Fix member-add bug + dept-aware org matching + Cassandra cleanups

Makefile

@@ -168,7 +168,7 @@ sast-gosec:
 # Requires outbound network access to https://vuln.go.dev.
 sast-vuln:
 	@test -x "$(GOVULNCHECK)" || { echo "govulncheck not installed — run 'make tools'"; exit 1; }
-	$(GOVULNCHECK) ./...
+	GOTOOLCHAIN=$(TOOLS_GO_TOOLCHAIN) $(GOVULNCHECK) ./...
 
 # semgrep: rule-based SAST (Go security + security-audit rulesets).
 # Requires outbound network access to the Semgrep registry on first run.

chat-frontend/src/api/fetchSidebarBuckets/index.ts

@@ -132,7 +132,6 @@ function subToRoom(sub: DMSubscription, fallbackSiteId: string): Room {
     appCount: 0,
     lastMsgId: sub.lastMsgId ?? '',
     lastMsgAt: sub.lastMsgAt ?? undefined,
-    createdBy: '',
     createdAt: '',
     updatedAt: '',
   }

chat-frontend/src/api/types.ts

@@ -107,7 +107,6 @@ export interface Room {
   id: string
   name: string
   type: RoomType
-  createdBy: string
   siteId: string
   userCount: number
   appCount: number

chat-frontend/src/components/MainApp/Sidebar/CreateRoomDialog/CreateRoomDialog.jsx

@@ -90,19 +90,24 @@ export default function CreateRoomDialog({ onClose, onCreated }) {
         { treatAsSuccess: isDMExistsReply }
       )
       const roomId = sync.roomId
-      // On the dedup branch the server only tells us the existing roomId, not
-      // its type — could be either dm or botDM. Default to 'dm'; the canonical
-      // type arrives shortly via subscription.update.
-      const roomType = sync.roomType || (isDMExistsReply(sync) ? 'dm' : undefined)
       // For DM/BotDM the name is empty; fall back to the counterpart account
       // so the sidebar + header have something to show until the canonical
       // name arrives via subscription.update.
       const displayName = trimmedName || finalUsers[0] || ''
+
+      if (isDMExistsReply(sync)) {
+        // Dedup branch: server already confirmed the DM; skip the summaries-wait that can trip the 3s banner on a BUCKETS_LOADED race.
+        onCreated({ id: roomId, type: 'dm', siteId: user.siteId, name: displayName })
+        onClose()
+        return
+      }
+
+      // On the normal branch the server returns roomType explicitly.
       // Request is done; flip loading off so Cancel becomes re-enabled
       // during the subscription.update wait. The pendingRoom state marks
       // the wait phase — see the two useEffects above for the resolution
       // paths (summaries-match success vs timeout error).
-      setPendingRoom({ id: roomId, type: roomType, siteId: user.siteId, name: displayName })
+      setPendingRoom({ id: roomId, type: sync.roomType, siteId: user.siteId, name: displayName })
     } catch (err) {
       setError(formatAsyncJobError(err))
     } finally {

chat-frontend/src/components/MainApp/Sidebar/CreateRoomDialog/CreateRoomDialog.test.jsx

@@ -136,30 +136,30 @@ describe('CreateRoomDialog', () => {
     )
   })
 
-  it('treats a "dm already exists" reply as success and navigates to the existing room', async () => {
-    const requestWithAsyncResult = vi.fn().mockResolvedValue({
-      sync: { error: 'dm already exists', roomId: 'r-existing' },
-      async: null,
-    })
-    useNats.mockReturnValue({
-      user: { account: 'alice', siteId: 'site-A' },
-      request: vi.fn(),
-      requestWithAsyncResult,
-    })
-    useRoomSummaries.mockReturnValue({ summaries: DEFAULT_SUMMARIES })
-    const onCreated = vi.fn()
-    const onClose = vi.fn()
-    render(<CreateRoomDialog onClose={onClose} onCreated={onCreated} />)
-    fireEvent.change(screen.getByLabelText(/Users/i), { target: { value: 'bob' } })
-    fireEvent.keyDown(screen.getByLabelText(/Users/i), { key: 'Enter' })
-    fireEvent.click(screen.getByRole('button', { name: /Create/i }))
-    await waitFor(() => expect(onCreated).toHaveBeenCalledWith(
-      expect.objectContaining({ id: 'r-existing', type: 'dm' })
-    ))
-    await waitFor(() => expect(onClose).toHaveBeenCalled())
-    expect(requestWithAsyncResult.mock.calls[0][2]).toMatchObject({
-      treatAsSuccess: expect.any(Function),
-    })
+  it('navigates directly to the existing room on dm-already-exists reply (no summaries-wait)', async () => {
+    vi.useFakeTimers({ shouldAdvanceTime: true })
+    try {
+      const { onCreated, onClose } = setup({
+        summaries: [],
+        requestWithAsyncResult: vi.fn().mockResolvedValue({
+          sync: { error: 'dm already exists', roomId: 'r-existing' },
+          async: null,
+        }),
+      })
+
+      fireEvent.change(screen.getByLabelText(/Users/i), { target: { value: 'bob' } })
+      fireEvent.keyDown(screen.getByLabelText(/Users/i), { key: 'Enter' })
+      fireEvent.click(screen.getByRole('button', { name: /Create/i }))
+
+      await waitFor(() => expect(onCreated).toHaveBeenCalledTimes(1))
+      expect(onCreated).toHaveBeenCalledWith(expect.objectContaining({ id: 'r-existing', type: 'dm' }))
+      expect(onClose).toHaveBeenCalledTimes(1)
+
+      await vi.advanceTimersByTimeAsync(3500)
+      expect(screen.queryByText(/taking longer than expected/i)).toBeNull()
+    } finally {
+      vi.useRealTimers()
+    }
   })
 
   it('auto-flushes typed-but-not-Entered text into the request payload', async () => {

docker-local/cassandra/init/10-table-messages_by_room.cql

@@ -5,7 +5,6 @@ CREATE TABLE IF NOT EXISTS chat.messages_by_room (
   message_id               TEXT,
   thread_room_id           TEXT,
   sender                   FROZEN<"Participant">,
-  target_user              FROZEN<"Participant">,
   msg                      TEXT,
   mentions                 SET<FROZEN<"Participant">>,
   attachments              LIST<BLOB>,

docker-local/cassandra/init/11-table-thread_messages_by_room.cql

@@ -6,7 +6,6 @@ CREATE TABLE IF NOT EXISTS chat.thread_messages_by_room (
   message_id            TEXT,
   thread_parent_id      TEXT,
   sender                FROZEN<"Participant">,
-  target_user           FROZEN<"Participant">,
   msg                   TEXT,
   mentions              SET<FROZEN<"Participant">>,
   attachments           LIST<BLOB>,

docker-local/cassandra/init/12-table-pinned_messages_by_room.cql

@@ -3,7 +3,6 @@ CREATE TABLE IF NOT EXISTS chat.pinned_messages_by_room (
   created_at            TIMESTAMP, // = pinnedAt
   message_id            TEXT,
   sender                FROZEN<"Participant">,
-  target_user           FROZEN<"Participant">,
   msg                   TEXT,
   mentions              SET<FROZEN<"Participant">>,
   attachments           LIST<BLOB>,

docker-local/cassandra/init/13-table-messages_by_id.cql

@@ -3,7 +3,6 @@ CREATE TABLE IF NOT EXISTS chat.messages_by_id (
   room_id                  TEXT,
   thread_room_id           TEXT,
   sender                   FROZEN<"Participant">,
-  target_user              FROZEN<"Participant">,
   msg                      TEXT,
   mentions                 SET<FROZEN<"Participant">>,
   attachments              LIST<BLOB>,

docker-local/compose.deps.yaml

@@ -28,7 +28,9 @@ services:
       - chat-local
 
   mongodb:
-    image: mongo:8
+    # Patch-pinned to match pkg/testutil/testimages/testimages.go so local dev
+    # tracks the same image testcontainers uses.
+    image: mongo:8.2.9
     container_name: chat-local-mongodb
     ports:
       - "27017:27017"
@@ -151,7 +153,8 @@ services:
   # --cluster-enabled, waits for it to accept connections, then assigns all
   # 16384 hash slots so it forms a valid one-node cluster.
   valkey:
-    image: valkey/valkey:8-alpine
+    # Patch-pinned (same rationale as mongodb above).
+    image: valkey/valkey:8.1.7-alpine
     container_name: chat-local-valkey
     ports:
       - "6379:6379"

docs/cassandra_message_model.md

@@ -76,7 +76,6 @@ CREATE TABLE IF NOT EXISTS messages_by_room(
   message_id TEXT,
   thread_room_id TEXT,
   sender FROZEN<"Participant">,
-  target_user FROZEN<"Participant">,
   msg TEXT,
   mentions SET<FROZEN<"Participant">>,
   attachments LIST<BLOB>,
@@ -109,7 +108,6 @@ CREATE TABLE IF NOT EXISTS thread_messages_by_room(
   message_id TEXT,
   thread_parent_id TEXT,
   sender FROZEN<"Participant">,
-  target_user FROZEN<"Participant">,
   msg TEXT,
   mentions SET<FROZEN<"Participant">>,
   attachments LIST<BLOB>,
@@ -135,7 +133,6 @@ CREATE TABLE IF NOT EXISTS pinned_messages_by_room(
   created_at TIMESTAMP, // =pinnedAt
   message_id TEXT,
   sender FROZEN<"Participant">,
-  target_user FROZEN<"Participant">,
   msg TEXT,
   mentions SET<FROZEN<"Participant">>,
   attachments LIST<BLOB>,
@@ -162,7 +159,6 @@ CREATE TABLE IF NOT EXISTS messages_by_id(
   room_id TEXT,
   thread_room_id TEXT,
   sender FROZEN<"Participant">,
-  target_user FROZEN<"Participant">,
   msg TEXT,
   mentions SET<FROZEN<"Participant">>,
   attachments LIST<BLOB>,

docs/client-api.md

@@ -196,18 +196,22 @@ When the auth-service is started with `DEV_MODE=true`, the request body schema i
 |--------------------|----------|----------|-------|
 | `name`             | string   | yes      | Room name. |
 | `type`             | string   | yes      | One of `channel`, `dm`, `botDM`, `discussion`. |
-| `createdBy`        | string   | yes      | Internal user ID of the creator. |
-| `createdByAccount` | string   | yes      | Account name of the creator. Used for the owner subscription. |
 | `siteId`           | string   | yes      | The site that will own this room. |
 | `members`          | string[] | no       | Required exactly **one** entry when `type=dm` (the other user's ID); ignored otherwise. |
+| `users`            | string[] | no       | `channel` only. Internal user IDs (or accounts) to enroll as members at creation time. Rejected with `"user not found"` if any entry has no matching user document. |
+| `orgs`             | string[] | no       | `channel` only. Org IDs to enroll (expanded server-side to all org members). Rejected with `"invalid org"` if any entry matches zero users. |
+| `channels`         | array<ChannelRef> | no | `channel` only. Other channels whose members should be copied in. Each entry is `{ "roomId": string, "siteId": string }`. |
+
+The creator's account is taken from the `{account}` segment of the subject (`chat.user.{account}.request.rooms.create`); the client does not pass it in the body.
 
 ```json
 {
   "name": "engineering-announcements",
   "type": "channel",
-  "createdBy": "01970a4f8c2d7c9a01970a4f8c2d7c9a",
-  "createdByAccount": "alice",
-  "siteId": "siteA"
+  "siteId": "siteA",
+  "users": ["bob"],
+  "orgs": ["org-eng"],
+  "channels": []
 }
 ```
 
@@ -220,9 +224,8 @@ The created `Room` object.
 | `id`                | string  | Room ID. 17-char base62 for channels; sorted concat of two accounts for DMs. |
 | `name`              | string  |       |
 | `type`              | string  | Same values as request. |
-| `createdBy`         | string  |       |
 | `siteId`            | string  |       |
-| `userCount`         | number  | `1` immediately after creation (the owner). |
+| `userCount`         | number  | `1` for owner-only creates; higher when initial members were enrolled at creation via `users` / `orgs` / `channels`. |
 | `lastMsgAt`         | string  | Optional. RFC 3339 timestamp; absent until first message. |
 | `lastMsgId`         | string  | Empty until first message. |
 | `lastMentionAllAt`  | string  | Optional. RFC 3339 timestamp. |
@@ -238,7 +241,6 @@ The created `Room` object.
   "id": "01970a4f8c2d7c9aQ",
   "name": "engineering-announcements",
   "type": "channel",
-  "createdBy": "01970a4f8c2d7c9a01970a4f8c2d7c9a",
   "siteId": "siteA",
   "userCount": 1,
   "lastMsgId": "",
@@ -249,15 +251,15 @@ The created `Room` object.
 
 ##### Error response
 
-See [Error envelope](#6-error-envelope-reference).
+See [Error envelope](#6-error-envelope-reference). Channel creates also reject any `orgs` entry that matches zero users with `"invalid org"` and any `users` entry without a matching user document with `"user not found"` (same gates as Add Members — phantom org IDs or accounts do not create a room).
 
 ```json
 { "error": "DM requires exactly one other member, got 0" }
 ```
 
 ##### Triggered events — success path
 
-`None — reply only.` Member additions are a separate RPC (Add Members); creating a room only enrolls the owner.
+`None — reply only.` Creation enrolls the owner (from the subject's `{account}`) plus any members supplied via `users` / `orgs` / `channels` per the request schema above. Adding members to an existing room is a separate RPC (Add Members).
 
 ##### Triggered events — error path
 
@@ -291,7 +293,6 @@ Empty. Send `{}` or no payload.
       "id": "01970a4f8c2d7c9aQ",
       "name": "engineering-announcements",
       "type": "channel",
-      "createdBy": "01970a4f8c2d7c9a01970a4f8c2d7c9a",
       "siteId": "siteA",
       "userCount": 12,
       "lastMsgAt": "2026-05-06T07:55:00Z",
@@ -341,7 +342,6 @@ A single `Room` object. See [Create Room](#create-room) for the `Room` schema.
   "id": "01970a4f8c2d7c9aQ",
   "name": "engineering-announcements",
   "type": "channel",
-  "createdBy": "01970a4f8c2d7c9a01970a4f8c2d7c9a",
   "siteId": "siteA",
   "userCount": 12,
   "lastMsgAt": "2026-05-06T07:55:00Z",
@@ -411,7 +411,7 @@ The fields `requesterId`, `requesterAccount`, and `timestamp` on the Go `AddMemb
 
 ##### Error response
 
-See [Error envelope](#6-error-envelope-reference). Returned synchronously when validation or authorization fails (e.g. requester not in room, room is full, room is restricted and requester is not owner).
+See [Error envelope](#6-error-envelope-reference). Returned synchronously when validation or authorization fails (e.g. requester not in room, room is full, room is restricted and requester is not owner). Any `orgs` entry that matches zero users (no user with `sectId == orgId` or `deptId == orgId`) is rejected with `"invalid org"`, and any `users` entry that has no matching user document is rejected with `"user not found"` — in both cases the request is not queued and no members are added.
 
 ```json
 { "error": "room is at maximum capacity (200): cannot add 5 members to room with 198 existing" }
@@ -864,7 +864,7 @@ See [Error envelope](#6-error-envelope-reference). Common errors:
 **Subject:** `chat.user.{account}.request.orgs.{orgID}.members`
 **Reply subject:** auto-generated `_INBOX.>` (NATS request/reply)
 
-The org ID is the second-to-last subject segment — there is no request body.
+The org ID is the second-to-last subject segment — there is no request body. `orgID` matches a user's `sectId` OR `deptId`; the response includes every user whose either field equals `orgID`. This mirrors the dept-aware org membership pipelines on the server side (a room may be added by sect-level or dept-level org and either form resolves through this endpoint).
 
 ##### Request body
 
@@ -935,7 +935,6 @@ Used by every history-service method that returns messages. Mirrors the Cassandr
 | `messageId` | string | 17- or 20-char base62. |
 | `sender` | object | A `Participant` — see below. |
 | `msg` | string | The message body. |
-| `targetUser` | object | Optional. `Participant` — set for direct/system messages addressed to a specific user. |
 | `mentions` | array<Participant> | Optional. |
 | `attachments` | string[] | Optional. Each entry is base64-encoded bytes. |
 | `file` | object | Optional. `{id, name, type}`. |