feat: multi-user ownership + department-admin permissions, surfaced in the org chart

[Aureliolo]

Context

The org chart currently renders only AI agents from config.agents. The human operator -- the person who owns the organisation, pays the bills, and ultimately directs the AI -- is invisible in the chart. Operators testing the dashboard asked "where am I?" and "who owns this?" when looking at the tree, because the natural top of an org chart should be whoever owns it.

In parallel, SynthOrg already has multi-user support in the backend (src/synthorg/api/controllers/users.py, users settings, session store, JWT auth), but the permission model is coarse -- every authenticated user currently has roughly the same read/write capabilities on the organisation config, and there is no concept of owner or department-scoped admin.

This issue tracks two related gaps:

1. Visible representation of human operators in the org chart -- an "Owner" node (or nodes) at the top of the hierarchy, above the CEO/c-suite agent, showing which humans own and direct the company.
2. An ownership and delegation permission model -- so the chart can meaningfully render multiple humans at different levels (company-wide owners, department-scoped owners, view-only observers) once the backend knows who has which rights.

A short-term partial fix is landing in PR #1074 (the Base UI migration): a synthetic "Owner" node rendered from the current session user, anchored above the CEO. It is intentionally designed to accept an array of human users later, so this issue is about turning that placeholder into a real multi-user, permission-aware feature.

Proposed fix

Backend (permissions)

• Introduce an explicit Role enum or permission set covering the following levels:
  • owner -- full admin, can edit any department, any agent, any setting, add/remove other users; shown at the top of the org chart.
  • department_admin -- scoped to one or more departments; can edit agents and teams within those departments only; shown inside the relevant department boxes as a "dept owner" marker.
  • editor -- can edit config but is not displayed on the chart (invisible collaborator).
  • viewer -- read-only; not displayed on the chart.
• Extend the User model with a roles: list[Role] (or equivalent) and, for department_admin, a scoped_departments: list[str] field.
• Extend /api/v1/auth/me (and the user list endpoint) to return the current role set and scoped departments so the frontend can reason about who to draw on the chart.
• Add grant/revoke endpoints (POST /api/v1/users/{id}/roles, DELETE /api/v1/users/{id}/roles/{role}) guarded by require_owner.
• Enforce the new roles in every existing mutation endpoint (extending feat: implement backend CRUD endpoints for company, departments, and agents (all 9 write paths are missing) #1081's CRUD work with per-role checks).

Frontend (org chart rendering)

• Render the list of users with owner role as a horizontal row of human cards at the very top of the org chart, above the CEO. Each card shows avatar + display name + "Owner" label.
• Render users with department_admin role as small human cards pinned to the top of the corresponding department box, with a distinct visual treatment (e.g. human icon vs agent avatar, different border).
• If there is exactly one owner (the common case today), render a single centered owner node at the top. If there are many, render them in a row and connect each to the CEO via a shared junction edge so the tree does not explode horizontally.
• editor and viewer roles do NOT appear in the chart -- they show up only in the Settings/Users page.
• AgentNode and CeoNode already have a visual language for AI agents (colored avatars, status dots, seniority borders). Human nodes should use a visually distinct treatment (human icon / different avatar style / different border color) so operators can tell humans from agents at a glance.

Frontend (org chart data pipeline)

• Extend build-org-tree.ts to accept a humans: HumanUser[] argument (one per user with owner or department_admin role) and synthesise the corresponding nodes + edges above the existing AI agent tree.
• The CEO agent node becomes the child of the owner row instead of the root.
• Department boxes remain children of the CEO node; department admins are rendered inside their scoped boxes as pinned "human header" cards.

Frontend (Users / Settings admin UI)

• On the Users page, add a "Role" column and a role-editor control per row (dropdown or multi-select), visible to owners only.
• Add a "Delegate department" action on user rows that opens a department picker, visible to owners only.

Migration / defaults

• The first user to run through the setup wizard gets the owner role automatically. Existing single-user installs get the current (only) user promoted to owner on first boot after upgrade. No operator-visible migration required.

Out of scope

• Full RBAC system with arbitrary permission strings -- the four-role model (owner / dept_admin / editor / viewer) is explicitly the scope here, not a generic policy engine.
• SSO / SAML / OIDC integration -- users still log in with the existing local auth; role assignment happens in-app.
• Audit log of role changes -- worth having eventually, tracked separately.
• Delegation chains (department_admin granting sub-permissions to other users) -- flat model only for now.

Acceptance criteria

• User model has a roles field and (for department_admin) a scoped_departments field, persisted in the existing users store.
• /api/v1/auth/me returns the current user's roles.
• Org chart renders a row of human owner nodes above the CEO when at least one user has the owner role.
• Org chart renders department admins as pinned human headers inside their scoped department boxes.
• Mutations to config/agents/departments are guarded by the appropriate role (extending feat: implement backend CRUD endpoints for company, departments, and agents (all 9 write paths are missing) #1081 CRUD handlers).
• Users page shows and allows editing of roles (owner-only).
• Single-user installs see exactly one owner at the top of the chart (themselves), with no visible change in behaviour.
• Human nodes are visually distinct from AI agent nodes (different avatar / border / icon).

Related

• Short-term placeholder landing in PR feat: migrate web dashboard from Radix UI to Base UI + activate CSP nonce + personality trimming WS notification #1074: synthetic single-user "Owner" node at the top of the org chart, derived from the current session user only. This issue upgrades it to a real multi-user, permission-aware feature.
• Depends on feat: implement backend CRUD endpoints for company, departments, and agents (all 9 write paths are missing) #1081 (backend CRUD endpoints) -- the mutation guards in this issue build on the CRUD handlers added there.
• Touches: src/synthorg/api/controllers/users.py, src/synthorg/api/auth/, src/synthorg/settings/, web/src/pages/org/build-org-tree.ts, web/src/pages/settings/UsersTab.tsx, web/src/api/endpoints/auth.ts, web/src/stores/auth.ts.