mock_session_manager.__aexit__.return_value = None
+            mock_session_maker.return_value = mock_session_manager
+
+            result = await OrgInvitationStore.update_invitation_status(
+                invitation_id=999,
+                status=OrgInvitation.STATUS_ACCEPTED,
+            )
+            assert result is None
+
+
+class TestMarkExpiredIfNeeded:
+    """Test cases for marking expired invitations."""
+
+    @pytest.mark.asyncio
+    async def test_marks_expired_when_pending_and_past_expiry(self):
+        """Test that pending expired invitations are marked as expired."""
+        mock_invitation = MagicMock(spec=OrgInvitation)
+        mock_invitation.id = 1
+        mock_invitation.status = OrgInvitation.STATUS_PENDING
+        mock_invitation.expires_at = datetime.utcnow() - timedelta(days=1)
+
+        with patch.object(
+            OrgInvitationStore,
+            'update_invitation_status',
+            new_callable=AsyncMock,
+        ) as mock_update:
+            result = await OrgInvitationStore.mark_expired_if_needed(mock_invitation)
+
+            assert result is True
+            mock_update.assert_called_once_with(1, OrgInvitation.STATUS_EXPIRED)
+
+    @pytest.mark.asyncio
+    async def test_does_not_mark_when_not_expired(self):
+        """Test that non-expired invitations are not marked."""
+        mock_invitation = MagicMock(spec=OrgInvitation)
+        mock_invitation.id = 1
+        mock_invitation.status = OrgInvitation.STATUS_PENDING
+        mock_invitation.expires_at = datetime.utcnow() + timedelta(days=1)
+
+        with patch.object(
+            OrgInvitationStore,
+            'update_invitation_status',
+            new_callable=AsyncMock,
+        ) as mock_update:
+            result = await OrgInvitationStore.mark_expired_if_needed(mock_invitation)
+
+            assert result is False
+            mock_update.assert_not_called()
+
+    @pytest.mark.asyncio
+    async def test_does_not_mark_when_not_pending(self):
+        """Test that non-pending invitations are not marked even if expired."""
+        mock_invitation = MagicMock(spec=OrgInvitation)
+        mock_invitation.id = 1
+        mock_invitation.status = OrgInvitation.STATUS_ACCEPTED
+        mock_invitation.expires_at = datetime.utcnow() - timedelta(days=1)
+
+        with patch.object(
+            OrgInvitationStore,
+            'update_invitation_status',
+            new_callable=AsyncMock,
+        ) as mock_update:
+            result = await OrgInvitationStore.mark_expired_if_needed(mock_invitation)
+
+            assert result is False
+            mock_update.assert_not_called()

enterprise/tests/unit/test_org_invitations_router.py

@@ -0,0 +1,388 @@
+"""Tests for organization invitations API router."""
+
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import pytest
+from fastapi import FastAPI
+from fastapi.testclient import TestClient
+from server.routes.org_invitation_models import (
+    EmailMismatchError,
+    InvitationExpiredError,
+    InvitationInvalidError,
+    UserAlreadyMemberError,
+)
+from server.routes.org_invitations import accept_router, invitation_router
+
+
+@pytest.fixture
+def app():
+    """Create a FastAPI app with the invitation routers."""
+    app = FastAPI()
+    app.include_router(invitation_router)
+    app.include_router(accept_router)
+    return app
+
+
+@pytest.fixture
+def client(app):
+    """Create a test client for the app."""
+    return TestClient(app)
+
+
+class TestRouterPrefixes:
+    """Test that router prefixes are configured correctly."""
+
+    def test_invitation_router_has_correct_prefix(self):
+        """Test that invitation_router has /api/organizations/{org_id}/members prefix."""
+        assert invitation_router.prefix == '/api/organizations/{org_id}/members'
+
+    def test_accept_router_has_correct_prefix(self):
+        """Test that accept_router has /api/organizations/members/invite prefix."""
+        assert accept_router.prefix == '/api/organizations/members/invite'
+
+
+class TestAcceptInvitationEndpoint:
+    """Test cases for the accept invitation endpoint."""
+
+    @pytest.fixture
+    def mock_user_auth(self):
+        """Create a mock user auth."""
+        user_auth = MagicMock()
+        user_auth.get_user_id = AsyncMock(
+            return_value='87654321-4321-8765-4321-876543218765'
+        )
+        return user_auth
+
+    @pytest.mark.asyncio
+    async def test_accept_unauthenticated_redirects_to_login(self, client):
+        """Test that unauthenticated users are redirected to login with invitation token."""
+        with patch(
+            'server.routes.org_invitations.get_user_auth',
+            new_callable=AsyncMock,
+            return_value=None,
+        ):
+            response = client.get(
+                '/api/organizations/members/invite/accept?token=inv-test-token-123',
+                follow_redirects=False,
+            )
+
+            assert response.status_code == 302
+            assert '/login?invitation_token=inv-test-token-123' in response.headers.get(
+                'location', ''
+            )
+
+    @pytest.mark.asyncio
+    async def test_accept_authenticated_success_redirects_home(
+        self, client, mock_user_auth
+    ):
+        """Test that successful acceptance redirects to home page."""
+        mock_invitation = MagicMock()
+
+        with (
+            patch(
+                'server.routes.org_invitations.get_user_auth',
+                new_callable=AsyncMock,
+                return_value=mock_user_auth,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.accept_invitation',
+                new_callable=AsyncMock,
+                return_value=mock_invitation,
+            ),
+        ):
+            response = client.get(
+                '/api/organizations/members/invite/accept?token=inv-test-token-123',
+                follow_redirects=False,
+            )
+
+            assert response.status_code == 302
+            location = response.headers.get('location', '')
+            assert location.endswith('/')
+            assert 'invitation_expired' not in location
+            assert 'invitation_invalid' not in location
+            assert 'email_mismatch' not in location
+
+    @pytest.mark.asyncio
+    async def test_accept_expired_invitation_redirects_with_flag(
+        self, client, mock_user_auth
+    ):
+        """Test that expired invitation redirects with invitation_expired=true."""
+        with (
+            patch(
+                'server.routes.org_invitations.get_user_auth',
+                new_callable=AsyncMock,
+                return_value=mock_user_auth,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.accept_invitation',
+                new_callable=AsyncMock,
+                side_effect=InvitationExpiredError(),
+            ),
+        ):
+            response = client.get(
+                '/api/organizations/members/invite/accept?token=inv-test-token-123',
+                follow_redirects=False,
+            )
+
+            assert response.status_code == 302
+            assert 'invitation_expired=true' in response.headers.get('location', '')
+
+    @pytest.mark.asyncio
+    async def test_accept_invalid_invitation_redirects_with_flag(
+        self, client, mock_user_auth
+    ):
+        """Test that invalid invitation redirects with invitation_invalid=true."""
+        with (
+            patch(
+                'server.routes.org_invitations.get_user_auth',
+                new_callable=AsyncMock,
+                return_value=mock_user_auth,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.accept_invitation',
+                new_callable=AsyncMock,
+                side_effect=InvitationInvalidError(),
+            ),
+        ):
+            response = client.get(
+                '/api/organizations/members/invite/accept?token=inv-test-token-123',
+                follow_redirects=False,
+            )
+
+            assert response.status_code == 302
+            assert 'invitation_invalid=true' in response.headers.get('location', '')
+
+    @pytest.mark.asyncio
+    async def test_accept_already_member_redirects_with_flag(
+        self, client, mock_user_auth
+    ):
+        """Test that already member error redirects with already_member=true."""
+        with (
+            patch(
+                'server.routes.org_invitations.get_user_auth',
+                new_callable=AsyncMock,
+                return_value=mock_user_auth,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.accept_invitation',
+                new_callable=AsyncMock,
+                side_effect=UserAlreadyMemberError(),
+            ),
+        ):
+            response = client.get(
+                '/api/organizations/members/invite/accept?token=inv-test-token-123',
+                follow_redirects=False,
+            )
+
+            assert response.status_code == 302
+            assert 'already_member=true' in response.headers.get('location', '')
+
+    @pytest.mark.asyncio
+    async def test_accept_email_mismatch_redirects_with_flag(
+        self, client, mock_user_auth
+    ):
+        """Test that email mismatch error redirects with email_mismatch=true."""
+        with (
+            patch(
+                'server.routes.org_invitations.get_user_auth',
+                new_callable=AsyncMock,
+                return_value=mock_user_auth,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.accept_invitation',
+                new_callable=AsyncMock,
+                side_effect=EmailMismatchError(),
+            ),
+        ):
+            response = client.get(
+                '/api/organizations/members/invite/accept?token=inv-test-token-123',
+                follow_redirects=False,
+            )
+
+            assert response.status_code == 302
+            assert 'email_mismatch=true' in response.headers.get('location', '')
+
+    @pytest.mark.asyncio
+    async def test_accept_unexpected_error_redirects_with_flag(
+        self, client, mock_user_auth
+    ):
+        """Test that unexpected errors redirect with invitation_error=true."""
+        with (
+            patch(
+                'server.routes.org_invitations.get_user_auth',
+                new_callable=AsyncMock,
+                return_value=mock_user_auth,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.accept_invitation',
+                new_callable=AsyncMock,
+                side_effect=Exception('Unexpected error'),
+            ),
+        ):
+            response = client.get(
+                '/api/organizations/members/invite/accept?token=inv-test-token-123',
+                follow_redirects=False,
+            )
+
+            assert response.status_code == 302
+            assert 'invitation_error=true' in response.headers.get('location', '')
+
+
+class TestCreateInvitationBatchEndpoint:
+    """Test cases for the batch invitation creation endpoint."""
+
+    @pytest.fixture
+    def batch_app(self):
+        """Create a FastAPI app with dependency overrides for batch tests."""
+        from openhands.server.user_auth import get_user_id
+
+        app = FastAPI()
+        app.include_router(invitation_router)
+
+        # Override the get_user_id dependency
+        app.dependency_overrides[get_user_id] = (
+            lambda: '87654321-4321-8765-4321-876543218765'
+        )
+
+        return app
+
+    @pytest.fixture
+    def batch_client(self, batch_app):
+        """Create a test client with dependency overrides."""
+        return TestClient(batch_app)
+
+    @pytest.fixture
+    def mock_invitation(self):
+        """Create a mock invitation."""
+        from datetime import datetime
+
+        invitation = MagicMock()
+        invitation.id = 1
+        invitation.email = 'alice@example.com'
+        invitation.role = MagicMock(name='member')
+        invitation.role.name = 'member'
+        invitation.role_id = 3
+        invitation.status = 'pending'
+        invitation.created_at = datetime(2026, 2, 17, 10, 0, 0)
+        invitation.expires_at = datetime(2026, 2, 24, 10, 0, 0)
+        return invitation
+
+    @pytest.mark.asyncio
+    async def test_batch_create_returns_successful_invitations(
+        self, batch_client, mock_invitation
+    ):
+        """Test that batch creation returns successful invitations."""
+        mock_invitation_2 = MagicMock()
+        mock_invitation_2.id = 2
+        mock_invitation_2.email = 'bob@example.com'
+        mock_invitation_2.role = MagicMock()
+        mock_invitation_2.role.name = 'member'
+        mock_invitation_2.role_id = 3
+        mock_invitation_2.status = 'pending'
+        mock_invitation_2.created_at = mock_invitation.created_at
+        mock_invitation_2.expires_at = mock_invitation.expires_at
+
+        with (
+            patch(
+                'server.routes.org_invitations.check_rate_limit_by_user_id',
+                new_callable=AsyncMock,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.create_invitations_batch',
+                new_callable=AsyncMock,
+                return_value=([mock_invitation, mock_invitation_2], []),
+            ),
+        ):
+            response = batch_client.post(
+                '/api/organizations/12345678-1234-5678-1234-567812345678/members/invite',
+                json={
+                    'emails': ['alice@example.com', 'bob@example.com'],
+                    'role': 'member',
+                },
+            )
+
+            assert response.status_code == 201
+            data = response.json()
+            assert len(data['successful']) == 2
+            assert len(data['failed']) == 0
+
+    @pytest.mark.asyncio
+    async def test_batch_create_returns_partial_success(
+        self, batch_client, mock_invitation
+    ):
+        """Test that batch creation returns both successful and failed invitations."""
+        failed_emails = [('existing@example.com', 'User is already a member')]
+
+        with (
+            patch(
+                'server.routes.org_invitations.check_rate_limit_by_user_id',
+                new_callable=AsyncMock,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.create_invitations_batch',
+                new_callable=AsyncMock,
+                return_value=([mock_invitation], failed_emails),
+            ),
+        ):
+            response = batch_client.post(
+                '/api/organizations/12345678-1234-5678-1234-567812345678/members/invite',
+                json={
+                    'emails': ['alice@example.com', 'existing@example.com'],
+                    'role': 'member',
+                },
+            )
+
+            assert response.status_code == 201
+            data = response.json()
+            assert len(data['successful']) == 1
+            assert len(data['failed']) == 1
+            assert data['failed'][0]['email'] == 'existing@example.com'
+            assert 'already a member' in data['failed'][0]['error']
+
+    @pytest.mark.asyncio
+    async def test_batch_create_permission_denied_returns_403(self, batch_client):
+        """Test that permission denied returns 403 for entire batch."""
+        from server.routes.org_invitation_models import InsufficientPermissionError
+
+        with (
+            patch(
+                'server.routes.org_invitations.check_rate_limit_by_user_id',
+                new_callable=AsyncMock,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.create_invitations_batch',
+                new_callable=AsyncMock,
+                side_effect=InsufficientPermissionError(
+                    'Only owners and admins can invite'
+                ),
+            ),
+        ):
+            response = batch_client.post(
+                '/api/organizations/12345678-1234-5678-1234-567812345678/members/invite',
+                json={'emails': ['alice@example.com'], 'role': 'member'},
+            )
+
+            assert response.status_code == 403
+            assert 'owners and admins' in response.json()['detail']
+
+    @pytest.mark.asyncio
+    async def test_batch_create_invalid_role_returns_400(self, batch_client):
+        """Test that invalid role returns 400."""
+        with (
+            patch(
+                'server.routes.org_invitations.check_rate_limit_by_user_id',
+                new_callable=AsyncMock,
+            ),
+            patch(
+                'server.routes.org_invitations.OrgInvitationService.create_invitations_batch',
+                new_callable=AsyncMock,
+                side_effect=ValueError('Invalid role: superuser'),
+            ),
+        ):
+            response = batch_client.post(
+                '/api/organizations/12345678-1234-5678-1234-567812345678/members/invite',
+                json={'emails': ['alice@example.com'], 'role': 'superuser'},
+            )
+
+            assert response.status_code == 400
+            assert 'Invalid role' in response.json()['detail']

enterprise/tests/unit/test_org_member_store.py

@@ -158,6 +158,57 @@ def test_get_org_member(session_maker):
         assert retrieved_org_member.llm_api_key.get_secret_value() == 'test-key'
 
 
+def test_get_org_member_for_current_org(session_maker):
+    # Test getting org_member for user's current organization
+    with session_maker() as session:
+        # Create test data - user belongs to two orgs but current_org is org1
+        org1 = Org(name='test-org-1')
+        org2 = Org(name='test-org-2')
+        session.add_all([org1, org2])
+        session.flush()
+
+        user = User(id=uuid.uuid4(), current_org_id=org1.id)
+        role = Role(name='admin', rank=1)
+        session.add_all([user, role])
+        session.flush()
+
+        org_member1 = OrgMember(
+            org_id=org1.id,
+            user_id=user.id,
+            role_id=role.id,
+            llm_api_key='test-key-1',
+            status='active',
+        )
+        org_member2 = OrgMember(
+            org_id=org2.id,
+            user_id=user.id,
+            role_id=role.id,
+            llm_api_key='test-key-2',
+            status='active',
+        )
+        session.add_all([org_member1, org_member2])
+        session.commit()
+        user_id = user.id
+        org1_id = org1.id
+
+    # Test retrieval - should return org_member for current_org (org1)
+    with patch('storage.org_member_store.session_maker', session_maker):
+        retrieved_org_member = OrgMemberStore.get_org_member_for_current_org(user_id)
+        assert retrieved_org_member is not None
+        assert retrieved_org_member.org_id == org1_id
+        assert retrieved_org_member.user_id == user_id
+        assert retrieved_org_member.llm_api_key.get_secret_value() == 'test-key-1'
+
+
+def test_get_org_member_for_current_org_user_not_found(session_maker):
+    # Test getting org_member for non-existent user
+    with patch('storage.org_member_store.session_maker', session_maker):
+        retrieved_org_member = OrgMemberStore.get_org_member_for_current_org(
+            uuid.uuid4()
+        )
+        assert retrieved_org_member is None
+
+
 def test_add_user_to_org(session_maker):
     # Test adding a user to an org
     with session_maker() as session:
@@ -604,3 +655,180 @@ async def test_get_org_members_paginated_eager_loading(async_session_maker):
         assert member.role is not None
         assert member.role.name == 'owner'
         assert member.role.rank == 10
+
+
+@pytest.mark.asyncio
+async def test_get_org_members_count_no_filter(async_session_maker):
+    """Test get_org_members_count returns correct count without email filter."""
+    # Arrange
+    async with async_session_maker() as session:
+        org = Org(name='test-org')
+        session.add(org)
+        await session.flush()
+
+        role = Role(name='admin', rank=1)
+        session.add(role)
+        await session.flush()
+
+        users = [
+            User(id=uuid.uuid4(), current_org_id=org.id, email=f'user{i}@example.com')
+            for i in range(5)
+        ]
+        session.add_all(users)
+        await session.flush()
+
+        org_members = [
+            OrgMember(
+                org_id=org.id,
+                user_id=user.id,
+                role_id=role.id,
+                llm_api_key=f'test-key-{i}',
+                status='active',
+            )
+            for i, user in enumerate(users)
+        ]
+        session.add_all(org_members)
+        await session.commit()
+        org_id = org.id
+
+    # Act
+    with patch('storage.org_member_store.a_session_maker', async_session_maker):
+        count = await OrgMemberStore.get_org_members_count(org_id=org_id)
+
+    # Assert
+    assert count == 5
+
+
+@pytest.mark.asyncio
+async def test_get_org_members_count_with_email_filter(async_session_maker):
+    """Test get_org_members_count filters by email correctly."""
+    # Arrange
+    async with async_session_maker() as session:
+        org = Org(name='test-org')
+        session.add(org)
+        await session.flush()
+
+        role = Role(name='admin', rank=1)
+        session.add(role)
+        await session.flush()
+
+        users = [
+            User(id=uuid.uuid4(), current_org_id=org.id, email='alice@example.com'),
+            User(id=uuid.uuid4(), current_org_id=org.id, email='bob@example.com'),
+            User(
+                id=uuid.uuid4(), current_org_id=org.id, email='alice.smith@example.com'
+            ),
+        ]
+        session.add_all(users)
+        await session.flush()
+
+        org_members = [
+            OrgMember(
+                org_id=org.id,
+                user_id=user.id,
+                role_id=role.id,
+                llm_api_key=f'test-key-{i}',
+                status='active',
+            )
+            for i, user in enumerate(users)
+        ]
+        session.add_all(org_members)
+        await session.commit()
+        org_id = org.id
+
+    # Act
+    with patch('storage.org_member_store.a_session_maker', async_session_maker):
+        count = await OrgMemberStore.get_org_members_count(
+            org_id=org_id, email_filter='alice'
+        )
+
+    # Assert
+    assert count == 2
+
+
+@pytest.mark.asyncio
+async def test_get_org_members_paginated_with_email_filter(async_session_maker):
+    """Test get_org_members_paginated filters by email correctly."""
+    # Arrange
+    async with async_session_maker() as session:
+        org = Org(name='test-org')
+        session.add(org)
+        await session.flush()
+
+        role = Role(name='admin', rank=1)
+        session.add(role)
+        await session.flush()
+
+        users = [
+            User(id=uuid.uuid4(), current_org_id=org.id, email='alice@example.com'),
+            User(id=uuid.uuid4(), current_org_id=org.id, email='bob@example.com'),
+            User(id=uuid.uuid4(), current_org_id=org.id, email='charlie@example.com'),
+        ]
+        session.add_all(users)
+        await session.flush()
+
+        org_members = [
+            OrgMember(
+                org_id=org.id,
+                user_id=user.id,
+                role_id=role.id,
+                llm_api_key=f'test-key-{i}',
+                status='active',
+            )
+            for i, user in enumerate(users)
+        ]
+        session.add_all(org_members)
+        await session.commit()
+        org_id = org.id
+
+    # Act
+    with patch('storage.org_member_store.a_session_maker', async_session_maker):
+        members, has_more = await OrgMemberStore.get_org_members_paginated(
+            org_id=org_id, offset=0, limit=10, email_filter='bob'
+        )
+
+    # Assert
+    assert len(members) == 1
+    assert members[0].user.email == 'bob@example.com'
+    assert has_more is False
+
+
+@pytest.mark.asyncio
+async def test_get_org_members_paginated_email_filter_case_insensitive(
+    async_session_maker,
+):
+    """Test email filter is case-insensitive."""
+    # Arrange
+    async with async_session_maker() as session:
+        org = Org(name='test-org')
+        session.add(org)
+        await session.flush()
+
+        role = Role(name='admin', rank=1)
+        session.add(role)
+        await session.flush()
+
+        user = User(id=uuid.uuid4(), current_org_id=org.id, email='Alice@Example.COM')
+        session.add(user)
+        await session.flush()
+
+        org_member = OrgMember(
+            org_id=org.id,
+            user_id=user.id,
+            role_id=role.id,
+            llm_api_key='test-key',
+            status='active',
+        )
+        session.add(org_member)
+        await session.commit()
+        org_id = org.id
+
+    # Act
+    with patch('storage.org_member_store.a_session_maker', async_session_maker):
+        members, has_more = await OrgMemberStore.get_org_members_paginated(
+            org_id=org_id, offset=0, limit=10, email_filter='alice@example'
+        )
+
+    # Assert
+    assert len(members) == 1
+    assert members[0].user.email == 'Alice@Example.COM'

enterprise/tests/unit/test_org_service.py

@@ -482,7 +482,7 @@ async def test_get_org_credits_success(mock_litellm_api):
     spend = 25.0
 
     mock_team_info = {
-        'litellm_budget_table': {'max_budget': max_budget},
+        'max_budget_in_team': max_budget,
         'spend': spend,
     }
 

enterprise/tests/unit/test_org_store.py

@@ -10,6 +10,7 @@ with patch('storage.database.engine', create=True), patch(
     'storage.database.a_engine', create=True
 ):
     from storage.org import Org
+    from storage.org_invitation import OrgInvitation
     from storage.org_member import OrgMember
     from storage.org_store import OrgStore
     from storage.role import Role
@@ -806,3 +807,88 @@ def test_orphaned_user_error_contains_user_ids():
     assert error.user_ids == user_ids
     assert '2 user(s)' in str(error)
     assert 'no remaining organization' in str(error)
+
+
+def test_org_deletion_with_invitations_uses_passive_deletes(
+    session_maker, mock_litellm_api
+):
+    """
+    GIVEN: Organization has associated invitations with non-nullable org_id foreign key
+    WHEN: Organization is deleted via SQLAlchemy session.delete()
+    THEN: Deletion succeeds without NOT NULL constraint violation
+          (passive_deletes=True defers to database CASCADE instead of setting org_id to NULL)
+
+    This test verifies the fix for the bug where SQLAlchemy would try to
+    SET org_id=NULL on org_invitation before deleting the org, causing:
+    "NOT NULL constraint failed: org_invitation.org_id"
+
+    With passive_deletes=True on the relationship, SQLAlchemy defers to the
+    database's CASCADE constraint instead of trying to nullify the foreign key.
+
+    Note: SQLite doesn't enforce CASCADE by default, so we only verify that
+    the deletion succeeds. In production (PostgreSQL), CASCADE handles cleanup.
+    """
+    from datetime import datetime, timedelta
+
+    # Arrange
+    org_id = uuid.uuid4()
+    other_org_id = uuid.uuid4()
+    user_id = uuid.uuid4()
+
+    with session_maker() as session:
+        # Create role first (required for invitation)
+        role = Role(id=1, name='owner', rank=1)
+        session.add(role)
+        session.flush()
+
+        # Create organization to be deleted
+        org = Org(id=org_id, name='test-org-with-invitations')
+        session.add(org)
+        session.flush()
+
+        # Create a second org for the user's current_org_id
+        # (to avoid the user.current_org_id constraint issue during deletion)
+        other_org = Org(id=other_org_id, name='other-org')
+        session.add(other_org)
+        session.flush()
+
+        # Create user with current_org pointing to the OTHER org (not the one being deleted)
+        user = User(id=user_id, current_org_id=other_org_id)
+        session.add(user)
+        session.flush()
+
+        # Create invitation associated with the organization to be deleted
+        invitation = OrgInvitation(
+            token='test-invitation-token-12345',
+            org_id=org_id,
+            email='invitee@example.com',
+            role_id=1,
+            inviter_id=user_id,
+            status='pending',
+            created_at=datetime.now(),
+            expires_at=datetime.now() + timedelta(days=7),
+        )
+        session.add(invitation)
+        session.commit()
+
+        # Verify invitation was created
+        invitation_count = session.query(OrgInvitation).filter_by(org_id=org_id).count()
+        assert invitation_count == 1
+
+    # Act - Delete organization via SQLAlchemy (this is what triggered the bug)
+    # Without passive_deletes=True, SQLAlchemy would try to SET org_id=NULL
+    # which violates the NOT NULL constraint on org_invitation.org_id
+    with session_maker() as session:
+        org = session.query(Org).filter(Org.id == org_id).first()
+        assert org is not None
+
+        # This should NOT raise IntegrityError with passive_deletes=True
+        # Previously this would fail with:
+        # "NOT NULL constraint failed: org_invitation.org_id"
+        session.delete(org)
+        session.commit()  # Success indicates passive_deletes=True is working
+
+    # Assert - Organization should be deleted
+    with session_maker() as session:
+        deleted_org = session.query(Org).filter(Org.id == org_id).first()
+        assert deleted_org is None

enterprise/tests/unit/test_user_route_fallback.py

@@ -5,7 +5,7 @@ the endpoint constructs a User from OIDC claims. These tests verify that name an
 fields are correctly populated from Keycloak claims in this fallback path.
 """
 
-from unittest.mock import AsyncMock, patch
+from unittest.mock import AsyncMock, MagicMock, patch
 
 import pytest
 from pydantic import SecretStr
@@ -33,9 +33,20 @@ def mock_check_idp():
         yield mock_fn
 
 
+@pytest.fixture
+def mock_user_store():
+    """Mock UserStore.get_user_by_id_async to return None by default."""
+    with patch(
+        'server.routes.user.UserStore.get_user_by_id_async',
+        new_callable=AsyncMock,
+        return_value=None,
+    ) as mock_fn:
+        yield mock_fn
+
+
 @pytest.mark.asyncio
 async def test_fallback_user_includes_name_from_name_claim(
-    mock_token_manager, mock_check_idp
+    mock_token_manager, mock_check_idp, mock_user_store
 ):
     """When Keycloak provides a 'name' claim, the fallback User should include it."""
     from server.routes.user import saas_get_user
@@ -62,7 +73,7 @@ async def test_fallback_user_includes_name_from_name_claim(
 
 @pytest.mark.asyncio
 async def test_fallback_user_combines_given_and_family_name(
-    mock_token_manager, mock_check_idp
+    mock_token_manager, mock_check_idp, mock_user_store
 ):
     """When 'name' is absent, combine given_name + family_name."""
     from server.routes.user import saas_get_user
@@ -89,7 +100,7 @@ async def test_fallback_user_combines_given_and_family_name(
 
 @pytest.mark.asyncio
 async def test_fallback_user_name_is_none_when_no_name_claims(
-    mock_token_manager, mock_check_idp
+    mock_token_manager, mock_check_idp, mock_user_store
 ):
     """When no name claims exist, name should be None."""
     from server.routes.user import saas_get_user
@@ -113,7 +124,9 @@ async def test_fallback_user_name_is_none_when_no_name_claims(
 
 
 @pytest.mark.asyncio
-async def test_fallback_user_includes_company_claim(mock_token_manager, mock_check_idp):
+async def test_fallback_user_includes_company_claim(
+    mock_token_manager, mock_check_idp, mock_user_store
+):
     """When Keycloak provides a 'company' claim, include it in the User."""
     from server.routes.user import saas_get_user
 
@@ -139,7 +152,7 @@ async def test_fallback_user_includes_company_claim(mock_token_manager, mock_che
 
 @pytest.mark.asyncio
 async def test_fallback_user_company_is_none_when_absent(
-    mock_token_manager, mock_check_idp
+    mock_token_manager, mock_check_idp, mock_user_store
 ):
     """When 'company' is not in Keycloak claims, company should be None."""
     from server.routes.user import saas_get_user
@@ -161,3 +174,88 @@ async def test_fallback_user_company_is_none_when_absent(
 
     assert isinstance(result, User)
     assert result.company is None
+
+
+@pytest.mark.asyncio
+async def test_fallback_user_email_from_db_when_available(
+    mock_token_manager, mock_check_idp, mock_user_store
+):
+    """When User.email is stored in DB, use it instead of Keycloak's live email."""
+    from server.routes.user import saas_get_user
+
+    mock_token_manager.get_user_info = AsyncMock(
+        return_value={
+            'sub': '248289761001',
+            'preferred_username': 'j.doe',
+            'email': 'keycloak@example.com',
+        }
+    )
+
+    mock_db_user = MagicMock()
+    mock_db_user.email = 'db@example.com'
+    mock_user_store.return_value = mock_db_user
+
+    result = await saas_get_user(
+        provider_tokens=None,
+        access_token=SecretStr('test-token'),
+        user_id='248289761001',
+    )
+
+    assert isinstance(result, User)
+    assert result.email == 'db@example.com'
+
+
+@pytest.mark.asyncio
+async def test_fallback_user_email_falls_back_to_keycloak_when_db_null(
+    mock_token_manager, mock_check_idp, mock_user_store
+):
+    """When User.email is NULL in DB, fall back to Keycloak's email."""
+    from server.routes.user import saas_get_user
+
+    mock_token_manager.get_user_info = AsyncMock(
+        return_value={
+            'sub': '248289761001',
+            'preferred_username': 'j.doe',
+            'email': 'keycloak@example.com',
+        }
+    )
+
+    mock_db_user = MagicMock()
+    mock_db_user.email = None
+    mock_user_store.return_value = mock_db_user
+
+    result = await saas_get_user(
+        provider_tokens=None,
+        access_token=SecretStr('test-token'),
+        user_id='248289761001',
+    )
+
+    assert isinstance(result, User)
+    assert result.email == 'keycloak@example.com'
+
+
+@pytest.mark.asyncio
+async def test_fallback_user_email_falls_back_to_keycloak_when_no_db_user(
+    mock_token_manager, mock_check_idp, mock_user_store
+):
+    """When DB user doesn't exist, fall back to Keycloak's email."""
+    from server.routes.user import saas_get_user
+
+    mock_token_manager.get_user_info = AsyncMock(
+        return_value={
+            'sub': '248289761001',
+            'preferred_username': 'j.doe',
+            'email': 'keycloak@example.com',
+        }
+    )
+
+    # mock_user_store already returns None by default
+
+    result = await saas_get_user(
+        provider_tokens=None,
+        access_token=SecretStr('test-token'),
+        user_id='248289761001',
+    )
+
+    assert isinstance(result, User)
+    assert result.email == 'keycloak@example.com'

enterprise/tests/unit/test_user_store.py

@@ -398,6 +398,121 @@ async def test_create_user_contact_name_falls_back_to_username():
     assert org.contact_name == 'jdoe'
 
 
+# --- Tests for email fields in create_user() ---
+# create_user() should populate user.email and user.email_verified from the
+# Keycloak user_info, ensuring the user table has the correct email data.
+
+
+class _StopAfterUserCreation(Exception):
+    """Halt create_user() after User creation for email field inspection."""
+
+    pass
+
+
+@pytest.mark.asyncio
+async def test_create_user_sets_email_from_user_info():
+    """create_user() should set user.email and user.email_verified from user_info."""
+    # Arrange
+    user_id = str(uuid.uuid4())
+    user_info = {
+        'preferred_username': 'testuser',
+        'email': 'testuser@example.com',
+        'email_verified': True,
+    }
+
+    mock_session = MagicMock()
+    mock_sm = MagicMock()
+    mock_sm.return_value.__enter__ = MagicMock(return_value=mock_session)
+    mock_sm.return_value.__exit__ = MagicMock(return_value=False)
+
+    mock_settings = Settings(language='en')
+    mock_role = MagicMock()
+    mock_role.id = 1
+
+    with (
+        patch('storage.user_store.session_maker', mock_sm),
+        patch.object(
+            UserStore,
+            'create_default_settings',
+            new_callable=AsyncMock,
+            return_value=mock_settings,
+        ),
+        patch('storage.org_store.OrgStore.get_kwargs_from_settings', return_value={}),
+        patch.object(UserStore, 'get_kwargs_from_settings', return_value={}),
+        patch('storage.user_store.RoleStore.get_role_by_name', return_value=mock_role),
+        patch(
+            'storage.org_member_store.OrgMemberStore.get_kwargs_from_settings',
+            return_value={'llm_model': None, 'llm_base_url': None},
+        ),
+        patch.object(
+            mock_session,
+            'commit',
+            side_effect=_StopAfterUserCreation,
+        ),
+    ):
+        # Act
+        with pytest.raises(_StopAfterUserCreation):
+            await UserStore.create_user(user_id, user_info)
+
+    # Assert - User is the second object added to session (after Org)
+    user = mock_session.add.call_args_list[1][0][0]
+    assert isinstance(user, User)
+    assert user.email == 'testuser@example.com'
+    assert user.email_verified is True
+
+
+@pytest.mark.asyncio
+async def test_create_user_handles_missing_email_verified():
+    """create_user() should handle missing email_verified in user_info gracefully."""
+    # Arrange
+    user_id = str(uuid.uuid4())
+    user_info = {
+        'preferred_username': 'testuser',
+        'email': 'testuser@example.com',
+        # email_verified is not present
+    }
+
+    mock_session = MagicMock()
+    mock_sm = MagicMock()
+    mock_sm.return_value.__enter__ = MagicMock(return_value=mock_session)
+    mock_sm.return_value.__exit__ = MagicMock(return_value=False)
+
+    mock_settings = Settings(language='en')
+    mock_role = MagicMock()
+    mock_role.id = 1
+
+    with (
+        patch('storage.user_store.session_maker', mock_sm),
+        patch.object(
+            UserStore,
+            'create_default_settings',
+            new_callable=AsyncMock,
+            return_value=mock_settings,
+        ),
+        patch('storage.org_store.OrgStore.get_kwargs_from_settings', return_value={}),
+        patch.object(UserStore, 'get_kwargs_from_settings', return_value={}),
+        patch('storage.user_store.RoleStore.get_role_by_name', return_value=mock_role),
+        patch(
+            'storage.org_member_store.OrgMemberStore.get_kwargs_from_settings',
+            return_value={'llm_model': None, 'llm_base_url': None},
+        ),
+        patch.object(
+            mock_session,
+            'commit',
+            side_effect=_StopAfterUserCreation,
+        ),
+    ):
+        # Act
+        with pytest.raises(_StopAfterUserCreation):
+            await UserStore.create_user(user_id, user_info)
+
+    # Assert - User should have email but email_verified should be None
+    user = mock_session.add.call_args_list[1][0][0]
+    assert isinstance(user, User)
+    assert user.email == 'testuser@example.com'
+    assert user.email_verified is None
+
+
 # --- Tests for backfill_contact_name on login ---
 # Existing users created before the resolve_display_name fix may have
 # username-style values in contact_name. The backfill updates these to
@@ -524,6 +639,204 @@ async def test_backfill_contact_name_preserves_custom_value(session_maker):
         assert org.contact_name == 'Custom Corp Name'
 
 
+# --- Tests for backfill_user_email on login ---
+# Existing users created before the email capture fix may have NULL
+# email in the User table. The backfill sets User.email from the IDP
+# when the user next logs in, but preserves manual changes (non-NULL).
+
+
+@pytest.mark.asyncio
+async def test_backfill_user_email_sets_email_when_null(session_maker):
+    """When User.email is NULL, backfill_user_email should set it from user_info."""
+    user_id = str(uuid.uuid4())
+    with session_maker() as session:
+        org = Org(
+            id=uuid.UUID(user_id),
+            name=f'user_{user_id}_org',
+            contact_email='jdoe@example.com',
+        )
+        session.add(org)
+        user = User(
+            id=uuid.UUID(user_id),
+            current_org_id=org.id,
+            email=None,
+            email_verified=None,
+        )
+        session.add(user)
+        session.commit()
+
+    user_info = {
+        'email': 'jdoe@example.com',
+        'email_verified': True,
+    }
+
+    with patch(
+        'storage.user_store.a_session_maker',
+        _wrap_sync_as_async_session_maker(session_maker),
+    ):
+        await UserStore.backfill_user_email(user_id, user_info)
+
+    with session_maker() as session:
+        user = session.query(User).filter(User.id == uuid.UUID(user_id)).first()
+        assert user.email == 'jdoe@example.com'
+        assert user.email_verified is True
+
+
+@pytest.mark.asyncio
+async def test_backfill_user_email_does_not_overwrite_existing(session_maker):
+    """When User.email is already set, backfill_user_email should NOT overwrite it."""
+    user_id = str(uuid.uuid4())
+    with session_maker() as session:
+        org = Org(
+            id=uuid.UUID(user_id),
+            name=f'user_{user_id}_org',
+            contact_email='original@example.com',
+        )
+        session.add(org)
+        user = User(
+            id=uuid.UUID(user_id),
+            current_org_id=org.id,
+            email='custom@example.com',
+            email_verified=True,
+        )
+        session.add(user)
+        session.commit()
+
+    user_info = {
+        'email': 'different@example.com',
+        'email_verified': False,
+    }
+
+    with patch(
+        'storage.user_store.a_session_maker',
+        _wrap_sync_as_async_session_maker(session_maker),
+    ):
+        await UserStore.backfill_user_email(user_id, user_info)
+
+    with session_maker() as session:
+        user = session.query(User).filter(User.id == uuid.UUID(user_id)).first()
+        assert user.email == 'custom@example.com'
+        assert user.email_verified is True
+
+
+@pytest.mark.asyncio
+async def test_backfill_user_email_sets_verified_when_null(session_maker):
+    """When User.email is set but email_verified is NULL, backfill should set email_verified."""
+    user_id = str(uuid.uuid4())
+    with session_maker() as session:
+        org = Org(
+            id=uuid.UUID(user_id),
+            name=f'user_{user_id}_org',
+            contact_email='jdoe@example.com',
+        )
+        session.add(org)
+        user = User(
+            id=uuid.UUID(user_id),
+            current_org_id=org.id,
+            email='jdoe@example.com',
+            email_verified=None,
+        )
+        session.add(user)
+        session.commit()
+
+    user_info = {
+        'email': 'different@example.com',
+        'email_verified': True,
+    }
+
+    with patch(
+        'storage.user_store.a_session_maker',
+        _wrap_sync_as_async_session_maker(session_maker),
+    ):
+        await UserStore.backfill_user_email(user_id, user_info)
+
+    with session_maker() as session:
+        user = session.query(User).filter(User.id == uuid.UUID(user_id)).first()
+        # email should NOT be overwritten since it's non-NULL
+        assert user.email == 'jdoe@example.com'
+        # email_verified should be set since it was NULL
+        assert user.email_verified is True
+
+
+@pytest.mark.asyncio
+async def test_create_user_sets_email_verified_false_from_user_info():
+    """When user_info has email_verified=False, create_user() should set User.email_verified=False."""
+    user_id = str(uuid.uuid4())
+    user_info = {
+        'preferred_username': 'jsmith',
+        'email': 'jsmith@example.com',
+        'email_verified': False,
+    }
+
+    mock_session = MagicMock()
+    mock_sm = MagicMock()
+    mock_sm.return_value.__enter__ = MagicMock(return_value=mock_session)
+    mock_sm.return_value.__exit__ = MagicMock(return_value=False)
+
+    mock_settings = Settings(
+        language='en',
+        llm_api_key=SecretStr('test-key'),
+        llm_base_url='http://test.url',
+    )
+
+    mock_role = MagicMock()
+    mock_role.id = 1
+
+    with (
+        patch('storage.user_store.session_maker', mock_sm),
+        patch.object(
+            UserStore,
+            'create_default_settings',
+            new_callable=AsyncMock,
+            return_value=mock_settings,
+        ),
+        patch('storage.user_store.RoleStore.get_role_by_name', return_value=mock_role),
+        patch(
+            'storage.org_member_store.OrgMemberStore.get_kwargs_from_settings',
+            return_value={'llm_model': None, 'llm_base_url': None},
+        ),
+    ):
+        mock_session.commit.side_effect = _StopAfterUserCreation
+        with pytest.raises(_StopAfterUserCreation):
+            await UserStore.create_user(user_id, user_info)
+
+    user = mock_session.add.call_args_list[1][0][0]
+    assert isinstance(user, User)
+    assert user.email == 'jsmith@example.com'
+    assert user.email_verified is False
+
+
+@pytest.mark.asyncio
+async def test_create_user_preserves_org_contact_email():
+    """create_user() must still set Org.contact_email (no regression)."""
+    user_id = str(uuid.uuid4())
+    user_info = {
+        'preferred_username': 'jdoe',
+        'email': 'jdoe@example.com',
+        'email_verified': True,
+    }
+
+    mock_session = MagicMock()
+    mock_sm = MagicMock()
+    mock_sm.return_value.__enter__ = MagicMock(return_value=mock_session)
+    mock_sm.return_value.__exit__ = MagicMock(return_value=False)
+
+    with (
+        patch('storage.user_store.session_maker', mock_sm),
+        patch.object(
+            UserStore,
+            'create_default_settings',
+            new_callable=AsyncMock,
+            return_value=None,
+        ),
+    ):
+        await UserStore.create_user(user_id, user_info)
+
+    org = mock_session.add.call_args_list[0][0][0]
+    assert isinstance(org, Org)
+    assert org.contact_email == 'jdoe@example.com'
+
+
 def test_update_current_org_success(session_maker):
     """
     GIVEN: User exists in database
@@ -565,3 +878,100 @@ def test_update_current_org_user_not_found(session_maker):
 
     # Assert
     assert result is None
+
+
+# --- Tests for update_user_email ---
+# update_user_email() should unconditionally overwrite User.email and/or email_verified.
+# Unlike backfill_user_email(), it does not check for NULL before writing.
+
+
+@pytest.mark.asyncio
+async def test_update_user_email_overwrites_existing(session_maker):
+    """update_user_email() should overwrite existing email and email_verified values."""
+    user_id = str(uuid.uuid4())
+    with session_maker() as session:
+        org = Org(
+            id=uuid.UUID(user_id),
+            name=f'user_{user_id}_org',
+            contact_email='old@example.com',
+        )
+        session.add(org)
+        user = User(
+            id=uuid.UUID(user_id),
+            current_org_id=org.id,
+            email='old@example.com',
+            email_verified=True,
+        )
+        session.add(user)
+        session.commit()
+
+    with patch(
+        'storage.user_store.a_session_maker',
+        _wrap_sync_as_async_session_maker(session_maker),
+    ):
+        await UserStore.update_user_email(
+            user_id, email='new@example.com', email_verified=False
+        )
+
+    with session_maker() as session:
+        user = session.query(User).filter(User.id == uuid.UUID(user_id)).first()
+        assert user.email == 'new@example.com'
+        assert user.email_verified is False
+
+
+@pytest.mark.asyncio
+async def test_update_user_email_updates_only_email_verified(session_maker):
+    """update_user_email() with email=None should only update email_verified."""
+    user_id = str(uuid.uuid4())
+    with session_maker() as session:
+        org = Org(
+            id=uuid.UUID(user_id),
+            name=f'user_{user_id}_org',
+            contact_email='keep@example.com',
+        )
+        session.add(org)
+        user = User(
+            id=uuid.UUID(user_id),
+            current_org_id=org.id,
+            email='keep@example.com',
+            email_verified=False,
+        )
+        session.add(user)
+        session.commit()
+
+    with patch(
+        'storage.user_store.a_session_maker',
+        _wrap_sync_as_async_session_maker(session_maker),
+    ):
+        await UserStore.update_user_email(user_id, email_verified=True)
+
+    with session_maker() as session:
+        user = session.query(User).filter(User.id == uuid.UUID(user_id)).first()
+        assert user.email == 'keep@example.com'
+        assert user.email_verified is True
+
+
+@pytest.mark.asyncio
+async def test_update_user_email_noop_when_both_none():
+    """update_user_email() with both args None should not open a session."""
+    user_id = str(uuid.uuid4())
+    mock_session_maker = MagicMock()
+
+    with patch('storage.user_store.a_session_maker', mock_session_maker):
+        await UserStore.update_user_email(user_id, email=None, email_verified=None)
+
+    mock_session_maker.assert_not_called()
+
+
+@pytest.mark.asyncio
+async def test_update_user_email_missing_user_returns_without_error(session_maker):
+    """update_user_email() with a non-existent user_id should return without error."""
+    user_id = str(uuid.uuid4())
+
+    with patch(
+        'storage.user_store.a_session_maker',
+        _wrap_sync_as_async_session_maker(session_maker),
+    ):
+        await UserStore.update_user_email(
+            user_id, email='new@example.com', email_verified=False
+        )

frontend/__tests__/components/context-menu/account-settings-context-menu.test.tsx

@@ -1,9 +1,27 @@
 import { render, screen } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
-import { afterEach, describe, expect, it, test, vi } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, test, vi } from "vitest";
 import { AccountSettingsContextMenu } from "#/components/features/context-menu/account-settings-context-menu";
 import { MemoryRouter } from "react-router";
 import { renderWithProviders } from "../../../test-utils";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { createMockWebClientConfig } from "../../helpers/mock-config";
+
+const mockTrackAddTeamMembersButtonClick = vi.fn();
+
+vi.mock("#/hooks/use-tracking", () => ({
+  useTracking: () => ({
+    trackAddTeamMembersButtonClick: mockTrackAddTeamMembersButtonClick,
+  }),
+}));
+
+// Mock posthog feature flag
+vi.mock("posthog-js/react", () => ({
+  useFeatureFlagEnabled: vi.fn(),
+}));
+
+// Import the mocked module to get access to the mock
+import * as posthog from "posthog-js/react";
 
 describe("AccountSettingsContextMenu", () => {
   const user = userEvent.setup();
@@ -11,15 +29,45 @@ describe("AccountSettingsContextMenu", () => {
   const onLogoutMock = vi.fn();
   const onCloseMock = vi.fn();
 
+  let queryClient: QueryClient;
+
+  beforeEach(() => {
+    queryClient = new QueryClient({
+      defaultOptions: { queries: { retry: false } },
+    });
+    // Set default feature flag to false
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(false);
+  });
+
   // Create a wrapper with MemoryRouter and renderWithProviders
   const renderWithRouter = (ui: React.ReactElement) => {
     return renderWithProviders(<MemoryRouter>{ui}</MemoryRouter>);
   };
 
+  const renderWithSaasConfig = (ui: React.ReactElement) => {
+    queryClient.setQueryData(["web-client-config"], createMockWebClientConfig({ app_mode: "saas" }));
+    return render(
+      <QueryClientProvider client={queryClient}>
+        <MemoryRouter>{ui}</MemoryRouter>
+      </QueryClientProvider>
+    );
+  };
+
+  const renderWithOssConfig = (ui: React.ReactElement) => {
+    queryClient.setQueryData(["web-client-config"], createMockWebClientConfig({ app_mode: "oss" }));
+    return render(
+      <QueryClientProvider client={queryClient}>
+        <MemoryRouter>{ui}</MemoryRouter>
+      </QueryClientProvider>
+    );
+  };
+
   afterEach(() => {
     onClickAccountSettingsMock.mockClear();
     onLogoutMock.mockClear();
     onCloseMock.mockClear();
+    mockTrackAddTeamMembersButtonClick.mockClear();
+    vi.mocked(posthog.useFeatureFlagEnabled).mockClear();
   });
 
   it("should always render the right options", () => {
@@ -93,4 +141,59 @@ describe("AccountSettingsContextMenu", () => {
 
     expect(onCloseMock).toHaveBeenCalledOnce();
   });
+
+  it("should show Add Team Members button in SaaS mode when feature flag is enabled", () => {
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(true);
+    renderWithSaasConfig(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    expect(screen.getByTestId("add-team-members-button")).toBeInTheDocument();
+    expect(screen.getByText("SETTINGS$NAV_ADD_TEAM_MEMBERS")).toBeInTheDocument();
+  });
+
+  it("should not show Add Team Members button in SaaS mode when feature flag is disabled", () => {
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(false);
+    renderWithSaasConfig(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    expect(screen.queryByTestId("add-team-members-button")).not.toBeInTheDocument();
+    expect(screen.queryByText("SETTINGS$NAV_ADD_TEAM_MEMBERS")).not.toBeInTheDocument();
+  });
+
+  it("should not show Add Team Members button in OSS mode even when feature flag is enabled", () => {
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(true);
+    renderWithOssConfig(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    expect(screen.queryByTestId("add-team-members-button")).not.toBeInTheDocument();
+    expect(screen.queryByText("SETTINGS$NAV_ADD_TEAM_MEMBERS")).not.toBeInTheDocument();
+  });
+
+  it("should call tracking function and onClose when Add Team Members button is clicked", async () => {
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(true);
+    renderWithSaasConfig(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    const addTeamMembersButton = screen.getByTestId("add-team-members-button");
+    await user.click(addTeamMembersButton);
+
+    expect(mockTrackAddTeamMembersButtonClick).toHaveBeenCalledOnce();
+    expect(onCloseMock).toHaveBeenCalledOnce();
+  });
 });

frontend/__tests__/components/features/auth/login-content.test.tsx

@@ -151,8 +151,9 @@ describe("LoginContent", () => {
     await user.click(githubButton);
 
     // Wait for async handleAuthRedirect to complete
+    // The URL includes state parameter added by handleAuthRedirect
     await waitFor(() => {
-      expect(window.location.href).toBe(mockUrl);
+      expect(window.location.href).toContain(mockUrl);
     });
   });
 
@@ -201,4 +202,103 @@ describe("LoginContent", () => {
 
     expect(screen.getByTestId("terms-and-privacy-notice")).toBeInTheDocument();
   });
+
+  it("should display invitation pending message when hasInvitation is true", () => {
+    render(
+      <MemoryRouter>
+        <LoginContent
+          githubAuthUrl="https://github.com/oauth/authorize"
+          appMode="saas"
+          providersConfigured={["github"]}
+          hasInvitation
+        />
+      </MemoryRouter>,
+    );
+
+    expect(screen.getByText("AUTH$INVITATION_PENDING")).toBeInTheDocument();
+  });
+
+  it("should not display invitation pending message when hasInvitation is false", () => {
+    render(
+      <MemoryRouter>
+        <LoginContent
+          githubAuthUrl="https://github.com/oauth/authorize"
+          appMode="saas"
+          providersConfigured={["github"]}
+          hasInvitation={false}
+        />
+      </MemoryRouter>,
+    );
+
+    expect(
+      screen.queryByText("AUTH$INVITATION_PENDING"),
+    ).not.toBeInTheDocument();
+  });
+
+  it("should call buildOAuthStateData when clicking auth button", async () => {
+    const user = userEvent.setup();
+    const mockBuildOAuthStateData = vi.fn((baseState) => ({
+      ...baseState,
+      invitation_token: "inv-test-token-12345",
+    }));
+
+    render(
+      <MemoryRouter>
+        <LoginContent
+          githubAuthUrl="https://github.com/login/oauth/authorize"
+          appMode="saas"
+          providersConfigured={["github"]}
+          buildOAuthStateData={mockBuildOAuthStateData}
+        />
+      </MemoryRouter>,
+    );
+
+    const githubButton = screen.getByRole("button", {
+      name: "GITHUB$CONNECT_TO_GITHUB",
+    });
+    await user.click(githubButton);
+
+    await waitFor(() => {
+      expect(mockBuildOAuthStateData).toHaveBeenCalled();
+      const callArg = mockBuildOAuthStateData.mock.calls[0][0];
+      expect(callArg).toHaveProperty("redirect_url");
+    });
+  });
+
+  it("should encode state with invitation token when buildOAuthStateData provides token", async () => {
+    const user = userEvent.setup();
+    const mockBuildOAuthStateData = vi.fn((baseState) => ({
+      ...baseState,
+      invitation_token: "inv-test-token-12345",
+    }));
+
+    render(
+      <MemoryRouter>
+        <LoginContent
+          githubAuthUrl="https://github.com/login/oauth/authorize"
+          appMode="saas"
+          providersConfigured={["github"]}
+          buildOAuthStateData={mockBuildOAuthStateData}
+        />
+      </MemoryRouter>,
+    );
+
+    const githubButton = screen.getByRole("button", {
+      name: "GITHUB$CONNECT_TO_GITHUB",
+    });
+    await user.click(githubButton);
+
+    await waitFor(() => {
+      const redirectUrl = window.location.href;
+      // The URL should contain an encoded state parameter
+      expect(redirectUrl).toContain("state=");
+      // Decode and verify the state contains invitation_token
+      const url = new URL(redirectUrl);
+      const state = url.searchParams.get("state");
+      if (state) {
+        const decodedState = JSON.parse(atob(state));
+        expect(decodedState.invitation_token).toBe("inv-test-token-12345");
+      }
+    });
+  });
 });

frontend/__tests__/components/features/chat/change-agent-button.test.tsx

@@ -5,11 +5,6 @@ import { ChangeAgentButton } from "#/components/features/chat/change-agent-butto
 import { renderWithProviders } from "../../../../test-utils";
 import { useConversationStore } from "#/stores/conversation-store";
 
-// Mock feature flag to enable planning agent
-vi.mock("#/utils/feature-flags", () => ({
-  USE_PLANNING_AGENT: () => true,
-}));
-
 // Mock WebSocket status
 vi.mock("#/hooks/use-unified-websocket-status", () => ({
   useUnifiedWebSocketStatus: () => "CONNECTED",

frontend/__tests__/components/features/chat/git-control-bar-repo-button.test.tsx

@@ -0,0 +1,195 @@
+import { render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { GitControlBarRepoButton } from "#/components/features/chat/git-control-bar-repo-button";
+
+// Mock react-i18next
+vi.mock("react-i18next", () => ({
+  useTranslation: () => ({
+    t: (key: string) => key,
+  }),
+}));
+
+// Mock GitProviderIcon
+vi.mock("#/components/shared/git-provider-icon", () => ({
+  GitProviderIcon: ({ gitProvider }: { gitProvider: string }) => (
+    <span data-testid="git-provider-icon">{gitProvider}</span>
+  ),
+}));
+
+// Mock GitExternalLinkIcon
+vi.mock(
+  "#/components/features/chat/git-external-link-icon",
+  () => ({
+    GitExternalLinkIcon: () => (
+      <span data-testid="git-external-link-icon">external</span>
+    ),
+  }),
+);
+
+// Mock RepoForkedIcon
+vi.mock("#/icons/repo-forked.svg?react", () => ({
+  default: () => <span data-testid="repo-forked-icon">forked</span>,
+}));
+
+// Mock constructRepositoryUrl
+vi.mock("#/utils/utils", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("#/utils/utils")>();
+  return {
+    ...actual,
+    constructRepositoryUrl: (provider: string, repo: string) =>
+      `https://${provider}.com/${repo}`,
+  };
+});
+
+describe("GitControlBarRepoButton", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe("when repository is connected", () => {
+    it("should render as a link with repository name", () => {
+      render(
+        <GitControlBarRepoButton
+          selectedRepository="owner/repo"
+          gitProvider="github"
+        />,
+      );
+
+      const link = screen.getByRole("link");
+      expect(link).toHaveAttribute("href", "https://github.com/owner/repo");
+      expect(link).toHaveAttribute("target", "_blank");
+      expect(screen.getByText("owner/repo")).toBeInTheDocument();
+    });
+
+    it("should show git provider icon and external link icon", () => {
+      render(
+        <GitControlBarRepoButton
+          selectedRepository="owner/repo"
+          gitProvider="github"
+        />,
+      );
+
+      expect(screen.getByTestId("git-provider-icon")).toBeInTheDocument();
+      expect(screen.getByTestId("git-external-link-icon")).toBeInTheDocument();
+    });
+
+    it("should not show repo forked icon", () => {
+      render(
+        <GitControlBarRepoButton
+          selectedRepository="owner/repo"
+          gitProvider="github"
+        />,
+      );
+
+      expect(
+        screen.queryByTestId("repo-forked-icon"),
+      ).not.toBeInTheDocument();
+    });
+  });
+
+  describe("when no repository is connected", () => {
+    it("should render as a button with 'No Repo Connected' text", () => {
+      render(
+        <GitControlBarRepoButton
+          selectedRepository={null}
+          gitProvider={null}
+        />,
+      );
+
+      const button = screen.getByRole("button");
+      expect(button).toBeInTheDocument();
+      expect(
+        screen.getByText("COMMON$NO_REPO_CONNECTED"),
+      ).toBeInTheDocument();
+    });
+
+    it("should show repo forked icon instead of provider icon", () => {
+      render(
+        <GitControlBarRepoButton
+          selectedRepository={null}
+          gitProvider={null}
+        />,
+      );
+
+      expect(screen.getByTestId("repo-forked-icon")).toBeInTheDocument();
+      expect(
+        screen.queryByTestId("git-provider-icon"),
+      ).not.toBeInTheDocument();
+    });
+
+    it("should not show external link icon", () => {
+      render(
+        <GitControlBarRepoButton
+          selectedRepository={null}
+          gitProvider={null}
+        />,
+      );
+
+      expect(
+        screen.queryByTestId("git-external-link-icon"),
+      ).not.toBeInTheDocument();
+    });
+
+    it("should call onClick when clicked", async () => {
+      const handleClick = vi.fn();
+      const user = userEvent.setup();
+
+      render(
+        <GitControlBarRepoButton
+          selectedRepository={null}
+          gitProvider={null}
+          onClick={handleClick}
+        />,
+      );
+
+      await user.click(screen.getByRole("button"));
+      expect(handleClick).toHaveBeenCalledTimes(1);
+    });
+
+    it("should be disabled when disabled prop is true", () => {
+      render(
+        <GitControlBarRepoButton
+          selectedRepository={null}
+          gitProvider={null}
+          disabled={true}
+        />,
+      );
+
+      const button = screen.getByRole("button");
+      expect(button).toBeDisabled();
+      expect(button).toHaveClass("cursor-not-allowed");
+    });
+
+    it("should be clickable when disabled prop is false", () => {
+      render(
+        <GitControlBarRepoButton
+          selectedRepository={null}
+          gitProvider={null}
+          disabled={false}
+        />,
+      );
+
+      const button = screen.getByRole("button");
+      expect(button).not.toBeDisabled();
+      expect(button).toHaveClass("cursor-pointer");
+    });
+
+    it("should not call onClick when disabled", async () => {
+      const handleClick = vi.fn();
+      const user = userEvent.setup();
+
+      render(
+        <GitControlBarRepoButton
+          selectedRepository={null}
+          gitProvider={null}
+          onClick={handleClick}
+          disabled={true}
+        />,
+      );
+
+      await user.click(screen.getByRole("button"));
+      expect(handleClick).not.toHaveBeenCalled();
+    });
+  });
+});

frontend/__tests__/components/features/chat/git-control-bar.test.tsx

@@ -0,0 +1,45 @@
+import { describe, it, expect } from "vitest";
+
+describe("GitControlBar clone prompt format", () => {
+  // Helper function that mirrors the logic in git-control-bar.tsx
+  const generateClonePrompt = (
+    fullName: string,
+    gitProvider: string,
+    branchName: string,
+  ) => {
+    const providerName =
+      gitProvider.charAt(0).toUpperCase() + gitProvider.slice(1);
+    return `Clone ${fullName} from ${providerName} and checkout branch ${branchName}.`;
+  };
+
+  it("should include GitHub in clone prompt for github provider", () => {
+    const prompt = generateClonePrompt("user/repo", "github", "main");
+    expect(prompt).toBe("Clone user/repo from Github and checkout branch main.");
+  });
+
+  it("should include GitLab in clone prompt for gitlab provider", () => {
+    const prompt = generateClonePrompt("group/project", "gitlab", "develop");
+    expect(prompt).toBe(
+      "Clone group/project from Gitlab and checkout branch develop.",
+    );
+  });
+
+  it("should handle different branch names", () => {
+    const prompt = generateClonePrompt(
+      "hieptl.developer-group/hieptl.developer-project",
+      "gitlab",
+      "add-batman-microagent",
+    );
+    expect(prompt).toBe(
+      "Clone hieptl.developer-group/hieptl.developer-project from Gitlab and checkout branch add-batman-microagent.",
+    );
+  });
+
+  it("should capitalize first letter of provider name", () => {
+    const githubPrompt = generateClonePrompt("a/b", "github", "main");
+    const gitlabPrompt = generateClonePrompt("a/b", "gitlab", "main");
+
+    expect(githubPrompt).toContain("from Github");
+    expect(gitlabPrompt).toContain("from Gitlab");
+  });
+});

frontend/__tests__/components/features/chat/open-repository-modal.test.tsx

@@ -0,0 +1,381 @@
+import { render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { OpenRepositoryModal } from "#/components/features/chat/open-repository-modal";
+
+// Mock react-i18next
+vi.mock("react-i18next", () => ({
+  useTranslation: () => ({
+    t: (key: string) => key,
+  }),
+}));
+
+// Mock useUserProviders - default to single provider (no dropdown shown)
+const mockProviders = vi.hoisted(() => ({
+  current: ["github"] as string[],
+}));
+
+vi.mock("#/hooks/use-user-providers", () => ({
+  useUserProviders: () => ({
+    providers: mockProviders.current,
+    isLoadingSettings: false,
+  }),
+}));
+
+// Mock GitProviderDropdown
+vi.mock(
+  "#/components/features/home/git-provider-dropdown/git-provider-dropdown",
+  () => ({
+    GitProviderDropdown: ({
+      providers,
+      onChange,
+    }: {
+      providers: string[];
+      onChange: (provider: string | null) => void;
+    }) => (
+      <div data-testid="git-provider-dropdown">
+        {providers.map((p: string) => (
+          <button
+            key={p}
+            data-testid={`provider-${p}`}
+            onClick={() => onChange(p)}
+          >
+            {p}
+          </button>
+        ))}
+      </div>
+    ),
+  }),
+);
+
+// Mock GitRepoDropdown
+vi.mock(
+  "#/components/features/home/git-repo-dropdown/git-repo-dropdown",
+  () => ({
+    GitRepoDropdown: ({
+      onChange,
+    }: {
+      onChange: (repo?: {
+        id: number;
+        full_name: string;
+        git_provider: string;
+        main_branch: string;
+      }) => void;
+    }) => (
+      <button
+        data-testid="git-repo-dropdown"
+        onClick={() =>
+          onChange({
+            id: 1,
+            full_name: "owner/repo",
+            git_provider: "github",
+            main_branch: "main",
+          })
+        }
+      >
+        Mock Repo Dropdown
+      </button>
+    ),
+  }),
+);
+
+// Mock GitBranchDropdown
+vi.mock(
+  "#/components/features/home/git-branch-dropdown/git-branch-dropdown",
+  () => ({
+    GitBranchDropdown: ({
+      onBranchSelect,
+      disabled,
+    }: {
+      onBranchSelect: (branch: { name: string } | null) => void;
+      disabled: boolean;
+    }) => (
+      <button
+        data-testid="git-branch-dropdown"
+        disabled={disabled}
+        onClick={() => onBranchSelect({ name: "main" })}
+      >
+        Mock Branch Dropdown
+      </button>
+    ),
+  }),
+);
+
+// Mock RepoForkedIcon
+vi.mock("#/icons/repo-forked.svg?react", () => ({
+  default: () => <div data-testid="repo-forked-icon" />,
+}));
+
+describe("OpenRepositoryModal", () => {
+  const mockOnClose = vi.fn();
+  const mockOnLaunch = vi.fn();
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockProviders.current = ["github"];
+  });
+
+  it("should not render when isOpen is false", () => {
+    render(
+      <OpenRepositoryModal
+        isOpen={false}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    expect(
+      screen.queryByText("CONVERSATION$OPEN_REPOSITORY"),
+    ).not.toBeInTheDocument();
+  });
+
+  it("should render modal with title and description when open", () => {
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    expect(
+      screen.getByText("CONVERSATION$OPEN_REPOSITORY"),
+    ).toBeInTheDocument();
+    expect(
+      screen.getByText("CONVERSATION$SELECT_OR_INSERT_LINK"),
+    ).toBeInTheDocument();
+    expect(screen.getByTestId("repo-forked-icon")).toBeInTheDocument();
+  });
+
+  it("should render Launch and Cancel buttons", () => {
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    expect(screen.getByText("BUTTON$LAUNCH")).toBeInTheDocument();
+    expect(screen.getByText("BUTTON$CANCEL")).toBeInTheDocument();
+  });
+
+  it("should disable Launch button when no repository or branch is selected", () => {
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    const launchButton = screen.getByText("BUTTON$LAUNCH").closest("button");
+    expect(launchButton).toBeDisabled();
+  });
+
+  it("should call onClose and reset state when Cancel is clicked", async () => {
+    const user = userEvent.setup();
+
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    await user.click(screen.getByText("BUTTON$CANCEL"));
+    expect(mockOnClose).toHaveBeenCalledTimes(1);
+  });
+
+  it("should enable Launch button after selecting repository and branch", async () => {
+    const user = userEvent.setup();
+
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    // Select a repository
+    await user.click(screen.getByTestId("git-repo-dropdown"));
+
+    // Select a branch
+    await user.click(screen.getByTestId("git-branch-dropdown"));
+
+    const launchButton = screen.getByText("BUTTON$LAUNCH").closest("button");
+    expect(launchButton).not.toBeDisabled();
+  });
+
+  it("should call onLaunch with selected repository and branch, then close", async () => {
+    const user = userEvent.setup();
+
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    // Select repository and branch
+    await user.click(screen.getByTestId("git-repo-dropdown"));
+    await user.click(screen.getByTestId("git-branch-dropdown"));
+
+    // Click Launch
+    await user.click(screen.getByText("BUTTON$LAUNCH"));
+
+    expect(mockOnLaunch).toHaveBeenCalledWith(
+      {
+        id: 1,
+        full_name: "owner/repo",
+        git_provider: "github",
+        main_branch: "main",
+      },
+      { name: "main" },
+    );
+    expect(mockOnClose).toHaveBeenCalledTimes(1);
+  });
+
+  it("should not call onLaunch when Launch is clicked without selections", async () => {
+    const user = userEvent.setup();
+
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    // Force click the launch button even though it's disabled
+    const launchButton = screen.getByText("BUTTON$LAUNCH").closest("button")!;
+    await user.click(launchButton);
+
+    expect(mockOnLaunch).not.toHaveBeenCalled();
+  });
+
+  it("should reset branch selection when repository changes", async () => {
+    const user = userEvent.setup();
+
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    // Select repository and branch
+    await user.click(screen.getByTestId("git-repo-dropdown"));
+    await user.click(screen.getByTestId("git-branch-dropdown"));
+
+    // Launch button should be enabled
+    let launchButton = screen.getByText("BUTTON$LAUNCH").closest("button");
+    expect(launchButton).not.toBeDisabled();
+
+    // Select a new repository (resets branch)
+    await user.click(screen.getByTestId("git-repo-dropdown"));
+
+    // Launch button should be disabled again (branch was reset)
+    launchButton = screen.getByText("BUTTON$LAUNCH").closest("button");
+    expect(launchButton).toBeDisabled();
+  });
+
+  it("should use small modal width", () => {
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    // ModalBody with width="small" renders w-[384px]
+    const modalBody = screen
+      .getByText("CONVERSATION$OPEN_REPOSITORY")
+      .closest(".bg-base-secondary");
+    expect(modalBody).toHaveClass("w-[384px]");
+  });
+
+  it("should override default gap with !gap-4 for tighter spacing", () => {
+    render(
+      <OpenRepositoryModal
+        isOpen={true}
+        onClose={mockOnClose}
+        onLaunch={mockOnLaunch}
+      />,
+    );
+
+    const modalBody = screen
+      .getByText("CONVERSATION$OPEN_REPOSITORY")
+      .closest(".bg-base-secondary");
+    expect(modalBody).toHaveClass("!gap-4");
+  });
+
+  describe("provider switching", () => {
+    it("should not show provider dropdown when only one provider exists", () => {
+      mockProviders.current = ["github"];
+
+      render(
+        <OpenRepositoryModal
+          isOpen={true}
+          onClose={mockOnClose}
+          onLaunch={mockOnLaunch}
+        />,
+      );
+
+      expect(
+        screen.queryByTestId("git-provider-dropdown"),
+      ).not.toBeInTheDocument();
+    });
+
+    it("should show provider dropdown when multiple providers exist", () => {
+      mockProviders.current = ["github", "gitlab"];
+
+      render(
+        <OpenRepositoryModal
+          isOpen={true}
+          onClose={mockOnClose}
+          onLaunch={mockOnLaunch}
+        />,
+      );
+
+      expect(
+        screen.getByTestId("git-provider-dropdown"),
+      ).toBeInTheDocument();
+      expect(screen.getByTestId("provider-github")).toBeInTheDocument();
+      expect(screen.getByTestId("provider-gitlab")).toBeInTheDocument();
+    });
+
+    it("should reset repository and branch when provider changes", async () => {
+      mockProviders.current = ["github", "gitlab"];
+      const user = userEvent.setup();
+
+      render(
+        <OpenRepositoryModal
+          isOpen={true}
+          onClose={mockOnClose}
+          onLaunch={mockOnLaunch}
+        />,
+      );
+
+      // Select repo and branch
+      await user.click(screen.getByTestId("git-repo-dropdown"));
+      await user.click(screen.getByTestId("git-branch-dropdown"));
+
+      // Launch should be enabled
+      let launchButton = screen.getByText("BUTTON$LAUNCH").closest("button");
+      expect(launchButton).not.toBeDisabled();
+
+      // Switch provider — should reset selections
+      await user.click(screen.getByTestId("provider-gitlab"));
+
+      // Launch should be disabled (repo and branch reset)
+      launchButton = screen.getByText("BUTTON$LAUNCH").closest("button");
+      expect(launchButton).toBeDisabled();
+    });
+  });
+});

frontend/__tests__/components/features/chat/plan-preview.test.tsx

@@ -27,11 +27,6 @@ function renderPlanPreview(ui: React.ReactElement) {
   );
 }
 
-// Mock the feature flag to always return true (not testing feature flag behavior)
-vi.mock("#/utils/feature-flags", () => ({
-  USE_PLANNING_AGENT: vi.fn(() => true),
-}));
-
 // Mock i18n - need to preserve initReactI18next and I18nextProvider for test-utils
 vi.mock("react-i18next", async (importOriginal) => {
   const actual = await importOriginal<typeof import("react-i18next")>();