feat(api.iam): AIHCM-143 workspace repo infra

src/api/iam/dependencies/workspace.py

@@ -0,0 +1,31 @@
+"""FastAPI dependency injection for workspace repository.
+
+Provides workspace repository instances for route handlers
+using FastAPI's dependency injection system.
+"""
+
+from typing import Annotated
+
+from fastapi import Depends
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from iam.dependencies.outbox import get_outbox_repository
+from iam.infrastructure.workspace_repository import WorkspaceRepository
+from infrastructure.database.dependencies import get_write_session
+from infrastructure.outbox.repository import OutboxRepository
+
+
+def get_workspace_repository(
+    session: Annotated[AsyncSession, Depends(get_write_session)],
+    outbox: Annotated[OutboxRepository, Depends(get_outbox_repository)],
+) -> WorkspaceRepository:
+    """Get WorkspaceRepository instance.
+
+    Args:
+        session: Async database session
+        outbox: Outbox repository for transactional outbox pattern
+
+    Returns:
+        WorkspaceRepository instance with outbox pattern enabled
+    """
+    return WorkspaceRepository(session=session, outbox=outbox)

src/api/iam/infrastructure/models/__init__.py

@@ -0,0 +1,19 @@
+"""SQLAlchemy ORM models for IAM bounded context.
+
+These models map to database tables and are used by repository implementations.
+They store only metadata - authorization data (membership, roles) is stored in SpiceDB.
+"""
+
+from iam.infrastructure.models.api_key import APIKeyModel
+from iam.infrastructure.models.group import GroupModel
+from iam.infrastructure.models.tenant import TenantModel
+from iam.infrastructure.models.user import UserModel
+from iam.infrastructure.models.workspace import WorkspaceModel
+
+__all__ = [
+    "APIKeyModel",
+    "GroupModel",
+    "TenantModel",
+    "UserModel",
+    "WorkspaceModel",
+]

src/api/iam/infrastructure/models/api_key.py

@@ -0,0 +1,72 @@
+"""SQLAlchemy ORM model for the api_keys table.
+
+Stores API key metadata in PostgreSQL. The key_hash is the only
+sensitive data stored - the plaintext secret is never persisted.
+"""
+
+from datetime import datetime
+
+from sqlalchemy import Boolean, DateTime, ForeignKey, String, UniqueConstraint
+from sqlalchemy.orm import Mapped, mapped_column
+
+from infrastructure.database.models import Base, TimestampMixin
+
+
+class APIKeyModel(Base, TimestampMixin):
+    """ORM model for api_keys table.
+
+    Stores API key metadata in PostgreSQL. The key_hash is the only
+    sensitive data stored - the plaintext secret is never persisted.
+
+    Notes:
+    - created_by_user_id is VARCHAR(255) to match users.id (external SSO IDs)
+      This is for audit trail only - authorization is handled by SpiceDB.
+    - tenant_id is VARCHAR(26) for ULID format
+    - key_hash is unique for authentication lookup
+    - prefix allows key identification without exposing the full key
+    - Per-user key names are unique within a tenant
+
+    Foreign Key Constraint:
+    - tenant_id references tenants.id with CASCADE delete
+    - When a tenant is deleted, all API keys are cascade deleted
+    - API key revocation must be handled in service layer to emit events
+    """
+
+    __tablename__ = "api_keys"
+
+    id: Mapped[str] = mapped_column(String(26), primary_key=True)
+    created_by_user_id: Mapped[str] = mapped_column(
+        String(255), nullable=False, index=True
+    )
+    tenant_id: Mapped[str] = mapped_column(
+        String(26),
+        ForeignKey("tenants.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+    name: Mapped[str] = mapped_column(String(255), nullable=False)
+    key_hash: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+    prefix: Mapped[str] = mapped_column(String(12), nullable=False, index=True)
+    expires_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), nullable=False
+    )
+    last_used_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+    is_revoked: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False)
+
+    __table_args__ = (
+        UniqueConstraint(
+            "tenant_id",
+            "created_by_user_id",
+            "name",
+            name="uq_api_keys_tenant_user_name",
+        ),
+    )
+
+    def __repr__(self) -> str:
+        """Return string representation."""
+        return (
+            f"<APIKeyModel(id={self.id}, created_by_user_id={self.created_by_user_id}, "
+            f"name={self.name}, prefix={self.prefix})>"
+        )

src/api/iam/infrastructure/models/group.py

@@ -0,0 +1,43 @@
+"""SQLAlchemy ORM model for the groups table.
+
+Stores group metadata in PostgreSQL. Membership relationships are
+managed through SpiceDB, not as database columns.
+"""
+
+from sqlalchemy import ForeignKey, String
+from sqlalchemy.orm import Mapped, mapped_column
+
+from infrastructure.database.models import Base, TimestampMixin
+
+
+class GroupModel(Base, TimestampMixin):
+    """ORM model for groups table (metadata only).
+
+    Stores group metadata in PostgreSQL. Membership relationships are
+    managed through SpiceDB, not as database columns.
+
+    Note: Group names are NOT globally unique - per-tenant uniqueness
+    is enforced at the application level.
+
+    Foreign Key Constraint:
+    - tenant_id references tenants.id with RESTRICT delete
+    - Application layer must explicitly delete groups before tenant deletion
+    - This ensures GroupDeleted domain events are emitted for SpiceDB cleanup
+    """
+
+    __tablename__ = "groups"
+
+    id: Mapped[str] = mapped_column(String(26), primary_key=True)
+    tenant_id: Mapped[str] = mapped_column(
+        String(26),
+        ForeignKey("tenants.id", ondelete="RESTRICT"),
+        nullable=False,
+        index=True,
+    )
+    name: Mapped[str] = mapped_column(String(255), nullable=False, index=True)
+
+    def __repr__(self) -> str:
+        """Return string representation."""
+        return (
+            f"<GroupModel(id={self.id}, tenant_id={self.tenant_id}, name={self.name})>"
+        )

src/api/iam/infrastructure/models/tenant.py

@@ -0,0 +1,32 @@
+"""SQLAlchemy ORM model for the tenants table.
+
+Stores tenant metadata in PostgreSQL. Tenants represent organizations
+and are the top-level isolation boundary in the system.
+"""
+
+from sqlalchemy import String
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from infrastructure.database.models import Base, TimestampMixin
+
+
+class TenantModel(Base, TimestampMixin):
+    """ORM model for tenants table.
+
+    Stores tenant metadata in PostgreSQL. Tenants represent organizations
+    and are the top-level isolation boundary in the system.
+
+    Note: Tenant names are globally unique across the entire system.
+    """
+
+    __tablename__ = "tenants"
+
+    id: Mapped[str] = mapped_column(String(26), primary_key=True)
+    name: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+
+    # Relationships
+    workspaces = relationship("WorkspaceModel", back_populates="tenant")
+
+    def __repr__(self) -> str:
+        """Return string representation."""
+        return f"<TenantModel(id={self.id}, name={self.name})>"

src/api/iam/infrastructure/models/user.py

@@ -0,0 +1,29 @@
+"""SQLAlchemy ORM model for the users table.
+
+Stores user metadata in PostgreSQL. Users are provisioned from SSO
+and this table only stores minimal metadata for lookup and reference.
+"""
+
+from sqlalchemy import String
+from sqlalchemy.orm import Mapped, mapped_column
+
+from infrastructure.database.models import Base, TimestampMixin
+
+
+class UserModel(Base, TimestampMixin):
+    """ORM model for users table (metadata only).
+
+    Stores user metadata in PostgreSQL. Users are provisioned from SSO
+    and this table only stores minimal metadata for lookup and reference.
+
+    Note: id is VARCHAR(255) to accommodate external SSO IDs (UUIDs, Auth0, etc.)
+    """
+
+    __tablename__ = "users"
+
+    id: Mapped[str] = mapped_column(String(255), primary_key=True)
+    username: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+
+    def __repr__(self) -> str:
+        """Return string representation."""
+        return f"<UserModel(id={self.id}, username={self.username})>"